Assess the risks of information in shadow cloud services
Assess the risks so you can decide whether to bring the shadow cloud service into your organisation’s catalogue of approved public cloud services.
How to do a risk assessment
Check your organisation’s process for doing risk assessments. The Government Chief Digital Officer (GCDO) has guidance for how to consistently assess the risks of information systems.
Use the tool for public cloud services to help with your risk assessment
Use the GCDO’s risk discovery tool for public cloud services to help you:
- discover and record information needed to do a risk assessment
- keep your time and effort in proportion to the information’s risk.
Risk discovery — security controls
When discovering the risks of using a public cloud service, you might find that it’s not possible to directly assess the service provider’s security controls. Instead, you’re relying on third-party audits.
The New Zealand Information Security Manual (NZISM) has guidance on using independent assurance schemes.
Service provider outsourcing to other providers
The service provider might also outsource parts of its service to other service providers. Make sure you also consider third-party suppliers in your risk assessment.
Assess the risks of using a public cloud service
It’s important to get to the final step of putting each risk assessment to immediate and ongoing use. If you stop short of the final step, your organisation’s use of a public cloud service will actually stay as shadow cloud.
Risk assessment sign-offs are not complete certification and accreditation processes
See the New Zealand Information Security Manual (NZISM) for the complete certification and accreditation process.
Exceptions to certification and accreditation
For public cloud services that are not tightly integrated with other information and communications technology (ICT) systems in your organisation, certifications and accreditation may not be:
Find out which services can or cannot be made compatible with your ICT network. This is part of managing shadow cloud services.
Next step — make decisions based on your priorities and risk assessments
See if it makes sense for your organisation to stop using, replace or keep a shadow cloud service — adding it to your approved public cloud services.