Cloud Risks Worry Firms, but Sensitive Data Still Cloud-Bound

Businesses aware of the threats to data are more likely to put their sensitive information in the cloud, a new study finds.


More companies are moving their sensitive data into the cloud, although nearly half do not know how their cloud provider protects their data and more than a third believe that their security posture has suffered from using the cloud, according to a report published April 29.

The report, based on survey data gathered by the Ponemon Institute and sponsored by cyber-security firm Thales, showed that 49 percent of companies do not know how their cloud provider secures customer data, a slight improvement from the 52 percent that were in the dark in 2012. A little more than a third, 35 percent, of companies had actually conducted the due diligence to discover how their data was protected.

"Many companies thought the cloud provider was responsible for security, yet they know very little about what the cloud provider is doing to secure their data," Richard Moulds, vice president of strategy for Thales e-Security, told eWEEK. "If you choose to use the cloud, you need to know how your data is being secured."

In its third year, the Ponemon Institute's Encryption in the Cloud report shows that companies are still trying to come to grips with securing their data stored in cloud services, said Moulds. Overall, the trends have been positive. More companies know their cloud providers' security methods (35 percent, up from 29 percent in 2011) and encrypt their data in the cloud (39 percent in 2013, compared with 32 percent in 2011).

Opinions continue to be split over who—the cloud provider or the cloud consumer—has responsibility for data in the cloud. For software-as-a-service (SaaS) offerings, 54 percent of cloud consumers argue that the cloud provider should be responsible, down from 60 percent in 2012. Companies that believed they should be responsible for data in SaaS offerings increased 3 percentage points to 24 percent in 2013, according to the report.

One seeming paradox is that more security-focused companies are more likely to put their data in the cloud. The Ponemon Institute assigned a so-called Security Effectiveness Score, a measure of a business' security posture, that ranged from +2 to -2. Almost two-thirds of the most security-conscious companies put sensitive data in the cloud, while only 40 percent of the least security-conscious companies put their data in the cloud.

"It is perhaps a sign of confidence that organizations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. "It is encouraging to find that significantly fewer respondents believe that use of the cloud is weakening their security posture."

While the largest fraction of companies are managing their own encryption keys, an equal number rely on a third-party service or the cloud provider themselves to manage encryption keys, the report stated.

"If you are encrypting your data before it goes to the cloud, and you keep a firm grip on the keys, you can make it secure," Moulds said. "But if you want to be deriving some benefit from putting your data in the cloud, it becomes more complicated."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...