Skip to main content

Actively manage shadow cloud in your organisation

Rather than a one-off, make managing shadow cloud an opportunity to keep your catalogue up to date with public cloud services that help your people do their work.

Shadow cloud will always exist

In your organisation, shadow cloud will always be present to some degree. You need to actively manage it to:

  • get the benefits of finding new services to add to your catalogue of approved services
  • make sure your people are respectfully using NZ government and New Zealanders’ information
  • avoid the pitfalls of extreme approaches to shadow cloud.

Review and monitor shadow cloud

Regularly schedule reviews and actively monitor shadow cloud in your organisation. You will find new services to assess and either:

  • bring into your catalogue of approved public cloud services
  • stop using or replace with approved services — you’ve made sure information is being used safely.

This will also let you know if any of the services that were stopped after previous prioritising and risk assessments have crept back into use.

Avoid extreme approaches to shadow cloud

Not doing anything about shadow cloud is not an option. Oddly enough, being too strict will have the same or similar effects. Avoid extreme approaches to shadow cloud.

Problems with extreme approaches to shadow cloud

Example of an extreme approach to shadow cloud

Rather than seeking insights from the people in your organisation who are using a shadow cloud service, you decide to act without this knowledge.

An extreme action would be cutting off network access to the service without this engagement and the proper approval.

Partnership approach to information security

When your organisation strengthens its approach to public cloud services, you can move your information technology and security teams towards partnership approaches with business units.

Business changes from the cloud plan

Another way to update your catalogue

Making a clear process for assessing risks known to your people is the main way to update your catalogue of approved public cloud services.

Monitoring and reviewing shadow cloud is another way for your organisation to:

Benefits of updating your catalogue

By doing this, you prevent your catalogue from becoming static and out of date. This helps your organisation to:

  • respond rapidly in a changing environment
  • keep up with advances in technology
  • support the mahi and mana of your people — they’re trying to use the tools that help them do their jobs well
  • work together smoothly inside your organisation and with other organisations inside and outside of government.

These benefits match the focus of strong cloud plans for government organisations.

How to write a cloud plan

Approved services

If you’ve properly approved the public cloud services, those will be part of your organisation’s regularly scheduled reviews and ongoing monitoring.

Monitor and review risks to information systems

Incomplete approvals of services

If you did not properly finish the risk assessments, be aware that those services are still considered shadow cloud.

Assess the risks of using a public cloud service

Replacing services in your catalogue

When you view your catalogue as open to change, you leverage one of the greatest benefits of public cloud services — being able to quickly adapt your services.

When managing shadow cloud services, you may come across a service that suits a business need better than your current approved service.

Be open to retiring public cloud services when they:

  • are no longer required
  • stop meeting business needs
  • newer technologies overtake them.

Benefits of using public cloud services

Safely use information in services

NZ government organisations are required by Cabinet to use public cloud services, but to do so after assessing the risks.

Cabinet minutes and papers for public cloud services

Since shadow cloud always exists in any organisation, public or private, actively managing shadow cloud allows you to control the degree in which it exists — limiting shadow cloud to low-risk information and services.

More information

Next step — fit approved services with your network

See which public cloud services are compatible with your network for information and communications technology.

Fit approved services to your other technology

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated