IT organisations are kept in the dark when it comes to protecting corporate data in the cloud, putting confidential and sensitive information at risk. This is one of the findings of a recent Ponemon Institute study commissioned by the US-based data protection product firm SafeNet, Inc. The study, titled “The Challenges of Cloud Information Governance: A Global Data Security,” surveyed more than 1800 IT and IT security people worldwide.
Among the findings, the research indicates that while organisations are increasingly using cloud computing, IT staff are having trouble controlling the management and security of data in the cloud. The survey found that only 38 per cent of organisations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud.
Adding to the confusion, 44 per cent of corporate data stored in ‘the cloud’ is not managed or controlled by the IT department. And more than two-thirds (71 per cent) of respondents say it is more difficult to protect sensitive data in the cloud using conventional security practices.
Dr Larry Ponemon, chairman and founder of the US-based Ponemon Institute, said: “The findings reveal that global organisations are struggling to secure data in the cloud due to the lack of critical governance and security practices in place. To create a more secure cloud environment, organisations can begin with simple steps such as including IT security in establishing security policies and procedures; increasing visibility into the use of cloud applications, platforms, and infrastructure; and protecting data with encryption and stronger access controls, such as multi-factor authentication.”
Findings
Nearly three-quarters (71 per cent) of IT professionals confirmed that cloud computing is very important today, and more than three quarters (78 per cent) believe it will be over the next two years. The respondents also estimate that 33 per cent of their organisations’ total IT and data processing requirements are met with cloud resources today, and that is expected to increase to an average of 41 per cent within two years.
However, the majority of respondents (70 per cent) agree that it is more complex to manage privacy and data protection regulations in a cloud environment, and they also agree that the types of corporate data stored in the cloud, such as emails, and consumer, customer, and payment information, are the types of data most at risk.
On average, half of all cloud services are deployed by departments other than corporate IT, and an average of 44 per cent of corporate data stored in the cloud environment is not managed or controlled by the IT department. As a result, only 19 per cent of respondents are very confident that they know about all cloud computing applications, platforms, or infrastructure services in use in their organisations.
With this lack of control over the sourcing of cloud services, views on who is actually accountable for cloud data security are mixed. Thirty five per cent of respondents say it is a shared responsibility between the cloud user and the cloud provider while 33 per cent say it is the responsibility of the cloud user and 32 per cent say it is the responsibility of the cloud provider.
Encryption
More than two-thirds (71 per cent) of respondents say it is more difficult to protect sensitive data in the cloud using conventional security practices, and nearly half (48 per cent) say it’s more difficult to control or restrict end-user access to cloud data. As a result, more than one-third (34 per cent) of IT professionals surveyed say their organisations already have a policy in place that requires the use of security safeguards such as encryption as a condition for using certain cloud computing resources. Seventy-one (71) per cent of respondents say the ability to encrypt or tokenise sensitive or confidential data is important, and 79 per cent say it will become more important over the next two years.
In terms of what companies are actually doing to secure data in the cloud, 43 per cent of respondents say their organisation is using private data network connectivity. Nearly two-fifths, or 39 per cent, of respondents say their organisations use encryption, tokenisation or other cryptographic tools to protect data in the cloud. Thirty-three per cent say they don’t know what security solutions they use and 29 per cent say they use premium security services provided by their cloud provider.
Respondents also noted that the management of their encryption keys is important to securing data in the cloud, given the increasing number of key management and encryption platforms their companies use. Fifty-four percent of respondents say their organisation controls the encryption keys when data is stored in the cloud. However, 45 per cent say they store their encryption keys in the software where they store their data while 27 per cent say they store their keys in more secure environments such as hardware devices.
On access to data in the cloud, 68 per cent of respondents also say that the management of user identities is more difficult in the cloud, and 62 per cent of respondents say their organisations have third parties accessing the cloud. Nearly half (46 per cent) say their company uses multi-factor authentication to secure third-party access to data in the cloud environment. About the same percentage (48 per cent) of respondents say their organisations use multi-factor authentication for employees’ access to the cloud.
Tsion Gonen, chief strategy officer, SafeNet, said: “While the cloud has revolutionised the way IT is delivered, many IT organizations are finding it difficult to keep up with demand for these services and the security implications that are created when critical data is stored in the cloud. And as we’ve seen in 2014 with a raft of record-breaking data breaches, organisations are attacked frequently from different angles. In order to mitigate risk, there needs to be focused co-ordination and new approaches to securing data in the cloud, and IT needs to be at the centre of this migration.”
