Security concerns still surround the Cloud

Though all eyes are on the unveiling of the Grow America Act by the Department of Transportation this week – the Obama Administration’s stab at laying out a four-year, $302 billion surface transportation reauthorization bill – there’s a lot going on in the digital world right now that may affect trucking just as much as the debate over how to raise the monies needed to build and repair roadways and bridges across the U.S.

The biggest “digital” issue in this regard revolves around a growing reluctance by companies across a wide range of industries to make the leap to so-called “Cloud” computing – generally regarded as the next important step in making information technology (IT) work faster, cheaper and more efficiently.

Yet a new report by IT security firm Bitglass finds that a majority of companies are delaying deployment of cloud applications due to security and compliance concerns.

“We wanted to separate hype from reality with regard to cloud adoption in the enterprise [and] we found that while more strategic, company-wide adoption of the cloud is starting to take hold, there are still basic security mechanisms that have not been put into place,” noted Nat Kausik, CEO of Bitglass. “As new technologies to secure cloud apps gain footing, we expect accelerated adoption to occur, especially among larger companies and those in regulated industries.”

Using real world and survey data aggregated by Bitglass’ data analytics team, the firm’s inaugural Cloud Adoption Report sampled 81,253 companies across a range of industries and varying sizes.

Bitglass found that private companies are more likely to have adopted cloud-based email than public companies, with Gmail adopted by 16.5% of private companies sampled compared to 11.9% among all companies sampled.

“Since public companies are generally larger and older, they are more likely to have history and substantial ties to Microsoft,” Kausik added. “We believe that the lower rate of cloud adoption among public companies is due to additional regulatory and reporting burdens that private companies do not face. Given the compliance and audit capabilities lacking in most cloud apps, we expect third-party security technology will be required to help close this gap.”

Yet the leading reason both large-sized companies (more than 1,000 employees) and small to medium-sized companies (under 1,000 employees) are not moving to the cloud is security concerns, according to ChangeWave Research.

More than half of large-sized companies (52%) and approximately one-third of small to medium-sized companies (33%) cite security as their primary concern. In addition, the percentage of companies concerned about security is increasing, not decreasing, for while 25% of companies expressed concern in October 2011, this figure increased to 42% in July 2013.

“Because larger companies have more established IT processes, they generally have a higher amount of paranoia with respect to cloud security issues. However, they also have the largest economic gains to be had from moving to cloud,” Bitglass’ Kausik pointed out.

As a result, his firm recommends companies take a strategic approach to cloud and suggests five security areas that must be addressed before moving to the cloud:

  • Identity & Single Sign-On – Companies must use a single sign-on (SSO) service, which authenticates employees via existing identity management infrastructure while adding convenience for employees by no longer requiring them to remember passwords.
  • Visibility – Visibility should be comprehensive, providing insight into all user activity across all cloud apps in an organization. Regulatory compliance requires detailed audit logs, including user information, location, IP [internet protocol] address, type of device, application accessed and any other available parameters.
  • Cloud Data Security – Data leakage prevention technology enables dynamic redaction of sensitive data, ensuring compliance and data confidentiality. Data tracking technologies allow sensitive data to be downloaded, but maintain visibility of the data anywhere it goes. These measures protect against cloud vendor data breaches.
  • Encryption – Regulated industries require that data be encrypted prior to upload to the cloud, and decrypted upon download prior to viewing.
  • Access Control – Companies need to invest in solutions that provide the ability to restrict suspicious behaviors and activities via rich, contextual access controls that allow the enterprise to decide who gets access to what, and under which conditions.

Those are the kinds of efforts that can help remove what cybersecurity firm Thales dubs the “scare factor” for businesses regarding Cloud computing.

According to its updated Encryption in the Cloud study, more and more organizations are transferring sensitive or confidential information to public cloud services even though more than a third are expecting a negative impact on security posture.

In response, the use of encryption is increasing, but more than half of respondents still admit their sensitive data goes unprotected when it is stored in the cloud, despite data security topping the global news agenda.

