Part of a series, this blog outlines how Shadow Cloud is impacting organisations, and how this could possibly be mitigated. Read below for key insights.
Free-to-use cloud services are becoming increasingly easy to use and are seen as fit for purpose in organisations. This has raised expectations about the speed and quality of the services that formal IT departments can deliver. As a result, we recognise a trend at our clients in which employees and departments select their own cloud services and use them in the organisation without the consent of the formal IT department. The Harvey Nash / KPMG CIO Survey 2018, conducted among 4,000 CIOs worldwide, shows that in 2018 44% of the overall spend on IT is controlled outside the IT organisation (see figure 1).
The use of these unauthorised cloud services poses unforeseen risks to the organisation, such as data fidelity risks, loss of data ownership, and breach of regulatory & legal compliance, including financial instability. However, a perceived improvement in overall work quality is recognised, due to a better fit between the chosen tool and the performed task. The Harvey Nash / KPMG CIO Survey 2018 recognises that employees increasingly want consumer-focused solutions that solve their specific business needs.
This article explores the relevance, consequences and observations as experienced by KPMG at multiple clients across a variety of industries. We outline how Shadow Cloud is impacting organisations, and how this could possibly be handled.
Shadow Cloud is a form of unsanctioned IT in which software and cloud-specific services are outside the ownership or control of IT organisations. Shadow IT may also consist of subscription-based or off-the-shelf products, resulting in cloud services falling into this category as well. Even before the era of the cloud, employees widely used personal USB flash drives for corporate purposes, as a form of Shadow IT. Because there is no official definition of informal usage of cloud services, we use the following definition of Shadow Cloud within this article:
'Shadow Cloud represents all cloud-based solutions delivered over the internet that are used by employees inside the organisation who have not received formal organisational consent.'
Much of the research on Shadow Cloud underlines that employees within organisations turn to Shadow Cloud solutions for the genuine reason that they want to do their job and the enterprise is not providing them with the proper tools to do so. For example, a security survey revealed that the most common response of employees was 'we need to get our job done', implying that there is a gap in the alignment between business & IT. This behaviour often points to a conflict for organisations performing in hyper-competitive global environments, in which they strive to increase profit and performance, and employees are measured on results. Therefore, these employees will do whatever it takes to meet both the company's objectives and their own. Even if that means taking shortcuts around taxing company processes, the trade-off appears to be a smart business decision.
The incentive to use Shadow Cloud also lies in compatibility with peers who have already installed the application, which triggers the employee to adopt these solutions. Because many cloud solutions can be obtained effortlessly through a credit card purchase, this further stimulates the informal usage of such services. In addition, the blurring between the work and home environment has resulted in employees working with applications they are familiar with instead of the formal alternatives the organisation has to offer. Factors such as low awareness and policy ignorance play an important role in the purchase and usage of these non-approved services.
There are various reasons why employees and departments tend to choose Shadow Cloud services. By choosing to make use of such a solution, the employee or organisation takes certain risks that they are not always aware of. But there are also benefits, which might be unforeseen by the organisation. The risks and benefits of using Shadow Cloud solutions are briefly discussed below.
The figure below briefly summarises the causes and effects as defined above.
Organisations are not defenceless against the usage of Shadow Cloud. There are numerous ways to prevent and detect such Shadow Cloud services. Actions against Shadow Cloud can be aggregated into the following three categories, with examples:
1. Prevention: Organisations can prevent Shadow Cloud by introducing measures to eliminate the need for the business to adopt Shadow Cloud. Organisations can undertake the following actions:
2. Detection: Organisations can introduce detection measures to find any cases of Shadow Cloud. Organisations can undertake the following actions:
3. Responding: This category contains response actions to analyse the Shadow Cloud services that have been found and to perform a risk assessment of the benefits and caveats of using such applications. Organisations can undertake the following: