Less than a third (32%) of global organizations believe cloud security is a shared responsibility, with a similar number (34%) claiming it’s up to the cloud provider, according to new research from Gemalto.
The security firm’s 2018 Global Cloud Data Security Study revealed a worrying lack of awareness and security controls when it comes to protecting sensitive data in public cloud environments.
UK IT practitioners do not fare well: just 35% said they’re careful about sharing sensitive info with third parties via the cloud, while only half have security policies for cloud data — versus 61% and 65% of German respondents.
Most organizations globally believe payment information (54%) is at risk in the cloud, with 49% claiming the same for customer data, but half (49%) said cloud services actually make it more difficult to protect sensitive data.
Part of the problem lies with visibility: just 43% of IT practitioners globally said they were confident they know all the cloud services running in their organization, rising to 56% in the UK. Gemalto claimed over half (53%) of corporate cloud data on average is not managed or controlled by IT.
This could spell problems, with over half (57%) of respondents claiming the cloud increases compliance risks.
That’s especially concerning given that the forthcoming GDPR lands in May. The regulation is clear that any breaches in the cloud are the responsibility of both the data controller and the processor (CSP).
Joe Pindar, Gemalto director of product strategy, told Infosecurity that organizations must take responsibility for the data they collect and store, because “it only takes one hacker to get through to cause a major issue.”
"If GDPR doesn't compel organizations to have a mindset change towards data security in the cloud and across their entire network, then I don't know what will,” he added.
“The fear of being exposed, the cost, and the reputational damage should be enough to increase business implementation of techniques such as encryption and data pseudonymisation to protect consumers.”
However, less than half of IT professionals claimed to have a policy requiring safeguards like encryption.
Of those that do use it, just 52% claimed their organization is in control of the encryption keys.