thalescpl.com
Global Edition
#CloudSecurity
Protecting Data In The Cloud
2019 Thales Cloud Security Study
About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
We uphold data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
About Thales
The people you rely on to protect your privacy rely on Thales to protect their data. When it comes to data security, organizations are faced with an increasing amount of decisive moments. Whether the moment is building an encryption strategy, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.
Decisive technology for decisive moments.
Global Cloud Data Security Study - 2019 3
Contents
Executive Summary
Key Findings
• Organizations failing to protect sensitive data despite increasingly storing it in the cloud
The cloud is a valued part of an organization’s IT strategy
• The cloud reduces costs, improves deployment time and makes organizations more efficient.
• Virtually every organization represented in this study will be using cloud services within the next two years.
• The use of cloud data resources for IT and data processing requirements continues to increase.
• Organizations are not making progress in knowing all cloud computing services they use.
• Software as a Service (SaaS) is now used in almost every organization.
• The use of Platform as a service (PaaS) increases.
• More companies are using Infrastructure as a Service (IaaS).
• IT control of IT security spending declines.
• More corporate data is stored in the cloud.
Cloud security practices remain stormy and uneven
• More corporate data is being stored in the cloud and the use of cloud platforms and applications is pervasive in organizations.
• Most organizations still believe the use of cloud resources affects compliance risk.
• Organizations are storing corporate data in the cloud that they consider to be at risk.
• Most organizations are adopting a security first approach for the cloud.
• The use of encryption, tokenization and other cryptologic tools increases.
• More organizations find it difficult to protect confidential or sensitive information when using cloud services.
The Achilles heel of cloud security: Inadequate vetting of cloud providers
• Organizations are not assuming responsibility for security in the cloud.
• Organizations continue to select cloud providers based on efficiency and cost, not security.
• There is no clear accountability for the evaluation of the cloud provider’s security capabilities.
• Security evaluations of cloud providers rely increasingly on contractual negotiations and legal reviews.
• Not enough resources is a barrier to evaluating cloud providers.
Cryptoagility, encryption and tokenization solutions increase in use and importance
• Most organizations say cloud applications increase or have no effect on their organization’s cryptoagility.
• Data at rest in the cloud is more likely to be protected than data within cloud applications.
• The majority of data in the cloud is not encrypted.
• Most organizations are in control of encryption keys when data is encrypted in the cloud.
Trends in identity and access management practices in the cloud
• Most organizations have different approaches to control access to sensitive and confidential data in the cloud.
• The importance of supporting multiple identity federation standards has increased in the past four years.
Country differences
• German organizations understand the importance of taking care when sharing with third parties
• Respondents in France, Germany and the United Kingdom say their organizations must make significant changes to cloud governance because of GDPR.
• German organizations are the most proactive in managing compliance with regulations.
• Organizations in Germany, India and France are most likely to evaluate the security capabilities of cloud providers.
• How confident are respondents that they know all cloud computing applications, platforms or infrastructure services in use in their organizations?
• Organizations in Australia and Germany are most likely to adopt a security first approach for the cloud.
• German and US organizations are most likely to deploy a multicloud architecture or strategy.
• The importance of cloud computing applications or platform solutions grows globally.
Demographics
• Demographics
Executive Summary
By Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute
The Ponemon Institute is pleased to present the findings of the 2019 Global Cloud Security Study sponsored by Thales. The purpose of this research is to understand trends in cloud governance and security practices since the study was first released in 2015. This year’s study reveals the increasing risk of non-compliance with new global privacy and data protection regulations. Another important trend over the past three years is the increasing use of cloud applications and platforms without the necessary security safeguards.
We surveyed 3,346 IT and IT security practitioners in the United States, United Kingdom, Australia, Germany, France, Japan, India and Brazil who are familiar with and involved in their companies’ use of both public and private cloud resources. Seventy-six percent of respondents say their organizations are heavy (34 percent) or moderate (42 percent) users of cloud resources.
Commitment to cloud security grows, but security safeguards are not keeping up with the increased use of the various cloud platforms.
As shown in Figure 1, commitment to protecting confidential or sensitive information has increased significantly from 62 percent in 2015 to 72 percent of respondents in this year’s study. However, only half (50 percent of respondents) say their organizations have established clearly defined roles and accountability for safeguarding confidential or sensitive information stored in the cloud.
