Shadow cloud — definition

Any public cloud service that is being used without:

• your organisation’s approval — that is, not using their approved process for assessing risks
• the information and communications technology team knowing and overseeing it
• the operations or information security team helping in its security assessment.

Shadow cloud and shadow information technology

Shadow cloud is part of the wider term for user-led, on-the-fly use of technology: ‘shadow information technology (IT)’.

Why people use shadow cloud

These are the common reasons that people use public cloud services without formal approval and monitoring. Most of the reasons start with a sincere and well-intended aim — people want to do their jobs well, solving business needs.

People are not aware they’re using shadow cloud

For people in your organisation, it could be as simple as:

• a public cloud service is familiar to them — they either used it for work in the past or use it in other areas of their lives and think it will help them do their work well
• not knowing an application is a public cloud service or that there’s a process for assessing its risks
• your organisation’s current approach to public cloud services is preventing them from solving a business need — pushing them to look for a service that becomes shadow cloud in your organisation.

It’s so easy to set up and pay for shadow cloud

Changes to information technology have changed the way organisation’s need to handle security. For example, some of the benefits of public cloud services can lead to people using them as shadow cloud because they are easy to:

• set up — procurement is quick
• use — they are often well-designed and require little time to learn how to use
• pay for — often with just a credit card or sometimes free if using a basic level of service or a free trial period
• keep to a timeframe — pay-as-you-go being cost-efficient for projects and usually avoids being locked in to a service.

Formal approval is too difficult

The people in your organisation may find that getting public cloud services approved is too slow or difficult, or both. This can lead people to get around your risk assessment process.

Manage shadow cloud

When you manage shadow cloud, you work to improve what your organisation is already doing well and pick up in areas where it needs to improve.

Help your people with assessing risks

Be clear about your risk assessment process, letting people know:

• who they can ask for help
• ways to get your catalogue of approved public cloud services updated
• how to match assessment effort to information’s risk.

Catalogue approved services

Actively manage shadow cloud

Make managing shadow cloud an opportunity to:

• keep your catalogue up to date — taking advantage of the benefits of public cloud services
• avoid the problems of extreme approaches to shadow cloud.

Actively manage shadow cloud in your organisation

What to do about shadow cloud in your organisation

Manage shadow cloud and take action in other areas of your organisation — for example, what leaders of business units and senior management can do to help.

What to do about shadow cloud in your organisation