Making the Cloud Secure for Sensitive Data

A new report shows that while more and more organizations are putting sensitive data in the cloud, few say that the data is being encrypted.

The cloud offers undeniable economic benefits for IT organizations, and those benefits seem to be overwhelming any security concerns about using the cloud, according to a new study from Thales e-Security and the Ponemon Institute. The eighth annual “Global Trends in Cloud Encryption” study found that 53% of the more than 4,000 respondents from eight countries and more than a dozen industry verticals are currently sending sensitive data to the cloud. But 36% of the respondents sending sensitive data to the cloud admitted that doing so had a negative impact on their security posture.

One reason that those respondents may be right is that most of the sensitive data these organizations are storing in the cloud is unencrypted. More than half of the organizations in the study that are sending sensitive data to the cloud said that their data is completely readable. That broke down to 59% of the organizations using the cloud for infrastructure-as-a-service and platform-as-a-service, and 45% of them using the cloud for software-as-a-service, that said their data in the cloud was unencrypted.

So why is so much data going to the cloud being stored without encryption? Much of that could be caused by a lack of understanding about what security in the cloud actually means, says Richard Moulds, VP of product marketing and strategy at Thales e-Security. Many companies using the cloud don’t know much about the security measures their provider has in place. Only one-third of the respondents in the study said they know what steps their provider is taking to secure their sensitive data.

This problem of opaqueness could be more acute in banking, Moulds added. “Banks don’t like to talk about their security, and neither do cloud providers. They don’t want to give up their security secrets,” he explained.

Beyond being unwilling to talk openly about security measures, it’s also difficult for cloud providers to explain those measures to other organizations, Moulds said. “With SaaS there’s so many moving parts in terms of security, there’s a lot of baggage with the platform that the cloud provider uses and the employees working for the provider. So quantifying the security posture of a cloud provider is difficult,” he noted.

And cloud providers also face completely different threats than those that banks have to deal with because they're multi-tenant, according to Moulds. “The bank security professionals know how to secure their infrastructure against the threats they face, but they don’t know about securing a cloud environment,” Moulds shared. “I know how to secure my own house, but if someone asked me to secure a battleship or a space station, I’d be completely lost.”

Many of the larger banks that are currently building their own private clouds will eventually acquire more of the knowledge and expertise needed to understand the security situation of a cloud provider, Moulds noted.

Another issue facing organizations that send unencrypted data is a lack of centralized management for encryption keys, Moulds said. “Some of these organizations have millions of keys, and if you lose one then key retrieval and provisioning can be a real problem area. Then if you think about encryption in the cloud, it becomes even more complicated because you have to share those keys with different cloud providers,” he remarked.

New standards are being developed that could help in this area, though, such as the OASIS Key Management Interoperability Protocol, which will allow keys to be managed in a centralized location outside of the system they are used in. This will help organizations break down key management silos, Moulds predicted.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

User Rank: Author
5/1/2014 | 2:42:56 AM
re: Making the Cloud Secure for Sensitive Data
Banks are probably much more likely than other industries to encrypt data before sending it to their cloud provider. But the last issue about centralized key management is a big one for banks. They have so many encryption keys, it's hard to keep track of them, and then they have to share them with different cloud providers. A lot of opportunities there for keys to get stolen. The other issue about lack of visibility is a problem too. Banks are probably better than other industries at securing data before sending it to the cloud, but some probably don't know much about what happens to the data once it's in the cloud. And as Richard said, the banks are able to secure the data against the threats they face. But they don't know about the threats that cloud providers face or how to protect against those.
User Rank: Author
5/1/2014 | 2:35:51 AM
re: Making the Cloud Secure for Sensitive Data
Banks are probably one of the better industries as far as this goes. I would think that banks, which have a lot of experience with encryption, would encrypt data before ever handing it off to their cloud provider. Or at least they should. With banks I think the last point about key management is a much bigger issue. They have so many encryption keys, and if an employee were to give one to a criminal it could be a disaster.
Nathan Golia
User Rank: Author
4/30/2014 | 10:11:33 PM
re: Making the Cloud Secure for Sensitive Data
This is another thing you can't believe is happening in 2014... How can a bank or anyone send data to the cloud unencrypted in good conscience? It seems very irresponsible.
User Rank: Author
4/29/2014 | 8:03:31 PM
re: Making the Cloud Secure for Sensitive Data
It's kind of ironic that, a few years ago, security concerns were keeping businesses -- certainly in financial services -- from taking advantage of the benefits of the cloud, and now the benefits of the cloud are overcoming security concerns. The question I have about some of these findings -- I find it hard to believe that banks and other FS firms are among the respondents that aren't applying necessary security (encryption, etc.) to the information they are sending to the cloud. That just doesn't square with everything we're hearing from the banking community about how FIs are approaching the cloud and other as-a-service offerings. I'd be interested to know what percent of the 36% that say moving to the cloud has jeopardized their security are actually bankers.
User Rank: Apprentice
4/29/2014 | 4:51:15 PM
re: Making the Cloud Secure for Sensitive Data

Many organizations are concerned about moving their production data to the cloud for many of the reasons that you mention as well as some additional ones that include:
- Will I be subject to any cross border violations if the cloud environment is spread across national boundaries?
- Are images of my environment that are taken for disaster recovery purposes fully encrypted?
- What happens to my data when I leave the cloud?

A good first step to the cloud is to move test and development environments to the cloud. In this way:
- You gain experience with cloud vendors while greatly reducing the risk.
- You gain the benefits of cloud computing for environments that are 2 - 5 times as large as your production environment.
- Infrastructure Management focus is on production environments where it should be.

Key to this is to ensure that the data is irreversibly masked (aka de-identified or anonymized) prior to being provisioned to the cloud. Then you get all the benefits of cloud computing with the knowledge that your data is secure and your developers, testers, business associates and outsourcer can all do their jobs.