6/26/2013
06:54 PM
Dark Reading
Products and Releases

Thales Finds Organizations More Confident Transferring Sensitive Data To The Cloud Despite Data Protection Concerns

Study reveals surprising attitudes about who is considered responsible for protecting data in the cloud

Plantation, Fla. – June 25, 2013 – Thales, leader in information systems and communications security, announces the results of a new survey on cloud security that shows an increasing number of organizations transferring sensitive or confidential data to the cloud despite concerns over data protection. Encryption in the Cloud is a global study of more than 4,000 organizations in seven countries conducted by the Ponemon Institute and commissioned by Thales.

The study examines perceptions and current practices surrounding the threats and protection issues relating to sensitive or confidential data in the cloud. It reveals surprising attitudes about who is considered responsible for protecting this valuable and often regulated class of data – the cloud service provider or cloud service consumer. The findings are also significant in explaining how that data is protected and where data encryption is applied inside and outside the cloud. Most important is who manages the associated encryption keys and therefore who ultimately controls access to the data.

Larry Ponemon, chairman and founder, Ponemon Institute, says:

"Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud. In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS. Perceived responsibility for data protection, awareness of security measures, confidence and impact on overall security posture illustrate important regional and service type differences but overall the trend is positive. Respondents generally feel better informed, more confident in their cloud service providers and more positive about the impact on their security posture compared with last year."

Richard Moulds, vice president strategy, Thales e-Security, says:

"Encryption is the most widely proven and accepted method to secure sensitive data both within the enterprise and the cloud, but it's no silver bullet. Decisions still need to be taken over where encryption is performed and critically, who controls the keys. This is perhaps one of the reasons why new key management standards, such as the Key Management Interoperability Protocol (KMIP), have already attracted considerable interest, particularly in the context of cloud encryption. Overall, it's very positive news that confidence in cloud security and in particular the use of encryption seems to be increasing. The ability to safely migrate sensitive applications to the cloud has the potential to deliver even more economic benefit than the more routine applications that have already taken that step."

Key findings:

· More than half of all respondents say their organization currently transfers sensitive or confidential data to the cloud – an increase of about 10% compared with last year's study.

· More than twice as many respondents say use of the cloud has decreased their security posture (35%) than say it has increased (15%), but this is an improvement on last year where nearly four times as many respondents said that cloud adoption had decreased their security posture (39%) while only 10% said it had increased. The greatest sense of improvement was seen in both the UK and Brazil.

· More than 60% of respondents whose organizations currently transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data and 22% believed the cloud consumer to be responsible. However, the pattern is reversed for users of an Infrastructure-as-a-Service (IaaS) cloud offering.

· There was a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41% (2011) to 56% (2012).

· However, just over half of respondents say they don't know what their cloud provider actually does to protect their data – and only 30% say they do know. This is an improvement on last year, when 62% of respondents said they didn't know what measures their cloud provider took to protect their data.

· Excluding network-level encryption tools such as SSL, on a global basis the use of encryption to protect data before it goes to the cloud is 33% higher than the use of encryption within the cloud itself. When encryption is applied inside the cloud, it is more than a third more common in Software-as-a-Service (SaaS) offerings than other service types; however, regional variation is considerable.

· When it comes to key management, there is still no clear picture. In most cases the respondents report that their own organizations look after their own keys; however, this has declined from the previous year (36% and 29% respectively), and there is an apparent shift to key management being perceived to be a shared responsibility between cloud user and cloud provider.

· This might point to the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where cloud encryption was identified as the most valuable usage scenario for the new protocol.

About the Study:

This Encryption in the Cloud study was commissioned as part of a larger international study on Global Encryption Trends. More than 4,000 organizations were surveyed in the US, UK, Germany, France, Australia, Japan and Brazil. Click here to download a copy of Encryption in the Cloud.

Thales offers high-assurance hardware security modules (HSMs) that bring the protection necessary to mitigate the risk of the theft or misuse of encryption keys and to simplify compliance with privacy regulations. Our keyAuthority centralized key manager provides full support for KMIP, allowing organizations to retain control of their keys and consolidate key management activities across a range of cloud and enterprise-based encryption systems. Thales solutions play a key role in creating a secure, protected and compliant cloud infrastructure for cloud providers, enterprises and other organizations looking to protect sensitive and confidential data in a public or private cloud. Thales is also a major stakeholder and investor in the French Cloudwatt service.

Encryption in the Cloud webinar, Wednesday, June 26, 2013 11am EDT / 4pm BST

Join Larry Ponemon, Ponemon Institute and Richard Moulds, Thales for a webinar discussing the highlights of this new report. Register now at www.thales-esecurity.com/webinars

For industry insight and views on the latest payment security and key management trends check out our blog www.thales-esecurity.com/blogs

Follow Thales e-Security on Twitter @Thalesesecurity, LinkedIn, Facebook and YouTube

About Thales e-Security

Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and secure more than 80% of worldwide payment transactions. Thales e-Security has offices in Australia, France, Hong Kong, Norway, United States and the United Kingdom. www.thales-esecurity.com

About Thales

Thales is a global technology leader for the Defence & Security and the Aerospace & Transport markets. In 2012, the company generated revenues of €14.2 billion with 67,000 employees in 56 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers and local partners. www.thalesgroup.com
