Shadow IT: Queensland audit uncovers cloud sprawl

8TB of data transferred off-shore

A recent scan of the Queensland government’s Internet gateway revealed the use of thousands of instances of cloud services across departments — and in many cases the ICT teams of the departments are unaware that the services are being used.

The scan by the Department of Science, Information Technology and Innovation revealed 2163 individual cloud services were in use, which, according to a recently released report by the state’s audit office, is higher than the number departments have on record.

The scan also revealed 8.6TB of data was uploaded to cloud services — with 75 per cent of it transferred offshore.

The process did not reveal which of the services related to personal use by public sector employees, the report said.

“Departments indicated that they do not have processes or mechanisms to monitor the use of user-initiated cloud computing in their departments,” the report said.

About a fifth of departments had begun to purchase or pilot tools to identify “user initiated” cloud computing.

The auditor recommended that all state government departments implement processes to detect and monitor user-initiated cloud services and conduct user-awareness programs outlining the risks of unapproved cloud services.

“Without knowledge of all cloud solutions, they risk leaving government information insecure,” the report said.

Early days for cloud adoption

Overall it is still early days for cloud adoption across Queensland departments, the audit found.

A groundbreaking 2014 policy adopted by the Queensland Government Chief Information Officer has led to greater emphasis on considering cloud solutions, and an interview conducted with CIOs across the Queensland government revealed that 79 per cent were adopting cloud services because of it.

However, the audit found that most departments are yet to develop a clear strategy for integrating cloud services into their ICT architecture.

“This lack of planning for evolving the ICT infrastructure creates a risk that departments will implement systems and services that do not integrate with existing systems or interoperate amongst multiple-sourced cloud solutions,” the report said.

“Queensland government departments are in early stages of adopting cloud, and in the main consider cloud solutions only when old systems require renewal or when they are purchasing new system,” it said.

Almost three-quarters of departments are at the “initial, ad hoc” stage, which the report describes as: “Some groups within the department have started to implement cloud. There is awareness of cloud computing. There is no cohesive cloud-computing plan.”

The most popular uses of cloud services are dev and test, website, and email.

The report recommended that departments adopt a more strategic approach to cloud adoption — “to assess where cloud can add the most value, and to address the people, process or technology change activities that are required if the objectives of the ICT strategy are to be realised.”

The report is available from the website of the Queensland Audit Office.

Queensland was the first state to adopt a cloud-first policy.

The policy followed recommendations from the February 2013 report of the Independent Commission of Audit that advocated the state government "adopt an ICT-as-a-service strategy and source ICT services, especially commoditised services, from private providers in a contestable market where this is feasible and represents value for money" and that the government "utilise as appropriate cloud based computing and other emerging technologies as enablers to complement its ICT-as-a-service strategy".
