Surveyreveals current attitudes about who is responsible for protecting data in thecloud and how encryption is being used and controlled
WESTON,Fla. – August 7, 2012 – Thales, leader ininformation systems and communications security announces that eighty-twopercent of organizations already transfer, or plan to transfer, sensitive orconfidential data into the cloud environment according to Encryption in the Cloud, a global study of 4,000 business and ITmanagers conducted by the Ponemon Institute and commissioned by Thales.
The study examines perceptions and currentpractices surrounding the threats and protection issues relating to sensitiveor confidential data in the cloud. It reveals startling attitudes about who is consideredresponsible for protecting this valuable and often regulated class of data – thecloud service provider or cloud service consumer. The findings are also significantin explaining where data encryption is applied inside and outside the cloud and,most importantly who manages the associated encryption keys.
The study goes on to examine some of themore practical aspects of encryption deployment in particular, and specificallyaddresses questions about whether organizations apply encryption themselvesbefore data leaves the organization’s environment or whether encryption isexpected to be a component of the cloud services they use. In the case ofcloud-based encryption, the report considers the role of encryption forprotecting stored data as well as application-based encryption, which typicallyapplies protection more selectively, potentially protecting individual dataitems.
Larry Ponemon, chairman and founder, PonemonInstitute, says:
“It’s a rathersobering thought that nearly half of respondents say that their organizationalready transfers sensitive or confidential data to the cloud even thoughthirty-nine percent admit that their security posture has been reduced as aresult. This clearly demonstrates that for many organizations the economicbenefits of using the cloud outweigh the security concerns. However, it isparticularly interesting to note that it is those organizations that have astrong overall security posture that appear to be more likely to transfer thisclass of information to the cloud environment – possibly because they mostunderstand how and where to use tools such as encryption to protect their dataand retain control . What is perhaps most surprising is that nearly two thirdsof those that move sensitive data to the cloud regard their service providers asbeing primarily responsible for protecting that data, even though a similarnumber have little or no knowledge about what measures their providers have putin place to protect data. This represents an enormous opportunity for cloudproviders to articulate what they are doing to secure data in the cloud anddifferentiate themselves from the competition.”
RichardMoulds, vice president, strategy, Thales e-Security, says:
“Staying incontrol of sensitive or confidential data is paramount for most companiestoday. For any organization that is still weighing the advantages of using cloudcomputing with the potential security risks of doing so, it is important toknow that encryption is one of the most valuable tools for protecting data.However, just as with any type of encryption, it only delivers meaningful valueif deployed correctly and with encryption keys that are managed appropriately.Effective key management is emblematic of control and the need for centralizedand automated key management integrated with existing IT business processes isa necessity. Even if you allow your data to be encrypted in the cloud, it’simportant to know you can still keep control of your keys. If you control thekeys, you control the data.”
· Whatproportion of organizations are already transferring sensitive data to thecloud? About half of all respondents say theirorganizations currently transfer sensitive or confidential data to the cloudenvironment. Another one-third of respondents say their organizations are verylikely to transfer sensitive or confidential data to the cloud within the nexttwo years.
· Hasthe use of cloud computing for sensitive data increased or decreased overallsecurity? The survey found that thirty-nine percent ofrespondents believe cloud adoption has decreased their companies’ securityposture.
· Whois responsible for data security in the cloud?Sixty-four percent of organizations that currently transfer sensitive orconfidential data to the cloud believe the cloud provider has primaryresponsibility for protecting that data.
· Howmuch visibility do decision makers have regarding cloud security?Nearly two thirds of respondents say they do not know what cloud providers are actuallydoing in order to protect the sensitive or confidential data entrusted to them.
· Whereis data encryption applied? There is almost an evensplit between respondents who say their organization applies persistentencryption to data before it is transferred to the cloud provider and thosethat say they rely on encryption that is applied within the cloud environment.
· Whomanages the encryption keys when data is transferred to the cloud?Thirty-six percent of respondents say their organization has primaryresponsibility for managing the keys. Twenty-two percent say the cloud providerhas primary responsibility for encryption key management. Even in cases whereencryption is performed inside the enterprise, more than half of respondentshand over control of the keys to the cloud provider.
About the Study:
Organizations are increasingtheir investment in encryption across the enterprise in response to complianceregulations and cyber-attacks. Encryptionin the Cloud was
Commissioned as part of a larger international study onGlobal Encryption Trends, which many organizations see as a highly strategicissue. More than 4,000 business and IT managers were surveyed in the US, UK,Germany, France, Australia, Japan and Brazil and the study provides a breakdownof responses by country.
Cryptography and key management arecritical technologies to provide data protection in a cloud computingenvironment. Thales offers high assurance products and services that enable andsimplify the move from on-premise to cloud deployments. Our hardware dataprotection products bring the control and proof needed to demonstratecompliance with privacy regulations and essential standards of due care to thecloud environment, just as they have for decades in the global payments networkand for countless security applications. We invite cloud providers, enterprisesand other organizations considering the security posture of current servicesand the sensitivity of their data to learn more about the key role Thales solutionsplay in creating a secure, protected and compliant cloud infrastructure.
Larry Ponemon from the Ponemon Instituteand Richard Moulds from Thales will present results from Encryption in the Cloud at a webinar on Tuesday, September 25,2012. To register go to http://www.thales-esecurity.com/webinars
Aboutthe Ponemon Institute
The Ponemon Institute© is dedicated toadvancing responsible information and privacy management practices in businessand government. To achieve this objective, the Institute conducts independentresearch, educates leaders from the private and public sectors and verifies theprivacy and data protection practices of organizations in a variety ofindustries.
Thales e-Security is a leading globalprovider of data encryption and cyber security solutions to the financialservices, high technology, manufacturing, government and technologysectors. With a 40-year track record ofprotecting corporate and government information, Thales solutions are used byfour of the five largest energy and aerospace companies, 22 NATO countries, andsecure more than 80 percent of worldwide payment transactions. Thales e-Security has offices in Australia, France,Hong Kong, Norway, United States and the United Kingdom. www.thales-esecurity.com
Thales Media Relations – Security
+33 (0)1 57 77 90 89
Thales e-Security Media Relations
+44 (0)1223 723612