Attitudes towards data protection and encryption in the cloud

An increasing number of organizations are transferring sensitive or confidential data to the cloud despite concerns over data protection, according to the Ponemon Institute.

The study examines perceptions and current practices surrounding the threats and protection issues relating to sensitive or confidential data in the cloud. It reveals surprising attitudes about who is considered responsible for protecting this valuable and often regulated class of data – the cloud service provider or cloud service consumer.

The findings are also significant in explaining how that data is protected and where data encryption is applied inside and outside the cloud. Most important is who manages the associated encryption keys and therefore who ultimately controls access to the data.

Larry Ponemon, chairman and founder, Ponemon Institute, says: “Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud. In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS. Perceived responsibility for data protection, awareness of security measures, confidence and impact on overall security posture illustrate important regional and service type differences but overall the trend is positive. Respondents generally feel better informed, more confident in their cloud service providers and more positive about the impact on their security posture compared with last year.”

Key findings:

• More than half of all respondents say their organization currently transfers sensitive or confidential data to the cloud – an increase of about 10 percent compared with last year’s study.
• More than twice as many respondents say use of the cloud has decreased their security posture (35 per cent) than say it has increased (15 per cent), but this is an improvement on last year where nearly four times as many respondents said that cloud adoption had decreased their security posture (39 per cent) while only 10 per cent said it had increased. The greatest sense of improvement was seen in both the UK and Brazil.
• More than 60 per cent of respondents whose organizations currently transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data and 22 per cent believed the cloud consumer to be responsible. However, the pattern is reversed for users of an Infrastructure-as-a-Service (IaaS) cloud offering.
• There was a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41 per cent (2011) to 56 per cent (2012).
• However just over half of respondents say they don’t know what their cloud provider actually does to protect their data – and only 30 percent say they do know. This is an improvement on last year where 62 per cent of respondents said they didn’t know what measures their cloud provider took to protect their data.
• Excluding network level encryption tools such as SSL, on a global basis the use of encryption to protect data before it goes to the cloud is 33 per cent higher than the use of encryption within the cloud itself. When encryption is applied inside the cloud it is more than a third more common in Software-as-a-Service (SaaS) offerings than other service types however regional variation is considerable.
• When it comes to key management there is still no clear picture. In most cases the respondents report that their own organizations look after their own keys however this has declined from the previous year (36 per cent and 29 per cent respectively) and there is an apparent shift to key management being perceived to be a shared responsibility between cloud user and cloud provider.
• This might point to the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where cloud encryption was identified as the most valuable usage scenario for the new protocol.

Richard Moulds, vice president strategy, Thales e-Security, says: “Encryption is the most widely proven and accepted method to secure sensitive data both within the enterprise and the cloud, but it’s no silver bullet. Decisions still need to be taken over where encryption is performed and critically, who controls the keys. This is perhaps one of the reasons why new key management standards, such as the Key Management Interoperability Protocol (KMIP), have already attracted considerable interest, particularly in the context of cloud encryption. Overall, it’s very positive news that confidence in cloud security and in particular the use of encryption seems to be increasing. The ability to safely migrate sensitive applications to the cloud has the potential to deliver even more economic benefit than the more routine applications that have already taken that step.”