Study finds data moving to cloud, encrypted or not

Summary: A study for Thales e-Security by the Ponemon Institute shows that organizations, particularly those with strong security postures, are moving data to the cloud, but much of that data is unencrypted at rest.

TOPICS: Security

Enterprise cloud adoption is moving faster than enterprise cloud security, according to the third annual Trends in Cloud Encryption Study from the Ponemon Institute, sponsored by Thales e-Security.

A majority of survey respondents are transferring sensitive or confidential data to the cloud; only 11% say they are not and have no plans to do so. While some may view the cloud as a potential security risk, organizations in the survey with a stronger security posture were more likely to transfer sensitive or confidential data to the cloud environment.

Depending on the form of cloud service — SaaS or IaaS generally — respondents see the responsibility for protecting data in the cloud, either in use or at rest, as being with different parties. An IaaS or PaaS server is largely the responsibility of the subscriber, and only 22 percent of respondents saw it as the sole responsibility of the provider. SaaS, on the other hand, was seen as a shared responsibility by only 19 percent.

Data at rest in the cloud is likely not to be encrypted, but many say they are encrypting data using tools provided either by the subscriber organization or the provider. The nature of the service greatly affects how one would apply such encryption. With simple cloud storage one might be able to encrypt the data before it is transmitted, but any service that needs to access the data will need to be able to decrypt it. With a service like Salesforce, encryption of data at rest can only be provided by the service.


Even with strong encryption applied at a cloud server, bugs like Heartbleed show that keys may be accessible. The ideal solution is an HSM (Hardware Security Module), a device that performs the encryption internally and never exposes the keys to the general computing environment. Thales provides such HSMs, which integrate with Microsoft's RMS (Rights Management Service) in the Azure cloud.

The full survey goes into far more detail on many issues. For the study, Ponemon surveyed 4,275 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan, Brazil and Russia.

1 comment
  • Encryption within SaaS

    First of all, thanks for spotting the study and quickly summarizing it.
    I just wanted to follow up shortly on your view regarding encryption in the SaaS environments, specifically encryption at rest. Based on an ongoing initiative we found solutions that separated the security from the SaaS vendor and further allowed to encrypt data at rest as well as integrate these solutions into HSMs and DLP solutions.
    Gartner calls this category "Cloud Encryption Gateway" which is a part of their idea of a future Cloud Security Broker.
    My question would be, have you come around those solutions already and further could get a more detailed view of them?