Why people use shadow cloud
People in organisations sometimes use public cloud services without getting formal approval — find out why.
Shadow cloud — definition
Any public cloud service that is being used without:
- your organisation’s approval — that is, not using its approved process for assessing risks
- the information and communications technology team knowing and overseeing it
- the operations or information security team helping in its security assessment.
Shadow cloud and shadow information technology
Shadow cloud is part of the wider term for user-led, on-the-fly use of technology: ‘shadow information technology (IT)’.
Example of shadow IT
Using personal mobile devices for work is an example of shadow IT and is now an accepted practice in most workplaces.
Why people use shadow cloud
These are the common reasons that people use public cloud services without formal approval and monitoring. Most of the reasons start with a sincere and well-intended aim — people want to do their jobs well, solving business needs.
People are not aware they’re using shadow cloud
For people in your organisation, it could be as simple as:
- a public cloud service is familiar to them — they either used it for work in the past or use it in other areas of their lives and think it will help them do their work well
- not knowing an application is a public cloud service or that there’s a process for assessing its risks
- your organisation’s current approach to public cloud services is preventing them from solving a business need — pushing them to look for a service that becomes shadow cloud in your organisation.
It’s so easy to set up and pay for shadow cloud
Changes to information technology have changed the way organisations need to handle security. For example, some of the benefits of public cloud services can lead to people using them as shadow cloud because they are easy to:
- set up — procurement is quick
- use — they are often well-designed and require little time to learn how to use
- pay for — often with just a credit card or sometimes free if using a basic level of service or a free trial period
- keep to a timeframe — pay-as-you-go is cost-efficient for projects and usually avoids being locked in to a service.
Formal approval is too difficult
The people in your organisation may find that getting public cloud services approved is too slow or difficult, or both. This can lead people to get around your risk assessment process.
Manage shadow cloud
When you manage shadow cloud, you work to improve what your organisation is already doing well and pick up in areas where it needs to improve.
Help your people with assessing risks
Be clear about your risk assessment process, letting people know:
- who they can ask for help
- ways to get your catalogue of approved public cloud services updated
- how to match assessment effort to information’s risk.
Actively manage shadow cloud
Make managing shadow cloud an opportunity to:
- keep your catalogue up to date — taking advantage of the benefits of public cloud services
- avoid the problems of extreme approaches to shadow cloud.
What to do about shadow cloud in your organisation
Manage shadow cloud and take action in other areas of your organisation — for example, what leaders of business units and senior management can do to help.