Figure 1 The commitment to safeguarding data in the cloud (Strongly agree and agree responses combined)
My organization is committed to protecting confidential or sensitive information in the cloud: 62% (2015), 65% (2016), 67% (2017), 72% (2019)
We have defined roles & accountability for safeguarding sensitive information stored in the cloud: 38% (2015), 43% (2016), 46% (2017), 50% (2019)
Key Findings
Organizations are failing to protect sensitive data, despite increasingly storing it in the cloud
New research from Thales and the Ponemon Institute has exposed a disparity between the rapid growth of data being stored in the cloud, and organizations’ approach to protecting sensitive information.
• Businesses are clearly taking advantage of the increasing cloud options out there, but they’re not adhering to their own fears around its risk with adequate security.
• Having clearly pushed the responsibility for protecting their data to their cloud providers, it’s extremely concerning to see security is not a big factor when choosing them.
• Regardless of the Cloud Service Model or Provider, the security of your organization's data in the cloud is your responsibility.
• It’s the business’ reputation that will suffer if a data breach occurs, so they should be taking more control over their security and ownership of their encryption keys.
According to the research, organizations struggle to achieve a stronger security posture in the cloud because of their inability to do the following:
• Apply conventional security practices in the cloud environment
• Directly assess the compliance and security practices of cloud providers
• Have sufficient resources to be able to evaluate the security practices of cloud providers
• Control or restrict end-user access
• Know all cloud computing applications, platform or infrastructure services in use
• Reduce the complexity of managing privacy and data protection regulations in the cloud environment
49% of organizations are encrypting sensitive data in the cloud
48% of all corporate data is stored in the cloud compared to 35% three years ago
53% of businesses are controlling the encryption keys when data is encrypted in the cloud, despite 78% saying it’s important to retain ownership of the encryption keys
Businesses are taking advantage of the cloud, but not applying adequate security
Businesses remain responsible for security of data in the cloud regardless of the provider
Some businesses push responsibility for data security to cloud providers, but do not consider security a big factor when choosing them
Businesses struggle to reduce complexity of managing privacy and data protection regulations in the cloud environment
Businesses use 29 cloud applications on average - compared to 27 two years ago
Over 10% have more than 50 and the average U.S. business has 41
44% of organizations are careful about sharing sensitive information with third parties
46% revealed that storing customer data in the cloud makes them more of a security risk and a compliance risk (56%)
Customer information 60%, emails 48% and consumer data 46%, are the biggest amounts of data stored in the cloud
32% don’t employ a security-first approach to storing data in the cloud
30% of organizations have a unified system for secure access to both cloud and on-premise applications
01 The cloud is a valued part of an organization’s IT strategy
The cloud reduces costs, improves deployment time and makes organizations more efficient.
As shown in Figure 2, the primary incentive to use the cloud is to reduce costs. However, as shown in this year’s research, greater efficiency and improved security have increased over the past three years as reasons to move to the cloud.
Figure 2 The primary reasons cloud resources are used (Two responses permitted)
What are the primary reasons why cloud resources are used within your organization?
[Bar chart comparing the 2015, 2016, 2017 and 2019 studies on a 0% to 80% scale. Reasons shown: Improve security; Increase efficiency; Increase flexibility and choice; Comply with contractual agreements or policies; Improve customer service; Reduce cost; Faster deployment time]
Virtually every organization represented in this study will be using cloud services within the next two years.
Today cloud computing applications and platform solutions are considered critical to their organizations’ operations, according to 80 percent of respondents, and 90 percent of respondents say the cloud will increase in importance in the next two years.
Figure 3 Trends in the importance of cloud computing applications or platform solutions (Very important and Important responses combined)
Today: 72% (2015), 73% (2016), 79% (2017), 80% (2019)
Over the next 2 years: 78% (2015), 81% (2016), 87% (2017), 90% (2019)
The use of cloud data resources for IT and data processing requirements continues to increase.
As shown in Figure 4, in two years an average of 53 percent of all IT and data processing requirements will be in the cloud, a significant increase from an average of 41 percent today. The use of cloud services for IT and data processing has steadily increased over the past three years.
