A survey of more than 4,000 organizations around the globe gives a mix grade to data security in the cloud.
According to new research from Ponemon Institute and Thales e-Security, some 35 percent of respondents say their use of the cloud has decreased their security posture, while 15 percent say it has increased it. The greatest sense of improvement was seen in the UK and Brazil.
Just who has the most responsibility for security is a source of debate in the study. More than 60 percent of those whose organizations currently transfer sensitive or confidential data to the cloud believe the cloud provider has the primary responsible for protecting data. Twenty-two percent say the cloud consumer is responsible – though the patter is reversed for users of an infrastructure-as-a-service (IaaS).
“Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS.”
More than of the respondents said they don’t know what their cloud provider actually does to protect their data – a slight improvement over 2011, when 62 percent said they didn’t. Only 30 percent said they do. Those numbers echo another story released today from Cyber-Ark Software, which found that 56 percent of the nearly 1,000 C-level and IT executives surveyed were unaware of what their cloud providers were doing to secure privileged accounts.
Outside network level encryption tools such as SSL, globally the use of encryption to protect data before it goes to the cloud is 33 percent higher than the use of encryption within the cloud itself, according to the research. The use of encryption is a third more common in software-as-a-service offerings than any other service type.
Usually, the respondents said their own organization looked after their encryption keys, though this number declined to 29 percent in 2012 from 36 percent the year before.
“Encryption is the most widely proven and accepted method to secure sensitive data both within the enterprise and the cloud, but it’s no silver bullet,” said Richard Moulds, vice president strategy of Thales e-Security, in a statement. “Decisions still need to be taken over where encryption is performed and critically, who controls the keys. This is perhaps one of the reasons why new key management standards, such as the Key Management Interoperability Protocol (KMIP), have already attracted considerable interest, particularly in the context of cloud encryption.”
“Overall, it’s very positive news that confidence in cloud security and in particular the use of encryption seems to be increasing,” he said.