As more and more organisations transfer sensitive or confidential data to the cloud, whether it is encrypted or not, important questions about who is responsible for securing and protecting this data are being asked.
In line with this increase in cloud adoption, we are also seeing the creation of a more stringent regulatory environment, which rather than clarifying roles and responsibilities, is in fact muddying the waters – leaving many organisations unclear and confused as to who should be protecting their data in the cloud.
This confusion is highlighted in a recent report by the Ponemon Institute, commissioned by Thales e-Security. The research, which surveyed more than 4,000 organisations globally, found that over half of all respondents said they currently transfer sensitive or confidential data to the cloud.
Overall, the cloud provider is considered most responsible for protecting this data, according to a third (33 per cent) of respondents. In fact, just 12 per cent of those surveyed felt it was the job of the cloud user to protect their own information, although this was up a promising four per cent over last year's figures.
Things start to get interesting when the report looked at responsibility based on type of cloud service. When it came to software as a service (SaaS), almost two-thirds (60 per cent) believed the SaaS providers should be responsible for protecting data, while nearly half (43 per cent) expected the users of IaaS to be responsible for securing information.
It is common for cloud users to assume that by working with a third party cloud provider, it is the responsibility of the provider to ensure that their data is both protected and compliant. The Ponemon report even reinforced this point, by saying that confidence is high among users in cloud providers' abilities to do this job. Well over half of organisations saw their provider as capable of safeguarding data, a shift from just over 40 per cent last year.
Responsibility – ignorance or neglect?
What is clear is that the growing raft of regulations and privacy laws that make organisations directly responsible for protecting regulated information in the cloud, is going unnoticed or ignored – or both.
In the UK, the Information Commissioner's Office (ICO) has the ability to levy severe financial penalties of up to half a million pounds for companies that breach the Data Protection Act. It has published guidance that also puts the onus on the companies owning the data, assigning responsibility for securing information in the cloud unequivocally to the company that owns the data – not the cloud provider on whose systems it resides.
The European Union has sanctioned both the Data Protection Directive of 1995 (46/ EC) and Internet Privacy Law of 2002 (58/EC), which cover the electronic processing and storage of personal information. Organisations are required to notify data owners if their personal data is being collected, secure data from potential abuses and only share data with the subject's consent.
Then there's the PCI DSS a worldwide information security standard every organisation must be aware of if they are to protect their credit card and customer account data from unauthorised access and abuse. To meet the PCI specification, companies must protect card data from logical or physical access, and use access controls to separate the duties between administrators and users who access credit card numbers.
For businesses, understanding how they should be compliant and meeting regulations for protecting sensitive data in the cloud is one thing, but acting on it is another, and whether down to ignorance or sheer neglect, some organisations have been severely penalised for their failings.
The keys to the door
Another interesting aspect of the Ponemon/Thales e-Security report is the question of cloud encryption and particularly key management. The research suggests that both encryption and formal key management strategies are becoming more common among cloud users. This is a promising sign, especially as in most cases where encryption is being applied, the enterprise manages its own keys.
What is a concern however, is the reported shift to key management being a shared responsibility between the cloud provider and the cloud user.
This strikes at the heart of the responsibility question. Protecting data in the cloud is all about having the correct tools in place to protect the right information. Cloud encryption and tokenisation tools are key to protecting sensitive information and will also help eliminate any additional barriers to cloud adoption. Encryption allows you to scramble sensitive information into undecipherable gibberish to protect it from unauthorised viewers.
Who holds the keys is crucial, especially with sophisticated attackers now looking to steal encryption keys, as well as trying to break the encryption itself. By retaining the keys that encrypt and decipher information, organisations can ensure that all information requests must involve the owner, even if information is stored on a third-party cloud.
With just over half of the respondents in the research admitting they do not know what their cloud provider actually does to protect their data, and less than a third saying they do, it reinforces the importance of staying in full control of your data, and taking responsibility for protecting it wherever it is.
Paige Leidig is chief marketing officer of CipherCloud