Enterprise Cloud Encryption is a Shared Responsibility

Posted by AdamChriss on July 15th, 2014

According to a study conducted to the Ponemon Institute, around half the enterprises surveyed utilize cloud services to transfer sensitive information, and the confidence levels in the security of cloud service and storage providers has been steadily increasing. Despite increasing confidence levels, it’s important to question protection levels in the cloud.

Ponemon also conducted a survey that encompassed 4000+ information technology managers in several countries, including the US, the UK, Germany, France, Australia, Japan, Brazil, and Russia, asking questions regarding cloud services and cloud encryption procedures when dealing with client information. Questions regarding how companies encrypted data in the cloud - before of after pushing data to the cloud. Ponemon also noticed patterns off the past 3 years in conducting the survey. These trends included that companies trust the cloud with their confidential information more nowadays, likely in tandem with cloud security education also more prevalent. Furthermore, larger companies now have “a stronger security posture”, according to Ponemon, meaning that the likelihood of them using cloud services is greater. It’s interesting to note that enterprises in Germany were more trusting with the cloud over organizations in Russia. In addition, the type of service involved in cloud services plays a large role in data security. For example, in software as a service environments, more than 50% of respondents thought that the cloud provider held responsible for security. However, as for with IaaS or PaaS, about 50% of the respondents replied hinting that security of data is considered as a responsibility on the client and provider.

It was also interesting to see how survey participants felt about encryption key control. According to the study, for encryption and data at rest in the cloud, 34% were under the impression that they themselves possessed control of encryption keys. Then onwards, the largest section thought it to be in dual control of their enterprise and the cloud provider, at 28%.

Also important is to verify the quality of cloud encryption standards. According to security analyst Brian Hogan, “In many ways the key to effective cloud encryption is not just in the use of good encryption algorithms but also in implementation and management of the overall encryption infrastructure and that you as the customer has sole control on that”. “It is important to remember that not all cloud providers may be able to offer encryption, or indeed support third party encryption tools, with their product or service, “says Honan. This is supported by Alphapoint Associates analyst Lars Muller who states, “Its important that enterprises take control of their security by maintaining encryption on their hands, and be responsible for their own fate – and not pin it on the back of the cloud service providers’.”

In summary, if an organization is focused on customer data privacy and security, and wants to leverage the flexibility of the cloud, one should search for a cloud encryption solution that provides direct control of keys. Just as client’s sensitive and highly confidential is a highly defended asset, its important to keep the cloud encryption keys under one’s borders as well. Therefore, cloud encryption key access should be maintained under one’s control, not in the hands of one’s CSP.

Author :

Adam Chriss, a proud contributing author and a freelance writer with interests in various subjects and writes articles on several subjects including Cloud Technology, Cloud Security, Cloud Data Security, Cloud Encryptiondat etc,.