Skyhigh recently analyzed the encryption controls offered by over 12,000 cloud providers and there’s good news and bad news where the security of cloud-hosted data is concerned. First, the good news: 81.8% percent of cloud service providers encrypt data in transit as it moves between the user and the cloud service using SSL or TLS. That should help protect data from man-in-the-middle attacks as it traverses the Internet. The bad news: only 9.4% of cloud providers encrypt data once it’s stored at rest in the cloud, leaving it vulnerable to unauthorized access and data breaches.
If you think about that “data at rest” statistic above in the context of the number of cloud services, it means at least 10,000 cloud services today store customer data in the clear. Some of the biggest names in cloud computing don’t store data encrypted including Gmail and PayPal. That’s pretty unnerving when you consider that the cloud is now home to a significant amount of sensitive corporate data. The average organization uploads 13.9 TB of data to the cloud each month. To put that in perspective, it’s estimated the Sony breach that brought the company to its knees and led the resignation of its co-chair Amy Pascal amounted to just “tens of terabytes” of data.
File sharing services alone account for 39% of all company data uploaded to the cloud, and the average company uses 49 such services. What’s more, among file sharing users, 34% have uploaded sensitive information such as personally identifiable information (PII), protected health information (PHI), payment card data, or others forms of confidential data. All together, 21% of documents uploaded to file sharing services contain some sensitive data. When this information is stored unencrypted, it is vulnerable to data breaches, privileged user abuse, and blind government subpoenas.
Security best practices, as well as many government and industry regulations, call for data at rest to be encrypted no matter where it resides, but especially when it’s in the cloud. Data in the cloud is often not under the strict control of its owner. For example, third parties such as the cloud service provider and the underlying infrastructure hosting provider may be able to access the data. A data breach – whether intentional or inadvertent – can expose your data to others.
It’s also true that under the USA PATRIOT Act, the U.S. Federal government can legally subpoena your data, and the cloud provider is required by law to provide it without telling you that your data has been furnished to the government. The best way to prevent this from happening to your organization is to encrypt data stored in the cloud using encryption keys that you manage, rather than ones the cloud provider manages. However, just 1.1% of cloud providers support encryption using customer-managed encryption keys, which can thwart blind government subpoenas of corporate data.
These are all reason enough to not store your sensitive data in the clear in cloud services at any time.
Encryption is usually the preferred – and most recommended – method for securing data in the cloud, although tokenization is another option (see this article for an explanation of how encryption differs from tokenization). Since, as we’ve seen, so few cloud providers encrypt data by default as part of their data storage service, it’s important that you make some provision for encrypting your own data as it goes into cloud applications.
There are numerous approaches to implementing encryption for your data—on premise, in the cloud, as part of the SaaS application, via a CASB, etc. The most important consideration, however, is who has control over the encryption keys. Any entity that has access to the keys would also have access to the data in the clear. Do you want to give that kind of power to your cloud provider? Doing so certainly violates recommended best practices and it might even put your company at odds with security mandates within regulations such as PCI DSS, HIPAA, GLBA and many others.