Figure 4 Trends in use of cloud data resources for IT and data processing requirements (Extrapolated values)
IT and data processing requirements are met by using cloud resources today: 33% (2015), 36% (2016), 39% (2017), 41% (2019)
IT and data processing requirements will be met by using cloud resources two years from today: 41% (2015), 45% (2016), 51% (2017), 53% (2019)
Organizations are not making progress in knowing all cloud computing services they use.
As shown in Figure 5, 54 percent of respondents are either very confident (24 percent) or confident (30 percent) that the IT organization knows all cloud computing applications, platform or infrastructure services in use today. This is almost unchanged from 56 percent of respondents in the previous study.
Figure 5 How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today?
Very confident: 19% (2015), 24% (2016), 25% (2017), 24% (2019)
Confident: 26% (2015), 30% (2016), 31% (2017), 30% (2019)
Not confident: 55% (2015), 46% (2016), 43% (2017), 46% (2019)
Software as a Service (SaaS) is now used in almost every organization.
Since 2016, the percentage of respondents reporting their organizations do not use SaaS[1] decreased from 54 percent to 9 percent in this year’s study.
On average, organizations in this study are using 29 cloud applications. Business applications including cloud infrastructure applications, such as online backup, virtual desktop and email, texting and other communication tools have increased significantly since 2016. The use of email, texting and other communication tools also grew in value to organizations.
91% of responding organizations are using SaaS
29 average number of cloud applications that organizations are using
[1] SaaS is software deployment whereby a provider licenses an application to customers for use as a service on demand. SaaS software providers may host the application on their own web servers or upload the application to the consumer device, disabling it after use or after the on-demand contract expires.
The use of Platform as a service (PaaS) increases.
Since 2016, the percentage of respondents using PaaS[2] has increased. The percentage of respondents reporting their organizations are not using PaaS has declined from 54 percent to 44 percent. Services such as identity management, payments and search have increased from 24 percent to 32 percent over the past three years.
More companies are using Infrastructure as a Service (IaaS).
Organizations represented in this study use an average of 13 cloud computing infrastructure/provider services. The percentage of respondents reporting they don’t use IaaS[3] has declined from 41 percent in 2016 to 28 percent in 2019. The use of storage and computing services has increased steadily since 2016.
Almost half (48 percent) of organizations represented in this study are using a multicloud[4] architecture or strategy and are using an average of 3 different clouds. Of the 50 percent who are not using multiple clouds, 60 percent of respondents say they will deploy a multicloud architecture in the next 6 months (37 percent) or 12 months (23 percent).
56% of respondents say their organizations are using PaaS
28% of respondents say their organizations don't use IaaS
48% of organizations are using a multicloud architecture or strategy
13 average number of cloud computing infrastructure/provider services used
[2] PaaS is the delivery of a computing platform and solution stack as a service. It often goes further by provisioning a software development platform that is designed for the cloud computing environment.
[3] IaaS is the delivery of a computer infrastructure as a service. Rather than purchasing servers, software, data center space or network equipment, clients instead buy those resources as a fully outsourced service. The service is typically billed on a utility computing basis and the amount of resources consumed (and therefore the cost) will typically reflect the level of activity.
[4] Multicloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multicloud architecture utilizing two or more public clouds as well as multiple private clouds, a multicloud environment aims to eliminate the reliance on any single cloud provider. It differs from hybrid cloud in that it refers to multiple cloud services rather than multiple deployment modes (public, private, legacy).
Figure 6 Percent of total corporate IT spending is controlled by the IT department (Extrapolated values)
51% (2015), 53% (2016), 40% (2017), 36% (2019)
Figure 7 Percent of cloud services deployed by departments other than corporate IT (Extrapolated values)
50% (2015), 49% (2016), 58% (2017), 54% (2019)
Figure 8 Percent of corporate data stored in the cloud (Extrapolated values)
30% (2015), 35% (2016), 43% (2017), 48% (2019)
IT control of IT security spending declines. The average percent of total corporate IT spending controlled by the IT department has decreased to an average of 36 percent from an average of 40 percent in last year’s study, as shown in Figure 6.
According to Figure 7, the percent of cloud services deployed by departments other than corporate IT decreased from an average of 58 percent in last year’s study.
