About half of the information technology and security professionals asked whether they use external cloud-based services for sensitive or confidential data said they did -- but their approaches to encrypting data in the cloud vary widely, according to the findings of the survey published today.

The "Encryption in the Cloud" survey done by Ponemon Institute sought the opinions of more than 4,000 IT professionals in seven countries.

About 38 per cent of the respondents said their organisations rely on encryption of data as it's transferred, typically over the Internet, to the cloud.

Another 35 per cent said their organisations encrypt data before it's transmitted to the cloud provider so that it remains encrypted within the cloud. 27 per cent answered their organisations perform encryption within the cloud environment, with 16 per cent of those selectively encrypting at the application layer, and 11 per cent letting the cloud provider encrypt stored data as a service.

The survey, sponsored by Thales e-Security, included the UK, US, Germany, France, Australia, Japan and Brazil.

When it comes to the question of managing encryption keys when sensitive or confidential data is transferred to the cloud, 36 per cent of the survey respondents say their organisation is responsible for managing the keys.

Related:

22 per cent say the cloud provider is the one most responsible for encryption key management. Another 22 per cent say an independent third party in the role of a service provider is most responsible for the key management.

"Even in cases where encryption is performed outside the cloud, more than half of respondents hand over the keys," the survey report says.

According to the survey, the trend to transfer sensitive or confidential data to cloud environments seems to be a growing trend, with another one-third of the survey's respondents saying they, too, are likely to transfer sensitive or confidential data to the cloud over the next two years.

One finding in the survey poses a surprising contrast to the usual accepted notions of cloud services and security. "Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture," the survey report states.

"In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security-aware organisations are the more skeptical of cloud security and that it is the less security-aware organisations that are willing to overlook a perceived lack of security."