Having recently read The 2016 Global Cloud Data Security Study, by the Ponemon Institute and commissioned by Gemalto, I felt the need to highlight some of the key findings, which clearly demonstrate the lack of security preparedness across the enterprise market, by and large.
Cloud security is stormy because of shadow IT: This one was surprising. Who knew that so many cloud services (49 percent) are deployed by departments other than corporate IT? Or did you know that an average of 47 percent of corporate data stored in cloud environments is not managed or controlled by the IT department? That said, 54 percent of respondents are confident that their IT organizations know all cloud computing applications, platform or infrastructure services in use. This represents a nine percent increase from 2014.
Conventional security practices do not apply in the cloud: In 2014, 60 percent of respondents felt it was more difficult to protect confidential or sensitive information when using cloud services. This year, 54 percent said the same. Difficulty in controlling or restricting end-user access increased from 48 percent in 2014 to 53 percent of respondents in 2016. The other major challenges that make security difficult include the inability to apply conventional information security in cloud environments (70 percent of respondents) and the inability to directly inspect cloud providers for security compliance (69 percent of respondents).
More customer information is being stored in the cloud and is considered the data most at risk: Respondents said customer information, emails, consumer data, employee records and payment information are the types of data most often stored in the cloud. In looking at the trends, it is noted that, since 2014, the storage of customer information in the cloud has increased the most, from 53 percent in 2014 to 62 percent. In addition, 53 percent also considered customer information the data most at risk in the cloud.
Security departments left in the dark when it comes to buying cloud services: Now for the rather disturbing part. The survey found only 21 percent of respondents said members of the security team are involved in the decision-making process about using certain cloud applications or platforms. It gets worse with the finding that 64 percent also said their organizations do not have a policy that requires use of security safeguards, such as encryption, as a condition to using certain cloud computing applications.
Encryption is important, but not yet pervasive in the cloud: Confirming what other reports have found, and which is also cause for some consternation given how high the stakes are, 72 percent of respondents said the ability to encrypt or tokenize sensitive or confidential data is important, with 86 percent saying it will become more important over the next two years, up from 79 percent in 2014. However, encryption is not yet widely deployed in the cloud. The authors cite SaaS as an example: only 34 percent of respondents say their organization encrypts or tokenizes sensitive or confidential data directly within cloud-based applications.
Just as a personal observation: while the case can be made that not everything needs to be encrypted, and there are questions surrounding where, when, why, how and at what cost, the lack of encryption for data that we see breached and sold on the dark web on an almost daily basis is troubling.
Many companies still rely on passwords to secure user access to cloud services: On a practical note, 67 percent said the management of user identities is more difficult in the cloud than on-premises, and 45 percent of companies are not using multi-factor authentication to secure employee and third-party access to applications and data in the cloud. This means they are relying on easily compromised user names and passwords. With 58 percent of respondents saying their organizations have third-party users accessing their data and information in the cloud, this is perilous.
What to do?
The report has some recommendations on how to improve cloud data security. The main one is that comprehensive policies for data governance and compliance must be established, with specific guidelines for the sourcing of cloud services, along with rules for what data can and cannot be stored in the cloud. In short, IT organizations can accomplish their mission to protect corporate data while also being enablers of Shadow IT by “implementing data security measures such as encryption that allow them to protect data in the cloud in a centralized fashion as their internal organizations source cloud-based services as needed.” In addition, possibly in the category of having a keen grasp of the obvious, IT needs to beef up access controls both for internal employees and third-party vendors. Indeed, one would have thought that the Snowden leaks would have caused a spike in investment in enhanced authentication capabilities.
Edited by Stefania Viscusi