In years gone by, enterprise software deployment was a lengthy, time-consuming process carried out by dedicated teams running meticulously planned projects. Now, it is as simple as dropping a few lines of code into a connected environment, or even simpler, just logging in.
While this may bring the utopian vision of cloud-based organisations and digital transformation one step closer, it injects no small amount of risk and asks significant questions of cloud application security.
This trend is exploding in the months following the great dispersal of the workforce, triggered by COVID-19. Microsoft’s CEO Satya Nadella, for example, recently told an earnings call that the company had seen ‘two years of digital transformation in two months’.
App sprawl is a risk to enterprise information
In an ideal world, each application is used according to a tight policy drawn up in alignment with the security team. But, with cloud services being so easy to use, it is distinctly more chaotic in reality.
Marketing teams jump on whatever software bandwagon happens to be passing by; sales teams use any CRM plugin they think will give them an edge. Finance and HR teams are no different. If an application makes life easier, it gets used, often without the oversight of IT and security.
This is such a prevalent trend that Gartner has even estimated shadow software constitutes between 30 – 40% of all IT spending in large enterprises.
The end result? A vast number of apps sprawl across the enterprise environment undeclared, invisible, and potentially presenting a very real risk to everything from customer databases to company IP, not to mention the compliance issues.
Specific risks are two-fold. First, there is an innate insider threat from employees using applications which are not visible and therefore not subject to monitoring and policies. This opens them up to either malicious abuse, such as theft of sensitive data, or the accidental leakage of information.
Second, if poorly secured, such applications can also give an external attacker a toehold into organisations either through poor endpoint hygiene, or social engineering techniques. Once in, attackers can either move sideways into the company network or stealthily access confidential information.
Contain app sprawl
The best strategy for containing enterprise application sprawl is one which combines visibility, monitoring and control.
At a base level, security teams need to be able to see all the applications used in their environment. This is possible with an advanced CASB capable of performing analysis on each outbound request from a corporate environment to understand who is using what.
With better visibility, security teams are then empowered to control usage throughout the IT estate they govern in accordance with their risk appetite. Achieving this is a case of putting in place a set of policies which allows for nuanced management of risk, without strangling productivity.
Once policies have been decided, a CASB is again a highly effective tool, capable of understanding what applications users are accessing and providing a granular perspective on behaviour.
Risk can be categorised and managed down to a group or individual level, depending on a user’s role and responsibilities, location and work patterns. Access to different applications, and features and functions within applications, can be modified based on time, day, device used, and where the user is.
Additionally, if you want to keep a lid on the problem of app sprawl entirely, a CASB will allow you to simply remove the users’ ability to use new applications unless they are pre-approved by the company in the first place.
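The visibility-then-control loop described above can be sketched in code. The following is an added example, not code from the original article or from any CASB vendor: it parses a handful of constructed forward-proxy log lines to discover which SaaS hosts each user reaches (the visibility step), flags hosts outside a sanctioned catalogue as shadow applications, and then evaluates each request against a toy policy keyed on approved app, role, device, location and time of day (the control step). Every host, user, role and policy value here is invented for illustration.

```python
"""Added example (not from the original article): a toy CASB-style
discovery-and-policy engine.  Hosts, users, roles and policy values are
constructed for illustration only."""

from dataclasses import dataclass
from datetime import datetime

# Constructed proxy log lines: timestamp user device src_country host
PROXY_LOG = """\
2024-03-04T09:12:05 alice managed GB crm.example-sales.com
2024-03-04T09:15:41 alice managed GB share.unknown-files.net
2024-03-04T02:30:10 bob byod US crm.example-sales.com
2024-03-04T14:02:00 carol managed DE hr.example-people.com
2024-03-04T14:05:12 dave managed GB share.unknown-files.net
2024-03-04T10:00:00 erin managed XX crm.example-sales.com
"""

# Hypothetical catalogue of sanctioned apps: host -> (app name, roles allowed)
APPROVED_APPS = {
    "crm.example-sales.com": ("SalesCRM", {"sales"}),
    "hr.example-people.com": ("PeopleHR", {"hr"}),
}
USER_ROLES = {"alice": "sales", "bob": "sales", "carol": "hr",
              "dave": "marketing", "erin": "sales"}
ALLOWED_COUNTRIES = {"GB", "DE", "US"}   # constructed location policy
WORK_HOURS = range(7, 20)                # 07:00-19:59, constructed time policy


@dataclass
class Request:
    ts: datetime
    user: str
    device: str      # "managed" or "byod"
    country: str
    host: str


def parse_log(text):
    """Turn the constructed proxy log into Request objects."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, country, host = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), user, device, country, host))
    return reqs


def discover_apps(reqs):
    """Visibility: map each user to the hosts they reach, and report the
    subset that is not in the sanctioned catalogue (shadow apps)."""
    seen = {}
    for r in reqs:
        seen.setdefault(r.user, set()).add(r.host)
    shadow = {u: {h for h in hosts if h not in APPROVED_APPS}
              for u, hosts in seen.items()}
    return seen, {u: s for u, s in shadow.items() if s}


def decide(r):
    """Control: return (action, reason) for one request.  Unsanctioned hosts
    are blocked outright, matching the pre-approval stance in the text;
    the remaining checks narrow access rather than deny it."""
    if r.host not in APPROVED_APPS:
        return "block", "unsanctioned application"
    app, roles = APPROVED_APPS[r.host]
    if USER_ROLES.get(r.user) not in roles:
        return "block", f"role not permitted for {app}"
    if r.country not in ALLOWED_COUNTRIES:
        return "block", "location not permitted"
    if r.device != "managed":
        return "read-only", "unmanaged device"
    if r.ts.hour not in WORK_HOURS:
        return "step-up", "outside working hours"
    return "allow", f"policy match for {app}"


def evaluate(text):
    """Run every logged request through the policy."""
    return [(r.user, r.host, *decide(r)) for r in parse_log(text)]


if __name__ == "__main__":
    _, shadow = discover_apps(parse_log(PROXY_LOG))
    print("shadow apps:", shadow)
    for row in evaluate(PROXY_LOG):
        print(row)
```

The ordering of checks in `decide` is a design choice: the catalogue check comes first so that a request to an unknown host never reaches the finer-grained rules, which is the simplest way to express "nothing new unless pre-approved". In a real deployment the catalogue and role mappings would come from the CASB's app database and the identity provider rather than from inline dictionaries.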