As organizations shift toward the cloud to store and transfer sensitive and confidential information, there are some disagreements over who is in charge of protecting the data, a new report said.
Nearly half, or 49 percent, of organizations already transfer sensitive and confidential data into the cloud, and 30 percent are planning to do so within the next two years, according to the “Encryption in the Cloud” report from Ponemon Institute.
The report surveyed 4,000 business and IT managers in seven countries and the responses were fairly consistent across the board. German companies were more likely to transfer sensitive or confidential data, and French and Japanese companies were less likely to do so, the report found. The U.S. was right in the middle, at 50 percent.
Just over one third, or 39 percent, of the business and IT managers surveyed believed cloud adoption had made their company less secure. While that number seems large, 44 percent said using cloud services has not affected the organization’s security posture, the report found. Ten percent of survey respondents felt moving the data to the cloud resulted in the organization being more secure, according to the report.
“Once again we see that economics seems to trump security,” said Richard Moulds, vice president of product management and strategy at Thales Information Systems Security. Thales commissioned the Ponemon report.
However, the survey indicated organizations with strong security postures were the ones actually moving sensitive data to the cloud, while those with a weaker security focus have not yet made the shift, Moulds said. It appears organizations that understand the security risks of being in the cloud are more likely to take advantage of the business benefits of the cloud, which “sounds quite comforting,” Moulds said.
There was disagreement over who was responsible for protecting the data. While the largest group of respondents, 44 percent, felt the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment, 30 percent said the responsibility lay with the customer. One quarter believed the two should share the responsibility.
Only half of those who expected the provider to protect the data believed the cloud provider was actually capable of doing so. That was not surprising when nearly two thirds said they had no idea what the cloud providers are actually doing to protect the data, Moulds said.
About 38 percent said the organization encrypts the data during transit to the provider’s environment, compared to 35 percent who encrypted the data before initiating the transfer, the report found. About 27 percent relied on the cloud provider to encrypt the data.
“Regardless of where encryption is deployed, the net security is still driven by the measures that are put in place to protect and control the keys,” Moulds said.
Overall, 36 percent of the respondents said the organization retained control of the encryption keys, compared to 22 percent who said the cloud provider had control. Another 22 percent used a third-party service other than the cloud provider to manage the keys.
Organizations need effective key management integrated with existing IT business processes, Moulds said. Regardless of where they store data, the organization needs to retain control.
“Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data,” Moulds said.