Less Than Half Of Cloud Data Secure: Study

More than half of U.S. organizations are adopting cloud services, but only 47 percent of IT professionals believe that those services are properly secured before they're deployed.

In addition, more than 50 percent of U.S. respondents say that their organization is unaware of all of the cloud services incorporated in their IT infrastructure.

These and other findings were revealed in a study, called "Security of Cloud Computing Users," sponsored by CA and independent research firm the Ponemon Institute, which specializes in privacy, data protection and information security.

Specifically, the study examined a group of 642 IT and IT security professionals in an effort to analyze security concerns regarding cloud services in an enterprise environment.

Overall, the study indicated that organizations needed to closely examine their IT infrastructure, scrutinize cloud providers based on security, identify sensitive data and then take necessary steps to mitigate risks. Ultimately, the study suggested that organizations should prioritize the data that's not appropriate for cloud use and evaluate cloud deployments before they are made, the study's sponsors said.

Above all, the findings showed that there was overwhelming concern about mission critical data, such as customer information or intellectual property. Altogether, the survey showed that 68 percent of those surveyed thought that cloud computing was too risky to store financial information and intellectual property, while 55 percent had concerns about storing health records in the cloud, and 43 percent said that they opposed storing credit card information in the cloud.

The study also indicated that organizations lack awareness about their sensitive data and the benefits of cloud services. Only 14 percent of respondents said they thought cloud computing would actually improve their organization’s security posture. And less than 30 percent of respondents said that they were confident they could control privileged user access to sensitive data in the cloud, while just 38 percent of respondents agreed that their organization had successfully identified information deemed too sensitive to be stored in the cloud.

"The part that was definitely surprising, nearly half said they weren't vetting those systems for security services, 55 percent said they weren't 100 percent confident of all the cloud services and applications in use," said Lina Liberti, vice president of products at CA, security business unit. "There's this sense of 'I don't really know everything that's happening.'"

Liberti said that the study found that often organizations failed to impose or apply basic security best practices for the cloud, even if they had similar security policies for their physical IT environment.

"It's interesting, because when we looked at the study, basic best practices for security were not being adhered to," she said. "It's an obscure thing this cloud. Basic best practices aren't being applied. You need to have a security policy, you have to adhere to these polices," she said.

The study also found that organizations needed to assess and prioritize their data to determine which information was appropriate for the cloud and what should remain on local databases.

Liberti also said that organizations needed to further scrutinize cloud providers to assess whether they regularly apply appropriate security measures in an effort to ensure that they aligned with company policy.

"If one provider doesn't have the right requirements, find another one. Over time they'll have the security policies available," she said. "It's basically asking and making sure the security is in place. What will end up happening is that the providers who give the transparency to their consumers are going to have an advantage."

"Now is the time to make sure you have you have security policies well vetted," she added. "It's not a future state, it's here and now."