Many organizations are gradually setting aside their reservations about cloud security and storing more company data in the cloud. This move may confer numerous benefits on them, including reduced overhead in managing on-premises storage and overall reductions in IT costs. In addition, having larger stores of information in the cloud opens new opportunities for business engagement and communication across mobile devices.
An April 2014 Research and Markets report estimated that large enterprises would spend nearly $50 billion on cloud services for infrastructure, platforms and software by 2018. Similarly, surging demand for high-quality mobile applications – ones that leverage the cloud to do more than simply repackage websites or provide watered-down experiences – may drive the mobile engagement market past $32 billion by 2018.
This growing affinity for cloud computing isn't without its drawbacks, though. Just because companies are increasingly comfortable with having some assets in remote storage doesn't mean that they have been freed from risk. On the contrary, key vulnerabilities may be overlooked as IT departments around the world profoundly change how they deliver and manage services. Encryption in particular, already a prime cybersecurity issue in light of newly discovered issues with OpenSSL and revelations about the U.S. National Security Agency, has taken a backseat in cloud security.
Companies keeping more data in public cloud, despite risks
Storing data in a public cloud is fast becoming the norm for businesses, despite the pitfalls. A recent Ponemon Institute and Thales e-Security study, which surveyed more than 4,000 companies and IT managers around the world, found that 53 percent of them now put sensitive information in the cloud, up from 49 percent in 2011.
Respondents had mixed attitudes about how the cloud was influencing their respective organizations' security postures. Approximately half believed that more extensive use of the cloud would have little effect on cybersecurity, yet it is worth noting that those who expected a negative impact outnumbered those who foresaw positive changes by two to one (34 percent to 17 percent).
What types of risks do companies court when they rely more heavily on the cloud? For starters, they cede some degree of control to cloud service providers, which in many cases obfuscate their security responsibilities in service level agreements. Last year, Gartner reported that most buyers of commercial software-as-a-service solutions were unhappy with their SLAs and that 80 percent of them would remain so through 2015, due to issues such as ill-defined recovery policies and lack of regular third-party auditing.
More specifically, there's the possibility that security oversights can lead to mishandling or improper dissemination of data. Dropbox recently disabled the use of old sharing links after sensitive documents such as tax returns and mortgage applications were discovered via Google AdWords campaigns. Searching for particular queries could return the full URLs for associated files kept on the service, permitting access via a loophole that doesn't require users to authenticate themselves.
Surprising amounts of data in cloud storage are not protected by encryption
The Dropbox exploit (which also affects popular consumer and enterprise platforms such as Box) underscores how much data is readily available and unencrypted in cloud storage. The Ponemon/Thales survey examined this issue in depth, finding that slightly less than 40 percent of SaaS users encrypt data at rest. There were similar figures for how many of them encrypted their assets before sending them to the cloud.
"You would think that a higher percent of companies would have data encryption or a similar form of protection, because it does present a risk," stated Larry Ponemon, lead author on the study and founder of the Ponemon Institute. "Especially if the data sent to them is confidential, as we found."
Key management was a primary impediment to the adoption of encryption. Organizations are also struggling to determine where sensitive data resides and how to best protect it. Essentially, while companies have many incentives to implement encryption – many of the survey's respondents cited customer privacy and prevention of data breaches as leading drivers of their approaches to cybersecurity – they may be getting bogged down in technical aspects.
Still, there is good news amid this lagging adoption of encryption. The number of companies with an encryption strategy, while low at just 35 percent of the Ponemon/Thales respondents, rose between 2013 and 2014. Plus, the motivations for using encryption are changing, with organizations now more concerned about blunting the fallout of data breaches than preventing reputational damage.
This shift is promising, since many incidents are still the result of improperly secured assets, such as unencrypted laptops, which facilitated the theft of sensitive information on roughly 74,000 individuals from Coca-Cola in early 2014. Moreover, companies are discovering that reducing exposure to data breaches and preserving reputation are often the same thing – just look at the holiday season attacks on Target and Neiman Marcus, both of which capitalized on weak security to damage those retailers' brands.
Cloud storage is just one area of many to address when implementing comprehensive cybersecurity. As businesses change the way they do IT and work with an increasing range of partners and service providers, it will be critical for all parties to push for encryption by default. That way, they can be sure that critical data is not hung out to dry as assets are moved off premises and into the cloud.
"Encryption by default in the cloud is rarely a bad idea, and most of the major cloud providers have been making what hay they can out of professing to encrypt everything at rest," wrote InfoWorld's Serdar Yegulalp. "But the trick is to provide it in such a way that end-users can confirm encryption is taking place and can't easily be defeated on the cloud provider's side. Even if encryption isn't employed unilaterally by cloud customers and uptake for same remains modest, they'll scarcely be indifferent to the option to become that much more secure – and to control the parameters for that security."