Firms fall short of protecting sensitive data in the cloud

The disparity between the rapid growth of data stored in the cloud and an organisation’s approach to cloud security is increasing, a new study from Thales and Ponemon Institute shows.

Findings show that while nearly half (48%) of corporate data is stored in the cloud, only a third (32%) of organisations say they employ a security-first approach to data storage in the cloud.

The study — which surveyed over 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India Japan, the United Kingdom and the United States — also found that only one in three (31%) organisations believe that protecting data in the cloud is their own responsibility.

With the proliferation of cloud-based services, businesses and other organisations are increasingly dependent on cloud providers. Nearly half (48%) of organisations have a multi-cloud strategy, with the average engaging three service providers.

While storing sensitive data in the cloud, organisations believe that cloud service providers bear the most responsibility for sensitive data in the cloud (35%), ahead of shared responsibility (33%) and themselves (31%).

“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

Roughly half (51%) of businesses and other organisations still do not use encryption or tokenisation to protect sensitive data in the cloud.

Nearly half of cloud companies (44%) provide the encryption keys when data is encrypted in the cloud, ahead of in-house teams (36%) and third parties (19%).

More than 70% believe that data in a cloud environment is harder to protect due to the complexity of managing privacy and data protection regulations, while an additional two-thirds (67%) cited the difficulty of applying conventional security methods in the cloud.

“Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process,” said Tina Stewart, vice president of market strategy for cloud protection and licensing activity at Thales. “It doesn’t matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility.”