Businesses get comfy with cloud, but at what cost?

CloudsThere may still be factors giving users pause about putting their data in the cloud, but it appears security of even the most common-sense variety is no longer among them.

In a stunning display of imprudence, a new large-scale global survey finds a growing number of organizations are pushing sensitive and/or confidential data into the cloud with few protections and a full awareness that such practices damage their overall security posture.

It’s a radical reversal of the days of the cloud “scare factor” when concerns about data security, integrity and availability kept many businesses on the cloud computing sidelines.

“Staying in control of sensitive or confidential data is paramount for most organizations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud,” said Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the global study of more than 4,000 organizations. “Many organizations continue to believe that their cloud providers are solely responsible for protecting their sensitive data even though the majority of respondents claim not to know what specific security measures their cloud provider is taking.”

Ponemon called it “encouraging” that relaxed attitudes about the cloud are boosting adoption rates. More than half of respondents said they transfer critical data to the cloud; only 11 percent had no cloud plans, down from 19 percent two years ago.

But the researcher added that the optimistic mindset comes at a cost. More than a third of those surveyed (34 percent) were moving data to the cloud despite their sense that it was having a negative effect on their security posture. Only about 17 percent felt the cloud actually improved organizational security.

In SaaS environments more than half of respondents said the cloud provider should be primarily responsible for security, even though half of those SaaS users had no knowledge of what their providers were doing to secure sensitive data.

By contrast, nearly half of IaaS and PaaS users view security as a shared responsibility between the user and the cloud service provider.

Organizations seem to be slowly getting a handle on the cloud security problem, with 39 percent of SaaS users saying their cloud data is encrypted, up from just 32 percent in 2011. Still more than half of respondents say their sensitive and confidential information sits in the in the clear and easily readable when stored in the cloud.

For those who are using encryption in the cloud, about a third manage their own encryption keys, but that their own organization is in control of encryption keys when data is encrypted in the cloud, but a notable 18 percent say their cloud service provider has full control over keys.

“Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, and yet more than half of respondents report that sensitive data in the cloud goes unprotected,” said Richard Moulds, vice president of strategy at Thales e-Security, which sponsored the Ponemon survey. “Those that are using encryption have adopted a variety of deployment strategies but once again a universal pain point is key management.

“Very often, the way that keys are managed makes all the difference with poor implementations dramatically reducing effectiveness and driving up costs,” Moulds said.

This article originally appeared on