The Ponemon Institute is pleased to present the findings of Data Protection and Privacy Compliance in the Cloud, sponsored by Microsoft. The purpose of this research is to better understand how organizations undergo digital transformation while wrestling with the organizational impact of complying with such significant privacy regulations as the GDPR. This research explored the reasons organizations are migrating to the cloud, the security and privacy challenges they encounter in the cloud, and the steps they have taken to protect sensitive data and achieve compliance.
The Ponemon research qualified 1,049 IT and IT security participants from the United States and the European Union (EU). All of them were familiar with their organization’s approach to privacy and data protection compliance and responsibility for ensuring that personal data is protected in the cloud environment. Fifty five percent of respondents operate a cloud infrastructure with one primary cloud service provider; 45 percent operate in multiple or hybrid cloud environments.
Privacy concerns are not slowing the adoption of cloud services. The importance of the cloud in
reducing costs and speeding time to market seem to override privacy concerns. Only one-third of US respondents and 38 percent of EU respondents say they have stopped or slowed their adoption of cloud services because of privacy concerns,
Most privacy-related activities are easier to deploy in the cloud. These include such governance practices as conducting privacy impact assessments, classifying or tagging personal data for sensitivity or confidentiality, and meeting legal obligations, such as those of the GDPR. However, managing incident response is considered easier to deploy on premises than in the cloud.
However, most organizations lack confidence in, visibility into, and a clear delineation
of responsibility for managing privacy in the cloud.
• Despite the anticipated increase in the importance of the cloud in meeting privacy and data protection objectives, 53 percent of US and 60 percent of EU respondents are not confident that their organization currently meets their privacy and data protection requirements. This lack of confidence may be because most organizations are not vetting cloud-based software for privacy and data security requirements prior to deployment.
• Organizations are reactive and not proactive in protecting sensitive data in the cloud. Specifically, just 44 percent of respondents are vetting cloud-based software or platforms for privacy and data security risks, and only 39 percent are identifying information that is too sensitive to be stored in the cloud.
• Just 29 percent of respondents say their organizations have the necessary 360-degree visibility into the sensitive or confidential data collected, processed, and/or stored in the cloud. Organizations also lack confidence that they know all the cloud applications and platforms that they have deployed.
• In most organizations, the IT security and compliance teams are not responsible for ensuring
security safeguards and compliance with privacy and data protection regulations. Thirty six percent of respondents expect the cloud service provider to ensure the security of SaaS applications. In contrast, 46 percent of respondents say the organization is responsible. Further, privacy and data protection teams are rarely involved in evaluating cloud applications or platforms when they are under consideration. Almost half of respondents (49 percent) rarely or never determine if certain cloud applications or platforms meet data protection and privacy requirement.
Part 1: Privacy concerns are not slowing migration to the cloud, but organizations struggle to ensure the protection of data
Cloud services or platforms are used to achieve faster deployment and reduce costs.
The top two reasons for using cloud services and platforms are faster deployment
time and lower costs.
Cost savings, scalability, and faster time to market are the top reasons for migrating
to the cloud — 67 percent of respondents agree that migration results in cost savings and 64 percent of respondents agree that it enables scalability and faster time to market. More than half (54 percent) of the respondents believe migration will improve security and privacy protections.
There is no consensus about who is responsible for addressing privacy and data
protection requirements. Respondents were asked who in their organization would be most responsible for ensuring that SaaS and PaaS applications meet privacy and data protection requirements. Some assigned this responsibility to the cloud service provider; some state that the company and the cloud service provider share the responsibility; others allocate the responsibility within the company among end users and IT.
The importance of both SaaS and PaaS in meeting privacy and data protection
objectives will increase significantly — 64 percent of respondents say that deploying SaaS will be essential or very important in meeting privacy and data protection objectives over the next two years. Fifty-three percent of respondents say using PaaS will be essential or very important.
Respondents are not confident that their current use of SaaS and PaaS meets privacy
and data protection requirements. Currently the majority of respondents are not confident that their SaaS applications and PaaS resources meet privacy and data protection requirements. More respondents (60 percent) lack confidence in the privacy and data protection capabilities of PaaS.
Confidence in SaaS and PaaS applications is low because most organizations are not
vetting them for privacy and data security requirements prior to deployment.
As discussed previously, there is a lack of confidence in the ability of SaaS and PaaS applications to protect and secure data. Why? Fifty percent of respondents say their organizations are not
vetting their SaaS applications before deployment and 58 percent say PaaS resources are not being vetted.
To read the rest of this study, visit Microsoft’s website.