Thales Blog

Data Protection In The Cloud - Are We Fooling Ourselves?

August 7, 2012

How many organizations currently transfer sensitive data to the cloud? Who should be responsible for looking after that data? Are organizations capable of protecting their data once it has been transferred to the cloud? And how do organizations apply encryption to protect data in the cloud? These are just some of the questions that our brand new study – Encryption in the Cloud – answers.

The study is based on a global survey carried out by the Ponemon Institute of over 4,000 business and IT managers. The findings are fascinating and provide a comprehensive picture of how organizations around the world approach the topic of protecting their sensitive data assets in the cloud environment.


We all know that, in general, the cloud has already become central to the IT strategy of many organizations around the world, but I expected to hear that organizations took a much more cautious approach when it comes to their more security-sensitive business processes and data. Surprisingly, about half of respondents said that their organization already entrusts sensitive or confidential data to the cloud, and a further third said that their organization is very likely to go down the same path in the next twenty-four months. That leaves only 18% who said they have no intention of risking confidential data in the cloud.

And once again we see that economics seems to trump security. Of the respondents that have already moved sensitive business processes to the cloud, 39% believe that cloud adoption has in fact decreased the security posture of their organizations and only 10% believe that it has been a net security benefit.

Next we looked at the issue of security posture from a different perspective and the findings seem to explode the notion that the security savvy are standing back and allowing the less sophisticated to fall into the cloud security trap.

The survey shows that in fact it is the organizations with the strongest security postures that are more likely to move sensitive data to the cloud and that those with weaker security postures tend to be more resistant. The obvious interpretation of this finding is that those organizations which understand information security better – the risks, regulations and measures available to counter security threats – are more likely to take advantage of the business benefits the cloud provides.

That actually sounds quite comforting, but the picture changes when we ask about responsibility and confidence. We focused on those that are currently transferring sensitive or confidential data to the cloud and asked them who is responsible for protecting it. The answer was surprising: nearly two thirds considered the cloud service provider to be primarily responsible and only 19% thought the responsibility was shared between the cloud provider and the organization using the cloud service.

Worse still, only half of those that expected the provider to protect the data thought that the provider was actually capable of doing so – not surprising when nearly two thirds said that they didn’t even know what measures their service provider was taking to provide security.

Finally we looked at the use of encryption. This survey is part of a broader global encryption trends study and so we already knew that encryption is becoming a critical data protection tool and we were keen to understand how it is used in the cloud.

35% of respondents said their organizations encrypt sensitive data before it ever leaves their organization, presumably because they don’t trust the cloud, whereas 27% rely on encryption being applied in the cloud to protect their data. That’s interesting, but of course the issue is that, regardless of where encryption is deployed, the net security is still driven by the measures that are put in place to protect and control the keys.

You would expect that those that perform encryption themselves, inside their organization, would keep control of the keys, but the survey showed that less than half retain exclusive control of the keys. Furthermore, for organizations that rely on encryption, only 32% retain control of the keys and 35% believe that the cloud service provider should have sole responsibility for managing keys. With the news last week about the breach at Dropbox, that sort of approach might raise a few eyebrows, particularly from your auditor!