Risks of shadow cloud to government organisations
Shadow cloud increases risk to your organisation, the NZ government and New Zealanders because the risks to your information are not made known, which prevents you from using security controls effectively.
Context — shadow cloud and risk
Shadow cloud carries risk because the services have:
- at worst, not even gone through a risk assessment
- at best, not been logged with your organisation’s security or information technology departments, so those departments cannot help to monitor and review the risks and security controls for your information in a public cloud service.
Make risks known — identify and analyse
Risks always exist, but the issue here is that you have not even identified the risks. Without this knowledge, you cannot use security controls to lessen the risk.
Identifying and analysing risks to information are important parts of any risk assessment process.
Risks in brief
By not involving your organisation’s security or information technology departments, the way you use a public cloud service may not:
- manage information safely
- fit with NZ legislation and your organisation’s policies
- make sure that systems and networks for information and communications technology can handle the additional capacity required.
These remain unknowns with shadow cloud.
Risks in more detail
Using a lot of shadow cloud can lead to:
- losing or compromising data — exposed by poor design or management, or malicious services
- losing data because it’s spread across multiple services — a service might be cancelled or employees might move on without passing on the information
- slowness or incompatibility in sharing information in your organisation, which goes against the typical benefits of public cloud services
- increased cost because your organisation is using multiple public cloud services for the same function, which might be costly to support, especially if there are many of them, and might prevent your organisation from getting the cost savings that come from volume pricing
- other costs — for example, restoration, recovery and remediation operations if a public cloud service compromises your organisation’s information or infrastructure.
Manage shadow cloud
Bring your organisation’s use of public cloud into line with its cloud plan and Cabinet’s requirement for risk assessments.