The study examines perceptions and current practices surrounding the threats and protection issues relating to sensitive or confidential data in the cloud. It reveals surprising attitudes about who is considered responsible for protecting this valuable and often regulated class of data – the cloud service provider or cloud service consumer. The findings are also significant in explaining how that data is protected and where data encryption is applied inside and outside the cloud. Most important is who manages the associated encryption keys and therefore who ultimately controls access to the data.
Larry Ponemon, chairman and founder, Ponemon Institute, says:
"Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud. In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS. Perceived responsibility for data protection, awareness of security measures, confidence and impact on overall security posture illustrate important regional and service type differences but overall the trend is positive. Respondents generally feel better informed, more confident in their cloud service providers and more positive about the impact on their security posture compared with last year."
Richard Moulds, vice president strategy, Thales e-Security, says:
"Encryption is the most widely proven and accepted method to secure sensitive data both within the enterprise and the cloud, but it's no silver bullet. Decisions still need to be taken over where encryption is performed and critically, who controls the keys. This is perhaps one of the reasons why new key management standards, such as the Key Management Interoperability Protocol (KMIP), have already attracted considerable interest, particularly in the context of cloud encryption. Overall, it's very positive news that confidence in cloud security and in particular the use of encryption seems to be increasing. The ability to safely migrate sensitive applications to the cloud has the potential to deliver even more economic benefit than the more routine applications that have already taken that step."
· More than half of all respondents say their organization currently transfers sensitive or confidential data to the cloud – an increase of about 10% compared with last year's study.
· More than twice as many respondents say use of the cloud has decreased their security posture (35%) than say it has increased (15%), but this is an improvement on last year where nearly four times as many respondents said that cloud adoption had decreased their security posture (39%) while only 10% said it had increased. The greatest sense of improvement was seen in both the UK and Brazil.
· More than 60% of respondents whose organizations currently transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data, and 22% believe the cloud consumer to be responsible. However, the pattern is reversed for users of an Infrastructure-as-a-Service (IaaS) cloud offering.
· There was a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41% (2011) to 56% (2012).
· However, just over half of respondents say they don't know what their cloud provider actually does to protect their data – and only 30% say they do know. This is an improvement on last year, when 62% of respondents said they didn't know what measures their cloud provider took to protect their data.
· Excluding network level encryption tools such as SSL, on a global basis the use of encryption to protect data before it goes to the cloud is 33% higher than the use of encryption within the cloud itself. When encryption is applied inside the cloud, it is more than a third more common in Software-as-a-Service (SaaS) offerings than in other service types; however, regional variation is considerable.
· When it comes to key management there is still no clear picture. In most cases the respondents report that their own organizations look after their own keys; however, this has declined from the previous year (36% and 29% respectively), and there is an apparent shift to key management being perceived to be a shared responsibility between cloud user and cloud provider.
· This might point to the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where cloud encryption was identified as the most valuable usage scenario for the new protocol.
About the Study:
This Encryption in the Cloud study was commissioned as part of a larger international study on Global Encryption Trends. More than 4,000 organizations were surveyed in the US, UK, Germany, France, Australia, Japan and Brazil.
Thales offers high assurance hardware security modules (HSM) that bring the protection necessary to mitigate the risk of the theft or misuse of encryption keys and to simplify compliance with privacy regulations. Our keyAuthority centralized key manager provides full support for KMIP, allowing organizations to retain control of their keys and consolidate key management activities across a range of cloud and enterprise based encryption systems. Thales solutions play a key role in creating a secure, protected and compliant cloud infrastructure for cloud providers, enterprises and other organizations looking to protect sensitive and confidential data in a public or private cloud. Thales is also a major stakeholder and investor in the French Cloudwatt service.
Encryption in the Cloud webinar, Wednesday, June 26, 2013 11am EDT / 4pm BST
Join Larry Ponemon, Ponemon Institute and Richard Moulds, Thales for a webinar discussing the highlights of this new report. Register now at www.thales-esecurity.com/webinars
About Thales e-Security
Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and secure more than 80% of worldwide payment transactions. Thales e-Security has offices in Australia, France, Hong Kong, Norway, United States and the United Kingdom. www.thales-esecurity.com
Thales is a global technology leader for the Defence & Security and the Aerospace & Transport markets. In 2012, the company generated revenues of €14.2 billion with 67,000 employees in 56 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers and local partners. www.thalesgroup.com