More corporate data is stored in the cloud. As shown in Figure 8, the percent of corporate data stored in the cloud environment has grown from an average of 30 percent in 2015 to an average of 48 percent.
02 Cloud security practices remain stormy and uneven
More corporate data is being stored in the cloud and the use of cloud platforms and applications is pervasive in organizations.
Yet, Figure 9 shows the barriers to safeguarding confidential and sensitive data in the cloud environment. Specifically, 70 percent of respondents find it more complex to manage privacy and data protection regulations in a cloud environment than on-premises. Further, only 44 percent of respondents say their organization is careful about sharing sensitive information with third parties and 46 percent of respondents say their organization is proactive in managing compliance with privacy and data protection regulations in the cloud.
Figure 9 Perceptions about governance practices in the cloud (Strongly agree and Agree responses combined)
44% say the new General Data Protection Regulation (GDPR) will require my organization to make significant changes in its cloud governance
70% say it is more complex to manage privacy and data protection regulations in a cloud environment than on-premise networks within my organization
44% of organizations are careful about sharing confidential or sensitive information with third parties such as business partners, contractors, and providers in the cloud environment
46% of organizations are proactive in managing compliance with privacy and data protection regulations in the cloud environment
Most organizations still believe the use of cloud resources affects compliance risk.
According to Figure 10, fifty-six percent of respondents say the use of cloud resources increases compliance risk. As discussed on the previous page, it is difficult to manage privacy and data protection regulations in the cloud.
Figure 10 How does the use of cloud resources affect compliance risk?
Increases compliance risk: 61% (2015), 62% (2016), 57% (2017), 56% (2019)
Decreases compliance risk: 8% (2015), 10% (2016), 13% (2017), 13% (2019)
Does not affect compliance risk: 31% (2015), 28% (2016), 30% (2017), 31% (2019)
56% of respondents say the use of cloud resources increases compliance risk
Organizations are storing corporate data in the cloud that they consider to be at risk.
Customer information, email messages and consumer data are the top three data types stored in the cloud. Less likely to be stored in the cloud are such confidential data as payment information, employee records, intellectual property and health information, as shown in Figure 11.
Figure 11 also shows the data types considered most at risk, led by payment information, according to 51 percent of respondents followed by customer and consumer data (46 percent and 33 percent, respectively).
Figure 11 Corporate data stored in the cloud vs. Corporate data that presents the greatest security risk when stored in the cloud (More than one choice permitted; Only two choices permitted)
What type of corporate data does your organization store in the cloud?
[Bar chart on a 0% to 80% scale with two series: Corporate data stored in the cloud; Corporate data that presents the greatest security risk when stored in the cloud. Data types shown: Financial information; Consumer data; Payment information; Employee records; Intellectual property; Health information; Research data; Other; Customer information; Email messages]
Most organizations are adopting a security first approach for the cloud.
While 32 percent of respondents have not adopted a security first approach, 68 percent of respondents are adopting some form of it. According to Figure 12, 39 percent are either having their cloud provider (21 percent) or their managed security service provider (18 percent) manage encryption and key management mechanisms.
Figure 12 Has your organization adopted a security first approach for the cloud?
No, we have not adopted a security first approach: 32%
Yes, and our organization manages encryption and key management mechanisms: 29%
Yes, and each cloud provider manages encryption and key management mechanisms: 21%
Yes, and a managed security service provider (MSSP) manages encryption and key management mechanisms: 18%
32% of respondents have not adopted a security first approach
The use of encryption, tokenization and other cryptologic tools increases.
Over the past three years, the use of encryption, tokenization or other cryptologic tools to protect data in the cloud has increased. Data is also protected with private data networks, and premium security services provided by cloud providers. There is also greater awareness about the steps taken to protect sensitive or confidential information in the cloud. In 2016 and 2017, 35 percent of respondents said they did not know. This declined to 4 percent in this year’s research.
96% of organizations know that they are protecting confidential or sensitive information in the cloud
More organizations find it difficult to protect confidential or sensitive information when using cloud services.
This year, 56 percent of respondents believe cloud services make it more difficult to protect sensitive and confidential information, an increase from 49 percent of respondents in last year’s study.
