Cloud Data Security: 10 Field Observations


In a recent  post, we commented on the coverage cloud data security has been getting in the trade press, noting that security was a larger issue than availability (despite some recent, well-publicized outages at major public cloud providers). Furthermore, we noted that the emergence of big data initiatives at the corporate level had exacerbated concerns about cloud data security. Today, we follow up with some field observations, culled from the  Ponemon Institute’s recent  study of encryption in the cloud.

The study surveyed more than 4,000 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan, and Brazil with the objective of determining how organizations protect information assets entrusted to cloud providers. Here are 10 key survey findings relating to data protection, encryption, and key management activities in the cloud:

  •  Transfer of data
    About half of respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within another two years, another third say they are very likely to do this.
  • Security effects
    Thirty-nine percent of respondents believe cloud adoption has decreased their companies’ security postures. Forty-four percent indicate cloud adoption has neither increased nor decreased security posture. Only 10 percent believe cloud adoption has increased their organization’s security posture.
  • Responsibility
    Forty-four percent of respondents believe that the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud; 30 percent believe it is the cloud consumer who has primary responsibility.
  • Use and attribution of responsibility
    Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider responsible for data protection; those that do not currently do so are more likely to hold the cloud consumer responsible.
  • Consuming in the dark
    Sixty-three percent of respondents say that they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them.
  • Confidence levels
    In general, those who select the cloud provider as most responsible for protecting data are more confident in the provider’s ability to do so than are those who select their own organization as most responsible (51 percent versus 32 percent).
  • Where data encryption is applied
  • Encryption site and responsibility
    Among companies that encrypt data inside the cloud, 74 percent believe the cloud provider is most responsible for protecting the data. Among those encrypting within their organization before sending to the cloud, only 34 percent hold the cloud provider most responsible for security.
  • Encryption key management responsibility
    Thirty-six percent say their own organization is most responsible for key management when sensitive or confidential information is transferred to the cloud. Twenty-two percent say the cloud provider is most responsible. Another 22 percent say a third party (i.e., another independent service provider) is responsible.
  • Strength from strength
    Companies with characteristics indicating a strong security posture are more likely to transfer sensitive or confidential information than those with weaker secure postures. In other words, companies that understand security are more willing and able to take advantage of the cloud. This finding is at odds with the conventional belief that security-aware organizations are more skeptical of cloud security, while those less aware of security are more likely to overlook a perceived lack of security.

Posted by Epicor Social Media Team


Share on...