More companies moving sensitive data to the cloud - but who's responsible?

More and more companies are transferring sensitive data to the cloud, according to the latest report from Thales e-Security and the Ponemon Institute on cloudy data encryption.

Over half (53%) of survey respondents said they were transferring such data, with a further 31% stating they were looking to push ahead in the next 12 months.

The report, one in a series on overall encryption trends, concludes that organisations are not failing to notice the cloud security warnings, or simply ignoring them: they are aware that their security is being threatened, but are still pushing ahead with change.

35% of those polled said that moving sensitive and confidential data to the cloud has “decreased their security posture”, with 15% saying the opposite. The previous year’s survey revealed that 39% felt cloudy data transfer had weakened security, so the fall, although hollow, is something of a victory.

Similarly, companies feel more confident in cloud service providers’ (CSP) role in protecting data. 57% of respondents either “agree” or “strongly agree” that the vendor can safeguard data, up from 41% the year before.

This leads to the inevitable question: who is ultimately responsible for the data, the end user or the CSP?

The Thales report concluded that, overall, respondents believe responsibility lies with the service provider. One in three (33%) said it was the CSP’s burden, whilst 12% said it rested with the consumer.

This is a view which may not be universally agreed upon, of course. Back in February Marie Shroff, the New Zealand Privacy Commissioner, published a document saying explicitly that cloud data was the user’s responsibility.

“If there’s a privacy breach, you’re going to be the one answering questions about what went wrong”, she wrote.

Where the report does pick up interest, however, is in showing that responsibility differs by service. For software as a service, three in five say that the provider should be responsible, but in the case of infrastructure as a service, 43% believed responsibility lay with the user.

This is still evidently a big issue. Given that a study earlier this year from Lieberman Research revealed how almost nine in 10 (88%) IT professionals believed data in the cloud could be either lost, stolen or corrupted, companies have a pressing need to get this right.

“Staying in control of sensitive or confidential data is paramount for most organisations today, and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud,” said Ponemon Institute founder Larry Ponemon in a statement.

“Respondents generally feel better informed, more confident in their cloud service providers and more positive about the impact on their security posture compared with last year,” he added.

What’s your view? Who bears ultimate responsibility for where that data goes, the CSP or the user? And does it vary by service?


5 Jul 2013, 2:53 p.m.

Cloud Computing brings with it certain risks and open issues; chief among them is security. Cloud Providers make it clear that they are not responsible for security. Security outcomes of concern include unauthorized access, loss of data, tampering with data, erosion of performance, and denial of service. In addition there is the operational uncertainty of networking delays.

The burden on risk management is to balance the cost/benefit risk equation and to lubricate the interaction between Cloud Providers and Cloud Consumers. Finessing the problem by substituting real risk analysis with an administrative assertion that risk is mitigated by virtue of selecting an authorized Cloud Provider is insufficient. Currently this analysis and engineering remains a work in progress to thread the needle in the tradeoff between cost reduction and increased security risk:
1. Cost reduction through significant increase in scale (on demand) and dynamics (elasticity, cost optimization) is well understood.
2. Security risk increase through increased complexity, reduced control, commingled roles and split responsibilities, and loss of accountability is not well understood.

Meeting this risk challenge is double barreled. It must be adequate to convince two essential actors. First, the Cloud Provider community must be convinced that it is prudent to accept security SLAs. Second, the Cloud Consumer community must be convinced that Cloud Providers can and will safeguard proprietary information.


6 Jul 2013, 10:58 p.m.

It seems reasonable to expect the CSP to provide security that benefits their services, which in turn would provide a certain amount of security to the consumer. It is my opinion that if the CSP is going to disclaim responsibility of consumer security, they should put in place an option for the consumer to secure their data within the CSP network as well as provide the consumer the tools to do it.
Obviously there is a need for new laws to be written directed at this issue. Logic would indicate that the CSP would provide good security practices as an added benefit of utilizing their services.


16 Jul 2013, 7:27 p.m.

You still need to secure your data in the cloud. Potential data theft and non-compliance with regulatory standards are two of the greatest threats to cloud adoption. At Crypteron, we solve these problems with our military grade cloud security. We provide military grade data encryption, authentication, and key management to ensure that your cloud data is safe and your company satisfies compliance requirements.

Are you thinking of using the cloud? Tell us in the comment box below or at our website