Saturday 16 February 2013

Encryption in the Cloud: Who is responsible for data protection in the cloud?

Dear Colleagues,

A very useful survey report on data security through encryption on web 2.0, notably cloud computing services such as SaaS, has been produced by Thales e-Security and the Ponemon Institute (publication date July 2012).

This report, part of a study entitled "2011 Global Encryption Trends Study", published in February 2012, can be downloaded from the site: www.ponemon.org.

The survey shows that responsibility for data security is shared between service providers and users.

Below are the main conclusions extracted from the report in question:


Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud:

1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential data to the cloud. At 56 percent, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.

2. Thirty-nine percent of respondents believe cloud adoption has decreased their companies’ security posture. However, 44 percent of respondents believe the adoption of cloud services has not increased or decreased their organization’s security posture. Only 10 percent of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.

3. Forty-four percent of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment and 30 percent believe it is the cloud consumer. There are also differences among countries as to who is most responsible. Sixty-seven percent of French companies appear to be the most likely to hold the cloud provider responsible for data protection activities. In contrast, 48 percent of Japanese companies hold the cloud consumer primarily responsible for data protection.

4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer with primary responsibility for data protection.

5. Sixty-three percent of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76 percent) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.

6. In general, respondents who select the cloud provider as the most responsible party for protecting data are more confident in their cloud provider’s actual ability to do so (51 percent) compared to only 32 percent of respondents who report confidence in their own abilities to protect data even though they consider their own organization to be primarily responsible for protecting data.

7. Where is data encryption applied? According to 38 percent of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35 percent say the organization applies persistent encryption to data before it is transferred to the cloud provider. Only 27 percent say they rely on encryption that is applied within the cloud environment.

8. Among the companies that encrypt data inside the cloud, nearly 74 percent believe the cloud provider is most responsible for protecting that data. However, only 34 percent of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.

9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? Thirty-six percent of respondents say their organization is most responsible for managing the keys. Twenty-two percent say the cloud provider is most responsible for encryption key management. Another 22 percent say a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.

10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that the more security-aware organizations are the more skeptical of cloud security and that it is the less security-aware organizations that are willing to overlook a perceived lack of security. Here, we use the Security Effectiveness Score (SES) as an objective measure of each organization’s security posture.


Happy reading
