Cloud-based security still lacking
27 July, 2016
Cloud-based computing is increasingly important for enterprises but security is still a concern, according to findings from a Ponemon Institute study titled “The 2016 Global Cloud Data Security Study,” commissioned by Gemalto.
For some 73% of respondents, cloud-based services and platforms are considered important to their organization’s operations, and 81% said they will be more so over the next two years. In fact, 36% of respondents said their companies’ total IT and data processing needs were met using cloud resources today and that they expected this to increase to 45% over the next two years.
Although cloud-based resources are becoming more important to IT operations and business strategies, 54% of respondents did not agree their companies have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments. This is despite the fact that 65% of respondents said their organizations are committed to protecting confidential or sensitive information in the cloud. Furthermore, 56% did not agree their organization is careful about sharing sensitive information in the cloud with third parties such as business partners, contractors and vendors.
Part of the problem is that conventional security practices do not apply in the cloud. In 2014, 60% of respondents felt it was more difficult to protect confidential or sensitive information when using cloud services. This year, 54% said the same. Difficulty in provisioning access controls and restricting end-user access increased from 48% of respondents in 2014 to 53% in 2016.
The other major challenges that make security difficult include the inability to apply conventional information security in cloud environments (70% of respondents) and the inability to directly inspect cloud providers for security compliance.
Security departments are also left in the dark when it comes to buying cloud services. Only 21% of respondents said members of the security team are involved in the decision-making process about using certain cloud applications or platforms. The majority of respondents, 64%, also said their organizations do not have a policy that requires use of security safeguards, such as encryption, as a condition to using certain cloud computing applications.
Companies are also still relying on passwords to secure user access to cloud services. Sixty-seven percent of respondents said the management of user identities is more difficult in the cloud than on-premises. However, organizations are not adopting measures that are easy to implement and could increase cloud security.
Just over half of companies (55%) are using multi-factor authentication to secure employee and third-party access to applications and data in the cloud, which means many companies are still relying on just user names and passwords to validate identities. This puts more data at risk because 58% of respondents say their organizations have third-party users accessing their data and information in the cloud.
The new realities of Cloud IT mean that enterprises need to set policies for data governance and compliance, create guidelines for the sourcing of cloud services, and establish rules for what data can and cannot be stored in the cloud.
IT organizations can accomplish their mission to protect corporate data while also enabling their “Shadow IT” by implementing data security measures such as encryption, which let them protect data in the cloud in a centralized fashion as their internal organizations source cloud-based services as needed.
As companies store more data in the cloud and utilize more cloud-based services, IT organizations need to place greater emphasis on stronger user access controls with multi-factor authentication. This is even more important for companies that give third parties and vendors access to their data in the cloud.
The survey was conducted by the Ponemon Institute on behalf of Gemalto and surveyed 3,476 IT and IT security practitioners in the United States, Brazil, United Kingdom, Germany, France, Russian Federation, India, Japan and Australia who are familiar with and involved in their company’s use of both public and private cloud resources.
Industries represented among the respondents include Financial Services, Retail, Technology & Software, Public Sector, Healthcare and Pharmaceutical, Utilities & Energy, Education, Transportation, Communications, Media & Entertainment, and Hospitality.