A new survey of more than 4,000 organizations in seven countries from the Ponemon Institute, commissioned by Thales e-Security, tries to put a positive spin on the state of data protection in the cloud, but the only conclusion I could come to was that cloud security is a disaster waiting to happen. According to Thales, which knows a thing or two about data protection, organizations are more confident transferring sensitive data to the cloud despite data protection concerns.
More than half of the respondents say their organization currently transfers sensitive or confidential data to the cloud – an increase of about 10% compared with last year’s study. Respondents generally feel better informed, more confident in their cloud service providers and more positive about the impact on their security posture compared with last year, stated Larry Ponemon, chairman and founder, Ponemon Institute.
Here are some of the findings that troubled me:
- more than twice as many respondents say use of the cloud has decreased their security posture (35%) than say it has increased (15%), but this is an improvement on last year, when nearly four times as many said that cloud adoption had decreased their security posture (39%) while only 10% said it had increased;
- more than 60% who currently transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data and 22% believed the cloud consumer to be responsible (the pattern is reversed for users of an Infrastructure-as-a-Service (IaaS) cloud offering);
- there was a marked increase in confidence in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41% (2011) to 56% (2012);
- however, just over half of respondents say they don’t know what their cloud provider actually does to protect their data – and only 30% say they do know (this is an improvement on last year, when 62% said they didn’t know what measures their cloud provider took to protect their data);
- excluding network level encryption tools such as SSL, the use of encryption to protect data before it goes to the cloud is 33% higher than the use of encryption within the cloud itself; and,
- when it comes to key management there is still no clear picture. In most cases the respondents report that their own organizations look after their own keys; however, this has declined from the previous year (36% and 29% respectively) and there is an apparent shift to key management being perceived to be a shared responsibility between cloud user and cloud provider.
The results were a little less of a surprise to Thales’ Richard Moulds, VP Strategy, who said they probably got over the shock from last year’s study. He did find the idea of pushing off security to cloud providers “a little bit of wishful thinking.” It becomes even more alarming when you consider the recent Verizon security report that found the average period that breaches remain undiscovered is four months, he said.
However, the problems can be much worse than the study indicates, he added. “At the end of the day, this survey is of IT security people. There is a real risk that these numbers are understated.”
One of the real challenges to security is Shadow IT, employees sidestepping corporate IT to use outside services like Dropbox and Box, said Moulds.
According to Enterprise Strategy Group, almost half (40%) of organizations have policies saying you can’t use a personal account to store data, but almost 40% of those with such a policy know people have personal accounts, and the actual numbers are probably 80%.
As for the uptick to 15% believing their security had improved by moving to the cloud, a 50% increase from last year, Moulds felt that was just recognition that “they’re not very good at security themselves.” On a more positive note, at least from Thales’ perspective, the use of encryption is growing, and that is a positive development for the evolution and adoption of standards like the Key Management Interoperability Protocol (KMIP).
“Encryption is the most widely proven and accepted method to secure sensitive data both within the enterprise and the cloud, but it’s no silver bullet,” he stated. “Decisions still need to be taken over where encryption is performed and critically, who controls the keys.”
He believes some of the increased confidence in cloud security might be attributed to the growth in encryption. “They’re encrypting data before sending it to the cloud, so it’s not necessarily trusting cloud so much as trusting encryption.”
People have been focusing on the technology, but they can’t focus on security without focusing on the information, he said. These are still early days for cloud security, but Moulds believes encryption will be the key moving forward.
“It’s no longer good enough to say data in the cloud is encrypted. Who owns the keys? How safe is the encrypted data?”