Does your company use a cloud service to store sensitive or
confidential data? If so, where does the responsibility lie for keeping
that data secure? These are a couple of the questions addressed in a
new study released by Thales e-Security.
The study, titled "Encryption in the Cloud," also focused on data
encryption with cloud solutions and where such encryption is applied.
One of the big surprises in the survey data comes from how many
companies are using the cloud for sensitive or confidential data: nearly
half, 49 percent, of respondents do so currently, and another third
said their companies likely would do so within the next two years. With
that amount of sensitive corporate data going to the cloud, data
security must be a primary concern -- or so you might think.
Another section of the survey, which was conducted by the Ponemon Institute,
looked at where companies felt the responsibility lay for keeping the
data they send to the cloud safe. Here, 44 percent of respondents said
they felt the primary responsibility for data security was with the
cloud provider, while only 30 percent thought primary responsibility
was with the data owner (i.e., the company that's sending sensitive
data to the cloud). Another 24 percent thought there should be a shared
responsibility.
I would have thought that businesses that had strong concerns for the
security of their data would have answered more towards keeping
responsibility for themselves, or possibly sharing responsibility --
after all, regardless of where the data is, your company is still the
one on the hook if your customers' data gets loose. When you couple that
possibility with another finding from the research -- namely, that 63
percent of respondents said they had no idea what security measures
cloud providers used to secure the sensitive data entrusted to them --
it begins to look like companies are simply taking an easy solution by
sending data to the cloud and washing their hands of responsibility.
They're hoping the hammer of data loss won't fall on them.
Richard Moulds, vice president of product management and strategy for
Thales e-Security, had another possibility in mind. "It may be the case
that the companies that are sending data to the cloud today are the
ones that are encrypting it themselves and keeping hold of the keys," he
said, "and therefore have a pretty high security posture and feel
pretty good about it because they know that they are in control." Key
management, according to Moulds, is the crux of using encryption at
all: make sure the key is never stored alongside the data it protects.
"Encryption is a very definitive approach to security," Moulds said.
"It's either encrypted or it's not, it's black or white. It's a very
binary type of security. I think that's why regulators like it -- it's
the reason it's mandated in policies like PCI DSS. Mandating the use of a
firewall is a bit wishy-washy because you can have a good or bad
firewall. You don't see the use of firewalls or intrusion detection as
factors in data breach disclosure law." Of course, when considering a
cloud solution, data encryption can be applied at different points: on
the customer side, before the data leaves the enterprise; in transit;
or at rest in the cloud itself, under the provider's control. Who holds
the key at each of those points is what decides who can actually read
the data.
Regardless of which method (or methods) you choose, Moulds believes
it's important for the enterprise to maintain control of the encryption
keys. "I can imagine a world where data is shared with the cloud in
encrypted form and is selectively decrypted by the enterprise giving out
keys on demand to cloud providers or applications in the cloud -- then
they can do something with that data. So the data is still, as it
lies, protected. It's protected by default, and it's selectively
unprotected just to the point of use," Moulds said.
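To make concrete what Moulds describes here, and his earlier point about not storing the key with the encrypted data, the following is an added example in Go; it is not code from the Thales report or from any product mentioned in this article. It assumes a simple envelope-encryption layout: each object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays with the enterprise, and the cloud provider stores only the ciphertext plus the wrapped DEK. The function names, the 32-byte keys and the sample record are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is everything the cloud provider gets to keep. The only
// key stored next to the data is the DEK, and it is stored as ciphertext
// under a KEK the provider never sees.
type EncryptedObject struct {
	Ciphertext []byte // AES-256-GCM over the plaintext, nonce prepended
	WrappedDEK []byte // AES-256-GCM over the DEK under the KEK, nonce prepended
}

// seal encrypts plaintext with AES-256-GCM under key and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. It fails on a wrong key or any modification of the blob.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptForCloud runs on the customer side, before transmission: a fresh
// per-object DEK encrypts the data, then the DEK is wrapped under the KEK.
func EncryptForCloud(kek, plaintext []byte) (EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedObject{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// ReleaseDEK is the enterprise's "key on demand" step: it unwraps the DEK for
// one object so a cloud application can read that object and nothing else.
// The KEK itself is never handed out.
func ReleaseDEK(kek []byte, obj EncryptedObject) ([]byte, error) {
	return open(kek, obj.WrappedDEK)
}

// DecryptInCloud is what the cloud application can do only after it has been
// given the per-object DEK.
func DecryptInCloud(dek []byte, obj EncryptedObject) ([]byte, error) {
	return open(dek, obj.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // assumption: lives on-premises, e.g. in an HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	obj, err := EncryptForCloud(kek, []byte("customer 4711: card ending 1234"))
	if err != nil {
		panic(err)
	}
	// Provider holds obj but no key: a guessed key does not open it.
	if _, err := DecryptInCloud(make([]byte, 32), obj); err == nil {
		panic("ciphertext opened without the released DEK")
	}
	dek, _ := ReleaseDEK(kek, obj)
	pt, _ := DecryptInCloud(dek, obj)
	fmt.Printf("decrypted at point of use: %s\n", pt)
}
```

Releasing a single unwrapped DEK lets a cloud application read one object without ever seeing the KEK, which is the "selectively unprotected just to the point of use" arrangement Moulds describes, and because AES-GCM authenticates the ciphertext, an object the provider has modified fails to open instead of quietly decrypting to garbage. In a real deployment the KEK would sit in an HSM or key-management service on the enterprise side, and each DEK release would be authorized and logged.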
The level of control Moulds envisions is not, perhaps, borne out by the
survey data of what businesses are currently doing -- but then, he did
say he was imagining. Encryption is clearly useful for protecting
data, but James D. Brown, CTO for StillSecure,
believes that taking a layered approach to security is best, whether
in the cloud or on the local network. Brown also said he felt the job
of managing data security should be in the hands of security experts.
"Security really needs to be a 24 by 7 operation," Brown said. "It's
not something where you set up a product and leave it sitting in a
closet somewhere and check it once in a while. If you do that, chances
are you're going to be attacked and compromised and you'll be looking at
that information after the fact. It really needs to be monitored 24 by
7, and it needs to be monitored by experts, and it needs to be
deployed by experts."
As more companies move important chunks of their business processes and
corresponding data to cloud providers, questions about cloud security
can only increase. If you're interested in more findings from "Encryption in the Cloud,"
be sure to download the complete report. And if you're interested in a
little extra chilling factor, consider this: This study addresses the
data organizations knowingly transfer to cloud sites; it doesn't
consider the corporate data your employees might be sending to personal
data sharing sites, and the related risks associated with such
behavior. That, of course, is a topic for another day.
Ref: http://www.windowsitpro.com