Why you should own the key when encrypting data in the cloud

Anthony Merry, director of Product Management, Sophos | April 4, 2016
In today’s connected society where organizations are increasingly migrating applications and information stores from on-premises to the cloud, we will never be secure against cyberattacks without strong encryption.

This vendor-written tech primer has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Cloud computing services have become so easy to use that users commonly upload, view and download files and access applications anytime, anywhere, from any device. But they probably aren’t stopping to consider whether the files they're uploading should be encrypted, or even uploaded in the first place.

The responsibility to safeguard that corporate data still rests on the shoulders of IT, and as a matter of standard practice, IT should enable automatic encryption of every piece of information before it's sent to any cloud service.

Sophos recently surveyed 1,700 IT decision makers across six different countries and multiple industries to determine how, or even if, they’re using encryption. According to our "The State of Encryption Today" report, cloud data security is one area driving increased adoption of encryption. More than eight in ten companies (84%) expressed concern about the safety of data stored in the cloud. However, although 80% of respondents use the cloud for storage, only 39% encrypt all files stored in the cloud.

Why? For many of the same reasons they're not encrypting data they store locally. In fact, budget, performance concerns and lack of deployment knowledge were the top three barriers to implementing an encryption solution cited in the survey.

It appears it doesn’t matter whether data “lives” on-premises or in the cloud. Nearly one-third (30%) of organizations fail to always encrypt their own corporate financial information and 41% inconsistently encrypt files containing valuable intellectual property, despite the increasing risks of economic espionage.

Even private, highly sensitive employee data, such as banking details, human resources (HR) files and personal healthcare records, is frequently not encrypted:

  • 31% of the companies that store this type of data admitted that employee bank details are not always encrypted
  • 43% don’t always encrypt employee HR records
  • Nearly half (47%) of those that store employee healthcare information fail to always encrypt these records

Failure to adequately protect this information could open doors to significant financial damage and possible legal action in the event of a data breach. A company could also fall out of compliance with laws and industry regulations that require businesses to take responsibility for protecting customers' and employees' sensitive data, such as medical records, credit card numbers and other personally identifiable information.

Bring your own key

Even if a cloud service provider does offer to encrypt files after they arrive on its servers, it is critical that you encrypt data before it's sent. While service providers come with many benefits, it’s difficult for the service provider to verify who has accessed the data once it is stored there. Was it the legitimate user, or a thief who used a phishing attack or other malware to trick a user into handing over credentials?

 
