Enterprise cloud use is full of contradictions, according to new research.
The "2017 Global Cloud Data Security Study," conducted by Ponemon Institute and sponsored by security vendor Gemalto, found that one reason enterprises use cloud services is for the security benefits, but respondents were divided on whether cloud data security is realistic, particularly for sensitive information.
"More companies are selecting cloud providers because they will improve security," the report stated. "While cost and faster deployment time are the most important criteria for selecting a cloud provider, security has increased from 12% of respondents in 2015 to 26% in 2017."
Although 74% of respondents said their organization is either a heavy or moderate user of the cloud, nearly half (43%) said they are not confident that their organization's IT department knows about all the cloud computing services it currently uses.
In addition, fewer than half of respondents said their organization has defined roles and accountability for cloud data security. While this number (46%) was up in 2017 -- from 43% in 2016 and from 38% in 2015 -- it is still low, especially considering the type of information most often stored in the cloud.
Customer data is at the highest risk
According to the survey findings, the primary types of data stored in the cloud are customer information, email, consumer data, employee records and payment information. At the same time, the data considered to be most at risk, according to the report, is payment information and customer information.
"Regulated data such as payment and customer information continue to be most at risk," the report stated. "Because of the sensitivity of the data and the need to comply with privacy and data protection regulations, companies worry most about payment and customer information."
One possible explanation for why respondents feel that sensitive data is at risk is that cloud data security is tough to actually achieve.
"The cloud is storing all types of information from personally identifiable information to passwords to credit cards," said Jason Hart, vice president and CTO of data protection at Gemalto. "In some cases, people don't know where data is stored, and more importantly, how easy it is to access by unauthorized people. Most organizations don't have data classification policies for security or consider the security risks; instead, they're worrying about the perimeter. From a risk point of view, all data has a risk value."
The biggest reason it is so difficult to secure the cloud, according to the study, is that it's more difficult to apply conventional infosec practices in the cloud. The next most cited reason is that it is more difficult for enterprises to assess the cloud provider for compliance with security best practices and standards. The majority of respondents (71% and 67%, respectively) feel those are the biggest challenges, but they also note that it is more difficult to control or restrict end-user access to the cloud, which poses security challenges of its own.
"To solve both of these challenges, enterprises should have control and visibility over their security throughout the cloud, and being able to enforce, develop and monitor security policies is key to ensuring integrity," Hart said. "People will apply the appropriate controls once they're able to understand the risks towards their data."
Despite the challenges in cloud data security and the perceived security risks to sensitive data stored in the cloud, all-around confidence in cloud computing is on the rise -- slightly. The 25% of respondents who said they are "very confident" their organization knows about all the cloud computing services it currently uses is up from 19% in 2015. Fewer people (43%) said they were "not confident" in 2017 compared to 55% in 2015.
"Having tracked the progress of cloud security over the years, when we say 'confidence in the cloud is up,' we mean that we've come a long way," Hart said. "After all, in the beginning, many companies were interested in leveraging the cloud but had significant concerns about security."
Hart noted that, despite all the improvements to business workflows that the cloud has provided, security is still an issue. "Security has always been a concern and continues to be," he said. "Security in the cloud can be improved if the security control is applied to the data itself."
Ponemon sampled over 3,200 experienced IT and IT security practitioners in the U.S., the United Kingdom, Australia, Germany, France, Japan, India and Brazil who are actively involved in their organization's use of cloud services.