Reasons for the increase in the difficulty in safeguarding data in the cloud are: the difficulty of applying conventional information security in the cloud computing environment (67 percent) and the inability to directly inspect cloud providers for security compliance (64 percent). Fifty percent of respondents say it is more difficult to control or restrict end-user access.
56% believe cloud services make it more difficult to protect sensitive and confidential information
03 The Achilles heel of cloud security: Inadequate vetting of cloud providers
Organizations are not assuming responsibility for security in the cloud.
As shown in Figure 13, thirty-five percent of respondents believe the cloud provider should be held responsible for protection of sensitive or confidential information or it should be a shared responsibility (33 percent of respondents). Only 31 percent of respondents say their organizations should assume full responsibility.
Figure 13 Who is most responsible for protecting sensitive or confidential data stored in the cloud?
Who is the most responsible for protecting sensitive or confidential data stored in the cloud?
[Chart comparing the 2015, 2016, 2017 and 2019 studies. Responses shown: The cloud provider; The cloud user; Shared responsibility]
35% of respondents believe the cloud provider should be held responsible for protection of sensitive or confidential information
Organizations continue to select cloud providers based on efficiency and cost, not security.
As discussed previously, many organizations expect the cloud provider to be responsible for security or believe it should be a shared responsibility. However, only 23 percent say security is a factor in selecting a cloud provider, according to Figure 14.
Figure 14 How do you select a cloud provider? (Two responses permitted)
What factors are most important in the selection of a cloud provider?
[Bar chart comparing the 2015, 2016, 2017 and 2019 studies on a 0% to 60% scale. Factors shown: Interoperability; Financial stability of the cloud provider; Flexibility and choice; Security; Deployment time; Customer service; Reputation of the cloud provider; Efficiency; Cost]
23% of respondents say security is a factor in selecting a cloud provider
There is no clear accountability for the evaluation of the cloud provider’s security capabilities.
The percentage of respondents who say their organizations evaluate cloud providers declined from 61 percent last year to 56 percent of respondents in this year’s study.
Of these respondents, 30 percent say it is the end-user that does the evaluation. In contrast, only 13 percent say it is IT security who is most responsible for evaluating the cloud provider’s security capabilities, as shown in Figure 15.
Figure 15 Who evaluates the cloud provider’s security capabilities?
Who in your organization is most responsible for evaluating the cloud provider's security capabilities?
[Bar chart comparing the 2015, 2016, 2017 and 2019 studies on a 0% to 60% scale. Responses shown: Procurement; Legal; Internal audit; Information security; Compliance; No one person is responsible; Corporate IT; End-users]
30% of respondents say it is the end-user that does the evaluation
Security evaluations of cloud providers rely increasingly on contractual negotiations and legal reviews.
Figure 16 reveals little change in how organizations go about evaluating cloud providers. Most companies continue to rely upon the use of contractual negotiation and legal reviews to evaluate cloud providers (61 percent of respondents). Word-of-mouth or market reputation is used to evaluate the provider by 54 percent of respondents, followed by availability of information security tools (49 percent).
Fewer organizations look at proof of security compliance (42 percent), a self-assessment security questionnaire (34 percent) and an assessment by in-house security team (24 percent). Similar to the previous study, only 19 percent of respondents say their organizations conduct a third-party assessment by security expert or auditor.
Figure 16 How does your organization go about evaluating cloud providers? (More than one response permitted)
[Bar chart comparing the 2015, 2016, 2017 and 2019 studies on a 0% to 60% scale. Methods shown: Assessment by in-house security team; Self-assessment checklist or questionnaire completed by provider; Third-party assessment by security expert or auditor; Availability of information security tools; Proof of security compliance (such as SOC 2/3); Word-of-mouth (market reputation); Contractual negotiation and legal review]
61% of companies continue to rely upon the use of contractual negotiation and legal reviews to evaluate cloud providers
Not enough resources is a barrier to evaluating cloud providers.
Forty-four percent of respondents say their organization does not evaluate cloud providers for security capabilities prior to engagement or deployment. Reasons for not evaluating providers are shown in Figure 17. Primarily it is not enough resources to conduct an evaluation (63 percent of respondents). The inability to control end-users has declined from 69 percent in 2016 to 59 percent in this year’s study.
Figure 17 What are the reasons for not evaluating the security of cloud providers? (More than one choice permitted)
Why would your organization permit cloud resources to be deployed without first evaluating for security?
[Bar chart comparing the 2015, 2016, 2017 and 2019 studies on a 0% to 80% scale. Reasons shown: Not enough resources to conduct evaluation; Not able to control end-users; Not considered a priority; Don’t know]
44% of respondents say their organization does not evaluate cloud providers for security capabilities prior to engagement or deployment
04 Cryptoagility, encryption and tokenization solutions increase in use and importance
Most organizations say cloud applications increase or have no effect on their organization’s cryptoagility[5].
As shown in Figure 18, 57 percent of respondents say deployment of cloud applications significantly increases (11 percent), increases (20 percent) or has no effect (26 percent) on their organization’s level of cryptoagility.
Figure 18 How does the deployment of cloud applications affect your organization’s level of cryptoagility?
[Chart response options: Significant increase; Increase; No effect; Decrease; Significant decrease]
57% of respondents say deployment of cloud applications significantly increases, increases or has no effect on their organization’s level of cryptoagility.
[5] Cryptoagility, or cryptographic agility, is the capacity for an information security system to adopt an alternative to the original encryption method or cryptographic primitive without significant change to system infrastructure. NIST guidelines state “maintaining cryptoagility is imperative” to prepare for the quantum computing era. Cryptoagility may be achieved through the adoption of new frameworks for incident response and application development, as well as the acquisition of a service software layer to facilitate cryptoagility in legacy and cloud applications.
Data at rest in the cloud is more likely to be protected than data within cloud applications.
According to Figure 19, the percentage of respondents who say their organizations encrypt, tokenize and use cryptologic solutions has increased since 2015. However, encryption of confidential data in cloud applications has decreased to 29 percent of respondents. According to these respondents, an average of 10 applications require encryption.
The majority of sensitive data in the cloud is not encrypted.
Eighty percent of respondents say the ability to encrypt or tokenize sensitive or confidential data is either very important or important to their organization’s decision to use cloud resources. However, as shown in Figure 20, less than an average of 46 percent of such data is encrypted when transferred to the cloud environment and only an average of 43 percent is secured with encryption and key management.
10average number of applications that require encryption
Figure 19. The use of encryption to secure sensitive or confidential information (Yes responses; 2015, 2016, 2017 and 2019). Series: encryption, tokenization or other cryptologic solution is used to secure sensitive or confidential information at rest in the cloud environment; encrypt or tokenize sensitive or confidential data directly within cloud applications (SaaS).
Figure 20. The percentage of all sensitive information encrypted in the cloud (extrapolated values presented; 2015, 2016, 2017 and 2019). Series: sensitive or confidential information transferred to the cloud environment that is protected by encryption, tokenization or other cryptologic solution; data in cloud environments is secured with encryption and key management.
Only half of organizations are in control of encryption keys when data is encrypted in the cloud.
Just over half of organizations are in control of encryption keys when data is encrypted in the cloud. Figure 21 reveals that 53 percent of respondents say their organization is in control of encryption keys. Only 20 percent of respondents say the cloud provider is in control and 16 percent of respondents say it is a third party.
Consistent with the above finding, almost half (48 percent of respondents) say it is essential or very important for their organization to retain custodianship of the security and encryption keys, according to Figure 22.
53% of respondents say their organization is in control of encryption keys
Figure 21. Who is in control of encryption keys when data is encrypted in the cloud? (2015, 2016, 2017 and 2019.) Response categories: your organization; the cloud provider; a combination of my organization and the cloud provider; a third party (i.e. neither you nor your cloud provider); other.
Figure 22. How important is it for your organization to retain custodianship of the security and encryption keys? Response categories: essential, very important, important, not important, irrelevant.
05 Trends in identity and access management practices in the cloud
Figure 23. What best describes your organization’s approach to user access and identity management in the cloud environment? (2015, 2016, 2017 and 2019.) Response categories: unified identity management interface for both the cloud and on-premise environment; separate identity management interfaces for the cloud and on-premise environment; hybrid combination of the above two choices; don’t know.
Most organizations have different approaches to control access to sensitive and confidential data in the cloud.
As shown in Figure 23, 50 percent of respondents say their organizations have separate identity management interfaces for the cloud and on-premise environment. Only 30 percent of respondents say they have a unified identity management interface for both the cloud and on-premise environment.
