Ninety-five percent of businesses have adopted some form of the cloud. But, according to recent research, securing cloud-based data remains a major concern.

A new study by Gemalto found that 77 percent of companies recognize the importance of security controls such as encryption. Although this number would seem to suggest a steady march toward more defensible cloud data, just 47 percent of companies queried in the report actually use encryption to secure their sensitive data. This creates a disconnect whereby good knowledge is not backed up by solid global policies, putting cloud data at risk.

The Evolving Cloud Security Challenge

Although 88 percent of survey respondents said they are confident that new global regulations will impact cloud governance and 91 percent believe that the need to encrypt data will become more important over the next two years, security practices don’t match the preaching.

On average, according to the study, just 40 percent of all data stored in the cloud is secured with encryption and key management solutions. Meanwhile, just 25 percent of IT professionals surveyed were “very confident” they knew the exact type and number of cloud services used by their business.

The hard truth here is that these aren’t great numbers — but they’re not exactly surprising, either. Consider the trajectory of the cloud. At first it was a disrupter, but now cloud services have become essential for day-to-day operations, application development and big data analysis.

Giving up the cloud is unthinkable, but the prospect of both securing distributed data and actively keeping track of every cloud-based application is overwhelming for many IT departments. As a result, global cloud policies rarely make it past the drawing board even as more cloud services are added to the corporate roster.

A Growing Cloud Infrastructure

There’s no shortage of cloud infrastructure investment. Google recently announced that it spent $30 billion over the last three years building up cloud infrastructure and now has plans for undersea cables connecting Chile and Los Angeles; the U.S., Ireland and Denmark; and Australia and Southern Asia.

In other words, companies already using the cloud will find it even more convenient to spin up new servers, deploy new applications and store more data. However, organizations with existing security issues will face even greater challenges — especially because 75 percent of survey respondents said it’s more complex to manage privacy and data protection regulations in the cloud than on-premises.

Navigating the Wild West of Cloud Policy

So how do companies grow with the cloud and ensure they’re acting responsibly when it comes to cloud security? It all starts with policy.

Right now, global clouds remain a kind of Wild West, where data unseen is data ignored, and applications roam freely across personal and corporate networks. Clamping down on security issues means drafting a global, cloud-specific policy that addresses emerging problems.

For example, many organizations are now writing policies that embrace the utility of shadow IT while placing it under the purview of IT departments. In effect, this allows employees to retain some control over their cloud environment while granting IT the final word.

Encryption policies, meanwhile, are best designed for new data. Enterprises should mandate that all data moving to cloud storage be properly encrypted, then provide the personnel and technological support to make this a viable outcome. After all, the enemies of great policy are poor budgeting and sky-high expectations. Post-storage encryption is a long-term project that is doomed to sink new policies if attached as a core component.

The bottom line is that companies understand the need for cloud security but lack the global processes to follow through. Better outcomes demand specific policies backed by budgets that accommodate both trained security professionals and cutting-edge cloud solutions.

More from

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than later.Highest…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications and…

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…