Survey: About half of organizations use cloud-based services for sensitive data

About half of the information technology and security professionals asked whether they use external cloud-based services for sensitive or confidential data said they did -- but their approaches to encrypting data in the cloud vary widely, according to the findings of the survey published today.

The "Encryption in the Cloud" survey done by Ponemon Institute sought the opinions of more than 4,000 IT professionals in seven countries, including the U.S. About 38% of the respondents said their organizations rely on encryption of data as it's transferred, typically over the Internet, to the cloud. Another 35% said their organizations encrypt data before it's transmitted to the cloud provider so that it remains encrypted within the cloud. 27% answered their organizations perform encryption within the cloud environment, with 16% of those selectively encrypting at the application layer, and 11% letting the cloud provider encrypt stored data as a service.

MORE: Amazon opens up about its cloud security practices, joins CSA registry

The survey, sponsored by Thales e-Security, included the U.S., United Kingdom, Germany, France, Australia, Japan and Brazil.

When it comes to the question of managing encryption keys when sensitive or confidential data is transferred to the cloud, 36% of the survey respondents say their organization is responsible for managing the keys. 22% say the cloud provider is the one most responsible for encryption key management. Another 22% say an independent third party in the role of a service provider is most responsible for the key management.

"Even in cases where encryption is performed outside the cloud, more than half of respondents hand over the keys," the survey report says.

The trend to transfer sensitive or confidential data to cloud environments seems to be a growing trend, according to the survey, with another one-third of the survey's respondents saying they, too, are likely to transfer sensitive or confidential data to the cloud over the next two years.

One finding in the survey poses a surprising contrast to the usual accepted notions of cloud services and security. "Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture," the survey report states. "In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security-aware organizations are the more skeptical of cloud security and that it is the less security-aware organizations that are willing to overlook a perceived lack of security."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts