Protecting Data In The Cloud: 10 Top Security Measures
10:00 AM EST Fri. Jul. 05, 2013
The Ponemon Institute issued a supplemental report to its 2012 Encryption in the Cloud Study published in February, identifying additional cloud data security trends. The study, sponsored by data protection vendor Thales e-Security, contacted more than 4,000 people in seven countries about their company's ongoing encryption projects. Trust in cloud providers is on the rise, but Ponemon noted that survey responses indicate additional education is needed on data protection measures and responsibilities.
Here are the survey's 10 top cloud data security trends.
The Ponemon study found that more than half of those surveyed transfer sensitive data to the cloud, and 31 percent said they would likely do so in the next 12 to 24 months. The steady migration to the cloud is forcing some companies to consider ways to double down on data security or seek assistance from cloud providers for data protection, the survey found.
Forty-three percent of survey respondents said the move from on-premise IT to the cloud has not changed their organization's security posture. Meanwhile, 35 percent of survey respondents said their organization's security posture decreased as a result of cloud adoption. One reason for the increased confidence in data security measures was the deployment of new security capabilities to control the flow of, and access to, data, according to Ponemon.
Those surveyed by Ponemon were worried most about employee mistakes, followed by legal and law enforcement requests for data. System and process malfunction resulting in data exposure also was cited as a potential problem. Concerns over inadvertent exposure outweighed concerns over actual attacks by more than 2-to-1, according to the Ponemon survey. Survey respondents said hacking and insider threats concerned them the least.
The Ponemon study found that many organizations are relying on their cloud provider to protect sensitive or confidential data transferred to the cloud. Responsibility depends on the type of cloud service, according to Ponemon. Sixty percent of those surveyed said SaaS providers should be responsible for data security, but 43 percent said IaaS users should be responsible.
Despite relying on the cloud provider to protect sensitive data, those who took the survey indicated they did not know how data was protected. More than half (52 percent) of companies with SaaS implementations did not know what steps were taken to secure confidential data. Fifty-two percent of PaaS and 48 percent of IaaS adopters also indicated no knowledge of the data protection measures in place.
The Ponemon survey found increased confidence in the ability of the cloud provider to protect sensitive data. Fifty-seven percent of respondents strongly agreed or agreed that the provider was capable of safeguarding data, Ponemon said. Financial services organizations had the most responsibility for maintaining data in the cloud, and had the most encryption deployments.
The Ponemon survey found that hardware security modules are likely to become more important for businesses that can afford the devices to manage encryption and keys. Thirty-seven percent of respondents said the organization encrypts data in motion during the transfer between the enterprise and the cloud. Thirty-one percent said their organization encrypts data persistently before it is transferred to the cloud provider, where it remains encrypted within the cloud.
Cloud providers and businesses are beginning to make key management a shared responsibility between the cloud provider and the cloud user. The goal is to reduce costs and improve efficiency as part of a formal key management strategy, Ponemon said. In IaaS deployments, 50 percent of those surveyed said the company handled key management.
The Ponemon survey found that the new cryptographic standard known as the Key Management Interoperability Protocol (KMIP) was gaining relevance in encryption key management across cloud environments. The standard was designed to make enterprise key management systems and encryption systems interoperate more efficiently, reducing vendor lock-in. Twenty-seven percent rated KMIP as very important or important today. Respondents said the KMIP standard was most important in the cloud, followed by enterprise storage infrastructure. KMIP was least important on end-user devices and remote point-of-sale systems.
Identity and access management was seen as the top data protection priority, followed by data discovery and data protection when in use within business applications, the Ponemon survey found. Businesses are searching for ways to federate identity across systems. Some firms added multifactor authentication measures to protect against password misuse. Meanwhile, encryption was used for data backup, on internal networks and within cloud services and databases.