The study indicates uncertainty when it comes to cloud security as 53 % of respondents said that GDPR data security requirements would keep them from putting sensitive data in the cloud. For the majority (85%) this was due to their lack of confidence in the protection of sensitive data.
In addition, 72 % noted that they would have to re-evaluate their data security requirements in the cloud because of the regulation that comes into force May 2018.
“GDPR has meant that the age-old debate about the adequacy of security in the cloud has reared its head again,” said Ravi Pather, senior vice president of eperi. “Fines under the regulation seem to be the main driver for meeting compliance, as it’s likely to be an organisation killer for the worst offences. But with all of this hype, organisations must not forget that if they first and foremost secure the data that goes into the cloud through encryption or tokenisation and remain in control of the encryption keys, the scope of GDPR can be significantly reduced.”
Encrypting or tokenising data means that it is scrambled by an algorithm to such an extent that it is rendered unusable to any unauthorised party attempting to access it. The only way to decrypt the data is to use a key, which ideally should be under the control of the organisation who owns the data.
Currently, Pather points out, this is where many companies fall down in relation to GDPR, as 54% admitted that they rely on their cloud or Software as a Service (SaaS) provider to encrypt data and just over half 51 % think that it is acceptable for the solution provider to control all or part of the encryption keys.
“Where 54 % rely on the SaaS vendor for encryption, this is usually for 'data at rest', which under GDPR is only a subset of the 'comprehensive security' guidelines and recommendations which specifies the protection of PII and sensitive PII 'data in motion', 'at rest' and 'in use',” Pather explained.
“In the event of data compromise or loss, if the organisation is in full control of its own encryption keys, it can avoid the notification step altogether if the data is unreadable to the world outside the organisation,” he continued. “In contrast, if the cloud or SaaS provider controls the keys and they are breached, then there is no way to be certain the organisation’s data is safe and notifications and fines ensue.”
The survey comes just after Forrester released its
Cloud Security Solutions Forecast that shows the cloud services market is set to soar from $114 billion in 2016 to $236 billion by 2020. Its rapid growth is also driving the market for cloud security tools, which Forrester estimates will increase from $1 billion in 2016 to $3.5 billion in 2021. Furthermore, the report notes that businesses are starting to recognise a lack of adequate key management among cloud providers, making key management a bigger priority for time and resource allocation.