The survey reveals 95% of global companies have adopted cloud services but there is a wide gap in the level of security precautions applied in different markets.
Fifty-four percent of global organisations believe payment information is at risk in the cloud, and 49% believe customer data is at risk. Fifty-seven percent think using the cloud increases compliance risk, though this is reduced from 62% last year.
Perhaps part of the problem is revealed by the survey: companies admitted that, on average, only 40% of the data stored in the cloud is secured with encryption and key management solutions.
“While it’s good to see some countries like Germany taking the issue of cloud security seriously, there is a worrying attitude emerging elsewhere,” said Jason Hart, chief technology officer, Data Protection at Gemalto. “This may be down to nearly half believing the cloud makes it more difficult to protect data, when the opposite is true.”
Fortunately, 77% of organisations across the globe recognised the importance of being able to implement cryptologic solutions such as encryption and 91% believe this will become more important over the next two years.
Graeme Pyper, regional director, Australia and New Zealand, Gemalto, said, “The reasons why people are using the cloud have not really changed – pretty much all the decisions to go to cloud-based services are to do with reducing cost and time to delivery. However, if you are delivering something faster you have less opportunity to do your due diligence before you start consuming.”
“What jumped out for me,” Pyper says, “was 73% of Australian respondents said they were committed to protecting the information they have in the cloud. However, when you delve deeper into the numbers only half of that 73% have people and policies in place to manage the security of the information in the cloud. That’s a large number of companies using the cloud without any controls whatsoever and that concerns me.”
Pyper adds, “Thirty-five percent of Australian companies were proactive in terms of looking at security within cloud-based services. That didn't seem to be an awful lot to me. Normally the organisations I deal with have a framework for security and risk governance. Instead, the agile framework of the cloud has people going through a very assuming or tick-box exercise where they simply say ‘our cloud security is good enough’.”
Pyper emphasises this point by referring to data breaches that occurred over the last 12 months. “A lot of it is down to human error when someone hasn’t changed the default password on an account.”
“If only 35% of companies are looking at the security assessments then there’s an awful lot of applications people aren’t looking at, at all, so there is so much more to be done there,” Pyper says.
Eighty-eight percent of respondents believe the new General Data Protection Regulation will require changes in cloud governance, and 37% said it would require significant changes. Seventy-five percent of companies reported it is more complex to manage privacy and data protection regulations in the cloud than on-premises, particularly in France (97%) and the US (87%).
Worryingly, only 25% of IT and IT security practitioners said they were very confident they knew all the cloud services their business is using. This was especially pronounced in Australia (61%), Brazil (59%) and Britain (56%).
Perhaps to mitigate their concerns over not knowing all the "shadow IT" apps on their network, 81% of companies said having the ability to use strong authentication methods for cloud-based data and applications was essential or very important. This was strongest in Australia (92%) followed by India (85%) and Japan (84%).
In Australia, the big news is the imminent data breach amendment to privacy rules, and the research raises concerns. “I’m reluctant to say everybody is ready for that,” Pyper says. “I don’t think people have done enough to protect the information they’re putting in places where they have lesser control.”
“Companies really need to up their game from lip service to encryptable security, on-premises or in the cloud.”
It’s very important, Pyper says, to make sure your company follows this process:
- classify your data and determine, based on your risk appetite, what you put where;
- perform a cloud security assessment;
- implement strong authentication;
- implement encryption, no matter where your data resides; and
- manage your own encryption key yourself, on-premises.
This latter step means you can move encrypted data from one cloud provider to another without exposing it. “You’re not giving your house keys to your next-door neighbour so they can water the plants,” Pyper says.
Some companies might say they have no time to classify, or they will do it over time but have to put their application in the cloud now. “The simple answer,” Pyper states, “is if you’re going to be using the cloud or any other third party you need to ensure you’ve encrypted your data either at source or rest. Generally, if information is lying around, that’s the point where it is vulnerable.”