Businesses are vigorously adopting digital transformation to provide higher quality services, operate more efficiently and deliver better customer experiences. The engine powering this transformation is the cloud and the vast array of on-demand services it provides. In fact, according to the 2019 Thales Cloud Security Study, the average company uses 29 cloud services. In addition, 76% of the respondents said moving to a cloud environment is a strategic decision to increase efficiency, speed up deployment time and reduce costs.
So far so good, but when I speak to CIOs, the worrying thing is the clear disconnection between making strategic decisions about their move to the cloud and implementing them in a secure and effective manner.
Nearly half (48%) of corporate data is stored in the cloud. This corporate data is most notably consumer information (60%), data (46%) and business emails (48%). Despite the sensitivity of the data stored in the cloud, less than half (49%) of organizations are encrypting it in the cloud. And it gets worse: 35% of the organizations believe that cloud service providers bear the most responsibility for the sensitive data they store in the cloud.
You Are Responsible for Securing Your Data in the Cloud
Handing over responsibility for the security of your data to your cloud provider is a bit like giving the keys to your house to your neighbor. Sure, you trust your neighbor, but what if they lose your keys? Or, even worse, what if someone steals the keys from your neighbor?
It is no wonder that more and more data breaches are due to misconfigurations or inadequate security settings in cloud-provided services and applications. Organizations show an inability to understand the shared responsibility model when it comes to security. Let me repeat this once more: “security in the cloud” is the sole responsibility of the customer, that is, you. Whatever you store, whatever services you are using “in the cloud”, it is your responsibility to configure them correctly and to assume responsibility and accountability if something goes wrong. The provider is responsible only for the underlying infrastructure.
Speaking about roles and responsibilities, another worrying finding of the 2019 Cloud Security Study is that only 50% of the organizations that were surveyed have established clearly defined roles and accountability for safeguarding confidential or sensitive information stored in the cloud. Responsibility and accountability are the cornerstones of an effective security program, whether for on-premise, hybrid or multi-cloud environments. Who are you going to blame if something goes wrong?
Encrypt Everything and Control the Keys
If you remember Greek mythology, the Greeks almost lost the Trojan War because of Achilles’ heel. In cloud security, lack of encryption and poor management of keys can be the “Achilles’ heel”. Although encryption and tokenization are identified as significant factors for protecting sensitive information, on average less than 46% of such data is encrypted when transferred to the cloud environment, and only an average of 43% is secured with encryption and key management. What is more, only 53% of the respondents are in control of the encryption keys, and 50% of respondents say their organizations have separate identity management interfaces for the cloud and on-premise environment.
The figures above highlight a significant lack of centralized encryption management. If you couple this with the lack of understanding of the level of corporate responsibility for “security in the cloud”, you create a dangerous situation that is destined to explode in the hands of the C-Suite. Protecting your sensitive data must be a strategic decision and not a nice-to-have feature. Otherwise, the fines for violating GDPR and other privacy regulations, such as CCPA, are going to be huge. Not to mention the reputational damage caused by your breach hitting the headlines.
Maybe that explains why corporations based in Europe seem to be the most proactive in securing sensitive and confidential information in the cloud, managing the complexity of privacy and data protection regulations in the cloud environment, ensuring security policies for the cloud are in place and having confidence in knowing all cloud computing applications in use.
Thales can help you overcome the complexity of managing the security of your data across any cloud environment, including AWS, Azure, Google and Salesforce.com. Our Data Encryption and Access Management solutions enable you to apply security and access controls directly to both your sensitive data in the cloud and the individuals who access it. Investing in the right solutions now will help enable your cloud transformation, simplify compliance and prevent data breaches.
For more information, attend our “Global Trends in Cloud Security: Gaps in Security Persist in a Multi-Cloud World” webinar taking place on November 7 or visit the 2019 Thales Cloud Security Study website.