• Businesses are still taking an operational approach to cloud vendor selection, as opposed to an integrated strategic view where cloud security plays an instrumental role in contributing to the overall business’ health
    • Thales’ Data Security in Asia-Pacific 2019 Study found that the primary incentives for cloud adoption stem from an operational approach to decision making, where cost reduction, rapid deployment and improved efficiency are factors that are prioritized ahead of security.
    • In fact, 61% of respondents continue to rely on the use of contractual negotiation and legal reviews to evaluate cloud providers and a mere 19% conduct a third-party assessment by security expert or auditor.
  • Strong dependency on the security of public cloud infrastructure
    • 83% of organizations feel that security features of public cloud are sufficient, and 60% of organizations are storing their sensitive data on cloud as a result of the trust in cloud providers. This sentiment is predominantly driven by less mature organizations leveraging the public cloud for more suitable operational cost and growth elasticity benefits.
    • In fact, 35% of respondents believe the cloud provider should be held responsible for protection of sensitive or confidential information. This has also resulted in a lower priority placed on security when organizations select cloud providers.
  • Lack of knowledge in data protection
    • In our Data Security in Asia-Pacific 2019 study, 75% of respondents still struggle to protect their business data as they do not know where to focus their resources or where to begin the transformation.

To strategically blend the objectives of agile and secure management of cloud environments with the operational goals, organizations should look to cloud providers that can help them with the following:

  • Encryption of data
    • Encryption also ensures a high level of safety for private data, such as their personal identifiable information (PII).
  • Gain strong key control and security
    • Whether the data is at rest or in motion, encryption protects it against all cyberattacks, and in the event of one, renders it useless to attackers. Organizations moving their data into the cloud need to establish strong controls over encryption keys and policies for data encrypted by cloud services, by having in place a separate solution that supports a growing list of infrastructure-, platform- and software as a service (IaaS, PaaS and SaaS) providers. The common solution would be Bring Your Own Key (BYOK) services that enable customers to separate key management from provider-controlled encryption.
  • Fulfill best practices
    • Separate encryption keys from data encryption and decryption operations for compliance, best security practices, control of your data, and finally gain operational insights on encryption key usage with dashboards, reports and logs.
  • Scalability with efficiency
    • Have a centralized encryption key management that supports multiple cloud environments, in a single browser tab, with add-on features such as automated key rotation and federated login to simplify key life cycle management.

Why are businesses in Asia pushing the responsibility of securing sensitive data in the cloud to their cloud providers? Among those surveyed, businesses in Europe seem to be the most proactive in securing sensitive and confidential information in the cloud – likely due to the existence of strong regulations like GDPR and CCPA. What are the learnings for Asia?

Tay: As data mobility increases, data will be streaming in from multiple sources, channels and stakeholders. Inevitably, the management and storage of these sensitive data, amid a climate of stringent regulations and compliance requirements have proven to be challenging. Businesses are struggling to reduce the complexity of managing privacy and data protection regulations in the cloud environment. Some of the key challenges include: