Organisations struggle to secure data in the cloud
Survey shows complexity of cloud security is causing concerns
The majority of IT organisations are struggling with managing data security in the cloud, according to a new survey by the Ponemon Institute commissioned by SafeNet.
The global study of over 1,800 IT and IT security professionals showed that 70% of respondents agree that it is more complex to manage privacy and data protection regulations in a cloud environment, and due to factors such as shadow IT, only 19% of respondents are very confident that they know about all cloud computing applications, platforms, or infrastructure services in use in their organisations today.
The survey found that only 38% of organisations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud. Adding to the confusion, 44% of corporate data stored in cloud environments is not managed or controlled by the IT department. And more than two-thirds (71%) of respondents say it is more difficult to protect sensitive data in the cloud using conventional security practices.
"The findings reveal that global organisations are struggling to secure data in the cloud due to the lack of critical governance and security practices in place," said Dr Larry Ponemon, chairman and founder of the Ponemon Institute. "To create a more secure cloud environment, organisations can begin with simple steps such as including IT security in establishing security policies and procedures; increasing visibility into the use of cloud applications, platforms, and infrastructure; and protecting data with encryption and stronger access controls, such as multi-factor authentication."
Cloud is becoming increasingly important to most organisations, with an average of one third of the organisations' total IT and data processing requirements being met with cloud resources today, a figure which is expected to rise to an average of 41% within in two years.
While the IT department does not control or manage 44% of the data in the cloud, there is also a difference in views as to who is responsible for cloud data security, with 35% of respondents saying it is a shared responsibility between the cloud user and the cloud provider while 33% say it is the responsibility of the cloud user and 32% say it is the responsibility of the cloud provider.
Because of the difficulties of protecting data using conventional security practices, more than one-third (34%) of IT professionals surveyed say their organisations already have a policy in place that requires the use of security safeguards such as encryption as a condition for using certain cloud computing resources. Seventy-one percent of respondents say the ability to encrypt or tokenize sensitive or confidential data is important, and 79% say it will become more important over the next two years.
In terms of what companies are actually doing to secure data in the cloud, 43% of respondents say their organisation is using private data network connectivity. Nearly two-fifths, or 39%, of respondents say their organisations use encryption, tokenization or other cryptographic tools to protect data in the cloud. Thirty-three percent say they don't know what security solutions they use and 29% say they use premium security services provided by their cloud provider.
Respondents also noted that the management of their encryption keys is important to securing data in the cloud, given the increasing number of key management and encryption platforms their companies use. Fifty-four percent of respondents say their organisation controls the encryption keys when data is stored in the cloud. However, 45% say they store their encryption keys in the software where they store their data while 27% say they store their keys in more secure environments such as hardware devices.
Regarding access to data in the cloud, 68% of respondents also say that the management of user identities is more difficult in the cloud, and 62% of respondents say their organisations have third parties accessing the cloud. Nearly half (46%) say their company uses multi-factor authentication to secure third-party access to data in the cloud environment. About the same percentage (48%) of respondents say their organisations use multi-factor authentication for employees' access to the cloud.
"While the cloud has revolutionized the way IT is delivered, many IT organisations are finding it difficult to keep up with demand for these services and the security implications that are created when critical data is stored in the cloud," said Sebastien Pavie, regional sales director, MEA, SafeNet. "And as we've seen in 2014 with a raft of record-breaking data breaches, organizations are attacked frequently from different angles. In order to mitigate risk, there needs to be focused coordination and new approaches to securing data in the cloud, and IT needs to be at the center of this migration."