
Scary Data Security and Privacy Practices in the Cloud Put Sensitive Information at Risk


Privacy and data protection regulations in the cloud are neglected by over half of the organizations using cloud services, according to a survey released this week by SafeNet and conducted by the Ponemon Institute. These organizations are not “proactive” in managing compliance with regulatory requirements.

Cloud regulation compliance neglect is merely the first in a number of revelations showing general disorganization at companies using cloud services in the US, UK, EMEA and APAC regions. Types of corporate data stored in the cloud, such as emails and payment information, are also “believed to pose the greatest security risk,” making it especially important for organizations to have a clearly defined plan for protecting sensitive data in the cloud.

Ponemon surveyed IT and IT security professionals involved with their company’s use of public and private cloud services. Nearly three-quarters of the respondents were involved in organizations with moderate to heavy cloud use.

The purpose of The Challenges of Cloud Information Governance: A Global Data Security Study is to “focus on how organizations are putting confidential information at risk in the cloud because of the lack of appropriate governance policies and security practices,” according to the report.

The survey uncovered many disturbing practices. Only 38 percent of respondents said their company has clearly defined accountability for keeping confidential or sensitive information safe. Less than half agreed that the company is careful about sharing sensitive information with third parties in the cloud environment.

It’s scary to think that sensitive data might be at risk in the cloud, but it’s something that’s being proven more each day. Data breaches happen at even the largest companies with many IT resources. Recently hacked companies include established names such as JP Morgan, Kmart and Dairy Queen and startup CurrentC. Simple, well-organized IT measures could mitigate cloud risk at many companies.

According to several reports, cloud adoption is growing all over the world. Asia, Europe and the US all report increased use of cloud services, and that use is expected to keep growing. Cloud usage in Canada is increasing despite some decision makers not fully understanding what using cloud services means. Executives not understanding what cloud is may help explain the lack of policies to keep data safe.

Shadow IT is also a contributing factor. “IT is losing control of corporate data stored in the cloud,” said the study. About half of cloud services are deployed by individual departments and 44 percent of data stored in the cloud isn’t even “managed or controlled by the IT department.”

“Cloud usage grows without the support of necessary governance practices. On average the use of cloud computing resources for total IT and data processing requirements will increase from 33 percent to 41 percent in the next two years,” according to the Ponemon report. “Seventy-one percent of respondents say cloud computing applications or platform solutions are very important or important and over the next two years 78 percent of respondents say cloud solutions will be very important or important.”

The report made several recommendations to improve cloud governance. Encryption was mentioned in several of the points. This is consistent with IT professionals promoting the use of simple, easily implemented technologies that are often overlooked as new cloud services are added.

Solutions that allow for encryption across multiple cloud environments may be especially useful. “With the increasing use cases of encryption, companies will need solutions that enable them to centralize key management across multiple encryption platforms in order to ensure better control and security of their encryption keys.” Companies may also wish to use new technologies such as Keyless SSL that further increase the safety of encryption.

Perhaps the most important point is for organizations to get a handle on all cloud services that are actually being used and to have clearly defined roles/departments accountable for cloud security.
