Ponemon Institute, Sponsored by Thales
Ponemon Institute is pleased to present the second annual Trends in Cloud Encryption Study. This research is a supplementary report that is part of a larger study entitled the 2012 Encryption in the Cloud Study, published in February 2013. In this study, we surveyed 4,205 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil. The purpose of the research is to examine how organizations go about protecting the information assets they entrust to cloud providers.
In our research we consider how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external cloud-based service providers. We believe these findings are important because they demonstrate the relationship between encryption and the preservation of a strong security posture in the cloud environment. As shown in this research, organizations with a relatively strong security posture are more likely to transfer sensitive or confidential information to the cloud. The high-level questions and issues addressed by this research are as follows:
- What percent of organizations currently transfer sensitive or confidential data to external cloud-based services?
- Who is most responsible for protecting sensitive or confidential data transferred to an external cloud-based service provider? Is it the cloud provider, the cloud consumer or is it a shared responsibility?
- Do organizations have the ability to safeguard sensitive or confidential data before or after it is transferred to the cloud?
- Do respondents believe their cloud providers have the ability to safeguard sensitive or confidential data within the cloud?
- In the eyes of respondents, does the adoption of cloud services impact their organization’s security posture?
- Where is encryption applied to protect data that is transferred to the cloud?
- Do organizations fully comprehend or even have visibility of the steps or measures taken by the cloud provider to protect sensitive or confidential data?
- Who manages encryption keys when sensitive and confidential data is transferred to the cloud?
Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud.
- More organizations are transferring sensitive or confidential data to the cloud whether or not it is encrypted. Fifty-three percent of respondents say their organizations do these transfers (a 4 percent increase from last year) and another 31 percent say they are likely to do so in the next 12 to 24 months.
- While more sensitive and confidential data is moving to the cloud, many respondents say it decreases their security posture. Thirty-five percent of respondents say it has decreased their security posture and only 15 percent say it has increased it. However, this is an improvement from last year when 39 percent said it decreased their security posture.
- In general, the cloud provider is considered most responsible for protecting sensitive or confidential data transferred to the cloud, according to 33 percent of respondents. Twelve percent say it is the responsibility of the cloud consumer and this represents an increase from 8 percent in 2011. However, responsibility is dependent upon the type of cloud service. Specifically, 60 percent say SaaS providers should be responsible but 43 percent say the users of IaaS should be responsible. Those respondents who say their organizations do not use the cloud also see the users as having more responsibility.