Business use of cloud services for handling sensitive infomation is skyrocketing, and a new study finds that corporate anxiety about the security of that information is rising right along with it.
In the survey conducted by the Poneman Institute for the encryption key management company Thales e-Security, more than half (53 percent) of the 4,205 business and IT managers surveyed said they were already sending sensitive data to the cloud. Another 31 percent of the respondents, from seven countries—the United States, Australia, Brazil, France, Germany, Japan, and the United Kingdom—said they expected to do so within the next two years. But what's even more interesting is that 35 percent of the companies surveyed said their firm’s security exposure was worse as a result.
Richard Moulds, vice president in charge of strategy for Thales e-Security, said businesses should be concerned about the security of sensitive data in the cloud, even though most services promise to encrypt it. Once data leaves the premises, he said, businesses have little way of knowing how the encryption is managed. Small businesses in particular face increased security risks because their data is often kept on servers that host multiple customers.
Moulds likened most cloud encryption guarantees to providing a door lock without safeguarding the key. “It isn’t about how well your door lock works. If you’ve got your key under a flowerpot on the front doorstep, there’s not much point.”
What small businesses can do
While small businesses generally cannot afford the enterprise-level encryption-key management that Thalus provides, Moulds said they can take steps to ensure the safety of data sent to the cloud, either through hosted infrastructure or specific applications.
First, a business should assess the level of sensitivity in the types of data it entrusts to the cloud in order to develop an encryption-key policy. Data can be encrypted in multiple places—for example, you might encrypt a credit card database on your own servers, in cloud storage, and in the applications that use credit card info. Businesses might spend less on encryption services for less sensitive data.
Mould also suggested that businesses that use cloud-based infrastructure consider using a different provider to manage encryption.
You can learn more about emerging standards and practices for cloud security at the web site of the Cloud Security Alliance, an industry trade group.