Gemalto & Ponemon Institute Study: Cloud Data Security Remains Big Issue for Enterprises
July 27, 2016
Frequent visitors to the Cloud Security Resource Community are aware that I try to keep a collection of “must have and read” industry resources that are recommended for community members. A real keeper from the prestigious Ponemon Institute has just been released: The 2016 Global Cloud Data Security Study, commissioned by digital security solutions market leader Gemalto, is worth the download and some quality time.
The study surveyed more than 3,400 IT and IT security practitioners worldwide. The goal was to gain a better understanding of key trends in data governance and security practices for cloud-based services. Unfortunately, at a very high level, the findings are disconcerting. In fact, the lead-in to the announcement of the study sums it up well: “Despite the continued importance of cloud computing resources to organizations, companies are not adopting appropriate governance and security measures to protect sensitive data in the cloud.” In a word, “YIKES!”
Not ready for what lies ahead
At the risk of depressing readers, below are some of the key findings from this year’s study.
Cloud security is stormy because of shadow IT: This one was surprising. Who knew that so many cloud services (49 percent) are deployed by departments other than corporate IT? Or that an average of 47 percent of corporate data stored in cloud environments is not managed or controlled by the IT department?
If there is a silver lining here, it is the fact that IT’s confidence that it knows about all cloud computing services in use is at least increasing. Fifty-four percent of respondents are confident that the IT organization knows all cloud computing applications, platform or infrastructure services in use – a 9 percent increase from 2014.
Conventional security practices do not apply in the cloud: In 2014, 60 percent of respondents felt it was more difficult to protect confidential or sensitive information when using cloud services. This year, 54 percent said the same. Difficulty in controlling or restricting end-user access increased from 48 percent in 2014 to 53 percent of respondents in 2016. The other major challenges that make security difficult include the inability to apply conventional information security in cloud environments (70 percent of respondents) and the inability to directly inspect cloud providers for security compliance (69 percent of respondents).
More customer information is being stored in the cloud and is considered the data most at risk: Respondents said customer information, emails, consumer data, employee records and payment information are the types of data most often stored in the cloud. In looking at the trends, it is noted that, since 2014, the storage of customer information in the cloud has increased the most, from 53 percent in 2014 to 62 percent. In addition, 53 percent also considered customer information the data most at risk in the cloud.
Security departments left in the dark when it comes to buying cloud services: Now for the rather disturbing part. The survey found only 21 percent of respondents who said members of the security team are involved in the decision making process about using certain cloud application or platforms. And, it gets worse with the finding that 64 percent also said their organizations do not have a policy that requires use of security safeguards, such as encryption, as a condition to using certain cloud computing applications.
Encryption is important but not yet pervasive in the cloud: Confirming what other reports have found, and which is also cause for some consternation given how high the stakes are, 72 percent of respondents said the ability to encrypt or tokenize sensitive or confidential data is important, with 86 percent saying it will become more important over the next two years, up from 79 percent in 2014. However, encryption is not yet widely deployed in the cloud. The authors cite SaaS as an example: only 34 percent of respondents say their organization encrypts or tokenizes sensitive or confidential data directly within cloud-based applications.
Just as a personal observation, while the case can be made that not everything needs to be encrypted (and there are questions surrounding where, when, why, how and at what cost), this lack of encryption for data that, as we see on an almost daily basis, is being breached and sold on the dark web is troubling.
Many companies still rely on passwords to secure user access to cloud services: On a practical note, 67 percent said the management of user identities is more difficult in the cloud than on-premises.
Here too there is a “however.” In this case, it relates to the findings that organizations are not adopting measures that are easy to implement and could increase cloud security. The study found that 45 percent of companies are not using multi-factor authentication to secure employee and third-party access to applications and data in the cloud. This means they are relying on easily compromised user names and passwords. With 58 percent of respondents saying their organizations have third-party users accessing their data and information in the cloud, this is perilous.
What to do?
The report has some recommendations on how to improve cloud data security. The main one is that IT must establish comprehensive policies for data governance and compliance, with specific guidelines for the sourcing of cloud services along with rules for what data can and cannot be stored in the cloud.
The authors say that IT organizations can accomplish their mission to protect corporate data while also being an enabler of their “Shadow IT” by “implementing data security measures such as encryption that allow them to protect data in the cloud in a centralized fashion as their internal organizations source cloud-based services as needed.” In addition, possibly in the category of having a keen grasp of the obvious, IT needs to beef up access controls both for internal employees and third-party vendors. Indeed, one would have thought that the Snowden leaks would have caused a spike in investment in enhanced authentication capabilities.
“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.”
“Organizations have embraced the cloud with its benefits of cost and flexibility but they are still struggling with maintaining control of their data and compliance in virtual environments,” said Jason Hart, vice president and chief technology officer for Data Protection at Gemalto. “It’s quite obvious security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network. It is an issue that can only be solved with a data-centric approach in which IT organizations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely on every day.”
What the study found is that, thus far, when it comes to cloud security there may be a will but there has not been a way. It also points out that, when it comes to risk management of cloud services, excluding IT from the discussions about acquiring such services is counter-productive.
As a snapshot in time, the results of the study are illuminating. Hopefully, cloud security professionals can use the information as a call to action for their management: IT should not just be accountable for data protection and compliance, but should also have the responsibility, and the policies, rules and tools, to do that job well.
Edited by Alicia Young