Organizations hosting sensitive data in the cloud aren't confident of their ability to protect that data, according to a new survey by the Cloud Security Alliance. (Photo by Leon Neal/Getty Images)

The Cloud Security Alliance (CSA) on Wednesday released a report that found 67% of organizations host sensitive data or workloads in the public cloud.

While 89% of respondents found that cloud service provider (CSP) security controls are effective, the CSA found that organizations still aren’t confident in their own ability to protect sensitive data in the cloud.

Most organizations report that their CSP security controls are highly effective (38%) or somewhat effective (51%). However, just under one-third were not confident or only slightly confident about their ability to protect sensitive data in a cloud environment. Another 44% say they were only moderately confident.

The high levels of interest (more than 50% of respondents) in privacy enhancing computation (PEC) techniques, like homomorphic encryption and confidential computing, demonstrate how top-of-mind data processing in the public cloud or with multiple parties is for organizations, said Hillary Baron, senior technical director for research at the CSA, and a lead author of the report.

“Companies have sensitive data in public cloud, but are not confident with their ability to secure it,” Baron said. “PEC techniques help to bridge that gap. The use and interest in PEC techniques will only pick up over the next several years as the space continues to mature.”

Saryu Nayyar, founder and CEO at Gurucul, said while it’s not surprising that most organizations already host sensitive data or workloads in the public cloud, what’s of greater concern is the large number (75%) of respondents who are not confident, slightly confident, or moderately confident about their ability to protect sensitive data in cloud environments.

“It's increasingly common for organizations to use multiple cloud providers which introduces cross-cloud risks that require more sophisticated security controls,” Nayyar said. “New attacks, such as multi-RAT campaigns, increasingly embed themselves across multiple cloud services, making it very difficult for organizations to reduce their attack exposure while meeting digital transformation objectives. What organizations need are cross-cloud detection and response solutions that span across all common cloud stacks (Amazon Web Services, Microsoft Azure, Google Cloud Platform), providing a unified view of security and risk across multiple cloud environments.”

Shira Shamban, chief executive officer at Solvo, added that it’s most surprising that 33% of respondents in the CSA survey don't think or don't know they have sensitive data in the cloud.

“Once you run a cloud-native or a hybrid application in the cloud, you will have keys in order for it to operate smoothly and leverage other cloud capabilities,” Shamban said. “If you don’t acknowledge how sensitive this data is or that it exists, you’re leaving yourself seriously exposed. Security teams must store their keys and credentials somewhere secure and ensure that policies can control access.”