Cloud security data still pose challenge for many companies: study

New Delhi: Despite the continued importance of cloud computing resources to organizations, companies are not adopting appropriate governance and security measures to protect sensitive data in the cloud.

A study titled ‘The 2016 Global Cloud Data Security’ by Ponemon Institute and commission by Gemalto, a security research firm, showed the appalling condition of security for cloud-based services. It is based on a survey of more than 3,400 IT and IT security practitioners worldwide.

According to 73 per cent of respondents, cloud-based services and platforms are considered important to their organization's operations and 81 per cent said they will be more so over the next two years.

In fact, thirty-six per cent of respondents said their companies' total IT and data processing needs were met using cloud resources today and that they expected this to increase to forty-five per cent over the next two years.

Although cloud-based resources are becoming more important to companies' IT operations and business strategies, 54 per cent of respondents did not agree their companies have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments.

This is despite the fact that 65 per cent of respondents said their organizations are committed to protecting confidential or sensitive information in the cloud.

Furthermore, 56 per cent did not agree their organization is careful about sharing sensitive information in the cloud with third parties such as business partners, contractors and vendors.

"Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations," said Larry Ponemon, chairman and founder, Ponemon Institute.

"To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud."

"Organizations have embraced the cloud with its benefits of cost and flexibility but they are still struggling with maintaining control of their data and compliance in virtual environments," said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto.

"It's quite obvious security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network. It is an issue that can only be solved with a data-centric approach in which IT organizations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely every day."

Some of Key findings of the study are listed below:

Cloud security is stormy because of shadow IT

According to respondents, nearly half (49 per cent) of cloud services are deployed by departments other than corporate IT, and an average of 47 per cent of corporate data stored in cloud environments is not managed or controlled by the IT department.

However, confidence in knowing all cloud computing services in use is increasing.

Fifty-four per cent of respondents are confident that the IT organization knows all cloud computing applications, platform or infrastructure services in use – a nine per cent increase from 2014.

Conventional security practices do not apply in the cloud

In 2014, 60 per cent of respondents felt it was more difficult to protect confidential or sensitive information when using cloud services.

This year, 54 per cent said the same. Difficulty in controlling or restricting end-user access increased from 48 per cent in 2014 to 53 per cent of respondents in 2016.

The other major challenges that make security difficult include the inability to apply conventional information security in cloud environments (70 per cent of respondents) and the inability to directly inspect cloud providers for security compliance (69 per cent of respondents).

More customer information is being stored in the cloud

The survey also pointed out that customer information; emails, consumer data, employee records and payment information are the types of data most often stored in the cloud.

Since 2014, the storage of customer information in the cloud has increased the most, from 53 per cent in 2014 to 62 per cent of respondents saying their company was doing this today. Fifty-three per cent also considered customer information the data most at risk in the cloud.

Security departments clueless when it comes to buying cloud services

Only 21 per cent of respondents said members of the security team are involved in the decision-making process about using certain cloud application or platforms.

The majority of respondents (64 per cent) also said their organizations do not have a policy that requires use of security safeguards, such as encryption, as a condition to using certain cloud computing applications.

Encryption is important but not yet pervasive in the cloud

Seventy-two per cent of respondents said the ability to encrypt or tokenize sensitive or confidential data is important, with 86 per cent saying it will become more important over the next two years, up from 79 per cent in 2014.

While the importance of encryption is growing, it is not yet widely deployed in the cloud. For example, for SaaS, the most popular type of cloud-based service, only 34 per cent of respondents say their organization encrypts or tokenizes sensitive or confidential data directly within cloud-based applications.

Many companies rely on passwords to secure user access to cloud services

Sixty-seven per cent of respondents said the management of user identities is more difficult in the cloud than on-premises.

However, organizations are not adopting measures that are easy to implement and could increase cloud security. About half (forty-five per cent) of companies are not using multi-factor authentication to secure employee and third-party access to applications and data in the cloud, which means many companies are still relying on just user names and passwords to validate identities.

This puts more data at risk because fifty-eight per cent of respondents say their organizations have third-party users accessing their data and information in the cloud.