Software Monetization Featured Article

SafeNet Research and Ponemon Institute Find IT is Losing the Battle on Cloud Security

October 29, 2014

With Halloween approaching, things tend to take on a spooky flavor. Unfortunately, that turns out to be the case for IT’s efforts to deal with security issues relating to the cloud, according to new research that security solutions provider SafeNet commissioned from the Ponemon Institute. The study, titled “The Challenges of Cloud Information Governance: A Global Data Security Study,” surveyed more than 1800 IT and IT security professionals worldwide, and if you are an IT professional you should be a bit spooked by the findings.

At a high level, here is what the survey found:

  • IT departments find it difficult to control corporate data in the cloud as more than 40 percent of corporate data stored in the cloud is not managed by corporate IT.
  • Companies lack a single point of accountability when it comes to data security in the cloud.
  • Conventional data security measures are more difficult in the cloud with more organizations turning to encryption and multi-factor authentication to secure data.

In short, the researchers found that a majority of IT organizations are kept in the dark when it comes to protecting corporate data in the cloud. This does more than highlight the security issues of “Shadow IT” activities by LOB employees seeking ways to use apps that IT has yet to certify for use; it highlights the increased risks to organizations that such lack of visibility and control can create.

Before getting to some of the findings and recommendations, an infographic from the researchers tells it all.

Source: Ponemon/SafeNet study: The Challenges of Cloud Information Governance: A Global Data Security Study, October 2014

Cloud security concerns are getting the best of IT

Among the key findings were the following:

  • Only 38 percent of organizations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud.
  • As noted above, 44 percent of corporate data stored in cloud environments is not managed or controlled by the IT department. 
  • The aggregated total shown in the infographic is that 71 percent of respondents say it is more difficult to protect sensitive data in the cloud using conventional security practices.  They also agree that the types of corporate data stored in the cloud, such as emails, and consumer, customer, and payment information, are the types of data most at risk. 
  • Nineteen percent of respondents are very confident they know about all cloud computing applications, platforms, or infrastructure services in use in their organizations today.

“The findings reveal that global organizations are struggling to secure data in the cloud due to the lack of critical governance and security practices in place,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “To create a more secure cloud environment, organizations can begin with simple steps such as including IT security in establishing security policies and procedures; increasing visibility into the use of cloud applications, platforms, and infrastructure; and protecting data with encryption and stronger access controls, such as multi-factor authentication.”

Encryption, multi-factor authentication seen as strong alternatives

On the less spooky side of things, the survey offered additional food for thought on the use of encryption and multi-factor authentication as tools for protecting enterprise data when on the move. The results on this critical subject include:

  • 48 percent say it’s more difficult to control or restrict end-user access to cloud data. 
  • 34 percent of respondents say their organizations already have a policy in place that requires the use of security safeguards such as encryption as a condition for using certain cloud computing resources.
  • 71 percent say the ability to encrypt or tokenize sensitive or confidential data is important.
  • 79 percent say it will become more important over the next two years.

In addition, current adoption of better cloud security practices is at least directionally correct: 43 percent say their organization is using private data network connectivity; 39 percent say their organizations use encryption, tokenization or other cryptographic tools to protect data in the cloud. Disturbingly, 33 percent say they don’t know what security solutions they use. However, the encouraging news is that 29 percent say they use premium security services provided by their cloud provider.

There is further granularity in the survey regarding safeguards that is more than worth a read. Tsion Gonen, chief strategy officer, SafeNet, commented on this, noting, “While the cloud has revolutionized the way IT is delivered, many IT organizations are finding it difficult to keep up with demand for these services and the security implications that are created when critical data is stored in the cloud.” He added, “And as we’ve seen in 2014 with a raft of record-breaking data breaches, organizations are attacked frequently from different angles. In order to mitigate risk, there needs to be focused coordination and new approaches to securing data in the cloud, and IT needs to be at the center of this migration.”

Recommendations for Data Security in the Cloud

So much for the trick; the authors did provide a treat in the form of some recommendations for those wondering what to do to mitigate cloud security risks. They were:

  • The role of IT organizations is changing and they need to adapt to the new realities of cloud IT by educating employees on security, setting comprehensive policies for data governance and compliance, creating guidelines for the sourcing of cloud services, and establishing rules for what data can and cannot be stored in the cloud.
  • IT organizations can accomplish their mission to protect corporate data while being an enabler of “Shadow IT” by implementing data security measures such as “encryption-as-a-service” that allow them to manage the protection of data in the cloud in a centralized fashion as their internal organizations source cloud-based services as needed.
  • As companies store more data in the cloud and utilize more cloud-based services for their employees, IT organizations need to place greater emphasis on stronger user access controls with multi-factor authentication. This is even more important for companies that give third parties and vendors access to their data in the cloud. Multi-factor authentication solutions can be managed centrally to provide more secure access to all applications and data whether in the cloud or on-premises.

As we head toward the gift-giving season, the list above is something worth considering. After all, the gift of peace of mind is one that keeps on giving.

In several previous articles and during many of the webinars I have moderated on the subject, the case has been made that when properly implemented, e.g. with enhanced encryption and strong authentication, in many ways the cloud is actually more secure than relying on legacy solutions for protecting data, both at rest and on the move. Indeed, it is one of the reasons why there is so much interest in premium services being provided by cloud solutions providers in general and security as a service (that other SaaS) solutions in particular.

The cloud does not have to be a scary place.  Happy Halloween!

Edited by Maurice Nagle