Comprehensive policies are needed for data governance and compliance, and encryption, tokenisation and other cryptographic solutions should be used to secure sensitive data transferred and stored in the cloud.
Those are among the recommendations following a new report which shows concerns about cloud security are grounded in reality, with many companies lacking appropriate governance and security measures to protect cloud data.
The 2016 Global Cloud Data Security Study, commissioned by digital security vendor Gemalto and carried out by Ponemon Institute, found that while organisations are embracing cloud, cloud security was proving challenging for many companies.
Customer information, emails, consumer data, employee records and payment information were the types of data most often stored in the cloud, and the report says 50% of respondents considered customer information – which 64% said their company now stored in the cloud – the data most at risk.
The report, which surveyed more than 3400 IT and IT security professionals worldwide, including 240 in Australia, found 57% of respondents don’t believe their companies have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments, despite cloud being an increasingly important part of business for the majority of respondents.
That comes despite 71% of respondents saying their organisations are committed to protecting confidential or sensitive information in the cloud.
Furthermore, 57% did not agree that their organisation was careful about sharing sensitive information in the cloud with third parties such as business partners, contractors or vendors.
The security concerns come as demand for cloud runs high, with 69% of respondents saying cloud based services and platforms were considered important to their companies’ operations and 82% saying they will be more so over the next two years.
For 31% of respondents, cloud resources are already providing the companies total IT and data processing needs – a number expected to increase to 37% over the next two years.
But the report also highlights that IT departments now have less control over cloud services and corporate data stored in the cloud, with 47% saying cloud services were deployed by departments other than IT, and an average of 46% of corporate data stored in cloud environments not managed or controlled by the IT department. Forty-one percent were, however, confident their IT organisation knows all the cloud computing applications, platform or infrastructure services in use.
However, only 20% said members of the security team are involved in the decision-making process about using specific cloud applications or platforms, and 63% said their organisation doesn’t have a policy that requires use of security safeguards such as encryption.
Jason Hart, Gemalto vice president and chief technology officer for data protection, says while organisations have embraced the cloud for the benefits of cost and flexibility, they’re still struggling with maintaining control of their data and compliance in virtual enviornments.
“It’s quite obvious security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network,” Hart says.
“It is an issue that can only be solved with a data-centric approach in which IT organisations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely on every day.”
Gemalto and Ponemon say IT organisations need to set comprehensive policies for data governance and compliance, create guidelines for the sourcing of cloud services and establish rules for what data can and can’t be stored in the cloud.
Larry Ponemon, Ponemon chairman and founder, says to ensure compliance, companies need to consider deploying technologies such as encryption, tokenisation or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.
Implementing measures such as encryption enables IT to protect corporate data while still being an enabler of shadow IT, protecting data in the cloud in a centralised fashion as their internal organisations source cloud-based services as needed.
The companies say as more data is stored in the cloud and even more cloud based services are used, IT departments will need to place greater emphasis on stronger user access controls with multi-factor authentication.
“This is even more important for companies that givve third parties and vendors access to their data in the cloud.”