• Australia and New Zealand lead cloud adoption globally.
• We found an average of 670 cloud-based services per organisation, of which 26 were considered high risk.
• Organisations must develop frameworks to govern and manage this new risk paradigm.
PwC research has shown that Australia and New Zealand are leading cloud adoption globally, in an effort to improve agility and time to market. Through our alliance with Skyhigh Networks we found that organisations in Australia and New Zealand are using, on average, 670 cloud-based services each. Of these, 26 are categorised as posing a high level of risk to the data held on the service.
Just last week, as a result of the level of adoption being seen across the financial services industry, the Australian Prudential Regulation Authority (APRA), Australia’s financial services regulator, released an information paper on the risks associated with the adoption of the public cloud.
In this paper APRA noted: “Risk management practices, including risk identification and mitigation techniques, are still maturing for these types of arrangements, elevating the level of risk to APRA-regulated entities.”
Why has the adoption of shadow cloud accelerated?
Shadow IT has been an issue for some time, but the recent explosion of what is called ‘shadow cloud’ and therefore ‘shadow data’ has been credited to a number of factors.
The growing culture of consumerisation within enterprise has led staff away from relying just on IT departments for their needs. Frustrated by outdated technologies or restrictive infrastructures, they independently seek information and technology online, and ultimately deploy their own IT solutions. Used to accessing what they want, when they want, and at the speed they want, users choose to do so without the guidance or knowledge of their organisation’s risk and security specialists.
Operating under a shadow cloud
The concerns of shadow cloud are similar to those of shadow IT: the technology could drive up overall cost to the organisation without resolving the central issue. With unsanctioned systems in use, there is also less control of the environment.
The greatest risk lies in its lack of confinement. Whereas shadow IT was largely restricted to individual computers running day-to-day activities, rogue cloud applications mean that any number of third parties are linked into company assets and the traditional boundaries of shadow IT have been dissolved. Company information and assets are now travelling through a network of internal and external systems that is not being properly monitored by the organisation.
This kind of activity can present a significant risk. The presence of third parties can compromise data security, regulatory compliance, or the integrity of transactions.
Yet cloud computing can also bring with it innovation, speed and efficiency – a fact that cannot be ignored, particularly when you consider how investment and advancement mean more and more cloud-based solutions will rapidly come to market.
Managing the risk
The nature of technology departments has changed. No longer a discrete authority within the business that focuses solely on infrastructure, technology teams must now work with the business to understand and solve its most important problems.
With public cloud services being seen as innovative ways to solve those important business problems, it is imperative that organisations develop frameworks to govern and manage this new risk paradigm.