Ponemon Institute and SafeNet Research Reveals that IT is Losing the Battle on Security in the Cloud

-- IT Departments Find It Difficult to Control Corporate Data in the Cloud as More than 40 Percent of Corporate Data Stored in the Cloud is Not Managed by Corporate IT

-- Companies Lack Single Point of Accountability When It Comes to Data Security in the Cloud

-- Conventional Data Security Measures Are More Difficult in the Cloud with More Organizations Turning to Encryption and Multi-Factor Authentication to Secure Data

A majority of IT organizations are kept in the dark when it comes to protecting corporate data in the cloud, putting confidential and sensitive information at risk. This is just one of the findings of a recent Ponemon Institute study commissioned by SafeNet, Inc., a global leader in data protection. The study, titled “The Challenges of Cloud Information Governance: A Global Data Security Study,” surveyed more than 1800 IT and IT security professionals worldwide.

Among the key findings, the research indicates that while organizations are increasingly using cloud computing resources, IT staff is having trouble controlling the management and security of data in the cloud. The survey found that only 38 percent of organizations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud. Adding to the confusion, 44 percent of corporate data stored in cloud environments is not managed or controlled by the IT department. And more than two-thirds (71 percent) of respondents say it is more difficult to protect sensitive data in the cloud using conventional security practices.

“The findings reveal that global organizations are struggling to secure data in the cloud due to the lack of critical governance and security practices in place,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “To create a more secure cloud environment, organizations can begin with simple steps such as including IT security in establishing security policies and procedures; increasing visibility into the use of cloud applications, platforms, and infrastructure; and protecting data with encryption and stronger access controls, such as multi-factor authentication.”

Key Findings

As the Cloud’s Popularity Grows, So Does the Risk to Sensitive Data

Nearly three-quarters (71 percent) of IT professionals confirmed that cloud computing is very important today, and more than three quarters (78 percent) believe it will be over the next two years. The respondents also estimate that 33 percent of their organizations’ total IT and data processing requirements are met with cloud resources today, and that is expected to increase to an average of 41 percent within two years.

However, the majority of respondents (70 percent) agree that it is more complex to manage privacy and data protection regulations in a cloud environment, and they also agree that the types of corporate data stored in the cloud, such as emails, and consumer, customer, and payment information, are the types of data most at risk.

Cloud Security, Shadow IT and the Need for More Accountability

On average, half of all cloud services are deployed by departments other than corporate IT, and an average of 44 percent of corporate data stored in the cloud environment is not managed or controlled by the IT department. As a result, only 19 percent of respondents are very confident that they know about all cloud computing applications, platforms, or infrastructure services in use in their organizations today.

Along with this lack of control over the sourcing of cloud services, views on who is actually accountable for cloud data security are mixed. Thirty five percent of respondents say it is a shared responsibility between the cloud user and the cloud provider while 33 percent say it is the responsibility of the cloud user and 32 percent say it is the responsibility of the cloud provider.

Encryption, Multi-Factor Authentication Seen as Strong Alternatives to Conventional Data Security Measures

More than two-thirds (71 percent) of respondents say it is more difficult to protect sensitive data in the cloud using conventional security practices, and nearly half (48 percent) say it’s more difficult to control or restrict end-user access to cloud data. As a result, more than one-third (34 percent) of IT professionals surveyed say their organizations already have a policy in place that requires the use of security safeguards such as encryption as a condition for using certain cloud computing resources. Seventy-one (71) percent of respondents say the ability to encrypt or tokenize sensitive or confidential data is important, and 79 percent say it will become more important over the next two years.

In terms of what companies are actually doing to secure data in the cloud, 43 percent of respondents say their organization is using private data network connectivity. Nearly two-fifths, or 39 percent, of respondents say their organizations use encryption, tokenization or other cryptographic tools to protect data in the cloud. Thirty-three percent say they don’t know what security solutions they use and 29 percent say they use premium security services provided by their cloud provider.

Respondents also noted that the management of their encryption keys is important to securing data in the cloud, given the increasing number of key management and encryption platforms their companies use. Fifty-four percent of respondents say their organization controls the encryption keys when data is stored in the cloud. However, 45 percent say they store their encryption keys in the software where they store their data while 27 percent say they store their keys in more secure environments such as hardware devices.

Regarding access to data in the cloud, 68 percent of respondents also say that the management of user identities is more difficult in the cloud, and 62 percent of respondents say their organizations have third parties accessing the cloud. Nearly half (46 percent) say their company uses multi-factor authentication to secure third-party access to data in the cloud environment. About the same percentage (48 percent) of respondents say their organizations use multi-factor authentication for employees’ access to the cloud.

“While the cloud has revolutionized the way IT is delivered, many IT organizations are finding it difficult to keep up with demand for these services and the security implications that are created when critical data is stored in the cloud,” said Tsion Gonen, chief strategy officer, SafeNet. “And as we’ve seen in 2014 with a raft of record-breaking data breaches, organizations are attacked frequently from different angles. In order to mitigate risk, there needs to be focused coordination and new approaches to securing data in the cloud, and IT needs to be at the center of this migration.”

Key Recommendations for Data Security in the Cloud

The role of IT organizations is changing and they need to adapt to the new realities of Cloud IT by educating employees on security, setting comprehensive policies for data governance and compliance, creating guidelines for the sourcing of cloud services, and establishing rules for what data can and cannot be stored in the cloud.

IT organizations can accomplish their mission to protect corporate data while being an enabler of “Shadow IT” by implementing data security measures such as “encryption-as-a-service” that allow them to manage the protection data in the cloud in a centralized fashion as their internal organizations source cloud-based services as needed.

As companies store more data in the cloud and utilize more cloud-based services for their employees, IT organizations need to place greater emphasis on stronger user access controls with multi-factor authentication. This is even more important for companies that give third-parties and vendors to access their data in cloud. Multi-factor authentication solutions can be managed centrally to provide more secure access to all applications and data whether in the cloud or on-premises.

Resources

Read the full Ponemon Institute report here:
http://www2.safenet-inc.com/cloud-security-research/SafeNet-Cloud-Governance.pdf

Survey Web Page:
http://www2.safenet-inc.com/cloud-security-research

SafeNet Cloud Security page:
http://www.safenet-inc.com/data-protection/virtualization-cloud-security/

About SafeNet, Inc.

Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet’s data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.  Learn more about SafeNet on Twitter, LinkedIn, Facebook, YouTube, and Google+.