When the Ponemon Institute released the results of its “2016 Gemalto Global Cloud Data Security Study” earlier this year, it once again highlighted the importance of security practices and data governance in cloud-based services. The study, sponsored by Gemalto, discusses the challenges inherent in cloud data security and includes information for protecting and minimizing risks to your sensitive data.
For the 2016 report, the Ponemon Institute surveyed 3,476 information technology (IT) and IT security professionals in the U.S., Europe, India, Australia, Japan, and South America and asked them about the security practices and governance policies they use to secure data and minimize risks when using the cloud.
The purpose of this study is to understand trends in cloud governance and security practices since the first research results were published in 2014, according to the Ponemon Institute. The 2016 research results discuss the following key findings:
- The growth in popularity of cloud-based services comes with an increased risk to sensitive data stored in the cloud
- Shadow IT presents ongoing challenges to cloud security
- Current data security governance practices overlook security practitioners
- Keeping sensitive data in the cloud secure is vital but not practiced
- Cloud complicates identity and access management
Rise in Cloud Usage Equates to Increased Risk
It’s no secret that the growth and popularity of cloud-based services bring unwanted risks to a business’ most valuable information. Customer information, email, consumer data, employee records, payment information, and health information are the types of data most subject to breach risks.
While 73% of the IT professionals participating in the study reported that cloud computing applications and platform solutions are essential to business operations today, they also stated they expect this number to increase to 81% over the next two years. And 60% of respondents said it’s harder to protect confidential or sensitive information in the cloud, even though organizations reported using cloud resources for 36% of their entire IT and data processing methods. (That number is expected to rise to 45% in the next two years.)
Challenges of Shadow IT
Shadow IT, a phrase used to describe the activities of employees using software and hardware that has not been approved by the IT department for use within the organization, was cited as a security concern by the survey participants. According to the research, an average of 49% of the cloud services deployed were not approved by corporate IT and “…an average of 47% of corporate data stored in the cloud environment is not managed or controlled by the IT department.” Without knowing all the applications residing in the organization’s cloud-based storage, or the security levels of each, IT departments cannot protect sensitive data.
Compliance Issues in the Cloud Increasing
Approximately 62% of the surveyed IT professionals believe the use of cloud resources increases compliance risks, and 73% described it as more complex to manage privacy and data protection regulations in cloud environments than on-premises. Still, 54% did not agree that their organizations have a proactive approach to managing compliance with privacy and data protection regulations in cloud environments.
Respondents reported finding it challenging to maintain adequate security and compliance standards in cloud computing environments. Moreover, most of them agreed it’s more difficult to protect sensitive data in cloud computing environments than in traditional approaches. And nearly half said restricting and controlling end-user data access is much harder in the cloud.
Data Security: Who’s in Charge?
One alarming discovery is that “security practitioners are not the decision makers when it comes to the use of cloud resources.” Only 21% of respondents reported that members of their security team were involved in decisions regarding the use of cloud applications or platforms.
One of the reasons for this lack of participation by security practitioners is that there’s confusion as to who is responsible for providing data protection in the cloud. Consequently, only 43% of IT professionals surveyed described their organizations as having clearly defined roles and responsibilities for safeguarding sensitive data in the cloud.
This issue is further compounded when organizations leave their IT security teams out of the loop about cloud resources. Nearly half of the IT professionals in the study lack confidence in knowing about all the cloud services used in their respective companies.
We Know It’s Important to Keep Data Secure But…
Forty-two percent of the IT respondents reported using private data network connectivity to secure the data their organization stores in the cloud. Thirty-nine percent stated their company was using encryption, tokenization or other cryptographic tools; yet, 35% of the respondents had no idea what security solutions were in place to protect data and maintain any level of compliance. The study’s authors speculate that business units and corporate IT departments are making investments in security without getting the proper input beforehand.
Cloud Complicates Identity and Access Management
Sixty-seven percent of the professionals surveyed stated that the administration of user identities is more involved in the cloud than in the on-premises environment. Although there are a range of measures that can increase cloud security and are not difficult to implement, most organizations are not adopting them. The study identified the most important features of controlling and securing access to cloud services as the ability to:
- Manage secure authentication before accessing data and applications in the cloud
- Maintain a record of consistently high availability
- Support multiple identity federation standards including SAML
- Add new identity management services quickly with short deployment cycles
- Utilize social identities provided from trusted third parties
- Operate with accelerated on-boarding process for new users
- Expand or contract usage based on the organization’s current needs
The study noted that, since 2014, the ability to control strong authentication before accessing data and applications in the cloud has increased from 73% of respondents to 78% of those surveyed.
Key Recommendations for Data Security in the Cloud
Overall, global organizations fail to secure data in the cloud due to the lack of critical governance and security practices in place. The report cites some indications of a positive nature, namely that the difficulty in protecting sensitive data in the cloud has decreased slightly, confidence in knowing all the cloud computing services in use in an organization is increasing, and the usage of encryption services in the cloud is growing. However, the findings underscore the reality that organizations still face significant challenges in securing sensitive data in the cloud.
The report concludes with a list of recommended practices for improving cloud governance, including:
Organizations should educate employees on security, set comprehensive policies for data governance and compliance, create guidelines for the sourcing of cloud services—such as including IT security in the process—and establish rules for securely storing data in the cloud.
Companies can increase security, maintain control of sensitive data, and improve compliance with regulatory mandates in the cloud by enabling IT departments to manage data protection solutions centrally across the organization.
As business continues to store more sensitive data in the cloud and deploy more cloud-based services, IT organizations must place greater emphasis on stronger data protection measures. This includes encrypting or tokenizing sensitive data, maintaining control and ownership of encryption keys, storing keys securely in hardware and separately from encrypted data, and applying secure multi-factor authentication to control access to cloud-based business applications.
OnRamp specializes in helping organizations remain compliant and secure in the cloud and throughout their entire infrastructure. Most companies are aware of encryption, but may not fully understand how to integrate this solution in their current environment. Compliance experts, like OnRamp, recommend that your organization follow encryption best practices, including data-at-rest encryption, self-encrypting hard drives, backup encryption, and other security services that keep your data safe and your organization compliant.