About half of the information technology and security professionals asked whether they use external cloud-based services for sensitive or confidential data said they did, but their approaches to encrypting data in the cloud vary widely, according to the findings of a survey published yesterday.
The “Encryption in the Cloud” survey, conducted by the Ponemon Institute, sought the opinions of more than 4,000 IT professionals in seven countries, including the U.S. About 38% of the respondents said their organisations rely on encryption of data as it’s transferred, typically over the Internet, to the cloud.
Another 35% said their organisations encrypt data before it’s transmitted to the cloud provider so that it remains encrypted within the cloud. The remaining 27% answered that their organisations perform encryption within the cloud environment, with 16% of those selectively encrypting at the application layer, and 11% letting the cloud provider encrypt stored data as a service.
The survey, sponsored by Thales e-Security, included the U.S., United Kingdom, Germany, France, Australia, Japan and Brazil.
On the question of who manages encryption keys when sensitive or confidential data is transferred to the cloud, 36% of the survey respondents say their organisation is responsible for managing the keys, while 22% say the cloud provider is the one most responsible for encryption key management. Another 22% say an independent third party in the role of a service provider is most responsible for the key management.
“Even in cases where encryption is performed outside the cloud, more than half of respondents hand over the keys,” the survey report says.
The transfer of sensitive or confidential data to cloud environments seems to be a growing trend, according to the survey, with another one-third of the survey’s respondents saying they, too, are likely to transfer sensitive or confidential data to the cloud over the next two years.
One finding in the survey stands in surprising contrast to commonly accepted notions of cloud services and security. “Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture,” the survey report states.
“In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security-aware organisations are the more skeptical of cloud security and that it is the less security-aware organisations that are willing to overlook a perceived lack of security,” it adds.