Records Toolkit

Archives New Zealand’s guidance on information and records management

New cloud services guidance released and blog on shadow cloud

Posted by Archives New Zealand on 18 December 2018

Image20for20Shadow20Cloud20blog20shutterstock 1158810691

Dealing with “shadow cloud” and mitigating the risks to information 

What is “shadow cloud”?

Shadow cloud means cloud services that are used without explicit organisational approval, or the knowledge and oversight of the ICT management, operations or information security departments within an organisation.   Shadow cloud services are increasingly used by business units and individual staff members to store official or personal information created in the process of daily work.   

Benefits for organisations

This growing trend is driven by the need for staff to have fast, free technology solutions, without having to be dependent on ICT staff to approve and help out.  Users can therefore overcome business process challenges and obstacles themselves without having to rely on another department within the organisation. It is also an attractive alternative to outmoded technologies and tools which are no longer fit for purpose.  Understandably staff want access in the workplace to the advanced services and tools that are available in the private sphere, to enhance their business-as-usual.

The usage of shadow cloud may contribute to greater:

  • innovation and business improvement

  • flexibility and agility

  • productivity.

Risks to information and records

This trend also creates risks for organisations. Government information may be compromised when risks are not understood and controls are not in place.  Without governance, using unauthorised cloud services presents significant security risks, and the potential for technology and service redundancies.  Risks include:

  • unintended exposure of government information

  •  illegal access to and control over protected and confidential information

  • intellectual property and privacy breaches. 

There is also the risk of preventing information sharing across the organisation with only a small number of people having access to the information created within the cloud service.  This limits the use and re-use of information assets.

Managing shadow cloud to mitigate the risks to information and records

In order to get the benefits of using shadow cloud without compromising corporate information and records, organisations should take a risk-based approach to prioritising and managing this activity.

Organisations should identify all cloud services in use which involve government (official or personal) information or are accessed from government networks. There are various software tools and third party services that facilitate this.  All cloud services must have a proper risk assessment and endorsement in line with the Government Chief Digital Officer’s guidance.

To discourage uncontrolled shadow cloud proliferation, organisations should adopt clear policies and procedures, and set expectations to manage cloud usage.

Here are a few first steps organisations may want to consider:   

Step 1: Partner with ICT, Information security, Risk, Legal, and Procurement teams to assess the extent of the situation, and list the shadow cloud services/tools used in your organisation.

Step 2: Take action on services/tools identified; triage and prioritise: approve / ban / restrict. Where critical, extract and save the information identified as public records back into the corporate systems. Get evidence from the provider that all copies (including back-up copies) have been securely disposed of.

Step 3: Raise awareness around the risks to corporate information through campaigns. Promote and champion best practices amongst staff. Have regular checks and conversations with business groups. Raise issues with leaders and encourage them to support their staff in understanding the risks.

Step 4: Remind users about their responsibilities when creating public records, including those in the cloud environment. Document those responsibilities and update your policies, training and guidance.

Step 5: Prevent future unauthorised use of cloud services by encouraging staff to ask for advice before signing-up. Have a process in place to do regular checks and assessment of current state in order to measure the effectiveness of awareness campaigns.

Organisations will find more details about the GCDO’s framework and guidelines in the Managing Shadow Cloud Services guide.


For the December quarter we have published the guidance Cloud services: information and records management considerations 18/G15. If you have feedback/questions/comments please email us at


, ,

Post your comment



No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments