There’s a 90% chance your cloud-based data is in the clear… and that’s a problem.
IT security company Skyhigh evaluated the encryption efforts of over 12,000 cloud providers. Brace yourself. Just 9.4% of these cloud providers encrypt data once it’s stored at rest in the cloud. You don’t even need a calculator for that. It means over 90% of your data at rest on the cloud is prey to unauthorized access.
This is alarming news. But before you take to Twitter or Facebook to share and repost, here’s another Skyhigh statistic. 81.8% of those cloud service providers encrypt data in transit, using SSL or TLS. Whew, it’s reassuring, but that’s not enough. Inadequate data encryption is a costly mistake.
Doing the math
18.2% of the cloud providers leave your data in the clear as it zooms around the Internet. This makes it a 1 in 5 chance that your data could be at the mercy of a man-in-the-middle attack along the way.
On the other hand, 90.6% of those providers leave your data in the clear as it sits on their storage servers. Who’s your cloud service provider? Are they one of the 10,000 or more that don’t encrypt your data at rest on their servers?
And lest you think all the big players out there are on the good side of those statistics, here are two recognizable names.
Gmail
PayPal
What about your mobile devices? Time for a few more names you know. These popular apps are among those that don’t store your data in an encrypted state.
YouTube
eBay
Data at rest = data at risk
Our focus tends to be on data in state where it’s most vulnerable. Data in motion can be captured. We encrypt it. Almost 82% of cloud service providers have our backs on that.
Unencrypted data at rest is a huge security risk. It’s estimated that the average American company uploads nearly 14 terabytes of data to the cloud each month. It’s pretty safe getting to the cloud and back. But it’s hardly safe if it’s stored on the cloud. What’s in the 167 terabytes you and your company will store on the cloud over the next year?
The cloud is a repository of sensitive data. 34% of us have uploaded sensitive data to a file-sharing service. 21% of all information uploaded contains sensitive data.
What’s at stake?
This unencrypted data at rest can be stolen, and that would be unfortunate enough. But hackers aren’t the only ones who are thrilled that your data is in the clear as it sits on the cloud. Under the USA PATRIOT Act, the U.S. Federal government can legally subpoena your data. Your cloud provider is required by law to provide it. They don’t have to tell you they’ve given your data to the government.
Not just super-sensitive stuff
If it’s health related or financial data, there are federal compliance laws that mandate encryption for sensitive personal data in any state. It’s encrypted in motion, and at rest – even when it’s in the cloud. If these laws do not regulate it, your data doesn’t have to be encrypted.
Do not store your data in the clear. The risk is too high. And if it’s stored on the cloud, it’s likely in the clear.
Time to take control
If your cloud provider doesn’t encrypt data at rest, you can do it yourself. Manage it with encryption keys you own, rather than those your cloud provider manages. It’s a slim chance. Only about 1% of the cloud providers support customer managed encryption keys.
There are 2 more strong options.
Tokenization
Encryption as a service (EaaS)
Pick one. Encrypt your data at rest in the cloud. You’re flirting with disaster without this added protection.