Companies are not adopting appropriate governance and security measures to protect sensitive data in the cloud, according to a Ponemon Institute report, The 2016 Global Cloud Data Security Study, commissioned by Gemalto.
More than 3,400 IT and IT security practitioners were surveyed from the UK, US, Brazil, Germany, France, Russian Federation, India, Japan and Australia.
The research disclosed that 92 percent of UK businesses fail to encrypt over 75 percent of their sensitive and confidential data when sent via the cloud. Four out of 10 (39 percent) don't encrypt sensitive and confidential data when it rests in the cloud. The most common type of data that UK companies store in the cloud is customer information (59 percent), followed by financial business information (47 percent) and email (45 percent).
“While UK businesses are choosing to store sensitive information from consumer and customer information to payment details in the cloud, they're still failing to properly protect it in the most secure techniques, such as encryption. If the recent hacks of LinkedIn, Myspace and Tumblr have taught us anything, it's that passwords alone are not secure enough to stop hackers getting access to the data and business leaders should take note,” said Joe Pindar, director product strategy, CTO at Gemalto in emailed comments to SCMagazineUK.com.
“Consumers need to start demanding, and businesses need to start providing, additional security beyond the password such as multi-factor authentication and encryption. Many companies already offer these tools, but they only work if the user remembers to activate them. In order for data to be truly protected, in the cloud or on your own servers, these techniques must be implemented from the start across all sensitive data, not just a small percentage,” Pindar continued.
Nearly three-quarters (73 percent) of respondents stated that cloud-based services and platforms are considered important to their organisations' operations and 81 percent said they will be more so over the next two years. Thirty-six percent said their companies' total IT and data processing needs were met using cloud resources today and that they expected this to grow to 45 percent over the next two years.
When asked what cloud resources are used to meet IT and data processing needs, Pindar told SC, “There are two different types of customer. The first one is a very traditionally focused customer that works on premise and will only go out into cloud environments if it's necessary. But then there are other organisations that have started to see key benefits in terms of the efficiency of the operation, the way in which the business is charged even for using cloud environments versus what they can provide on premise. That's where high-order services are like ‘how do you handle customer support tickets?’ and ‘how do you handle billing?’ and those kind of things. That's where technologies such as ServiceNow, for example, are really coming into their own and I think we all know from the broader business context that sales teams seem to be switching by default to technologies like Salesforce.com.”
Over half (54 percent) did not agree their companies have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments despite 65 percent saying that their organisations are committed to protecting confidential or sensitive information in the cloud. A further 56 percent don't agree that their organisation is careful about sharing sensitive information in the cloud with third parties.
“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations. To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenisation or other cryptographic solutions to secure sensitive data transferred and stored in the cloud,” said Dr Larry Ponemon, chairman and founder of Ponemon Institute.
Nearly half (49 percent) of cloud services are deployed by departments other than corporate IT, and an average of 47 percent of corporate data stored in cloud environments is not managed or controlled by the IT department. Fifty-four percent of respondents are confident that the IT organisation knows all cloud computing applications, platform or infrastructure services in use.
Over half of respondents (54 percent) said it's more difficult to protect confidential or sensitive information when using cloud services. Nearly the same (53 percent) said it is difficult to control or restrict end-user access. The inability to apply conventional information security in cloud environments (70 percent) and the inability to directly inspect cloud providers for security compliance (69 percent) are other major challenges that make security difficult.
Only 21 percent of respondents said their organisation's security team is involved in the decision-making process about using certain cloud applications or platforms. Most (64 percent) said their organisations don't have a policy that requires use of security safeguards such as encryption.
Just over two-thirds (67 percent) of respondents said the management of user identities is more difficult in the cloud than on-premises. About half (45 percent) of companies are not using multi-factor authentication to secure employee and third-party access to applications and data in the cloud, meaning companies are still relying solely on usernames and passwords for validation, putting more data at risk.
When asked why almost half of companies have not adopted multi-factor authentication, Ponemon told SC, “Things that would be rational like making investments in high-performing, low-cost solutions aren't done either because it's on the to-do list but it's not the highest priority. Multi-factor authentication is the standard. The results were 50 vs 51 percent of responding companies said they were doing it, which means the other half are not. I think they need to make more of an effort to make the numbers more like 80 or 90 percent.”
Recommendations for data security in the cloud:
IT organisations need to set comprehensive policies for data governance and compliance, create guidelines for the sourcing of cloud services and establish rules for what data can and cannot be stored in the cloud.
Implement data security measures such as encryption that allow them to protect data in the cloud in a centralised fashion as their internal organisations source cloud-based services as needed.
Place greater emphasis on stronger user access controls with multi-factor authentication, especially for companies giving third parties and vendors access to their data in the cloud.