Almost two-thirds of businesses that transfer sensitive or confidential data to the cloud believe the provider is responsible for protecting that data.

According to a global study of 4,000 business and IT managers conducted by the Ponemon Institute and commissioned by Thales, 64 per cent believe that their cloud provider has primary responsibility for protecting that data.

It also found that among those companies that encrypt data inside the cloud, nearly 74 per cent believe the cloud provider is most responsible for protecting that data, while only 34 per cent of organisations that encrypt data inside their organisation prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.

Regarding who manages the encryption keys when the data is transferred to the cloud, 36 per cent said that their organisation has primary responsibility for managing the keys, while 22 per cent said the cloud provider has primary responsibility for encryption key management. Another 22 per cent said that a third party is most responsible for managing the keys.

Even in cases where encryption is performed inside the enterprise, more than half of respondents hand over control of the keys to the cloud provider.

Richard Moulds, vice president of strategy at Thales e-Security, told SC Magazine that the main message from the research was that it does matter where the encryption is done and who controls the keys.

He said: “Staying in control of sensitive or confidential data is paramount for most companies today. For any organisation that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data.

“However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralised and automated key management, integrated with existing IT business processes, is a necessity. Even if you allow your data to be encrypted in the cloud, it's important to know you can still keep control of your keys. If you control the keys, you control the data.”

In terms of where data encryption is applied, the survey found that 38 per cent of respondents rely on encryption of data as it is transferred over the network (typically the internet) between the organisation and the cloud, while 35 per cent said the organisation applies persistent encryption data before it is transferred to the cloud provider. Only 27 per cent said they rely on encryption that is applied within the cloud environment.

Larry Ponemon, chairman and founder of the Ponemon Institute, said: “What is perhaps most surprising is that nearly two-thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”