SaaS security fears: Is your data exposed to potential risk?

IT executives have rising SaaS security fears, and worry about cloud security, proprietary data encryption, as well as the loss of independent control due to access limitations, according to Archive360.

SaaS security fears

The research surveyed more than 100 enterprise IT executives worldwide, to identify the leading security challenges they face with their SaaS vendors.

Overall, those surveyed said they are troubled by the current level of security and accountability provided by their SaaS vendors. Nearly two-thirds are so concerned that they intend to retire applications that do not provide the level of security control they want.

Further, nearly all executives surveyed stressed the importance of maintaining ownership of their own encryption keys. Yet in third-party SaaS private cloud deployments, the SaaS vendor (not the enterprise) maintains access to and ownership over encryption keys. In fact, only 26 percent of those surveyed stated that they have control of their encryption keys, and 74 percent stated that control is maintained entirely by their SaaS vendors.

This risk is compounded by the fact that many vendors often use the same encryption keys for multiple customers. When companies unlock data for one customer using keys that also protect other customers’ archives, they are exposing other tenants’ data to potential risk.

As one Director of IT at a large U.S.-based manufacturing company commented, “I’ve seen too many strong companies go out of business, and have also audited our vendors and seen great vendors fall out of compliance. Having them in control is just one more additive risk.”

Encryption key ownership and access worries

When asked about their top worries when it comes to encryption key ownership and access, IT executives listed the following:

• Loss of independent control of data security.
• Concern of my privacy.
• Past history of compromises.
• Trust for data breach and confidentiality of data.
• Potential conflict with my company’s standards.
• Without internal controls, you do not know where the information goes.

“In light of the widespread threats of increasingly sophisticated malicious cyber groups, and corporate risk relating to global data privacy laws, IT teams are under immense pressure to plug any holes in their security practices and mitigate all vulnerabilities,” said Tibi Popp, CTO at Archive360.

“The positive news is that our survey shows that IT executives not only understand the importance of security as it relates to today’s SaaS applications, but that they are taking swift and necessary steps to protect their enterprises by retiring these applications as quickly as possible.”

Additional findings

• Nearly all executives surveyed (92 percent) believe they will require SaaS vendors to provide more tailored and flexible security options in the future.
• Only 19 percent of respondents said 75 percent or more or more of their SaaS vendors meet all of their security requirements.
• Seventy percent of companies said they have made at least one security exception for a SaaS vendor.