Significant security challenges confront organizations as they migrate their IT needs and processing resources to the cloud. They must first select a cloud service provider that can hopefully ensure security of the cloud and thereby fulfill their half of the Shared Responsibility Model. Next, they must implement appropriate security controls such as encryption, access management and multi-factor authentication in their effort to secure corporate and customer data.
This process is becoming more and more complicated as time goes on. On the one hand, IT personnel no longer have the control over data in the cloud and IT spending they once had, which is shaping the types of security processes in which organizations are investing. On the other hand, external forces such as new data protection regulations, including the European Union’s General Data Protection Regulation (GDPR), will likely affect cloud storage practices, yet it’s unclear how organizations’ efforts to comply with the regulation could change cloud governance.
These are some of the realities in Gemalto’s 2018 Global Cloud Data Security Study.
For the report, Gemalto commissioned the Ponemon Institute to survey 3,621 IT and information security practitioners in the United States, the United Kingdom, Australia, Germany, France, Japan, India, and Brazil about their organizations’ use of the cloud and the security challenges they are facing as a result. The survey yielded several key trends. Here are four that are particularly relevant for organizations and their cloud data security strategies:
Organizations Are Not Fulfilling Their Commitment to Cloud Data Security
For Gemalto’s 2018 study, Ponemon Institute found that 67% of respondents say their organizations are committed to protecting confidential and sensitive information in the cloud. That pledge notwithstanding, fifty-three percent of respondents do not agree their companies have a proactive approach to compliance. Even more than that (57%) do not believe their organizations are careful enough when sharing sensitive information with third parties.
As a result, many respondents are concerned about the security of the data their employers store in the cloud. Organizations primarily store customer information (59%), email (49%), consumer data (47%), employee records (38%), and payment information (39%) in the cloud. Approximately half of participants in Gemalto’s study worry most about payment information and customer information at 54% and 49%, respectively. Eighty-eight percent of respondents are also concerned the European Union’s GDPR will play some role in demanding more from organizations and their commitment to cloud data security.
The IT Department Is Losing Control of Cloud Security Practices and Budget
Gemalto’s report reveals that IT is losing control of both its budget and corporate data stored in the cloud. Indeed, the average percent of IT spending controlled by the IT department was fifty-three percent in 2016. That proportion declined to under half (40%) of spending in 2017.
At the same time, functions outside of information technology are deploying an average of fifty-eight percent of cloud services. This figure represents a significant increase over 2016. So too does the fact that the average percent of corporate data stored in cloud environments and not managed by IT has grown from 44 percent to 53 percent.
Challenges and a Lack of Focused Practices Abound in Cloud Security
Survey respondents report the difficulty in protecting confidential information when using cloud services has decreased in several key areas. 54% of IT and infosec professionals say it’s more difficult to defend cloud data in Gemalto’s 2018 study. That figure is down from sixty percent the previous year. At the same time, the difficulties in restricting end-user access decreased from 53% of respondents in 2016 to 51% of participants in 2017.
Even so, challenges still abound in cloud security. Seventy-one percent of survey respondents say it’s difficult to apply conventional information security principles in a cloud environment, with close to that same percentage of participants (62%) saying their organization’s use of cloud resources increases compliance risk. Meanwhile, sixty-seven percent of IT professionals cite their companies’ inability to directly inspect cloud providers for security compliance as a source of difficulty, though 61% of respondents say their organizations now evaluate the security capabilities of a cloud provider prior to engaging their services and deploying their technology.
Encryption and Access Management Solutions Are Growing in Use and Importance
Seventy-seven percent of those who participated in Gemalto’s 2018 study think the ability to encrypt or tokenize sensitive or confidential data stored in the cloud is important, with more than nine in ten (91%) saying it will become more important in the next two years. At this time, 47 percent of respondents say they use encryption or similar tools to secure data at rest in the cloud; 58% report that encryption is used for data sent and received by the cloud provider. Encryption or tokenization of data within cloud applications has also increased by eight percentage points (from 28% to 36%) over the last two years.
In addition, strong user access controls and access management for data stored in the cloud have increased in importance, according to the study. The ability to control strong authentication prior to accessing data and applications in the cloud has increased from 73 percent of respondents to 81 percent of respondents over the past few studies. In addition, 53 percent of respondents say their organization uses multi-factor authentication to secure access to data in the cloud environment. Just under that percentage of respondents (47 percent) say their organizations use multi-factor authentication for employees’ access to the cloud. When asked the percent of cloud applications that have user-enabled access controls, the average is only 19 percent.
The Tip of the Iceberg
The findings presented above are just a snapshot of Gemalto and Ponemon Institute’s study on the ever-evolving cloud data security landscape. The report also investigates what organizations look for when choosing a cloud service provider (CSP) and what IT professionals consider to be the most important identity and access management features for the cloud. It also delves into organizations’ engagement with the cloud differentiated by respondents’ country of origin.
For insight into these and many other issues, download Gemalto’s Cloud Governance and Security Research.
This blog post also appears on the Gemalto Security blog here.