More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA).
35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.
“Forcing cloud app vendors to comply with government or law enforcement access requests to data has provided a real mixed bag of responses, with everything to no way, to help yourself, and even to I don’t care. This really makes no sense because surely with so much debate about the challenges facing law enforcement, to the privacy considerations that have dominated the press we would have expected at least some common consensus. This of course creates a challenge for app vendors, because it will not be possible to create models to suit all opinions. It therefore demands some form of open debate on the best approach to take in terms of addressing this most challenging issue,” Raj Samani, CTO EMEA at Intel Security, told Help Net Security.
Cloud visibility is lacking
Government intervention aside, many organizations have experienced cloud security incidents, though these aren’t the widespread breaches many anticipated – the majority of incidents stem from inappropriate use of the cloud, led by unwanted external sharing and access from unmanaged devices.
Cloud visibility is lacking – less than half (49 percent) of organizations know even the basics, such as where and when sensitive data is being downloaded from the cloud.
“The fact that 42% either prohibit cloud apps or are doing nothing is disturbing when it comes to cloud apps being compromised,” says Yoran Sirkis, CEO of Covertix. “You cannot forbid cloud activities forever, and those doing nothing are about to get burned very severely. Security is becoming an ever-increasing focus of overall corporate budgets, and the CEO, CIO, and CSO need to take advantage of the trend, sitting down to create a workable strategy to present to their board. Otherwise, they will fall victim to a critical breach that will cost much more in the long run.”
Cloud Access Security Brokers (CASBs) are on the rise. 60 percent of organizations have deployed or plan to deploy a CASB, with data leakage prevention cited as the most important capability.
Shadow IT threats
Few have taken action to mitigate Shadow IT threats, with 62 percent relying on written policies rather than technical controls.
“The survey is another data point showing the strong growth of cloud services across the enterprise. Shadow IT remains a concern, but is often a symptom of IT and security departments failing to meet the business need – which is forcing lines of business to route around the problem ‘to get the job done’. One theme that stands out in the survey is that data leakage of sensitive data is a concern. Almost three in five organisations encountered unwanted sharing of data, and less than half know where or when sensitive data is being downloaded from the cloud. What is really important though, is that we no longer treat security as a dark art,” said Joe Pindar, Director Product Strategy, CTO at Gemalto.
“There are simple solutions that are easy to implement and use. This means that when organisations no longer want to use a cloud service – they do not leave a trail of sensitive data behind them. Deleting an encryption key that the organisation controls and protects the encryption process, kills the data — so there is no need to worry about who has access to it,” he concluded.