Who is responsible for the safety of confidential or sensitive information stored in the cloud?
According to “The Challenges of Cloud Governance and Data Safety Study,” one of the biggest challenges organizations face is the difficulty in answering that very question. The study, published by the Ponemon Institute and SafeNet, highlights the difficulties in enforcing security and data privacy policies in the cloud.
The Ponemon Institute surveyed 1,864 IT and IT security practitioners from the United States, United Kingdom, EMEA and APAC who described themselves as familiar with and involved in their companies’ usage of both public and private cloud resources. According to the report, 72 percent of respondents say their organizations are heavy (26 percent) or moderate (46 percent) users of cloud resources.
Main Areas of Concern
The study highlights a global reality: sensitive corporate data is at risk in the cloud, in part because of a lack of appropriate governance policies and security practices. Respondents reported the following areas of concern around cloud governance:
- Confusion about who is responsible for protecting sensitive data stored in the cloud.
- Decisions about the use of cloud resources made without consulting IT security or even involving IT security in the evaluations of the security capabilities of cloud service providers.
- Shadow IT issues with many IT departments uncertain about the extent of the cloud computing applications, platform or infrastructure services their organization is employing.
- Only 36 percent of respondents say they use encryption, tokenization or other cryptographic solutions to secure confidential data stored in the cloud.
- An inability to manage access and handling of sensitive data in the cloud by employees and third-party vendors, which makes compliance with regulations a challenge.
- Growth in the number of employees who are using cloud apps without specific training on the security procedures to follow.
The data most often stored in the cloud is also the data most sought after by cybercriminals. But does the growth and importance of the cloud mean an increase in policies and procedures to safeguard data? Apparently not. The study’s key findings point to the current state of cloud governance, which “…does not include a proactive approach to reducing security risks in the cloud.”
62 percent of the respondents reported a commitment to protecting sensitive data stored in the cloud and 70 percent described the management of privacy and data protection regulations in the cloud as more complex than in networks located within the organization. The complexity they describe is not being addressed with policies or a focus on compliance with privacy and security regulations.
According to the research, standard security practices are difficult to apply in public clouds. Among the top challenges are the inability to inspect cloud-computing providers directly, and the trouble in restricting or even controlling end-user access to confidential information. Additionally, respondents reported a lack of specialized security training for employees to help them in protecting the privacy and security of sensitive data kept in cloud applications. The majority of the respondents (56 percent) reported employee training on general security topics without explicit reference to cloud application security.
“The Challenges of Cloud Governance and Data Safety Study” also addresses the impact of Shadow IT. Approximately 50 percent of cloud services are deployed by departments other than IT and 44 percent of the data stored in the cloud is not managed or controlled by the IT department, so most IT departments do not know all of the cloud computing applications, platforms or infrastructures their organizations are using.
Encryption is another topic covered in the study. The research reveals that encryption, while considered critical, in actuality is not commonly used. “Seventy-one percent of respondents say the ability to encrypt or tokenize sensitive or confidential data is important, and 79 percent say it will become more important over the next two years.”
Recommendations for Improving Cloud Security
The study’s findings detail the challenges global organizations are facing as the race to the cloud picks up speed, but vital governance and security practices lag. It concludes by offering specific recommendations for more secure cloud environments including:
- Determine who is responsible for the safety of the data stored in the cloud. Involve IT security in assessing the security practices employed by the cloud services vendor.
- Develop clearly defined policies for the business departments and employees using cloud services and involve the IT department in those discussions.
- Reduce the risk of Shadow IT by clearly disclosing the usage of cloud services, applications, and platforms to the IT department.
- Implement policies about how to share documents securely across business units.
- Provide specialized training to employees that highlights the risks if they circumvent security policies when using SaaS applications.
- Adopt encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.
Use of cloud services will only continue to grow, as will the data breaches perpetrated by cybercriminals and neglectful employees. “The Challenges of Cloud Governance and Data Safety Study” details the current realities faced by organizations of all sizes and provides an extensive list of recommended steps, which may help organizations protect their cloud-based data.