A new study by Ponemon Institute and Gemalto has gone a long way in pinpointing the reasons why so many organizations struggle with cloud security. One of the findings in The 2016 Global Cloud Data Security Study is that our approach to cloud security doesn’t follow the organization’s regular security practices. While that isn’t the only finding in the study, I believe that the other issues build off that one point.
The majority of respondents said they struggle with controlling or restricting end-user access and protecting sensitive data, and find that they are unable to apply conventional information security in cloud environments or to inspect their cloud providers for compliance concerns directly – all areas that you’d expect in-house security practices to cover.
But here is the particular finding that I think strayed the most from conventional security practices. The study revealed that those in charge of an organization’s security aren’t involved in the cloud adoption or migration process. Again, could you imagine that being the case for other security matters? It could be that decision makers think that security in the cloud is controlled by the provider, but do you want someone else to be in charge of the security of your data? Especially with this revelation:
Confirming what other reports have found, and which is also cause for some consternation given how high the stakes are, 72 percent of respondents said the ability to encrypt or tokenize sensitive or confidential data is important, with 86 percent saying it will become more important over the next two years, up from 79 percent in 2014. However, encryption is not yet widely deployed in the cloud. The authors cite as an example SaaS, for which only 34 percent of respondents say their organization encrypts or tokenizes sensitive or confidential data directly within cloud-based applications.
The lack of encryption dovetails with other studies from this past year that have found similar results. This could be because companies struggle to know where their sensitive data is, according to a study from Thales e-Security and the Ponemon Institute that was released earlier this year.
All of these results, when looked at together, show why shadow cloud use is so risky – and about half of the organizations surveyed admit that shadow cloud is a problem. If we can’t secure the data in the clouds the organization is controlling, then how can we secure it in clouds the security or IT department doesn’t know about?
I’ve had a number of security experts tell me that cloud security is getting better, but this study shows that there is still a long way to go and a lot to learn about security in the cloud. That begins with treating cloud security like we would any other networking system.