We’ve known for years that employees and lines of business are bypassing IT departments to get the cloud services they want. The good news is we can finally quantify how much shadow IT exists in an organization and identify any risks.

Large customers actually use 730 individual cloud services on average—with some using over 1,000. That’s 15-22 times more than what their IT departments estimate. We can help customers understand what (and how much) they are using, but even then, I get asked (a lot) – which ones are the riskiest?


Based on risk analysis with organizations over the last two years, we’ve identified the top ten riskiest cloud service categories. They are:

  • Cloud Drive/Storage
  • Back-up & Recovery
  • Enterprise Resource Planning (ERP)
  • Finance & Accounting
  • Legal
  • Customer Relationship Management (CRM)
  • Human Capital Management
  • Compute
  • Services Management
  • Application Development & Testing

Why did these and not others make the top ten? Good question – so let me explain.

  1. Data Stores: Data Ownership & Compliance

Most often, customers don’t actually own the data they house in data-heavy services such as cloud storage and back-up & recovery. Many public cloud providers have clauses in their contracts that explicitly state data is stored with the provider – not the customer. If that provider terminates a relationship or goes out of business, what do you think happens to your data? At the same time, organizations using these services can face compliance and data sovereignty challenges if employees aren’t storing data in the right ways.

  2. Business Critical Data: Data Exploits & Availability

Services like ERP, Finance, Legal, CRM and Human Capital Management store critical customer, employee, financial, legal and business operations data. This data needs to be protected from exploits and data breaches, but the vendor’s cloud service also needs to be highly available and redundant so that business operations run smoothly. Bigger vendors often have the resources to address these challenges appropriately, but what about smaller vendors? Are they financially sound, or could they shut their doors and leave one of your critical business operations hanging?

  3. Critical Business Operations: IT Service Availability

Services that support IT, like compute, application development & testing, and services management, are the cogs in the wheel that keep IT services up and running. Long story short – they are critical to running your business smoothly. One cog out of place and you could face disruption. With these services, redundancy and fault tolerance aren’t always under your control. Every service claims to have fantastic availability, but interruptions can happen frequently, which unfortunately means your business operations can face many threats.

  4. Rating Risk: You Don’t Know What You Don’t Know

Many cloud vendors do a great job at protecting your data and your business.

However, as they say, you don’t know what you don’t know.

Your organization IS using hundreds of services. If a service supports a business-critical function, one that could drastically disrupt your business, you could face high risk.

Your first step is to discover what you’re using and find a way to assess vendors without using too many IT resources. Automated tools, like Cisco Cloud Consumption, are key. Manually trying to discover and assess vendors would take months of dedication and resources. Cloud Consumption software examines 65 risk attributes for every provider. Based on these attributes, each service is then ranked with a comprehensive risk score.

This risk score is key to identifying and managing your cloud risk. For example, Cisco IT uses the risk score to create a matrix rating the confidentiality of information against the business criticality. Using a series of questions that determine business criticality and data classification, Cisco IT can come up with a number for each application and see where it falls in the matrix. This provides you with a clear indicator of where your IT resources need to be applied in order to assess and consolidate your cloud services to reduce risk and protect Cisco’s brand.

What are your top cloud risk concerns? Let me know on Twitter or LinkedIn.


Robert Dimicco

Senior Director

Advanced Services