To The Cloud - How can I prevent the improper use of cloud services?

The Unpredictable Clouds

Part of a series, this blog outlines how Shadow Cloud is impacting organisations, and how this could possibly be mitigated. Read below for key insights.

The Unpredictable Cloud

Free-to-use cloud services are becoming increasingly easy to use and are seen as fit for purpose in organisations. This has raised expectations about the speed and quality of the services formal IT departments can deliver. As a result, we see a trend at our clients where employees and departments select their own cloud services and use them in the organisation without the consent of the formal IT department. The Harvey Nash / KPMG CIO Survey 2018, conducted among 4,000 CIOs worldwide, shows that in 2018 44% of the overall spend on IT is controlled outside the IT organisation (see figure 1).

Figure 1: Proportion of the overall spend on IT is controlled by/managed outside the IT organization/department 2014-2018 (CIO Survey, 2018)

The use of these unauthorised cloud services poses unforeseen risks to the organisation, such as data fidelity risks, loss of data ownership, and breaches of regulatory and legal compliance, including financial instability. At the same time, a perceived improvement in overall work quality is recognised, because the chosen tool fits the task being performed better. The Harvey Nash / KPMG CIO Survey 2018 recognises that employees increasingly want consumer-focused solutions that solve their specific business needs.

This article explores the relevance, consequences and observations as experienced by KPMG at multiple clients across a variety of industries. We outline how Shadow Cloud is impacting organisations, and how this could possibly be handled.

What is Shadow Cloud?

Shadow Cloud is a form of unsanctioned IT in which software and cloud-specific services are outside the ownership or control of the IT organisation. Shadow IT may also consist of subscription-based or off-the-shelf products, so cloud services fall into this category as well. Even before the era of the cloud, employees widely used personal USB flash drives for corporate purposes, a form of Shadow IT. Because there is no official definition of the informal usage of cloud services, we use the following definition of Shadow Cloud within this article:

'Shadow Cloud represents all cloud-based solutions delivered over the internet that are used by employees inside the organisation who have not received formal organisational consent.'

Why does it happen?

Much of the research on Shadow Cloud underlines that employees turn to Shadow Cloud solutions for the genuine reason that they need to do their job, and that the enterprise is not providing them with the proper tools to do so. For example, a security survey revealed that the most common response of employees was 'we need to get our job done', implying a gap in the alignment between business and IT. This behaviour often reflects a conflict: organisations operate in hyper-competitive global environments in which they strive to increase profit and performance, and employees are measured on results. These employees will therefore do whatever it takes to meet both the company's objectives and their own. Even if that means taking shortcuts around taxing company processes, the trade-off appears to them to be a smart business decision.

The incentive to use Shadow Cloud also lies in compatibility with peers who have already installed the application, which triggers the employee to adopt the same solution. Because many cloud solutions can be obtained effortlessly with a credit card purchase, the informal use of such services is further stimulated. In addition, the blurring between the work and home environment has resulted in employees working with applications they are familiar with instead of the formal alternatives the organisation has to offer. Factors such as low awareness and ignorance of policy play an important role in the purchase and usage of these non-approved services.

The effects of Shadow Cloud

There are various reasons why employees and departments tend to choose Shadow Cloud services. By choosing such a solution, the employee or organisation takes on risks of which it is not always aware. But there are also benefits which the organisation might not foresee. The risks and benefits of using Shadow Cloud solutions are briefly discussed below.


  • Data Confidentiality Risk: When users develop or purchase cloud-based service solutions, these solutions may not be compliant or employ the same degree of protection as is required from the formal IT department.
  • Regulatory Risk: Furthermore, even when Shadow Cloud solutions do not cause direct non-compliance issues towards regulation, the fact still remains that it adds a layer of complexity to the IT landscape making it more difficult to audit an organisation and verify if the organisation's systems are in compliance with regulation.
  • Business Continuity Risk: Organisations document their information so that it is not lost when an employee leaves the organisation. When business users set up a Shadow Cloud system outside the control of the organisation, there is a risk of losing corporate data once the original maintainer of the Shadow Cloud solution leaves.
  • Loss of Financial Benefits: Due to employees repeatedly purchasing/implementing Shadow Cloud solutions from different vendors in organisations, the benefit of receiving a volume discount will be lost. It also adds complexity to the IT landscape.


  • Productivity Improvement: The causes identified in the previous section can all be traced back to employees being unable to obtain the tools they need to perform their job. The upside of this effect is that productivity rises through a better fit between the task and the underlying Shadow Cloud service that helps employees carry out the tasks at hand.
  • Facilitate Creativity and Innovation: Aligning cloud services with employee preference and letting employees choose their own software can empower them to become more innovative. Bottom-up initiatives such as 'Consumer-Powered IT' generate new ideas and innovation triggered by consumer technology, and are the driving force for the new wave of 'corporate productivity'.

The figure below briefly summarises the causes and effects as defined above.

Figure 2: Overview of the cause and effects of Shadow Cloud usage.

Mitigation of Shadow Cloud

Organisations are not defenceless against the usage of Shadow Cloud within their organisation. There are numerous ways to prevent and detect such Shadow Cloud services. Actions against Shadow Cloud can be aggregated into the following three categories with examples:

1. Prevention: Organisations can prevent Shadow Cloud by introducing measures to eliminate the need for the business to adopt Shadow Cloud. Organisations can undertake the following actions:

  • Create awareness within the organisation, so that employees realise there are consequences to their actions.
  • Policy creation: define the policies around cloud services, i.e. what is allowed and what is not. Make sure Shadow Cloud is well described and that it is clear it is not allowed.
  • Adjust the formal IT service catalogue to the business demand, by facilitating alternative solutions to the organisation's demand and by reducing the delivery time of IT services.
  • Simplify the adoption of cloud services: by defining a simplified and easy-to-use process to approve cloud services within the organisation. The support of a cloud adoption toolkit can help organisations to align all the requirements within the organisation.

2. Detection: Organisations can introduce detection measures to find any cases of Shadow Cloud. Organisations can undertake the following actions:

  • Continuously monitor the organisation's internal activities through analysis of network traffic.
  • The use of a Cloud Access Security Broker (CASB). CASBs are on-premises or cloud-based security policy enforcement points placed between cloud service consumers and cloud service providers to combine and interpose enterprise security policies as the cloud-based resources are accessed. The value of CASBs stems from their ability to give insight into cloud application use across cloud platforms and to identify unsanctioned use.
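As an added illustration of the network-traffic analysis described above (example code, not part of the original article), the script below compares proxy log destinations against a sanctioned cloud service catalogue and aggregates unsanctioned use per department. The log format, hostnames, user names and the sanctioned list are all constructed assumptions.

```python
"""Flag unsanctioned cloud destinations in proxy logs and aggregate per department."""
from collections import defaultdict

# Constructed sample proxy log: timestamp, user, department, destination host, bytes uploaded.
# Every name and hostname here is made up for illustration.
PROXY_LOG = """\
2018-06-01T09:02:11 alice finance files.approved-storage.example 120344
2018-06-01T09:05:40 bob marketing app.unknown-notes.example 9820
2018-06-01T09:07:03 carol finance sync.personal-drive.example 88123000
2018-06-01T09:09:12 dave sales intranet.corp.example 4512
2018-06-01T09:11:55 bob marketing app.unknown-notes.example 40211
"""

# Assumed content of the formal IT service catalogue: the cloud services with consent.
SANCTIONED = {"files.approved-storage.example"}
# Assumed internal domain suffix; internal traffic is out of scope for Shadow Cloud.
INTERNAL_SUFFIX = ".corp.example"


def classify(host):
    """Return 'internal', 'sanctioned' or 'unsanctioned' for a destination host."""
    if host.endswith(INTERNAL_SUFFIX):
        return "internal"
    if host in SANCTIONED:
        return "sanctioned"
    return "unsanctioned"


def shadow_cloud_report(log_text, upload_threshold=50_000_000):
    """Aggregate unsanctioned destinations per department.

    Returns (report, alerts): report maps department -> hosts, users and bytes
    uploaded to unsanctioned services; alerts lists single uploads at or above
    upload_threshold bytes, a signal relevant to the data confidentiality risk.
    """
    report = defaultdict(lambda: {"hosts": set(), "users": set(), "bytes_out": 0})
    alerts = []
    for line in log_text.splitlines():
        ts, user, dept, host, nbytes = line.split()
        if classify(host) != "unsanctioned":
            continue
        size = int(nbytes)
        entry = report[dept]
        entry["hosts"].add(host)
        entry["users"].add(user)
        entry["bytes_out"] += size
        if size >= upload_threshold:
            alerts.append((ts, user, host, size))
    return dict(report), alerts


if __name__ == "__main__":
    report, alerts = shadow_cloud_report(PROXY_LOG)
    for dept, entry in sorted(report.items()):
        print(dept, sorted(entry["hosts"]), sorted(entry["users"]), entry["bytes_out"])
    print("large uploads to unsanctioned services:", alerts)
```

In practice the sanctioned set would be fed from the approved cloud service catalogue described under Prevention, and the per-department output feeds the risk assessment described under Responding.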

3. Responding: This category contains the response actions taken to analyse the Shadow Cloud services that were found and to perform a risk assessment of the benefits and caveats of using such applications. Organisations can undertake the following:

  • Block websites and applications to prevent them from being used and accessed within the company network and devices.
