Companies are moving relentlessly towards moving sensitive data to the cloud, although many are skeptical about the cloud providers ability to protect and many do not even know what the providers are doing. Yet the beat goes on to more and more migration to the cloud.
About half of the 4,140 companies queried by the Ponemon Institute in a survey sponsored by Thales about half are already transferring about their sensitive data to the cloud. Another one third expect to do so within the next two years, which will make it the norm rather than the exception. The rub comes in how much confidence they have in doing so.
Four out of 10 companies believe their security posture is weaker as a consequence of their action, while the largest group(44%) believe it has had no effect. That means that either they take the risk for the convenience and savings of cloud data storage, or it depends on whom you are talking to in the organization (a security-conscious person may not like it much, someone else may think it’s fine).
Fully 63 percent of the respondents do not know what cloud providers do to secure data entrusted to them. France, which has the lowest cloud participation (45%, tied with Japan), had the least knowledge of what the provider was doing to protect the data, 76%. Yet when ask who was responsible for securing the data, 67% of the French said the provider; only 11% said the client. Talk about throwing the data over the fence and hoping for the best! We don’t know what you are doing, we are not sure we trust it but we do it nonetheless.
The U.S. and U.K. were both fairly close in terms of who they thought was responsible, followed by Japan and Australia. Germany and Brazil exhibited, to a somewhat lesser degree, the laissez faire attitude of the French. Bon chance.
Among the companies that are currently transferring sensitive data to the cloud, there is strong bias towards the provider having responsibility for its security. Nearly a third, 31% of all the companies interviews who are already transferring data to the cloud hold the provider responsible, with only 8% saying they are responsible and 9% shared. The companies that plan to transfer are a lot less sure, with 11% saying the provider will be responsible and 15% saying they will be responsible. Perhaps this will change when reality sets in.
The question of encryption of data is critical to security, of course. Companies are split over where the data is encrypted. The companies split between data being encrypted as it is being transferred through its networks (38%) and those that encrypt the data before it is transferred to the cloud (35%). Another 16% encrypts selectively at the application layer within the cloud environment and 11% have data stored encrypted as a service.
On the subject of encryption keys, the largest number companies (36%) manage the keys themselves. The rest are split between third parties (22%) and the provider (22%), with the balance (18%) covered between a combination of the provider and the company.
What’s clear is that protestations of weaker security or a lack of trust notwithstanding, companies are flocking to cloud in increasing and soon dominant numbers, so the question will be not whether the cloud is secure, but how to best secure it.