A second annual global survey by Thales and Ponemon Institute examines attitudes towards data protection and encryption in the cloud.
This survey on cloud security suggests more organisations are transferring sensitive or confidential data to the cloud, despite concerns over data protection. Encryption in the Cloud is a global study of more than 4,000 organisations in seven countries, by the Ponemon Institute and commissioned by Thales.
The study is of perceptions and current practices around the threats and protection issues relating to sensitive or confidential data in the cloud. Who is considered responsible for protecting this valuable and often regulated class of data – the cloud service provider or cloud service consumer? How is that data protected and where is data encryption applied inside and outside the cloud? Who manages the associated encryption keys and therefore who ultimately controls access to the data.
Larry Ponemon, chairman and founder, Ponemon Institute, says: “Staying in control of sensitive or confidential data is paramount for most organisations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud. In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS. Perceived responsibility for data protection, awareness of security measures, confidence and impact on overall security posture illustrate important regional and service type differences but overall the trend is positive. Respondents generally feel better informed, more confident in their cloud service providers and more positive about the impact on their security posture compared with last year.”
Richard Moulds, vice president strategy, Thales e-Security, says: “Encryption is the most widely proven and accepted method to secure sensitive data both within the enterprise and the cloud, but it’s no silver bullet. Decisions still need to be taken over where encryption is performed and critically, who controls the keys. This is perhaps one of the reasons why new key management standards, such as the Key Management Interoperability Protocol (KMIP), have already attracted considerable interest, particularly in the context of cloud encryption. Overall, it’s very positive news that confidence in cloud security and in particular the use of encryption seems to be increasing. The ability to safely migrate sensitive applications to the cloud has the potential to deliver even more economic benefit than the more routine applications that have already taken that step.”
Findings:
More than half of all respondents say their organisation transfers sensitive or confidential data to the cloud – an increase of about 10 percent compared with last year’s study.
More than twice as many respondents say use of the cloud has decreased their security posture (35 per cent) than say it has increased (15 per cent), but this is an improvement on last year where nearly four times as many respondents said that cloud adoption had decreased their security posture (39 per cent) while only 10 per cent said it had increased. The greatest sense of improvement was seen in both the UK and Brazil.
More than 60 per cent of respondents whose organisations transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data and 22 per cent believed the cloud consumer to be responsible. However, the pattern is reversed for users of an Infrastructure-as-a-Service (IaaS) cloud offering.
There was a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41 per cent (2011) to 56 per cent (2012).
However just over half of respondents say they don’t know what their cloud provider actually does to protect their data – and only 30 percent say they do know. This is an improvement on last year where 62 per cent of respondents said they didn’t know what measures their cloud provider took to protect their data.
Excluding network level encryption tools such as SSL, on a global basis the use of encryption to protect data before it goes to the cloud is 33 per cent higher than the use of encryption within the cloud itself. When encryption is applied inside the cloud it is more than a third more common in Software-as-a-Service (SaaS) offerings than other service types however regional variation is considerable.
When it comes to key management there is still no clear picture. In most cases the respondents report that their own organisations look after their own keys however this has declined from the previous year (36 per cent and 29 per cent respectively) and there is an apparent shift to key management being perceived to be a shared responsibility between cloud user and cloud provider.
This might point to the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where cloud encryption was identified as the most valuable usage scenario for the new protocol.
About the study
This Encryption in the Cloud study was commissioned as part of a larger international study on Global Encryption Trends. More than 4,000 organisations were surveyed in the US, UK, Germany, France, Australia, Japan and Brazil.
