A majority of survey respondents are transferring sensitive or confidential data to the cloud; only 11 percent say they are not and have no plans to do so. While some may view the cloud as a potential security risk, organizations in the survey with a stronger security posture were more likely to transfer sensitive or confidential data to the cloud environment.
Respondents assign responsibility for protecting data in the cloud, whether in use or at rest, to different parties depending on the form of cloud service, generally SaaS or IaaS. An IaaS or PaaS server is largely the responsibility of the subscriber, and only 22 percent of respondents saw it as the sole responsibility of the provider. SaaS, on the other hand, was seen as a shared responsibility by only 19 percent.
Data at rest in the cloud is likely not to be encrypted, but many say they are encrypting data using tools provided either by the subscriber organization or the provider. The nature of the service greatly affects how one would apply such encryption. With simple cloud storage one might be able to encrypt the data before it is transmitted, but any service that needs to access the data will need to be able to decrypt it. With a service like Salesforce, encryption of data at rest can only be provided by the service.
Even with strong encryption applied at a cloud server, bugs like Heartbleed show that keys may be accessible. The ideal solution is an HSM (Hardware Security Module), a device which performs the encryption internally and which never exposes the keys to the general computing environment. Thales provides such HSMs which integrate with Microsoft's RMS (Rights Management Service) in the Azure cloud.
The full survey goes into far more detail on many issues. For the study, Ponemon surveyed 4,275 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan, Brazil and Russia.