As organizations increasingly turn to the cloud to store data, a new global study from Thales, with research from the Ponemon Institute, has revealed that only a third (32%) of organizations employ a security-first approach to data storage in the cloud.
To compile its 2019 Thales Global Cloud Security Study, the firm surveyed more than 3,000 IT and IT security practitioners from Australia, Brazil, France, Germany, India, Japan, the UK and the US. Of those surveyed, only one in three (31%) organizations believe that protecting data in the cloud is their own responsibility.
Thales’ study found that nearly half (48%) of organizations have a multi-cloud strategy with AWS, Microsoft Azure and IBM being the top three cloud providers. On average, organizations use three different cloud computing service providers and 28 percent are using four or more.
Despite storing sensitive data in the cloud, almost half (46%) of respondents revealed that storing consumer data in the cloud makes them more of a security risk with 56 percent noting that it poses a compliance risk as well. Additionally, organizations believe that cloud service providers bear the most responsibility for sensitive data in the cloud (35%), ahead of shared responsibility (33%) and themselves (31%).
Although businesses are pushing the responsibility of securing data in the cloud onto cloud providers, only 23 percent of respondents said security is a factor when choosing a cloud service.
Lack of encryption
Thales discovered that a little over half (51%) of businesses and other organizations still do not use encryption to protect sensitive data in the cloud. However, the study uncovered regional disparities in terms of data security with German organizations being the most advanced in their use of encryption at 66 percent.
The study also revealed that organizations have begun to hand over the keys to their encrypted data to cloud providers. Nearly half of cloud companies (44%) provide encryption keys when data is stored in the cloud, ahead of in-house teams (36%) and third parties (19%). Additionally, 53 percent of cloud providers are controlling these encryption keys themselves despite the fact that 78 percent of respondents say it is important that their organization retains control of the keys.
Of those surveyed, 54 percent think cloud storage makes it more difficult to protect sensitive data and this figure is up from 49% last year.
Vice president of market strategy for cloud protection and licensing activity at Thales, Tina Stewart provided further insight on the study’s findings, saying:
“This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security. Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process. It doesn’t matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organisation’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”