University of Twente Student Theses


Cloud Strife : an analysis of cloud-based shadow IT and a framework for managing its risks and opportunities

Hulsebosch, M.A.C. (2016) Cloud Strife : an analysis of cloud-based shadow IT and a framework for managing its risks and opportunities.

Abstract: This thesis proposes a framework for the management of unauthorized cloud computing usage, based on a risk analysis, a set of possible strategies and concrete measures. The rise of cloud computing in the consumer domain has raised users' expectations about the types of services that organizational IT departments deliver and the speed of delivery. Many IT departments are unable to keep up with these expectations. As a result, individual employees and departments choose to bring cloud services into the organization by themselves, circumventing IT. This is called Cloud-based Shadow IT. The use of these services may result in various risks for the organization, such as business continuity risks, unauthorized access to sensitive data, non-compliance and adverse effects on financial and operational performance. On the other hand, an employee's legitimate desire to use these tools to improve the quality of their work can lead to various benefits. No frameworks for the management of the risks and benefits of Cloud-based Shadow IT previously existed, so this report proposes one. The proposed framework consists of three steps that organizations should follow. First: analyze how they are impacted by the aforementioned risks, and how they benefit from the positive effects. They should also consider what causes their employees to adopt Cloud-based Shadow IT. Second: choose a strategy. Coming from a state of ignoring unauthorized cloud usage, they can choose to monitor which applications are used, accepting both risks and benefits. Going further, they could use blacklisting or whitelisting to select which applications can and cannot be used, balancing risks and benefits. A final option is to prohibit the use of Cloud-based Shadow IT completely. Third, they should choose what measures they take, and how they implement them, in accordance with that strategy.
This report introduces measures in five steps: prevention, detection, analysis, response and evaluation, and analyzes how Cloud Access Security Brokers and Identity-and-Access-Management-as-a-Service-solutions can be used in these efforts. The framework has successfully been validated with experts. Since the framework takes a high-level perspective of Cloud-based Shadow IT, the main recommendations are that further research provides additional details about implementation and effectiveness of the proposed measures, and that the framework is expanded to better cover various organization sizes, industries, geographies, maturity levels and IT governance models.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science, 85 business administration, organizational science
Programme: Business Information Technology MSc (60025)