Make decisions based on your priorities and risk assessments
See if it makes sense for your organisation to stop using, replace or keep a shadow cloud service — adding it to your approved public cloud services.
Possible decisions for shadow cloud services
Decide if a public cloud service, currently being used as shadow cloud, is being used in low-risk or high-risk ways.
See if your organisation should:
- stop using the service
- replace the service with an approved service, or
- keep the service and add it to your catalogue of approved services.
If a business need gets blocked
If stopping or replacing a service gets in the way of a needed business process, work with the business unit to:
- back up or recover their information
- re-establish the business outcome
- manage the risks.
Stop using high-risk and insecure services
If your risk assessment showed the information in a shadow cloud service to be high-risk and insecure, either:
- stop using it, or
- replace it with other approved public cloud services that provide similar functions or outcomes.
When there’s too little choice
Shadow cloud services are a strong sign that your organisation offers too little choice. Being close to the work and business needs, your people look for solutions that help.
It’s wise to listen to their valuable insight when making decisions about shadow cloud in your organisation. By respecting their mahi and mana, the benefits of public cloud services can help:
- your people
- your organisation
- the NZ government
- New Zealanders.
Benefits of using public cloud services
When there’s too much choice
Using multiple services for the same business needs might harm people’s ability to work together or share information. This is not the case with all public cloud services, but can take the form of services that:
- rely on widespread use to be effective
- are part of your organisation’s common ground.
Risks of shadow cloud to government organisations
Services that rely on widespread use
Some services rely on the ability to share information and work together in order to deliver value. Common examples of this type of service include those for:
- case management
- enterprise reporting
- specialist applications.
Services that are part of your common ground
Other public cloud services might cover information or business needs that are part of your organisation’s common ground. This is part of your cloud plan and the way organisations balance too little and too much choice.
If you do keep the service, use your catalogue to signal that the service is for working with other organisations.
Offer a choice of public cloud services to your people
Factors for making decisions about keeping services or not
See if a service fits with your organisation’s approach to public cloud services if:
- your risk assessment shows a service to be within your organisation’s risk tolerance
- you’re still not sure whether to approve the public cloud service.
Understand the business needs that public cloud services are being used to support. See if information in these services is being used in low-risk or high-risk ways.
Consider the following factors.
See which services are being used in low-risk ways
Identify public cloud services that:
- are widely used in your organisation
- handle low-risk business needs
- use low-risk information — it can be lost or made available to the public without problems.
Consider keeping these services or leaving them to the leaders of business units to manage. This allows you to:
- focus your time, effort and resources on the backlog of services and information that are higher in risk
- keep the services that support low-risk business needs and information — not unnecessarily disrupting them.
See which services are being used in high-risk ways
Identify public cloud services that are poorly designed or managed and pose unnecessary risk. Look for those that:
- cost a lot
- do not allow your organisation to keep ownership of its intellectual property (IP) — or it’s unclear in the service provider’s terms and conditions
- have poor or no data retention or backup
- cannot migrate your organisation’s data to a new provider, if required
- lack or have unproven disaster recovery or business continuity plans, or both.
Stop using these services and replace them with ones that are approved for use in your organisation.
More information — high-risk information and services
Your risk assessments cover the critical areas — such as security, privacy, strategic threats and reputational threats.
Assess the risks of information in shadow cloud services
Protective Security Requirements has more information about:
Next step — catalogue the approved services
Set up or update your organisation’s catalogue of approved public cloud services.