Making the Cloud Secure for Sensitive Data

Jonathan Camhi

The cloud offers undeniable economic benefits for IT organizations, and those benefits seem to be overwhelming any security concerns about using the cloud, according to a new study from Thales e-Security and the Ponemon Institute. The eighth annual “Global Trends in Cloud Encryption” study found that 53% of the more than 4,000 respondents from eight countries and more than a dozen industry verticals are currently sending sensitive data to the cloud. But a third (36%) of the respondents sending sensitive data to the cloud admitted that doing so had a negative impact on their security posture.

One of the reasons those respondents may be right is that most of the sensitive data these organizations store in the cloud is unencrypted. More than half of the organizations in the study that send sensitive data to the cloud said that their data is completely readable. Broken down by service model, 59% of the organizations using the cloud for infrastructure-as-a-service and platform-as-a-service, and 45% of those using it for software-as-a-service, said their data in the cloud was unencrypted.

So why is so much data going to the cloud being stored without encryption? Much of that could be caused by a lack of understanding about what security in the cloud actually means, says Richard Moulds, VP of product marketing and strategy at Thales e-Security. Many companies using the cloud don’t know much about the security measures their provider has in place. Only a third of the respondents in the study said they know what steps their provider is taking to secure their sensitive data.

This problem of opaqueness could be more acute in banking, Moulds added. “Banks don’t like to talk about their security, and neither do cloud providers. They don’t want to give up their security secrets,” he explained.

Beyond being unwilling to talk openly about security measures, it’s also difficult for cloud providers to explain their security measures to other organizations, Moulds said. “With SaaS there are so many moving parts in terms of security; there’s a lot of baggage with the platform that the cloud provider uses and the employees working for the provider. So quantifying the security posture of a cloud provider is difficult,” he noted.

Cloud providers also face completely different threats from those banks have to deal with, because providers are multi-tenant, according to Moulds. “The bank security professionals know how to secure their infrastructure against the threats they face, but they don’t know about securing a cloud environment,” Moulds shared. “It’s like, I know how to secure my own house, but if someone asked me to secure a battleship or a space station, I’d be completely lost.”

Many of the larger banks that are currently building their own private clouds will eventually acquire more of the knowledge and expertise needed to understand the security situation of a cloud provider, Moulds noted.

Another issue facing organizations that send unencrypted data to the cloud is a lack of centralized management for encryption keys, Moulds said. “Some of these organizations have millions of keys, and if you lose one then key retrieval and provisioning can be a real problem area. Then if you think about encryption in the cloud, it becomes even more complicated because you have to share those keys with different cloud providers,” he remarked.

New standards are being developed, though, that could help in this area, such as the OASIS Key Management Interoperability Protocol (KMIP), which will allow keys to be managed in a centralized location outside of the systems they are used in. This will help organizations break down key management silos, Moulds suggested.