Alarming cloud encryption misconceptions revealed
Businesses have a high level of concern about the exposure of sensitive and regulated data in the cloud to security threats. Despite this, the majority of data owners outsource responsibility for data protection, even though they still bear full legal liability if there is a breach.
A new Osterman Research survey also revealed that encryption is not well understood, with misconceptions about where encryption takes place, who manages the keys, and which parties can decrypt sensitive data.
Enterprises are worried about cloud data protection and threats to SaaS applications. More than 70 percent of respondents are concerned about data breaches, threats to the application layer, and system vulnerabilities.
Despite these concerns, organizations have significant data protection gaps. While encryption is frequently cited as a critical component for data protection, only 37 percent reported encrypting data persistently while in use in the cloud. This represents a disconnect with concerns about protecting data while in use in the SaaS application layer.
Survey respondents are not comfortable with outsiders being able to decrypt data, yet keys are largely shared. The majority of respondents expressed discomfort with third parties being able to decrypt corporate data; for example, 53 percent said they would not be comfortable with government agencies decrypting their data. At the same time, 75 percent of respondents rely on keys that are managed by cloud providers or third parties, or shared with either.
Data owners rely on others for security, while still bearing legal responsibility if their data is breached. Only 32 percent of respondents believe that data owners are responsible for protecting confidential data. Yet, a growing number of compliance regulations make data owners bear the ultimate responsibility if there is a breach.
“As cloud adoption continues to grow, so does the amount of sensitive and regulated data going into the cloud. This survey uncovers significant data protection gaps and misconceptions around encryption usage that are putting that sensitive data at risk,” said Michael Osterman, president of Osterman Research. “Organizations that operate multiple cloud applications—particularly those in heavily regulated industries—must identify multi-cloud security solutions that can help them close their data protection gaps.”