Beware of threats lurking in the shadows
‘SHADOW cloud” solutions have proliferated, in our experience, and their defining characteristics are often ill-configured security controls and a lack of integration with the security and monitoring processes that the legitimate IT (information technology) function would employ. These solutions will usually result in an increased risk of exposure for corporate data, personally identifiable information and intellectual property.
Shadow cloud solutions raised security concerns before the pandemic but the forced and disruptive shift in working patterns and rapid infrastructure changes during the pandemic have dramatically accelerated their presence. In organizations whose security and technology teams were slow to adopt collaboration tooling to support remote working, their business teams and individual employees have turned to cloudbased solutions for collaboration, storage and continued productivity.
These applications may not be protected by multi-factor authentication or strict password policies and may not meet data localization and retention requirements. Now is the time to ensure these services are governed and monitored by corporate IT and risk professionals who understand the risks they pose and the regulatory requirements they must meet. When organizations enact efficient oversight and governance of cloud technology, staff and stakeholders will be discouraged from deploying shadow cloud solutions. Eliminating the mindset that propagates shadow cloud usage can be as effective a security control as any.
Four tips for keeping shadow clouds at bay
ADDRESS shadow cloud issues in policies and employee standards. It’s not enough to simply ban the use of cloud solutions lacking the permission of the security team. Make business leaders accountable for the control of shadow cloud solutions and implement clear protocols and disciplinary measures as needed.
Consider blocking access to unauthorized cloud-based applications. If cloud-based file sharing is authorized, settle on one platform and govern its use. Implement permission lists including sites or platforms that are approved for access, and block all others lacking approval.
Offer stakeholders a path for approval. It’s essential to understand why users may want to “go rogue.” If employees have difficulty managing their work, collaborating or providing client services via old architecture, a rapid cloud deployment can be a smart solution. But beware! Failure to handle these requests quickly and effectively can lure users into the shadows.
Some cloud services are free or carry minimal costs to employees. But some projects can cost thousands per year. Discourage the use of shadow cloud services by carefully managing expense reports and invoices payable to such services. While this may not limit the use of free cloud applications, shadow cloud deployments that house large or enterprise wide projects will need to seek legitimacy and funding.
The excerpt was taken from “KPMG Thought Leadership, A balancing act: Privacy, security and ethics.”
© 2020 R.G. Manabat & Co., a Philippine partnership and a member-firm of the KPMG global organization of independent member-firms affiliated with KPMG International Ltd., a private English company limited by guarantee. All rights reserved.
For more information on KPMG in the Philippines, you may visit