All too often in information technology, rules are broken. Such an attitude often gives rise to 'shadow IT,' which is the use of infrastructure, services and applications outside the boundaries of an organization's corporate IT policies. Shadow IT that targets cloud-based technology creates what is known as a 'shadow cloud.'

When it comes to security, if ever there was an excuse to 'ask for forgiveness rather than permission,' the pandemic without question tops the list. In a business where security isn't already fully embedded, it seemed inevitable that decisions would be made without the security team's input or knowledge. Too much has happened, too quickly — businesses have had to roll out new cloud applications and services at an astonishing rate to enable remote working, support customers and facilitate the digitization of their existing services.

As security teams begin to re-evaluate their organization's rushed-through cloud solutions, they'll find a lot of them hiding in the shadows.

Typically, one person or team decides to employ a shadow cloud solution. But during COVID-19, it may have been the business itself that understandably took an 'act now, ask questions later' approach, with an unstated message that it would approve whatever was needed to function and review it all retroactively.

A common characteristic of a true shadow cloud is that it lacks the security and monitoring processes that a properly operated, legitimate IT function would employ. Such deployments usually increase the risk of exposure of corporate data, personally identifiable information (PII), and intellectual property (IP).

Many organizations will likely have authorized the use of cloud-based solutions such as Dropbox, Google Drive, AWS, and Azure to allow for remote collaboration and continued productivity. But it's now imperative that the use of these services be governed and monitored by corporate IT and risk professionals who understand the entirety of the implications.

Consequences of cloud shadow IT

Seldom governed by a competent security team, let alone benefiting from periodic security reviews or even antivirus software, shadow cloud deployments carry serious risks.

Even before COVID-19, many clients raised concerns over data discovered in their cloud environments placed there by employees or contractors in violation of company policies. Unfortunately, sometimes, they were not the first to find that data, and a breach followed. Today, as security teams use the momentary calm to begin to investigate their organization's security deficit, stories of incidents are on the rise.

To a company or its regulators looking at those incidents, it makes little difference why data was exposed. Penalties are just as severe in nearly all cases when shadow IT or shadow cloud is at the root of a data breach.

The misty boundaries of cloud technology

When a database server is set up on an internal network, it's typically behind a firewall managed by IT staff. It can only communicate with systems on that internal network unless it's specifically configured to communicate with internet systems.

However, when a system is deployed with a cloud service provider, it can communicate with the entire internet unless a cloud-based firewall solution is deployed. Without this firewall, any service installed on that system can potentially communicate with any other computer connected to the internet, typically with only a single password to secure it — leaving any misconfiguration open to exploitation.
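The exposure described above can be checked mechanically once a deployment has been pulled out of the shadows. The following is an added example (not from the original article or from KPMG) that evaluates a list of inbound firewall rules, of the kind a cloud security group expresses as port range plus source CIDR, and reports sensitive services reachable from outside the organization's own address space. The port list, the internal ranges and the sample rules are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from the whole internet.
# Constructed list for the example; tailor it to your own estate.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Address space the organization treats as internal (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class InboundRule:
    from_port: int
    to_port: int
    source: str  # CIDR, e.g. "0.0.0.0/0" means the whole IPv4 internet


def is_internal(cidr: str) -> bool:
    """True when every address in the CIDR lies inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def find_exposures(rules):
    """Return (port, service, source) for each sensitive port opened to a non-internal source."""
    findings = []
    for rule in rules:
        if is_internal(rule.source):
            continue  # internal-only sources are the expected, on-premises-like case
        for port, service in SENSITIVE_PORTS.items():
            if rule.from_port <= port <= rule.to_port:
                findings.append((port, service, rule.source))
    return findings


# Constructed sample rules, mirroring a typical shadow deployment:
# a web port open to all (acceptable), a database open only internally (fine),
# an "allow everything" rule and a MySQL port open to all of IPv6 (both findings).
SAMPLE_RULES = [
    InboundRule(443, 443, "0.0.0.0/0"),
    InboundRule(5432, 5432, "10.20.0.0/16"),
    InboundRule(0, 65535, "0.0.0.0/0"),
    InboundRule(3306, 3306, "::/0"),
]

if __name__ == "__main__":
    for port, service, source in find_exposures(SAMPLE_RULES):
        print(f"EXPOSED: {service} (tcp/{port}) reachable from {source}")
```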

Many complex shadow cloud applications (e.g. applications with a remotely accessible interface and a database) are deployed or created by the end user or a developer. One person, or even a small team, rarely has all the skill sets necessary to manage risk completely:

  • Platform expert
  • Application developer/configuration expert
  • Database expert
  • Firewall/networking expert
  • Risk and compliance expert

Employees not trained in IT security may not realize the severity of these risks. That's one reason why new IT assets need to go through the proper change management and risk review process defined by the organization.

Managing shadow cloud today

Security teams have a unique opportunity to change their image. Rather than being seen as blockers to progress and productivity — it's time to be enablers. COVID-19 showed us how businesses could quickly respond when needed, so how can we streamline the security-by-design processes to match that pace? How do we balance the enforcement of critical ground rules for shadow cloud infrastructure with business requirements and deadlines? Here are six tips for helping you manage shadow cloud today.

  1. Just (don't) do it. Some organizations have taken strong measures to contain circumventions of security policy. One organization who had suffered a breach due to a missing network firewall very quickly declared across their global network — there will be no networks without firewalls. Leadership who failed to heed the memo would soon find themselves looking for a new job. Companies are moving closer to this mindset when dealing with shadow cloud. The first rule of shadow cloud is that there should be no shadow cloud. 
  2. Policy is key. In some organizations, there are no policy statements that address shadow cloud deployment. Be sure to adjust your policy to adapt to the prevalence of cloud-based applications — that means, update or address data handling and authorized application provisions by referring employees to a controlled approval process.
  3. Access control. Consider blocking access to unauthorized cloud-based applications. If cloud-based file sharing is authorized, settle on one platform and govern its use. Utilize whitelisting to allow access to approved platforms or sites, and block all others unless approval is received. Monitor network traffic for access to new sites and include them in the blacklist.
  4. Out of the shadows. Offer stakeholders a path for approval. It's essential to understand why users may want to 'go rogue'. If users have difficulty managing their work, collaborating or providing services to their clients because of old architecture, then working on a cloud deployment can be a smart solution. But beware, failure to handle these requests quickly and effectively is a great way of sending them back into the shadows. The most sensitive data can be stored on an AWS server if done correctly, though it may be more expensive than they would like. This path should include architecture review, configuration and security review, and lifecycle management. 
  5. No funding equals no fun. Some cloud services are free or carry minimal costs assumed by employees. But some projects can cost thousands per year. One way to discourage the use of shadow cloud services is to carefully manage the expense reports and invoices payable to these cloud services. While this may not affect the use of free applications like Dropbox or OneDrive, shadow cloud deployments that house large or enterprise-wide projects will seek legitimacy and funding.
  6. Don't skimp. If a company decides to use the cloud, it's best to start from day one. It's expensive, but it's MUCH more costly to retrofit to a secure configuration than to develop, build and test it under leading practices. The second application should be much cheaper than the first — new projects benefit from the first application's pains. At the same time, look to streamline the vetting and design process. Can parts of the testing and approval process be automated? Is there a way to make requests more easily? What software can be whitelisted once reviewed, so business teams looking for a new collaboration tool are pleasantly surprised by the proactive approach of the security team?

While shadow cloud use should be discouraged, its use during the pandemic is a strong testimony to what cloud solutions can offer and their benefits. When organizations can support cloud technology oversight and governance, stakeholders lose any legitimate high ground for deploying shadow cloud solutions.

Organizations that are ready for the future, whether they adopt cloud technology as a primary platform or ban it altogether, should do so while treating stakeholders as partners — bringing IT solutions out of the shadows.

Throughout this website, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.