50% of respondents say their organizations have separate identity management interfaces for the cloud and on-premise environment
82% Control strong authentication prior to accessing data and applications in the cloud
72% Support multiple identity federation standards including SAML
70% Ensure consistently high availability of IT resources
56% Accelerate on-boarding process for new users
58% Expand or contract usage based on the organization’s current needs/demands
62% Utilize social identities provided by trusted third parties
63% Deploy short cycles and the ability to add new identity management services quickly
The importance of supporting multiple identity federation standards has increased in the past four years.
While the importance of supporting multiple identity federation standards has increased significantly, the most important feature is the ability to control strong authentication prior to accessing data and applications in the cloud (an increase from 73 percent of respondents to 82 percent of respondents). Support for multiple identity federation standards, including SAML, has increased significantly in the past four years (from 56 percent to 72 percent). The most essential and important features for controlling and securing access to cloud resources are shown in Figure 24.
Figure 24. Most important identity and access management features (Essential and Very important responses combined).
06 Country differences
Figure 25. My organization is careful about sharing confidential or sensitive information with third parties (Strongly agree and Agree responses combined). Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
63% of German respondents agree that their organizations are careful when sharing sensitive and confidential information with third parties
In this section, we analyze the differences among the following countries included in this research: United States (US), United Kingdom (UK), Australia (AU), Germany (DE), France (FR), Japan (JP), India (IN) and Brazil (BZ). As shown, German organizations seem to be the most proactive in securing sensitive and confidential information in the cloud, managing the complexity of privacy and data protection regulations in the cloud environment, ensuring security policies for the cloud are in place and having confidence in knowing all cloud computing applications in use.
German organizations understand the importance of taking care when sharing with third parties
As shown in Figure 25, 63 percent of German respondents agree that their organizations are careful when sharing sensitive and confidential information with third parties. Only 34 percent of respondents in Brazil and 28 percent of Japanese respondents agree their organizations are careful when sharing sensitive information.
Figure 26. GDPR will require significant changes in our organization’s cloud governance (Strongly agree and Agree responses combined). Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
Respondents in France, Germany and the United Kingdom say their organizations must make significant changes to cloud governance because of GDPR.
Respondents in France, Germany and the United Kingdom say their organizations must make significant changes to cloud governance because of GDPR. India, Australia and Brazil respondents are far less likely to believe changes will be required, as shown in Figure 26.
Figure 27. My organization is proactive in managing compliance with privacy and data protection regulations in the cloud environment (Strongly agree and Agree responses combined). Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
67% of respondents in Germany agree their organizations are most proactive in managing compliance with privacy and data protection regulations in the cloud environment
German organizations are the most proactive in managing compliance with regulations.
Sixty-seven percent of respondents in Germany agree their organizations are most proactive in managing compliance with privacy and data protection regulations in the cloud environment. Only 36 percent of US and 33 percent of Brazilian respondents say their organizations are proactive in making sure the handling of sensitive and confidential information is in compliance, as shown in Figure 27.
Figure 28. It is more complex to manage privacy and data protection regulations in a cloud environment than in on-premises networks within my organization (Strongly agree and Agree responses combined). Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
98% of organizations in Australia say managing privacy and data protection regulations is more complicated in the cloud than on-premises
Virtually all organizations in Australia say managing privacy and data protection regulations is more complicated in the cloud than on-premises. In contrast, only 45 percent of respondents in Brazil say it is more complex, as shown in Figure 28.
Figure 29. Are cloud providers evaluated for security capabilities prior to engagement or deployment within your organization? (Yes responses.) Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
65% of German respondents say their organizations evaluate the security capabilities of cloud providers
Organizations in Germany, India and France are most likely to evaluate the security capabilities of cloud providers.
As shown in Figure 29, 65 percent of German respondents, 64 percent of Indian respondents and 63 percent of French respondents say their organizations evaluate the security capabilities of cloud providers. Only 42 percent of Brazilian respondents say their organizations evaluate cloud providers prior to deployment or engagement.
Figure 30. Are you confident your IT organization knows all cloud computing applications, platforms or infrastructure services in use today? (Not confident responses.) Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
58% of respondents in Brazil are not confident that their organizations have visibility into the use of cloud computing applications, platform or infrastructure services
How confident are respondents that they know all cloud computing applications, platforms or infrastructure services in use in their organizations?
