Report: Responsibility for Cloud Security Depends on Type of Service

Who is responsible for protecting sensitive or confidential data transferred to the cloud -- the provider or the consumer?

According to a recent survey of 4,275 business and IT managers around the globe, the answer to that question depends on the type of service, be it Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS).

"In a SaaS environment, more than half view the cloud provider as being primarily responsible for security and less than a quarter view cloud consumers as being primarily responsible," states the third annual Trends in Cloud Encryption Study. "Only 19 percent see this as a shared responsibility.

"In contrast, nearly half of users of IaaS/PaaS environments for sensitive data view security as a shared responsibility between the user and provider of cloud services. Only 22 percent see this as the sole responsibility of the cloud provider."

The report was commissioned by Thales e-Security and conducted independently by Ponemon Institute LLC, which surveyed companies in the United States, United Kingdom, Germany, France, Australia, Japan, Brazil and Russia.

The research indicated slow growth in the number of organizations transferring sensitive data to cloud providers -- 53 percent in 2013 as opposed to 49 percent in 2011 -- and in those planning to do so in the next couple of years -- 36 percent compared to 33 percent in 2011. Only 11 percent of respondents do not plan on using any cloud services in the next couple of years, down from 19 percent in 2011.

Three-year trend analysis also shows some growth in the percentage of respondents who know the steps taken by cloud service providers to protect their data. Consolidated results show 35 percent of respondents claimed to know this information, compared to 33 percent in 2012 and 29 percent in 2011.

Meanwhile, fewer respondents believe the cloud has decreased their security posture, with 34 percent answering in the affirmative compared with 35 percent in 2012 and 39 percent in 2011.

Other questions answered in the report, free for download with registration, include:

• Do organizations have the ability to safeguard sensitive or confidential data before or after it is transferred to the cloud?
• Do respondents believe their cloud providers have the ability to safeguard sensitive or confidential data within the cloud?
• Where is encryption applied to protect data that is transferred to the cloud?
• Who manages encryption keys when sensitive and confidential data is transferred to the cloud?

"In our research we consider how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers," the report's executive summary stated. "We believe these findings are important because they demonstrate the relationship between encryption and the preservation of a strong security posture in the cloud environment. As shown in this research, organizations with a relatively strong security posture are more likely to transfer sensitive or confidential information to the cloud. In addition, they are more likely to encrypt data at rest in the cloud ecosystem."

Posted by David Ramel on 05/14/2014 at 9:44 AM