Home
Standards & guidance
Technology and architecture
Cloud services
Cloud plans
Shadow cloud
Risks of shadow cloud to government organisations

Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It's easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Risks of shadow cloud to government organisations

Shadow cloud increases risk to your organisation, the NZ government and New Zealanders by not making the risks to your information known — this prevents you from using security controls effectively.

Context — shadow cloud and risk

There are risks to shadow cloud because the services have:

at worst, not even gone through a risk assessment
at best, not been logged with your organisation’s security or information technology departments — therefore, they cannot help to monitor and review the risks and security controls for your information in a public cloud service.

Make risks known — identify and analyse

Risks always exist, but the issue here is that you have not even identified the risks. Without this knowledge, you cannot use security controls to lessen the risk.

Identifying and analysing risks to information are important parts of any risk assessment process.

About risk assessments

Risks in brief

By not involving your organisation’s security or information technology departments, the way you use a public cloud service may not:

manage information safely
fit with NZ legislation and your organisation’s policies
make sure that systems and networks for information and communications technology can handle the additional capacity required.

These remain unknowns with shadow cloud.

Risks in more detail

Using a lot of shadow cloud can lead to:

losing or compromising data — exposed by poor design or management, or malicious services
losing data because it’s spread across multiple services — a service might be cancelled or employees might move on without passing on the information
slowness or incompatibility in sharing information in your organisation, which goes against the typical benefits of public cloud services
increased cost because your organisation is using multiple public cloud services for the same function — this might be costly to support, especially if there are many of them, and prevent your organisation from getting the cost-savings that come from volume pricing
other costs — for example, restoration, recovery and remediation operations if a public cloud service compromises your organisation’s information or infrastructure.

Manage shadow cloud

Bring your organisation’s use of public cloud into line with its cloud plan and Cabinet’s requirement for risk assessments.

How to manage shadow cloud in your organisation

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It's easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you're unable to turn on JavaScript — email your feedback to govt.nz@dia.govt.nz .

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 10 October 2022

Risks of shadow cloud to government organisations

Context — shadow cloud and risk

Make risks known — identify and analyse

Risks in brief

Risks in more detail

Manage shadow cloud

Utility links and page information