IT Pros: Cloud Providers Shouldn't Turn Over Encrypted Data
While some IT professionals believe that cloud computing vendors should turn over encrypted data to government agencies, 55% believe that it is not right, according to a new survey from CSA and Bitglass. The report also found that confidence in cloud vendor security is growing.
9 Promising Cloud Security Startups To Watch
(Click image for larger view and slideshow.)
More than one in three IT professionals believe cloud providers should turn over encrypted data to the government when they are asked. However, a majority believe that these vendors should not cooperate, according to a Cloud Security Alliance (CSA) and Bitglass survey of 176 information security professionals.
More than a third (35%) of respondents reported that they believe cloud app vendors should be forced to provide government access to encrypted data, while slightly more than half (55%) noted that they are opposed.
The survey also found nearly two-thirds (64%) of US-based information security professionals are opposed to government cooperation, compared to only 42% of respondents in Europe, the Middle East, and Africa (EMEA).
In addition to those finding on encryption, businesses and their IT departments seem to lack visibility into their cloud infrastructure. Less than half (49%) of organizations even know basics such as where and when sensitive data is being downloaded.
Even more worrying is the fact that only about 28% have access into user logins, and a mere 29% have audit logs, although confidence in cloud vendors seems to be growing. Some 67% of respondents said they were moderately concerned or not at all concerned about their cloud application vendors being compromised.
"Since cloud apps are accessible from any device, anywhere, having robust identity management and access control is critical," Rich Campagna, vice president of products for Bitglass, told InformationWeek.
"Organizations must employ tools that provide the ability to identify and control suspicious logins, anomalous user activities, and unmanaged device access across all of their cloud applications."
The report also found the deployment of cloud access security brokers (CASBs) are on the rise, with 60% of organizations having deployed or planning to deploy a CASB, with data leakage prevention cited as the most important capability.
Deployed between cloud apps and devices, CASBs provide data protection and visibility. They leverage features such as encryption, data loss prevention (DLP), and access control.
The report revealed most organizations have experienced some cloud security incident, with 59% related to unwanted external sharing and 47% involving access from unauthorized devices.
Among the other issues facing organizations and their IT security specialists are shadow IT threats -- information technology systems and solutions built and used inside organizations without explicit organizational approval.
The report found that few of the organizations surveyed have taken action to mitigate these threats. Only 29% of respondents said they use a proxy or firewall to redirect users.
"The ease with which employees can use unsanctioned shadow IT apps makes control difficult, with 62% using written policies according to our survey -- not at all effective in controlling usage," Campagna said. "In addition, 38% of respondents said they outright block applications, which tends to drive employees to work around IT, accessing these apps outside the corporate network."
He explained that discovery -- the ability to identify unsanctioned cloud usage and the risk profile of each application -- is the first step IT departments should take when tackling shadow IT issues.
"Organizations can then decide what to do, including secure and sanction, block, or redirect," Campagna said.
Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin. View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.