Many organizations are not responding to the continuing spread of “Shadow IT” and cloud use with appropriate governance and security measures, and more than half do not have a proactive approach, according to research released Tuesday. The 2016 Global Cloud Data Security Study, compiled by the Ponemon Institute on behalf of Gemalto, shows that nearly half of all cloud services (49 percent) and nearly half of all corporate data stored in the cloud (47 percent) are beyond the reach of IT departments.
The report is drawn from a survey of more than 3,400 IT and IT security practitioners from around the world. It shows only 34 percent of confidential data on SaaS is encrypted, and members of the security team are only involved in one-fifth of choices between cloud applications and platforms.
IT departments are making gains in visibility, with 54 percent saying the department is aware of all cloud applications, platforms, and infrastructure services in use, up from 45 percent two years ago. Also, the number of respondents saying it is more difficult to protect data using cloud services fell from 60 to 54 percent; however, those gains were offset by more broadly reported challenges in controlling end-user access.
“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.”
The number of companies storing customer data in the cloud is increasing, with nine percent more organizations reporting the practice than in 2014, despite 53 percent still saying that is where it is most at risk.
Almost three-quarters say encryption and tokenization are important, and even more think they will be important over the next two years. However, almost two-thirds (64 percent) said their company does not have policies requiring safeguards like encryption for certain cloud applications.
Seventy-seven percent say managing identities is harder in the cloud than on-premises, yet only 55 percent have adopted multi-factor authentication.
“Organizations have embraced the cloud with its benefits of cost and flexibility but they are still struggling with maintaining control of their data and compliance in virtual environments,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “It’s quite obvious security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network. It is an issue that can only be solved with a data-centric approach in which IT organizations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely on every day.”
The report recommends organizations set comprehensive policies for data governance and compliance, as well as guidelines for sourcing cloud services, and cloud data storage rules.
A study released in June by Alert Logic indicated that workloads were subject to the same security operations strategy regardless of the infrastructure they are on.