thalescpl.com Global Edition #CloudSecurity Protecting Data In The Cloud 2019 Thales Cloud Security Study

2019 Thales Cloud Security Study · 2020. 3. 25. · 17 Most organizations are adopting a security first approach for the cloud. 17 The use of encryption, tokenization and other cryptologic


About Ponemon Institute

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

We uphold data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

About Thales

The people you rely on to protect your privacy rely on Thales to protect their data. When it comes to data security, organizations are faced with an increasing amount of decisive moments. Whether the moment is building an encryption strategy, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.

Decisive technology for decisive moments.

Global Cloud Data Security Study - 2019

Contents

Executive Summary

Key Findings
• Organizations failing to protect sensitive data despite increasingly storing it in the cloud

The cloud is a valued part of an organization’s IT strategy
• The cloud reduces costs, improves deployment time and makes organizations more efficient.
• Virtually every organization represented in this study will be using cloud services within the next two years.
• The use of cloud data resources for IT and data processing requirements continues to increase.
• Organizations are not making progress in knowing all cloud computing services they use.
• Software as a Service (SaaS) is now used in almost every organization.
• The use of Platform as a service (PaaS) increases.
• More companies are using Infrastructure as a Service (IaaS).
• IT control of IT security spending declines.
• More corporate data is stored in the cloud.

Cloud security practices remain stormy and uneven
• More corporate data is being stored in the cloud and the use of cloud platforms and applications is pervasive in organizations.
• Most organizations still believe the use of cloud resources affects compliance risk.
• Organizations are storing corporate data in the cloud they consider are at risk.
• Most organizations are adopting a security first approach for the cloud.
• The use of encryption, tokenization and other cryptologic tools increases.
• More organizations find it difficult to protect confidential or sensitive information when using cloud services.

The Achilles heel of cloud security: Inadequate vetting of cloud providers
• Organizations are not assuming responsibility for security in the cloud.
• Organizations continue to select cloud providers based on efficiency and cost, not security.
• There is no clear accountability for the evaluation of the cloud provider’s security capabilities.
• Security evaluations of cloud providers rely increasingly on contractual negotiations and legal reviews.
• Not enough resources is a barrier to evaluating cloud providers.

Cryptoagility, encryption and tokenization solutions increase in use and importance
• Most organizations say cloud applications increase or have no effect on their organization’s cryptoagility.
• Data at rest in the cloud is more likely to be protected than data within cloud applications.
• The majority of data in the cloud is not encrypted.
• Most organizations are in control of encryption keys when data is encrypted in the cloud.

Trends in identity and access management practices in the cloud
• Most organizations have different approaches to control access to sensitive and confidential data in the cloud.
• The importance of supporting multiple identity federation standards has increased in the past four years.

Country differences
• German organizations understand the importance of taking care when sharing with third parties
• Respondents in France, Germany and the United Kingdom say their organizations must make significant changes to cloud governance because of GDPR.
• German organizations are the most proactive in managing compliance with regulations.
• Organizations in Germany, India and France are most likely to evaluate the security capabilities of cloud providers.
• How confident are respondents that they know all cloud computing applications, platforms or infrastructure services in use in their organizations?
• Organizations in Australia and Germany are most likely to adopt a security first approach for the cloud.
• German and US organizations are most likely to deploy a multicloud architecture or strategy.
• The importance of cloud computing applications or platform solutions grows globally.

Demographics
• Demographics


[Figure 1 chart. Statements charted: "My organization is committed to protecting confidential or sensitive information in the cloud" and "We have defined roles & accountability for safeguarding sensitive information stored in the cloud". Series: 2015, 2016, 2017, 2019.]

Executive Summary

By Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute

The Ponemon Institute is pleased to present the findings of the 2019 Global Cloud Security Study sponsored by Thales. The purpose of this research is to understand trends in cloud governance and security practices since the study was first released in 2015. This year’s study reveals the increasing risk of non-compliance with new global privacy and data protection regulations. Another important trend over the past three years is the increasing use of cloud applications and platforms without the necessary security safeguards.

We surveyed 3,346 IT and IT security practitioners in the United States, United Kingdom, Australia, Germany, France, Japan, India and Brazil who are familiar with and involved in their companies’ use of both public and private cloud resources. Seventy-six percent of respondents say their organizations are heavy (34 percent) or moderate (42 percent) users of cloud resources.

Commitment to cloud security grows, but security safeguards are not keeping up with the increased use of the various cloud platforms. As shown in Figure 1, commitment to protecting confidential or sensitive information has increased significantly from 62 percent in 2015 to 72 percent of respondents in this year’s study. However, only half (50 percent of respondents) say their organizations have established clearly defined roles and accountability for safeguarding confidential or sensitive information stored in the cloud.

Figure 1 The commitment to safeguarding data in the cloud Strongly agree and agree responses combined


Key Findings

Organizations are failing to protect sensitive data, despite increasingly storing it in the cloud

New research from Thales and the Ponemon Institute has exposed a disparity between the rapid growth of data being stored in the cloud, and organizations’ approach to protecting sensitive information.

• Businesses are clearly taking advantage of the increasing cloud options out there, but they’re not adhering to their own fears around its risk with adequate security.

• Having clearly pushed the responsibility for protecting their data to their cloud providers, it’s extremely concerning to see security is not a big factor when choosing them.

• Regardless of the Cloud Service Model or Provider, the security of your organization's data in the cloud is your responsibility.

• It’s the business’ reputation that will suffer if a data breach occurs, so they should be taking more control over their security and ownership of their encryption keys.

According to the research, organizations struggle to achieve a stronger security posture in the cloud because of their inability to do the following:

• Apply conventional security practices in the cloud environment

• Directly assess the compliance and security practices of cloud providers

• Have sufficient resources to be able to evaluate the security practices of cloud providers

• Control or restrict end-user access

• Know all cloud computing applications, platform or infrastructure services in use

• Reduce the complexity of managing privacy and data protection regulations in the cloud environment


Businesses are taking advantage of the cloud, but not applying adequate security

Businesses remain responsible for security of data in the cloud regardless of the provider

Some businesses push responsibility for data security to cloud providers, but do not consider security a big factor when choosing them

Businesses struggle to reduce complexity of managing privacy and data protection regulations in the cloud environment

• 49% of organizations are encrypting sensitive data in the cloud

• 48% of all corporate data is stored in the cloud compared to 35% three years ago

• 53% of businesses are controlling the encryption keys when data is encrypted in the cloud, despite 78% saying it’s important to retain ownership of the encryption keys

• Businesses use 29 cloud applications on average - compared to 27 two years ago

• 10% have more than 50 and the average U.S. business has 41 over

• 44% of organizations are careful about sharing sensitive information with third parties

• 46% revealed that storing customer data in the cloud makes them more of a security risk and a compliance risk (56%)

• Customer information 60%, emails 48% and consumer data 46%, are the biggest amounts of data stored in the cloud

• 32% don’t employ a security-first approach to storing data in the cloud

• 30% of organizations have a unified system for secure access to both cloud and on-premise applications


01 The cloud is a valued part of an organization’s IT strategy


[Figure 2 chart. Response options: Improve security; Increase efficiency; Increase flexibility and choice; Comply with contractual agreements or policies; Improve customer service; Reduce cost; Faster deployment time. Series: 2015, 2016, 2017, 2019.]

Figure 2 The primary reasons cloud resources are used Two responses permitted

The cloud reduces costs, improves deployment time and makes organizations more efficient. As shown in Figure 2, the primary incentive to use the cloud is to reduce costs. However, as shown in this year’s research greater efficiency and improved security have increased over the past three years as reasons to move to the cloud.

What are the primary reasons why cloud resources are used within your organization?


[Figure 3 chart. Categories: Today; Over the next 2 years. Series: 2015, 2016, 2017, 2019.]

Figure 3 Trends in the importance of cloud computing applications or platform solutions Very important and Important responses combined

Figure 4 Trends in use of cloud data resources for IT and data processing requirements Extrapolated values

Virtually every organization represented in this study will be using cloud services within the next two years. Today cloud computing applications and platform solutions are considered critical to their organizations’ operations, according to 80 percent of respondents, and 90 percent of respondents say the cloud will increase in importance in the next two years.

The use of cloud data resources for IT and data processing requirements continues to increase.

As shown in Figure 4, in two years an average of 53 percent of all IT and data processing requirements will be in the cloud, a significant increase from an average of 41 percent today. The use of cloud services for IT and data processing has steadily increased over the past three years.

[Figure 4 chart. Categories: IT and data processing requirements are met by using cloud resources today; IT and data processing requirements will be met by using cloud resources two years from today. Series: 2015, 2016, 2017, 2019.]


[Figure 5 chart. Categories: Very confident; Confident; Not confident. Series: 2015, 2016, 2017, 2019.]

Figure 5 How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today?

Organizations are not making progress in knowing all cloud computing services they use.

As shown in Figure 5, 54 percent of respondents are either very confident (24 percent) or confident (30 percent) that the IT organization knows all cloud computing applications, platform or infrastructure services in use today. This is almost unchanged from 56 percent of respondents in the previous study.

Software as a Service (SaaS) is now used in almost every organization. Since 2016, the percentage of respondents reporting their organizations do not use SaaS¹ decreased from 54 percent to 9 percent in this year’s study.

On average, organizations in this study are using 29 cloud applications. Business applications including cloud infrastructure applications, such as online backup, virtual desktop and email texting and other communication tools have increased significantly since 2016. The use of email, texting and other communication tools also grew in value to organizations.

91% of responding organizations are using SaaS

29: average number of cloud applications that organizations are using

¹ SaaS is software deployment whereby a provider licenses an application to customers for use as a service on demand. SaaS software providers may host the application on their own web servers or upload the application to the consumer device, disabling it after use or after the on-demand contract expires.


The use of Platform as a service (PaaS) increases.

Since 2016, the percentage of respondents using PaaS² has increased. The percentage of respondents reporting their organizations are not using PaaS has declined from 54 percent to 44 percent. Services such as identity management, payments and search have increased from 24 percent to 32 percent over the past three years.

More companies are using Infrastructure as a Service (IaaS). Organizations represented in this study use an average of 13 cloud computing infrastructure/provider services. The percentage of respondents reporting they don’t use IaaS³ has declined from 41 percent in 2016 to 28 percent in 2019. The use of storage and computing services has increased steadily since 2016.

Almost half (48 percent) of organizations represented in this study are using a multicloud⁴ architecture or strategy and are using an average of 3 different clouds. Of the 50 percent who are not using multiple clouds, 60 percent of respondents say they will deploy a multicloud architecture in the next 6 months (37 percent) or 12 months (23 percent).

56% of respondents say their organizations are using PaaS

28% of respondents say their organizations don't use IaaS

48% of organizations are using a multicloud architecture or strategy

13: average number of cloud computing infrastructure/provider services used

² PaaS is the delivery of a computing platform and solution stack as a service. It often goes further by provisioning a software development platform that is designed for the cloud computing environment.

³ IaaS is the delivery of a computer infrastructure as a service. Rather than purchasing servers, software, data center space or network equipment, clients instead buy those resources as a fully outsourced service. The service is typically billed on a utility computing basis and the amount of resources consumed (and therefore the cost) will typically reflect the level of activity.

⁴ Multicloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multicloud architecture utilizing two or more public clouds as well as multiple private clouds, a multicloud environment aims to eliminate the reliance on any single cloud provider. It differs from hybrid cloud in that it refers to multiple cloud services rather than multiple deployment modes (public, private, legacy).


[Charts for Figures 6 to 8. Series: 2015, 2016, 2017, 2019.]

Figure 6 Percent of total corporate IT spending is controlled by the IT department Extrapolated values

Figure 7 Percent of cloud services deployed by departments other than corporate IT Extrapolated values

Figure 8 Percent of corporate data stored in the cloud Extrapolated values

IT control of IT security spending declines. The average percent of total corporate IT spending controlled by the IT department has decreased to an average of 36 percent from an average of 40 percent in last year’s study, as shown in Figure 6.

According to Figure 7, the percent of cloud services deployed by departments other than corporate IT decreased from an average of 58 percent in last year’s study.

More corporate data is stored in the cloud. As shown in Figure 8, the percent of corporate data stored in the cloud environment has grown from an average of 30 percent in 2015 to an average of 48 percent.


02 Cloud security practices remain stormy and uneven


44% say the new General Data Protection Regulation (GDPR) will require my organization to make significant changes in its cloud governance

70% say it is more complex to manage privacy and data protection regulations in a cloud environment than on-premise networks within my organization

44% of organizations are careful about sharing confidential or sensitive information with third parties such as business partners, contractors, and providers in the cloud environment

46% of organizations are proactive in managing compliance with privacy and data protection regulations in the cloud environment

More corporate data is being stored in the cloud and the use of cloud platforms and applications is pervasive in organizations.

Yet, Figure 9 shows the barriers to safeguarding confidential and sensitive data in the cloud environment. Specifically, 70 percent of respondents find it more complex to manage privacy and data protection regulations in a cloud environment than on-premises. Further, only 44 percent of respondents say their organization is careful about sharing sensitive information with third parties and 46 percent of respondents say their organization is proactive in managing compliance with privacy and data protection regulations in the cloud.

Figure 9 Perceptions about governance practices in the cloud Strongly agree and Agree responses combined


Most organizations still believe the use of cloud resources affects compliance risk.

According to Figure 10, fifty-six percent of respondents say the use of cloud resources increases compliance risk. As discussed on the previous page, it is difficult to manage privacy and data protection regulations in the cloud.

Figure 10 How does the use of cloud resources affect compliance risk?

[Figure 10 chart. Categories: Increases compliance risk; Decreases compliance risk; Does not affect compliance risk. Series: 2015, 2016, 2017, 2019.]

56% of respondents say the use of cloud resources increases compliance risk


[Figure 11 chart. Data types: Financial information; Consumer data; Payment information; Employee records; Intellectual property; Health information; Research data; Other; Customer information; Email messages. Series: Corporate data stored in the cloud; Corporate data that presents the greatest security risk when stored in the cloud.]

Organizations are storing corporate data in the cloud that they consider to be at risk.

Customer information, email messages and consumer data are the top three data types stored in the cloud. Less likely to be stored in the cloud are such confidential data as payment information, employee records, intellectual property and health information, as shown in Figure 11.

Figure 11 also shows the data types considered most at risk, led by payment information, according to 51 percent of respondents followed by customer and consumer data (46 percent and 33 percent, respectively).

Figure 11 Corporate data stored in the cloud vs. Corporate data that presents the greatest security risk when stored in the cloud More than one choice permitted Only two choices permitted

What type of corporate data does your organization store in the cloud?


• Yes, and each cloud provider manages encryption and key management mechanisms: 21%

• Yes, and a managed security service provider (MSSP) manages encryption and key management mechanisms: 18%

• Yes, and our organization manages encryption and key management mechanisms: 29%

• No, we have not adopted a security first approach: 32%

Most organizations are adopting a security first approach for the cloud.

While 32 percent of respondents have not adopted a security first approach, 68 percent of respondents are adopting some form of it. According to Figure 12, 39 percent are either having their cloud provider (21 percent) or their managed security service provider (18 percent) manage encryption and key management mechanisms.

Figure 12 Has your organization adopted a security first approach for the cloud?

32% of respondents have not adopted a security first approach

The use of encryption, tokenization and other cryptologic tools increases.

Over the past three years, the use of encryption, tokenization or other cryptologic tools to protect data in the cloud has increased. Data is also protected with private data networks, and premium security services provided by cloud providers. There is also greater awareness about the steps taken to protect sensitive or confidential information in the cloud. In 2016 and 2017, 35 percent of respondents said they did not know. This declined to 4 percent in this year’s research.

96% of organizations know that they are protecting confidential or sensitive information in the cloud


More organizations find it difficult to protect confidential or sensitive information when using cloud services.

This year, 56 percent of respondents believe cloud services make it more difficult to protect sensitive and confidential information, an increase from 49 percent of respondents in last year’s study.

Reasons for the increase in the difficulty in safeguarding data in the cloud are: the difficulty of applying conventional information security in the cloud computing environment (67 percent) and the inability to directly inspect cloud providers for security compliance (64 percent). Fifty percent of respondents say it is more difficult to control or restrict end-user access.

56% believe cloud services make it more difficult to protect sensitive and confidential information


03 The Achilles heel of cloud security: Inadequate vetting of cloud providers


[Figure 13 chart. Categories: The cloud provider; The cloud user; Shared responsibility. Series: 2015, 2016, 2017, 2019.]

Organizations are not assuming responsibility for security in the cloud.

As shown in Figure 13, thirty-five percent of respondents believe the cloud provider should be held responsible for protection of sensitive or confidential information or it should be a shared responsibility (33 percent of respondents). Only 31 percent of respondents say their organizations should assume full responsibility.

Figure 13 Who is most responsible for protecting sensitive or confidential data stored in the cloud?

35% of respondents believe the cloud provider should be held responsible for protection of sensitive or confidential information

Who is the most responsible for protecting sensitive or confidential data stored in the cloud?


Organizations continue to select cloud providers based on efficiency and cost, not security.

As discussed previously, many organizations expect the cloud provider to be responsible for security or it should be a shared responsibility. However, only 23 percent say security is a factor in selecting a cloud provider, according to Figure 14.

[Figure 14 chart. Factors: Interoperability; Financial stability of the cloud provider; Flexibility and choice; Security; Deployment time; Customer service; Reputation of the cloud provider; Efficiency; Cost. Series: 2015, 2016, 2017, 2019.]

Figure 14 How do you select a cloud provider? Two responses permitted

23% of respondents say security is a factor in selecting a cloud provider

What factors are most important in the selection of a cloud provider?


There is no clear accountability for the evaluation of the cloud provider’s security capabilities.

The percentage of respondents who say their organizations evaluate cloud providers declined from 61 percent last year to 56 percent of respondents in this year’s study.

Of these respondents, 30 percent of respondents say it is the end-user that does the evaluation. In contrast, only 13 percent say it is IT security who is most responsible for evaluating the cloud provider’s security capabilities, as shown in Figure 15.

30% of respondents say it is the end-user that does the evaluation

[Figure 15 chart. Roles: Procurement; Legal; Internal audit; Information security; Compliance; No one person is responsible; Corporate IT; End-users. Series: 2015, 2016, 2017, 2019.]

Figure 15 Who evaluates the cloud provider’s security capabilities?

Who in your organization is most responsible for evaluating the cloud provider's security capabilities?


Security evaluations of cloud providers rely increasingly on contractual negotiations and legal reviews.

Figure 16 reveals little change in how organizations go about evaluating cloud providers. Most companies continue to rely upon the use of contractual negotiation and legal reviews to evaluate cloud providers (61 percent of respondents). Word-of-mouth or market reputation is used to evaluate the provider by 54 percent of respondents, followed by availability of information security tools (49 percent).

Fewer organizations look at proof of security compliance (42 percent), a self-assessment security questionnaire (34 percent) and an assessment by in-house security team (24 percent). Similar to the previous study, only 19 percent of respondents say their organizations conduct a third-party assessment by security expert or auditor.

61% of companies continue to rely upon the use of contractual negotiation and legal reviews to evaluate cloud providers

Figure 16. How does your organization go about evaluating cloud providers? More than one response permitted. (Bar chart comparing 2015, 2016, 2017 and 2019; categories: Assessment by in-house security team, Self-assessment checklist or questionnaire completed by provider, Third-party assessment by security expert or auditor, Availability of information security tools, Proof of security compliance (such as SOC 2/3), Word-of-mouth (market reputation), Contractual negotiation and legal review.)


Not enough resources is a barrier to evaluating cloud providers.

Forty-four percent of respondents say their organization does not evaluate cloud providers for security capabilities prior to engagement or deployment. Reasons for not evaluating providers are shown in Figure 17. The primary reason is not enough resources to conduct an evaluation (63 percent of respondents). The inability to control end-users has declined from 69 percent in 2016 to 59 percent in this year’s study.

44% of respondents say their organization does not evaluate cloud providers for security capabilities prior to engagement or deployment

Figure 17. What are the reasons for not evaluating the security of cloud providers? More than one choice permitted. Survey question: Why would your organization permit cloud resources to be deployed without first evaluating for security? (Bar chart comparing 2015, 2016, 2017 and 2019; categories: Not enough resources to conduct evaluation, Not able to control end-users, Not considered a priority, Don’t know.)


04 Cryptoagility, encryption and tokenization solutions increase in use and importance


Most organizations say cloud applications increase or have no effect on their organization’s cryptoagility [5].

As shown in Figure 18, 57 percent of respondents say deployment of cloud applications significantly increases (11 percent), increases (20 percent) or has no effect (26 percent) on their organization’s level of cryptoagility.

57% of respondents say deployment of cloud applications significantly increases, increases or has no effect on their organization’s level of cryptoagility.

5 Cryptoagility, or cryptographic agility, is the capacity for an information security system to adopt an alternative to the original encryption method or cryptographic primitive without significant change to system infrastructure. NIST guidelines state “maintaining cryptoagility is imperative” to prepare for the quantum computing era. Cryptoagility may be achieved through the adoption of new frameworks for incident response and application development, as well as the acquisition of a service software layer to facilitate cryptoagility in legacy and cloud applications.

Figure 18. How does the deployment of cloud applications affect your organization’s level of cryptoagility? (Pie chart with segments Significant increase, Increase, No effect, Decrease and Significant decrease; segment values as extracted, not matched to segments: 17%, 11%, 20%, 26%, 26%.)


Data at rest in the cloud is more likely to be protected than data within cloud applications.

According to Figure 19, the share of respondents who say their organizations encrypt, tokenize and use cryptologic solutions has increased since 2015. However, encryption of confidential data in cloud applications has decreased to 29 percent of respondents. According to these respondents, an average of 10 applications require encryption.

The majority of sensitive data in the cloud is not encrypted.

Eighty percent of respondents say the ability to encrypt or tokenize sensitive or confidential data is either very important or important to their organization’s decision to use cloud resources. However, as shown in Figure 20, an average of less than 46 percent of such data is encrypted when transferred to the cloud environment and only an average of 43 percent is secured with encryption and key management.

10: average number of applications that require encryption

Figure 19. The use of encryption to secure sensitive or confidential information. Yes responses. (Chart comparing 2015, 2016, 2017 and 2019. Series "Encryption, tokenization or other cryptologic solution is used to secure sensitive or confidential information at rest in the cloud environment", values as extracted, not matched to years: 42%, 36%, 49%, 47%. Series "Encrypt or tokenize sensitive or confidential data directly within cloud applications (SaaS)", values as extracted, not matched to years: 34%, 28%, 29%, 36%.)

Figure 20. The percentage of all sensitive information encrypted in the cloud. Extrapolated values presented. (Chart comparing 2015, 2016, 2017 and 2019. Series "Sensitive or confidential information transferred to the cloud environment that is protected by encryption, tokenization or other cryptologic solution", values as extracted, not matched to years: 34%, 33%, 46%, 42%. Series "Data in cloud environments is secured with encryption and key management", values as extracted: 43%, 40%.)


(Figure 22 pie chart segments: Essential, Very important, Important, Not important, Irrelevant; segment values as extracted, not matched to segments: 4%, 20%, 28%, 30%, 18%.)

Figure 21. Who is in control of encryption keys when data is encrypted in the cloud? (Bar chart comparing 2015, 2016, 2017 and 2019; categories: Your organization, The cloud provider, A combination of my organization and the cloud provider, A third-party (i.e. neither you or your cloud provider), Other.)

Only half of organizations are in control of encryption keys when data is encrypted in the cloud.

Just over half of organizations are in control of encryption keys when data is encrypted in the cloud. Figure 21 reveals that 53 percent of respondents say their organization is in control of encryption keys. Only 20 percent of respondents say the cloud provider is in control and 16 percent of respondents say it is a third party.

Consistent with the above finding, almost half (48 percent of respondents) say it is essential or very important for their organization to retain custodianship of the security and encryption keys, according to Figure 22.

53% of respondents say their organization is in control of encryption keys

Figure 22 How important is it for your organization to retain custodianship of the security and encryption keys?


05 Trends in identity and access management practices in the cloud


Figure 23. What best describes your organization’s approach to user access and identity management in the cloud environment? (Bar chart comparing 2015, 2016, 2017 and 2019; categories: Unified identity management interface for both the cloud and on-premise environment, Separate identity management interfaces for the cloud and on-premise environment, Hybrid combination of the above two choices, Don’t know.)

Most organizations have different approaches to control access to sensitive and confidential data in the cloud.

As shown in Figure 23, 50 percent of respondents say their organizations have separate identity management interfaces for the cloud and on-premise environment. Only 30 percent of respondents say they have a unified identity management interface for both the cloud and on-premise environment.

50% of respondents say their organizations have separate identity management interfaces for the cloud and on-premise environment



82% Control strong authentication prior to accessing data and applications in the cloud

72% Support multiple identity federation standards including SAML

70% Ensure consistently high availability of IT resources

63% Deploy short cycles and the ability to add new identity management services quickly

62% Utilize social identities provided by trusted third parties

58% Expand or contract usage based on the organization’s current needs/demands

56% Accelerate on-boarding process for new users

The importance of supporting multiple identity federation standards has increased in the past four years.

While the importance of supporting multiple identity federation standards has increased significantly, the most important feature is the ability to control strong authentication prior to accessing data and applications in the cloud (an increase from 73 percent to 82 percent of respondents). The importance of SAML has increased significantly in the past four years (from 56 percent to 72 percent). The most essential and important features for controlling and securing access to cloud resources are shown in Figure 24.

Figure 24. Most important identity and access management features. Essential and Very important responses combined


06 Country differences


Figure 25. My organization is careful about sharing confidential or sensitive information with third parties. Strongly agree and Agree responses combined. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 51%, 49%, 47%, 45%, 34%, 28%, 28%, 63%.)

63% of German respondents agree that their organizations are careful when sharing sensitive and confidential information with third parties

In this section, we analyze the differences among the following countries included in this research: United States (US), United Kingdom (UK), Australia (AU), Germany (DE), France (FR), Japan (JP), India (IN) and Brazil (BZ). As shown, German organizations seem to be the most proactive in securing sensitive and confidential information in the cloud, managing the complexity of privacy and data protection regulations in the cloud environment, ensuring security policies for the cloud are in place and having confidence in knowing all cloud computing applications in use.

German organizations understand the importance of taking care when sharing with third parties

As shown in Figure 25, 63 percent of German respondents agree that their organizations are careful when sharing sensitive and confidential information with third parties. Only 34 percent of respondents in Brazil and 28 percent of Japanese respondents agree their organizations are careful when sharing sensitive information.


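Figure 26. GDPR will require significant changes in our organization’s cloud governance. Strongly agree and Agree responses combined. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 57%, 56%, 45%, 41%, 33%, 27%, 24%, 63%.)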

Respondents in France, Germany and the United Kingdom say their organizations must make significant changes to cloud governance because of GDPR.

Respondents in India, Australia and Brazil are far less likely to believe changes will be required, as shown in Figure 26.


Figure 27. My organization is proactive in managing compliance with privacy and data protection regulations in the cloud environment. Strongly agree and Agree responses combined. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 65%, 47%, 44%, 37%, 37%, 36%, 33%, 67%.)

67% of respondents in Germany agree their organizations are most proactive in managing compliance with privacy and data protection regulations in the cloud environment

German organizations are the most proactive in managing compliance with regulations.

Sixty-seven percent of respondents in Germany agree their organizations are most proactive in managing compliance with privacy and data protection regulations in the cloud environment. Only 36 percent of US and 33 percent of Brazilian respondents say their organizations are proactive in making sure the handling of sensitive and confidential information is in compliance, as shown in Figure 27.


Figure 28. It is more complex to manage privacy and data protection regulations in a cloud environment than in on-premises networks within my organization. Strongly agree and Agree responses combined. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 81%, 79%, 70%, 68%, 64%, 61%, 45%, 98%.)

98% of organizations in Australia say managing privacy and data protection regulations is more complicated in the cloud than on-premises

Virtually all organizations in Australia say managing privacy and data protection regulations is more complicated in the cloud than on-premises. In contrast, only 45 percent of respondents in Brazil say it is more complex, as shown in Figure 28.


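Figure 29. Are cloud providers evaluated for security capabilities prior to engagement or deployment within your organization? Yes responses. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 64%, 63%, 58%, 58%, 52%, 47%, 42%, 65%.)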

65% of German respondents say their organizations evaluate the security capabilities of cloud providers

Organizations in Germany, India and France are most likely to evaluate the security capabilities of cloud providers.

As shown in Figure 29, 65 percent of German respondents, 64 percent of Indian respondents and 63 percent of French respondents say their organizations evaluate the security capabilities of cloud providers. Only 42 percent of Brazilian respondents say their organizations evaluate cloud providers prior to deployment or engagement.


Figure 30. Are you confident your IT organization knows all cloud computing applications, platforms or infrastructure services in use today? Not confident responses. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 55%, 55%, 52%, 48%, 46%, 30%, 26%, 58%.)

58% of respondents in Brazil are not confident that their organizations have visibility into the use of cloud computing applications, platform or infrastructure services

How confident are respondents that they know all cloud computing applications, platforms or infrastructure services in use in their organizations?

Fifty-eight percent of respondents in Brazil are not confident that their organizations have visibility into the use of cloud computing applications, platform or infrastructure services. Germany is the most confident (only 26 percent of respondents say they are not confident), as revealed in Figure 30.


Figure 31. Are you confident your IT organization knows all cloud computing applications, platforms or infrastructure services in use today? Not confident responses. (Chart by country: UK, India, Germany, Japan, US, Australia, Brazil, France; series: "Yes, and each cloud provider manages encryption and key management mechanisms", "Yes, and our organization manages encryption and key management mechanisms", "Yes, and a managed security service provider manages encryption and key management mechanisms"; values as extracted, not matched to countries or series: 18%, 38%, 16%, 16%, 34%, 21%, 18%, 32%, 20%, 20%, 34%, 15%, 27%, 24%, 15%, 21%, 25%, 19%, 23%, 17%, 20%, 30%, 19%, 27%.)

68% of respondents in the consolidated findings say they have adopted some form of security first for the cloud

Organizations in Australia and Germany are most likely to adopt a security first approach for the cloud.

Sixty-eight percent of respondents in the consolidated findings say they have adopted some form of security first for the cloud. As shown in Figure 31, 76 percent of Australian respondents and 72 percent of German respondents have adopted a security first approach. Their organizations are also most likely to manage encryption and key management mechanisms.


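Figure 32. Does your organization deploy a multicloud architecture or strategy? Yes responses. (Bar chart by country: FR, UK, US, JP, IN, DE, AU, BZ; bar values as extracted, not matched to countries: 54%, 50%, 48%, 47%, 44%, 43%, 36%, 56%.)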

56% of respondents in Germany have a multicloud strategy

German and US organizations are most likely to deploy a multicloud architecture or strategy.

As shown in Figure 32, 56 percent of respondents in Germany and 54 percent of respondents in the US have a multicloud strategy. India and Brazil are least likely to have such an architecture.


Figure 33. How important is the use of cloud computing applications or platform solutions for meeting business objectives today and over the next two years? Very important and important responses combined. (Chart by country: UK, DE, JP, IN, FR, US, BZ, AU; series: Today, Over the next 2 years; axis 0% to 100%.)

Figure 34. What’s more important, strong authentication or high availability of IT resources? Essential and Very important ratings combined. (Chart by country: UK, DE, JP, IN, FR, US, BZ, AU; series: Control strong authentication prior to accessing data and applications in the cloud, Ensure consistently high availability of IT resources; axis 0% to 100%.)

The importance of cloud computing applications or platform solutions grows globally. The greatest growth in the use of cloud applications and platforms will be in the UK, US and Germany, as shown in Figure 33.

As shown in Figure 34, respondents in Japan, France and India are most likely to say it is essential or very important to have controls that result in strong authentication prior to accessing data and applications in the cloud. Ensuring high availability of IT resources is most important in Brazil, the US and Germany.


07 Demographics


A sampling frame of 95,242 experienced IT and IT security practitioners located in the United States, the United Kingdom, Australia, Germany, France, Japan, India and Brazil who are familiar with their companies’ use of both public and private cloud resources were selected as participants in the research. Chart 1 shows 3,667 total returns. Screening and reliability checks required the removal of 321 surveys. Our final sample consisted of 3,346 surveys, a 3.5 percent response rate.

Chart 2 reports respondents’ organizational levels within participating organizations. By design, 59 percent of respondents are at or above the supervisory level and 38 percent of respondents are at the staff/technician level.

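Chart 1. Number of respondents. (Bar chart by country: UK, India, Germany, Japan, Brazil, France, US, Australia; bar values as extracted, not matched to countries: 558, 494, 421, 385, 354, 305, 239, 590.)

Chart 2. Current position within the organization. (Pie chart with segments Senior Executive/VP, Director, Manager/Supervisor, Staff/Technician, Contractor and Other; segment values as extracted, not matched to segments: 2%, 3%, 16%, 40%, 38%, 1%.)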


As shown in Chart 3, 59 percent of respondents are from organizations with a global headcount of more than 1,000 employees.

Percentages below report the industry classification of respondents’ organizations. Chart 4 identifies financial services (15 percent of respondents) as the largest segment, followed by public sector (13 percent of respondents) and industrial/manufacturer (12 percent of respondents).

Chart 3. Global employee headcount. (Pie chart with segments Less than 500, 500 to 1,000, 1,001 to 5,000, 5,001 to 10,000, 10,001 to 25,000, 25,001 to 75,000 and More than 75,000; segment values as extracted, not matched to segments: 9%, 17%, 24%, 21%, 19%, 3%, 6%.)

Chart 4. Industry classification of respondents’ organizations. (Bar chart, axis 0 to 20 percent; categories: Financial services, Public sector, Industrial/Manufacturer, Retail, Technology & software, Health & pharmaceutical, Services, Utilities & energy, Consumer products, Transportation, Education & research, Communications, Media & entertainment, Hospitality, Other.)

59% of respondents have a global headcount of more than 1,000 employees


© Thales - October 2019 • GH - v7