The independent global study of more than 4,000 organizations conducted by Thales and the Ponemon Institute reveals differing opinions over who is responsible for security in the cloud (the cloud provider or the cloud consumer) and over how best to protect the sensitive data that is sent there.

“Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud,” noted Larry Ponemon, chairman and founder of the Ponemon Institute.

“It is perhaps a sign of confidence that organizations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data and it is encouraging to find that significantly fewer respondents believe that use of the cloud is weakening their security posture,” he added.

“However there are still concerns that many organizations continue to believe that their cloud providers are solely responsible for protecting their sensitive data even though the majority of respondents claim not to know what specific security measures their cloud provider is taking,” Ponemon stressed.

“Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, and yet more than half of respondents report that sensitive data in the cloud goes unprotected,” added Richard Moulds, vice president strategy for Thales e-Security.

“Those that are using encryption have adopted a variety of deployment strategies but once again a universal pain point is key management,” he added. “Very often, the way that keys are managed makes all the difference with poor implementations dramatically reducing effectiveness and driving up costs. Key management is a critical control issue for respondents, who are increasingly focused on retaining ownership of keys as a way to control access to data. Deployed correctly encryption can help organizations to migrate sensitive data and high risk applications to the cloud, allowing them to safely unlock the full potential for economic benefit the cloud can deliver.”

Here are some other findings from the report crafted by Thales and the Ponemon Institute:

  • Cloud security is here to stay: The use of the cloud for processing and storing sensitive data seems inevitable. More than half of all respondents say their organization already transfers sensitive or confidential data to the cloud and only 11% say that their organization has no plans to use the cloud for sensitive operations, down from 19% only two years ago.
  • Cloud confidence is on the up, but at what cost? Although nearly half of respondents believe that their use of the cloud has had no impact on their overall security posture, those that believe it has had a negative effect (34%) on their security posture outnumbered those that experienced a positive effect (17%) by a factor of two to one.
  • Where does the security buck stop? The perceived responsibility for protecting sensitive data in the cloud is very dependent on the type of cloud service in question. In software-as-a-service (SaaS) environments more than half of respondents see the cloud provider as being primarily responsible for security. In contrast, nearly half of infrastructure-as-a-service/platform-as-a-service (IaaS/PaaS) users view security as a shared responsibility between the user and cloud provider.
  • Visibility improves but gaps remain: The good news is that visibility into the security practices of cloud providers is increasing with 35% of respondents considering themselves knowledgeable about the security practices of their cloud providers compared with 29% only two years ago. But, half of SaaS users still claim to have no knowledge of what steps their providers are taking to secure their sensitive data.
  • Encryption usage increases but data still exposed: The use of encryption to protect sensitive or confidential data stored in the cloud (data at rest) appears to be increasing. For SaaS users we see an increase from 32% in 2011 to 39% in 2013, and IaaS/PaaS users report an increase from 17% to 26% over the same period. Still, more than half of respondents report that their sensitive data is in the clear and therefore readable when stored in the cloud.
  • Treading a line between trust and control: There is currently an almost equal division in terms of how stored data is encrypted while in the cloud, with over half of those respondents that encrypt stored data applying encryption directly within the cloud itself, while just over 40% elect to encrypt the data before it is sent to the cloud.
  • Who holds the key? When it comes to key management there is a clear recognition of the importance of retaining ownership of encryption keys with 34% of respondents reporting that their own organization is in control of encryption keys when data is encrypted in the cloud. Only 18% of respondents report that the cloud provider has full control over keys.
  • Standards enable trust in a shared environment: The need to share keys between organizations and the cloud highlights the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where 54% of respondents identify cloud based applications and storage encryption as the area to be most impacted by the adoption of the KMIP standard.

Only one thing is for certain – the need to digitally move more and more data within the freight industry is only going to keep increasing, so it’s best to start thinking now about how to improve data encryption and overall security methods.

What's Trucks at Work?

Trucks at Work: Sean Kilcarr comments on trends affecting the many different strata of the trucking industry.
