Data encryption in a cloud

2016: Research Gemalto and Ponemon Institute: More than 60% of confidential data of the companies in a cloud are not protected by enciphering

In spite of the fact that cloud computing resources still remain very important an asset for many organizations, the company is not implemented by the corresponding politicians and do not implement the necessary measures for security for confidential data protection which are stored in cloud infrastructure. Only some of outputs are like that "A global research of data security provision in a cloud in 2016 ^[1]"(The 2016 Global Cloud Data Security Study), Ponemon Institute the custom-made by institute Gemalto, world leader in the field of a digital security. Within the research more than 3400 IT-spetsialistov-praktikov and also information security experts were polled worldwide that allowed to receive more complete understanding of top trends in the field of data management and techniques of security of cloud services.

According to 73% of respondents, cloud services and platforms are considered as an important factor in activity of their organizations, at the same time 81% of respondents consider that in the next two years the role of cloud services in work of the companies will become even more significant. In effect, 36% of respondents told that all IT requirements of their companies, as well as the needs for data processing are completely satisfied using cloud resources today. Moreover, it is expected that within the next two years this digit will grow to 45%.

Though cloud resources play more and more important role in the solution of corporate IT tasks and in implementation of business strategy, according to 54% of respondents today, in their companies there is no anticipatory approach to security management and observance of the requirements for ensuring confidentiality and data protection which are stored in cloud environments. And all this in spite of the fact that 65% of respondents declared commitment of their organizations to ensuring protection of confidential and other crucial information in a cloud. Moreover, 56% do not consider that their organizations show care concerning placement of similar information in a cloud environment for access for the third parties, for example, of business partners, contractors or suppliers.

Main outputs

Development of shadow IT create threat for security in a cloud

According to survey results, approximately in half of cases (49%) cloud services is implemented not corporate IT departments, but other divisions of the companies, and about 47% of the corporate data which are stored in cloud environments are not controlled and is not controlled by IT departments. Nevertheless, confidence of respondents that they have the complete information on the services of cloud computing used in their organizations increases. 54%respondentov are sure that their IT organizations know about all used applications, platforms and infrastructure services of cloud computing that is nine percent higher, than in 2014.

Traditional techniques of security are not applicable in a cloud

In 2014 60% of respondents considered that protection of the confidential or service information during the work with cloud services represented more difficult task. This year so considers 54%. If in 2014 48% of respondents complained about the difficulties connected with monitoring or restriction of the user access, then in 2016 declare such difficulties already 53% of respondents. Among other large problems doing security more difficult call impossibility of use of traditional tools of information security in cloud environments (70% of respondents) and impossibility to directly control suppliers of cloud services on observance of requirements for security (69% of respondents).

More and more information on customers is stored in a cloud, and these data are considered as the most subject to risk

On survey results, most often such types of data as information on customers, the e-mail addresses, consumer these, personal records of employees and payment information are stored in a cloud. Since 2014 the greatest gain was recorded concerning information on customers which is stored in a cloud: if in 2014 that their company stores such information in a cloud, approved 53% of respondents, then in 2016 so approves 62% of respondents. Besides, according to 53% of respondents, information on customers is most subject to risk in a cloud.

Divisions of security remain in ignorance about the purchased cloud services

Only 21% of respondents told that the staff of divisions of security in their companies takes part in decision making concerning use of these or those cloud applicaions or platforms. Most of respondents (64%) also said that in their organizations there are no rules or the politicians demanding application of security technologies, such as enciphering as a condition for use of certain cloud applicaions.

Enciphering is considered an important factor, but still did not gain universal distribution in a cloud

72% of percent of respondents claim that for them an important factor is an opportunity to perform enciphering or tokenization of confidential or service data, at the same time 86% consider that in the next two years such opportunity will become even more relevant. For comparison, in 2014 so considered 79% of respondents. In spite of the fact that more and more respondents realize importance of enciphering, this technology is still not so widely used in a cloud. For example, concerning the most popular type of cloud services, SaaS, only 34% of respondents say that their organization performs enciphering or tokenization of confidential or service data directly in cloud applicaions.

Many companies still use passwords for protection of the user access to cloud services

According to sixty seven percent of respondents, user account control in a cloud is more difficult task in comparison with management of these records in local infrastructure. However the organizations do not accept even the simplest in implementation of measures which would help to increase security in a cloud. About a half (45%) of the companies does not use technologies of multifactor authentication for protection of access for the employees or the third parties to cloud applications or to data, and it means that the companies still rely only on logins and passwords for validation of accounting records. As a result of it, more and more data are exposed to risk as 58% of respondents recognize that in their organizations access to corporate data and information in a cloud is resolved also for third-party users.

Recommendations about security in a cloud

New realities of cloud information technologies mean that the IT organizations need to develop and implement complex politicians in the field of data management and observance of regulatory requirements, to develop the uniform principles and standards concerning acquisition and use of cloud services, to set rules which would regulate what data are admissible to be stored in a cloud.

IT departments will be able to execute the mission for protection of corporate data, and at the same time to promote development of "shadow IT" if they implement measures for data security provision, for example, to implement technologies of enciphering which would allow to protect on a centralized basis data in a cloud how other divisions of the company independently purchase necessary cloud services.

As the companies store more and more data in a cloud and even more often use cloud services, the IT organizations need to pay more attention to strengthening of mechanisms of control of the user access using multifactor authentication. It is especially relevant for the companies which provide access to the data in a cloud to the third-party companies and suppliers.

Notes