Annual global survey reveals widespread uncertainty about cloud security and negative impact on security posture
InfoSecurity Europe, London and Plantation, Fla – April 29, 2014 – Thales, a world leader in Critical Information Systems and Cybersecurity announces the cloud is losing the ‘scare factor’ for businesses, according to its latest report – Encryption in the Cloud. The study reveals that more and more organizations are transferring sensitive or confidential information to public cloud services even though more than a third expect a negative impact on security posture. In response, the use of encryption is increasing but more than half of respondents still admit their sensitive data goes unprotected when it is stored in the cloud, despite data security topping the global news agenda.
The independent global study of more than 4,000 organizations conducted by the Ponemon Institute reveals differing opinions over who is responsible for security in the cloud – the cloud provider, or the cloud consumer and how best to protect the sensitive data that is sent there. The report explores the impact on security posture of moving to the cloud, the transparency of cloud providers, how organizations are treading the line between trust and control with regard to encryption and how encryption keys should be managed.
Larry Ponemon, chairman and founder, Ponemon Institute, says:
Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud. It is perhaps a sign of confidence that organizations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data and it is encouraging to find that significantly fewer respondents believe that use of the cloud is weakening their security posture. However there are still concerns that many organizations continue to believe that their cloud providers are solely responsible for protecting their sensitive data even though the majority of respondents claim not to know what specific security measures their cloud provider is taking.
Richard Moulds, vice president strategy, Thales e-Security, says:
Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, and yet more than half of respondents report that sensitive data in the cloud goes unprotected. Those that are using encryption have adopted a variety of deployment strategies but once again a universal pain point is key management. Very often, the way that keys are managed makes all the difference with poor implementations dramatically reducing effectiveness and driving up costs. Key management is a critical control issue for respondents, who are increasingly focused on retaining ownership of keys as a way to control access to data. Deployed correctly encryption can help organizations to migrate sensitive data and high risk applications to the cloud, allowing them to safely unlock the full potential for economic benefit the cloud can deliver.
- Cloud security is here to stay: The use of the cloud for processing and storing sensitive data seems inevitable. More than half of all respondents say their organization already transfers sensitive or confidential data to the cloud and only 11 percent say that their organization has no plans to use the cloud for sensitive operations, down from 19 percent only two years ago.
- Cloud confidence is on the up, but at what cost? Although nearly half of respondents believe that their use of the cloud has had no impact on their overall security posture, those that believe it has had a negative effect (34 percent) on their security posture outnumbered those that experienced a positive effect (17 percent) by a factor of two to one.
- Where does the security buck stop? The perceived responsibility for protecting sensitive data in the cloud is very dependent on the type of cloud service in question. In software-as-a-service (SaaS) environments more than half of respondents see the cloud provider as being primarily responsible for security. In contrast, nearly half of infrastructure-as-a-service/platform-as-a-service (IaaS/PaaS) users view security as a shared responsibility between the user and cloud provider.
- Visibility improves but gaps remain: The good news is that visibility into the security practices of cloud providers is increasing with 35 percent of respondents considering themselves knowledgeable about the security practices of their cloud providers compared with 29 percent only two years ago. But, half of SaaS users still claim to have no knowledge of what steps their providers are taking to secure their sensitive data.
- Encryption usage increases but data still exposed: The use of encryption to protect sensitive or confidential data stored in the cloud (data at rest) appears to be increasing. For SaaS users we see an increase from 32 percent in 2011 to 39 percent in 2013 and for IaaS/PaaS users respondents report an increase from 17 percent to 26 percent over the same period, but still, more than half of respondents report that their sensitive data is in the clear and therefore readable when stored in the cloud.
- Treading a line between trust and control: There is currently an almost equal division in terms of how stored data is encrypted while in the cloud. Of those respondents that encrypt stored data just over half apply encryption directly within in the cloud with just over 40 percent elect to encrypt the data before it is sent to the cloud.
- Who holds the key? When it comes to key management there is a clear recognition of the importance of retaining ownership of encryption keys with 34 percent of respondents reporting that their own organization is in control of encryption keys when data is encrypted in the cloud. Only 18 percent of respondents report that the cloud provider has full control over keys.
- Standards enable trust in a shared environment: The need to share keys between organizations and the cloud highlights the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where 54 percent of respondents identify cloud based applications and storage encryption as the area to be most impacted by the adoption of the KMIP standard.
About the Study:
This Encryption in the Cloud study was commissioned as part of a larger international study on Global Encryption Trends. More than 4,000 organizations were surveyed in the US, UK, Germany, France, Australia, Japan, Brazil and Russia. Click here to download a copy of Encryption in the Cloud: https://www.thales-esecurity.com/knowledge-base/analyst-reports/encryption-in-the-cloud-english
Thales offers high assurance hardware security modules (HSM) that protect keys from the risk of theft or misuse simplifying compliance with privacy regulations. Our keyAuthority centralized key manager reduces the operation burden of managing keys securely and provides full support for KMIP, allowing organizations to retain control of their keys and consolidate key management activities across a range of cloud and enterprise based encryption systems. Thales solutions play a key role in creating a secure encryption and key management infrastructure for cloud providers, enterprises and other organizations looking to protect sensitive and confidential data. Thales is also a major stakeholder and investor in the French Cloudwatt service.
Visit Thales at stand F30, InfoSecurity Europe 2014, Earls Court, London, 29 April – 1 May 2014.
For industry insight and views on the latest payment security and key management trends check out our blog www.thales-esecurity.com/blogs
About Thales e-Security
Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and secure more than 80 percent of worldwide payment transactions. Thales e-Security has offices in Australia, France, Hong Kong, Norway, United States and the United Kingdom. www.thales-esecurity.com
Thales is a global technology leader in the Aerospace, Transportation and Defence & Security markets. In 2013, the company generated revenues of €14.2 billion (equivalent of $18.3 billion) with 65,000 employees in 56 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers and local partners. www.thalesgroup.com
Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market. The Group’s security teams work with government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.
Drawing on its strong cryptographic capabilities, Thales is one of the world leaders in cybersecurity products and solutions for critical state and military infrastructures, satellite networks and industrial and financial companies. With a presence throughout the entire security chain, Thales offers a comprehensive range of services and solutions ranging from security consulting, intrusion detection and architecture design to system certification, development and through-life management of products and services, and security supervision with Security Operation Centres in France and the United Kingdom.
Thales Media Relations – Security
+33 (0)1 57 77 90 89
Thales e-Security Media Relations
+44 (0)1223 723612