Fifty-eight percent of respondents in Brazil are not confident that their organizations have visibility into the use of cloud computing applications, platform or infrastructure services. Germany is the most confident (only 26 percent of respondents say they are not confident), as revealed in Figure 30.
Figure 31. Are you confident your IT organization knows all cloud computing applications, platforms or infrastructure services in use today? (Not confident responses.) Series: yes, and each cloud provider manages encryption and key management mechanisms; yes, and our organization manages encryption and key management mechanisms; yes, and a managed security service provider manages encryption and key management mechanisms. Countries shown: UK, India, Germany, Japan, US, Australia, Brazil, France.
68% of respondents in the consolidated findings say they have adopted some form of security first for the cloud
Organizations in Australia and Germany are most likely to adopt a security first approach for the cloud.
Sixty-eight percent of respondents in the consolidated findings say they have adopted some form of security first for the cloud. As shown in Figure 31, 76 percent of Australian respondents and 72 percent of German respondents have adopted a security first approach. Their organizations are also most likely to manage encryption and key management mechanisms.
Figure 32. Does your organization deploy a multicloud architecture or strategy? (Yes responses.) Countries shown: FR, UK, US, JP, IN, DE, AU, BZ.
56% of respondents in Germany have a multicloud strategy
German and US organizations are most likely to deploy a multicloud architecture or strategy.
As shown in Figure 32, 56 percent of respondents in Germany and 54 percent of respondents in the US have a multicloud strategy. India and Brazil are least likely to have such an architecture.
Figure 33. How important is the use of cloud computing applications or platform solutions for meeting business objectives today and over the next two years? (Very important and Important responses combined.) Series: today; over the next 2 years. Countries shown: UK, DE, JP, IN, FR, US, BZ, AU.
Figure 34. What’s more important, strong authentication or high availability of IT resources? (Essential and Very important ratings combined.) Series: control strong authentication prior to accessing data and applications in the cloud; ensure consistently high availability of IT resources. Countries shown: UK, DE, JP, IN, FR, US, BZ, AU.
The importance of cloud computing applications or platform solutions grows globally. The greatest growth in the use of cloud applications and platforms will be in the UK, US and Germany, as shown in Figure 33.
As shown in Figure 34, respondents in Japan, France and India are most likely to say it is essential or very important to have controls that result in strong authentication prior to accessing data and applications in the cloud. Ensuring high availability of IT resources is most important in Brazil, US and Germany.
07 Demographics
A sampling frame of 95,242 experienced IT and IT security practitioners located in the United States, the United Kingdom, Australia, Germany, France, Japan, India and Brazil who are familiar with their companies’ use of both public and private cloud resources were selected as participants in the research. Chart 1 shows 3,667 total returns. Screening and reliability checks required the removal of 321 surveys. Our final sample consisted of 3,346 surveys, a 3.5 percent response rate.
Chart 2 reports the respondents’ organizational level within participating organizations. By design, 59 percent of respondents are at or above the supervisory levels and 38 percent of respondents are at the staff/technician level.
Chart 1. Number of respondents. Countries shown: UK, India, Germany, Japan, Brazil, France, US, Australia.
Chart 2. Current position within the organization. Categories: Senior Executive/VP, Director, Manager/Supervisor, Staff/Technician, Contractor, Other.
As shown in Chart 3, 59 percent of respondents are from organizations with a global headcount of more than 1,000 employees.
Percentages below report the industry classification of respondents’ organizations. Chart 4 identifies financial services (15 percent of respondents) as the largest segment, followed by public sector (13 percent of respondents) and industrial/manufacturer (12 percent of respondents).
Chart 3. Global employee headcount. Categories: less than 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 10,000; 10,001 to 25,000; 25,001 to 75,000; more than 75,000.
Chart 4. Industry classification of respondents’ organizations. Categories: financial services; public sector; industrial/manufacturer; retail; technology & software; health & pharmaceutical; services; utilities & energy; consumer products; transportation; education & research; communications; media & entertainment; hospitality; other.
59% of respondents have a global headcount of more than 1,000 employees
© Thales - October 2019 • GH - v7