While the vast majority (95%) of global companies have adopted cloud services, there is a wide disparity in the level of security precautions applied by companies in different countries, according to a new study.
The organisations admitted that on average, only 40% of data stored in the cloud is secured with encryption and key management solutions. Those in Germany (61%) were found to be significantly more cautious than countries like the UK (35%), Brazil (34%) and Japan (31%) when sharing sensitive and confidential cloud data with third parties, said the 2018 Global Cloud Data Security Study, conducted by the Ponemon Institute and commissioned by digital security firm Gemalto, which surveyed close to 3,300 IT practitioners across the US (575), UK (405), Australia (244), Germany (492), France (293), Japan (424), India (497) and Brazil (355) to better understand their data governance and security practices for cloud-based services.
Germany leads in cloud security
Germany’s lead in cloud security extends to its application of controls such as encryption and tokenisation. The majority (61%) of German organisations revealed they secure sensitive or confidential information while being stored in the cloud environment, ahead of the US (51%) and Japan (50%). The level or security applied increases further still when data is sent and received by the business, rising to 67% for Germany, with Japan (62%) and India (61%) the next highest.
Crucially, however, over three quarters (77%) of organisations across the globe recognise the importance of having the ability to implement cryptologic solutions, such as encryption. This is only set to increase, with nine in 10 (91%) believing this ability will become more important over the next two years.
Belief that GDPR will change cloud governance
Despite the growing adoption of cloud computing and the benefits that it brings, it seems that global organisations are still wary. About half report that payment information (54%) and customer data (49%) are at risk when stored in the cloud. Over half (57%) of global organisations also believe that using the cloud makes them more likely to fall foul of privacy and data protection regulations, slightly down from 62% in 2016.
Due to this perceived risk, a significant majority (88%) believes that the new EU General Data Protection Regulation (GDPR), will require changes in cloud governance, with two in five (37%) stating it would require significant changes. As well as difficulty in meeting regulatory requirements, three-quarters of global respondents (75%) also reported that it is more complex to manage privacy and data protection regulations in a cloud environment than on premise networks, with France (97%) and the US (87%) finding this the most complex, just ahead of India (83%).
Businesses recognise importance of authentication
Despite the prevalence of cloud usage, the study found that there is a gap in awareness within businesses about the services being used. Over half of Australian (61%), Brazilian (59%) and British (56%) organisations are not confident they know all the cloud computing apps, platform or infrastructure services their organisation is using. Confidence is higher elsewhere, with only around a quarter in Germany (27%), Japan (27%) and France (25%) not confident.
Fortunately, four out of five (81%) believe that having the ability to use strong authentication methods to access data and applications in the cloud is essential or very important. Businesses in Australia are the keenest to see authentications put in place, with 92% agreeing it would help ensure only authorised people could access certain data and applications in the cloud, ahead of India (85%) and Japan (84%).
"While it's good to see some countries like Germany taking the issue of cloud security seriously, there is a worrying attitude emerging elsewhere," said Mr Jason Hart, CTO, Data Protection at Gemalto. "This may be down to nearly half believing the cloud makes it more difficult to protect data, when the opposite is true."
"The benefit of the cloud is its convenience, scalability and cost control in offering options to businesses that they would not be able to access or afford on their own, particularly when it comes to security. However, while securing data is easier, there should never be an assumption that cloud adoption means information is automatically secure. Just look at the recent Accenture and Uber breaches as examples of data in the cloud that has been left exposed. No matter where data is, the appropriate controls like encryption and tokenisation need to be placed at the source of the data. Once these are in place, any issues of compliance should be resolved."