The latest SC survey looked at approaches and attitudes to data management and storage. Concerns surrounding cloud and access policies came under particular scrutiny.
Data is the centre of the information security professional's world. Strip away the noise of security management theory, changing threat vectors and the competing claims of the vendor community, and what's left is a fundamental purpose and intent: protect business data at all times.
With this in mind, our latest survey, taken in conjunction with SafeNet, focuses on the data and how security managers are coping with the increasing demands of compliance laws, access management complexities and the shift to the cloud.
The survey asked to what extent PCI had impacted on respondents' risk management and compliance strategies. The results were inconclusive, with 36.5 per cent saying it had no impact at all – which was surprising given that a good proportion of respondents worked in the retail sector.
The suspicion is that PCI has still failed to find its teeth and that, while major brands are ethically bound to be compliant, many more, much smaller payment card processors remain indifferent.
More conclusive was the fact that an overwhelming 90.6 per cent of respondents still store sensitive data in conventional databases – comforted no doubt by the fact that they know where it is, how it is protected and who has access.
Other traditional solutions, such as file servers, SAN and applications, also figure highly as repositories of data. Our respondents are a conservative bunch!
This is confirmed by the fact that both the private and public clouds have yet to fully impact on enterprise data storage and management strategies. The survey shows that fewer than ten per cent of respondents are using public clouds and only around 24 per cent of them are willing to commit to private clouds. So much for the age of the cloud.
Undoubtedly then, the fears that security professionals have around the risks to data stored in the cloud are a long way from being resolved. The gap between vendor hype around fluffy cloud solutions and the reality on the ground is some way from being closed.
Concerns around the cloud are numerous and are spread evenly across all respondents, according to our survey. Security managers are understandably worried about multi-tenant environments, cloud administrators having too much access, the lack of visibility and simply losing data forever in the fog of the cloud. There also remain concerns that security professionals don't fully understand or trust what the cloud providers are doing.
These are serious and big concerns, and until such time as they can be allayed, vendors and cloud providers would do well to stop portraying the cloud as a done and dusted, safe and secure vestibule for sensitive data. They might pay attention to the 30 per cent who answered “My knowledge is limited – i.e. I don't know what I don't know”.
Elsewhere, industry watchers looking for radical shifts away from access policies may be disappointed at the 68.8 per cent who use username and password. They may not be happy with it, but it seems the default and best choice for now. The other options – OTP, certificates – barely register with just ten per cent of respondents.
Some 60 per cent were concerned that data at rest could be at risk in the business, and nearly as many felt the need to address regulatory compliance issues in virtual environments.
The SC/SafeNet survey ran during June 2011 and analysed the responses of 170 UK IT security managers.