Information security professionals are split over whether cloud suppliers should co-operate with governments by providing access to encrypted data, a survey has revealed.
More than one-third of those polled said cloud providers should turn over encrypted data to governments when asked, according to the survey by the Cloud Security Alliance (CSA) and security firm Bitglass .
But 55% of all respondents were opposed, with a higher proportion of US respondents being against government co-operation (63%) compared with peers in Europe, Middle East and Africa, where only 42% were opposed. Overall, 10% said they were not concerned.
Asked how far cloud suppliers should be forced to to provide access to encrypted data, 43% said data that is readily available should be provided, while 32% said suppliers should be forced to build capabilites to decrypt data especially for law enforcement purposes, and 12% said suppliers should be forced to use government-mandated algorithms.
“The decision as to whether or not an organisation wants their cloud provider to turn over encrypted data to government when asked is one that all organisations should ask themselves as they make the move to the cloud,” said John Yeoh, senior research analyst at the CSA.
“It is also a critical question organisations should be asking of their cloud providers as part of a comprehensive assessment of cloud providers’ security controls. The more information and policy detail that can be clearly spelled out up-front, the greater the chance that an organisation will have a successful, long-term relationship with their cloud provider.”
The CSA is a not-for-profit organisation led by a broad coalition of industry stakeholders with a mission to promote the use of best practices for providing security assurance within cloud computing, to provide education on the uses of cloud computing, and to help secure all other forms of computing.
Enterprises in every industry are adopting cloud apps at an “astounding” rate, the survey report said, with the software as a service segment expected to see a steady growth of 19.7% over the next four years and adoption is expected to double.
But despite this progress, the report said security and compliance concerns revolving around inappropriate use of or access to sensitive cloud data continue to loom large, and questions over whether cloud suppliers have an obligation to cooperate with government add to the uncertainty.
When asked what actions they have taken because of concerns that cloud supplier will be compromised, 61% of respondents reported they purchased from suppliers that encrypt data at rest. About one-third of respondents said they used third-party cloud encryption products (35%). However, one-quarter reported that they prohibit cloud apps and 17% reported that they did nothing to mitigate these concerns.
The survey also revealed that although many organisations have experienced cloud security incidents, they are not as widespread as many expected.
Most cloud-related security incidents, the survey shows, stem from inappropriate use of the cloud, led by unwanted external sharing (59%) and access from unmanaged devices (47%).
Fewer incidents were linked to cloud data being synced to a lost or stolen device (32%), employee credential compromise (29%) and malicious insiders (22%).
Cloud visibility is lacking, the survey revealed, with only 49% of organisations knowing the basics, such as where and when sensitive data is being downloaded from the cloud.
According to the survey, cloud access security brokers (CASBs) are on the rise, with 60% of organisations polled saying they have deployed or plan to deploy a CASB to act as a gatekeeper, allowing the organisation to extend the reach of their security policies beyond their own infrastructure.The main reason for using a CASB, the organisations cited, was to prevent data leaks.
However, the survey shows that few organisations polled have taken action to mitigate shadow IT threats , with 62% relying on written policies rather than technical controls.
Nearly 80% of respondents said they are just as concerned or more concerned about shadow IT than a year ago, while most security professionals are as concerned today about shadow IT as they were last year (49%), while 30% are more concerned than last year. Just 13% said they are less concerned and 8% said they were never concerned.
“While hotly contested issues like government intervention remain open, major public cloud suppliers have demonstrated that the cloud can be more secure than premises-based applications,” said Nat Kausik, CEO of Bitglass.
“The primary open concern is whether enterprises can put policies and controls in place to use the cloud securely,” he said.
