A report looks at the perceptions and actions of IT professionals regarding cloud data security and cloud data protection measures: an overview.
Close to all organizations have adopted cloud computing and cloud services. Moreover, the cloud is increasingly embraced for critical workloads and important data.
On average, only two-fifths (40%) of the data stored in the cloud is secured with encryption and key management solutions (Gemalto and Ponemon Institute survey PR)
Although concerns regarding security are still regularly mentioned, the benefits of the cloud outweigh the concerns, and many perceptions do not correspond with the reality of cloud security.
The benefits of the cloud are well known, as is its importance in many evolutions. No cloud, no digital transformation. No cloud, no IoT. No cloud, no Industry 4.0. No cloud, no business agility, marketing automation, collaboration tools and other SaaS applications, no cloud data storage; we could go on, as the list is indeed long.
Obviously the adoption of cloud services requires the necessary security precautions, including on the cloud data security level. Cloud providers have a task; cloud users, in the scope of our article mainly data processors and data controllers, have a task too.
As more sensitive and important data are stored in the cloud, the perceived risks regarding all these data increase. Needless to say, this is key from various perspectives, not least regulatory compliance, as there is, among others, a pretty massive piece of personal data protection legislation around the corner: the General Data Protection Regulation (GDPR) indeed. And when cloud data security perceptions change, among others due to concerns that the cloud will make compliance hard, there is of course an issue.
The importance of cloud data security and security in the cloud regarding sensitive data
GDPR compliance by definition also means that all appropriate safeguards are in place to protect personal data, cloud or no cloud.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate the pseudonymisation and encryption of personal data (GDPR Article 32)
Obviously, there are other types of sensitive data which need solid cloud data security and protection as well and which in several cases are (or will need to be) covered by regulatory requirements. Moreover, no one wants a data breach when important data are concerned.
So, when it boils down to cloud data security one might expect that confidential or sensitive information is highly secured.
And, with the GDPR around the corner, one would also expect that explicitly recommended security measures such as data encryption (and even ways to demonstrate compliance, for instance pseudonymization) get more attention and are properly done in cloud data security, for example by using multi-factor authentication, good encryption key management etc.
One would also expect that recommended practices for sensitive personal data processing, such as Data Protection Impact Assessments and so forth, are being used where needed.
However, it seems that neither cloud data security overall nor techniques such as encryption and tokenization are what they should be, from the user (data controller and processor) perspective in the scope of this article.
And this while most organizations think that using the cloud increases compliance and data protection risks. The question: do they use the proper techniques and the right measures regarding them?
Cloud data security perceptions and debates in the scope of the GDPR
As per usual when new regulations or important laws relating to data are coming, discussions about security in the cloud pop up, mainly perceptions, fears and discussions regarding who is responsible for what.
77% of organizations recognize the importance of having the ability to implement cryptologic solutions, such as encryption. This is only set to increase, with 91% believing this ability will become more important over the next 2 years
It’s inevitable, despite, among others, a more than healthy growth in cloud security solutions and an increasing focus on endpoint protection with security solutions IN the cloud, as offered by players such as Zscaler, Forcepoint, Cisco and more.
While the traditional perimeter is gone, it’s not as if there is no perimeter at all: the perimeter is simply ubiquitous, and security is a holistic given which includes the cloud and the various possible endpoints too (think about edge computing as well, in the earlier mentioned scope of IoT and Industry 4.0).
Not all cloud computing providers, applications, environments and goals are the same of course. This is also the case within specific applications such as cloud data storage. And not all have the same approaches and techniques with regards to encryption and so forth either.
Back to cloud data security and the protection of data in the cloud (which obviously does not mean cloud data storage solutions alone), with a focus on the protection of personal data and on the perceptions, views and actions of data controllers and data processors. There is a link to the GDPR, with its many data subject rights that need to be enabled and data processing principles that need to be taken into account: the appropriate security and data protection measures include the cloud, and encryption is one way to balance data subject related risks with proper measures, indeed in the cloud as well.
Cloud data security and prioritization
Obviously being compliant, in the cloud, outside of the cloud and during movement from and to the cloud or between different clouds, and cloud data security in general also mean that measures need to be taken by organizations to ensure both compliance and security in an end-to-end way. Especially when it concerns critical corporate data, overall sensitive data and personal data.
And aren’t close to all data in today’s business sensitive, in the sense of important, valuable and worth protecting nowadays? Data generated and enriched by cloud applications and analysis in the scope of IoT. Customer data. Email data. Employee records. You name it. Yet, one needs to prioritize of course, in the scope of the GDPR where it is simply mandatory, and in general. Measures such as encryption (which comes in many flavors) aren’t always possible or needed either.
Putting the proper cloud data security in place starts with realizing the importance of data and which data are more sensitive than others; in the context of the GDPR: which personal data and processing activities could pose the highest risks from the data subject perspective.
Whether it concerns personal data protection, IoT data security or other types of data, including sensitive corporate data, it seems that some additional attention for all this might still be needed though.
Cloud data security and protection in numbers, facts and perceptions
Enter another big security player: Gemalto. Born in The Netherlands, very active in IoT security and also active in, among others, cloud data security with secure cryptographic keys in the cloud, encryption for sensitive data in the cloud and, on top of key management and encryption, HSM on demand.
On January 16, 2018, Gemalto announced the results of a study it conducted with Ponemon Institute. The major topics: the state of cloud security across the globe, cloud security perceptions and, in the scope of cloud data security, special attention for sensitive data, personal data and encryption, with a few references to the GDPR as well.
We start with some more general findings from the report. When it boils down to the importance of cloud computing, 79 percent of surveyed IT and IT security professionals state that cloud applications and platforms are important or very important to business operations. Within two years, it is expected, this will be the case for 87 percent.
Over one third, 39 percent to be precise, estimate that cloud resources meet their organizations’ total IT and data processing needs, a number that should increase to a little over half in two years (51 percent).
Then come the results regarding the protection and sharing of confidential or sensitive information in the cloud with two data points:
- A third (33 percent) of respondents are unsure or don’t agree regarding the statement that their organization is committed to protecting confidential or sensitive information in the cloud.
- Over half (57 percent) of respondents do not believe that their organization is careful about sharing confidential or sensitive information in the cloud with third parties.
These are strictly speaking two different issues from a compliance perspective where personal data and sensitive personal data would be included. Obviously there is also a difference between confidential or sensitive information on one hand and confidential personal or sensitive personal data on the other.
Still, while the first part touches more upon those data protection measures regarding data in the cloud, such as encryption (and of course non-technical measures), the second part touches upon the practices regarding sharing with third parties.
Only 25% of IT and IT security practitioners are very confident they know all the cloud services their business is using (Gemalto and Ponemon Institute survey PR)
The latter, from a personal data perspective at least, is one of the major concerns of organizations in the context of the GDPR and includes the challenges with regards to shadow IT and the usage of file sharing and data storage cloud tools, which could be used by workers for personal data as well (often unknowingly or without any intent to ‘do wrong’) but with, as a de facto consequence, non-compliance with the GDPR. It is clear that, as far as such cloud tools are used, policies and limits need to be in place, and education on how to deal with personal data in any GDPR awareness program must include file sharing.
What IT and IT security professionals report, think and feel regarding cloud data protection
Shadow IT is also mentioned in the research. A not so surprising but still pretty risky fact in the scope of any data protection policies and rules, as well as potential data breaches and other reasons for administrative fines under the GDPR where personal data is concerned: the majority of corporate data stored in a cloud environment is not managed or controlled by the IT department.
More precisely: 43 percent of all corporate data is stored in the cloud, a quite significant increase in comparison with previous years. Of that 43 percent stored in the cloud, 53 percent sits in some cloud environment that isn’t managed or controlled by IT. This does not by definition mean that all the latter data pose a risk of course (especially as information management folks are involved more and more), but knowing that the party mainly responsible for security and compliance, according to other research at least, still is IT, and that compliance all too often is far from an enterprise-wide effort including the stakeholders and the realities of the usage of cloud apps, you can guess what we’re talking about.
Due to the perceived risk that using the cloud makes organizations more likely to fall foul of privacy and data protection regulations, 88% believe that the General Data Protection Regulation will require changes in cloud governance, with 37% stating it would require significant changes (Gemalto and Ponemon Institute survey PR)
It certainly doesn’t come as a surprise that, also according to the survey, 43 percent of respondents aren’t confident that IT knows all cloud computing services in use. And of course there is de facto also a share of sensitive data, personal data, sensitive personal data and so forth sitting in cloud services where it shouldn’t sit at all.
If we would want to know how much personal data is at risk or in breach with GDPR compliance rules, we’d of course at least have to know how much of the mentioned data is personal, how much of that personal data concerns EU citizens, what types of data we talk about, under which legal basis for lawful processing they are processed, whether processing is done following the principles of personal data processing under the GDPR and far more.
However, that is not the scope of the survey, which on top is international, and would be pretty hard to do in a survey to begin with.
Yet, what the survey did find is that the types of corporate data stored in the cloud which are perceived as most at risk according to respondents are:
- Payment information (54 percent of respondents)
- Customer information (49 percent)
- Consumer data (39 percent)
- Email (37 percent)
- Employee records (37 percent).
Again, we need to emphasize that this does not by definition mean that they are at risk; it’s a perceived risk.
Global differences in perceived risks of cloud from a privacy and data protection regulation viewpoint
Talking about perceptions: 57 percent of global respondents believe that the usage of the cloud makes them more likely to fall foul of privacy and data protection regulations. That’s less than in a previous edition but still over half of respondents.
Bringing the GDPR back in, a whopping 88 percent believe that the new Regulation requires changes in cloud governance as a consequence of this perceived risk. 75 percent of respondents overall also stated that it is more complex to manage privacy and data protection regulations in a cloud environment, which of course needs the proper attention of cloud providers, IT and so forth (on top of disagreements on who is responsible for cloud data protection: provider, controller/processor or shared; do think liability). It’s one of many reasons why (public) cloud providers such as Microsoft stated their cloud services will be ready for GDPR.
The survey as said was conducted across several countries and also wanted to see how far various countries (and companies) are in taking cloud data security measures, including the more technical ones such as encryption, multi-factor authentication to ensure secure access to data in the cloud and non-technical ones such as third party sharing practices.
Germany by far is ahead of all others – and German respondents overall also feel more confident. As the press release states: German businesses are almost twice as likely to secure confidential or sensitive information in the cloud (61%) than British (35%), Brazilian (34%) and Japanese (31%) organizations.
Cloud data security, encryption and tokenization
A last word on those cloud data security measures. Virtually all respondents seemed to agree that the ability to encrypt data will become more important over the next two years with 77 percent overall saying it is already important now.
On average, responding organizations have 9 key management systems or encryption platforms.
However, only 47 percent use encryption to secure sensitive data in the cloud, and companies put their encrypted data at risk by not centrally securing and storing the encryption keys.
Jason Hart, CTO, Data Protection at Gemalto, comments: “While it’s good to see some countries like Germany taking the issue of cloud security seriously, there is a worrying attitude emerging elsewhere…This may be down to nearly half believing the cloud makes it more difficult to protect data, when the opposite is true…No matter where data is, the appropriate controls like encryption and tokenization need to be placed at the source of the data.”
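The two measures the survey figures and the quote above keep returning to, encryption with centrally secured keys and tokenization at the source of the data, in one added Go example. This is not Gemalto's, Ponemon's or the page's own code: it shows envelope encryption, where each record gets its own data encryption key (DEK) that is wrapped under a key encryption key (KEK) which would live in a key manager or HSM rather than next to the data, and keyed HMAC tokenization for a field such as a card number. The KEK, the tokenization key and the sample record are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredRecord is what lands in the cloud store: ciphertext plus the DEK wrapped
// under a KEK that stays in the central key manager and is never stored next to the data.
type StoredRecord struct {
	Ciphertext []byte // nonce || AES-256-GCM ciphertext under the per-record DEK
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prefixing a fresh random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// EncryptRecord makes a fresh DEK per record, encrypts with it and wraps the DEK under the KEK.
func EncryptRecord(kek, plaintext []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord needs the KEK to unwrap the DEK; a leaked copy of the record alone is useless.
func DecryptRecord(kek []byte, rec StoredRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// Tokenize replaces a sensitive value (a card number, say) with a keyed HMAC-SHA256 token at the
// source. It is deterministic so systems can still join on it, but without the key it cannot be reversed.
func Tokenize(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in practice held by a KMS or HSM
	rand.Read(kek)
	rec, _ := EncryptRecord(kek, []byte(`{"customer":"c-1001"}`)) // constructed record
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("round trip: %s err=%v\n", pt, err)
	_, err = DecryptRecord(make([]byte, 32), rec) // wrong KEK: authentication fails
	fmt.Println("wrong KEK:", err)
	fmt.Println("token:", Tokenize([]byte("constructed-token-key"), "4111111111111111")[:16])
}
```

The design point is the separation: the bucket or database holds ciphertext and wrapped keys only, so losing a copy of the store does not expose data unless the KEK is also lost, and rotating the KEK means re-wrapping small DEKs rather than re-encrypting every record. A real tokenization service would also keep a restricted vault mapping tokens back to values; the HMAC here is the irreversible part that can safely flow to analytics and third parties.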
Top image: Shutterstock – Copyright: Natali_ Mis – All other images are the property of their respective mentioned owners.