The average enterprise has 464 custom applications deployed today. Across industries, even ones not associated with technology, companies of all sizes are developing applications that help them engage with customers, suppliers, and employees. However, as these applications move to cloud platforms such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform, new security concerns are emerging. That’s according to a recent report published by the Cloud Security Alliance.
It’s estimated that, on average, enterprises will develop and deploy 37 new applications in the next 12 months. This rapid pace of development represents a 20.5% increase in the number of custom applications that are deployed at the average enterprise today. Not surprisingly, application development is strongly correlated with company size. Companies with fewer than 1,000 employees run an average of 22 custom applications. The largest enterprises, with more than 50,000 employees, run 788 on average.
A slight majority of applications (56.8%) are consumed by internal employees. Examples include a sales application that pulls data from multiple systems showing a salesperson the accounts in their territory that are set for renewal this quarter and a customer service application that allows call center employees to enter case details and retrieve suggested fixes. A little over one-third of applications (36.2%) are consumed by customers, partners, and suppliers. Examples include an Internet-enabled application that enables customers to schedule appointments with technicians for support and an application that delivers training for partner sales teams.
The overwhelming majority of enterprises (92.0%) have some software development resources in house, which they use for developing their own applications; 44.5% of enterprises rely entirely on internal development teams and another 47.5% rely on a mix of internal development teams and outsourced developers. A small number (5.5%) of enterprises rely entirely on outsourced development and have no in-house developers. Whether developers are internal or outsourced, some enterprises map developers to specific applications for the life of the application while others fluidly move a pool of developers between different apps.
Within an enterprise, not everyone is aware of applications being developed and deployed. IT administrators have the highest awareness of the breadth of custom applications, followed by devops professionals. IT security professionals are only aware of 38.4% of the applications known to IT administrators. This means that IT security teams are involved in protecting corporate data against threats for fewer than half of these applications. Rather than security being a barrier to development, it appears development is occurring without involvement from security.
Increasingly, custom applications are moving from the corporate datacenter to the cloud. Today, 39.1% of applications are deployed in the public cloud, private cloud, or a hybrid of both. That number is expected to grow to 53.8% in the next twelve months as new applications are deployed in the cloud and existing applications migrate to the cloud. The public cloud is already the most popular flavor of cloud, and by the end of this year it’s expected that more than one-third of applications will be deployed in the public cloud.
Threats to applications deployed in the cloud
In a cyber attack on the company Code Spaces, whose principal product was a code repository application on AWS, hackers gained access credentials for the company’s AWS console and held its application and data hostage for a ransom. When Code Spaces did not comply, the attackers permanently deleted its customers’ data along with backups of that data maintained within the same AWS account. The attack was so devastating that it resulted in Code Spaces going out of business. The attack did not compromise the integrity of the AWS platform, but rather an account password, which can easily be stolen via a phishing attack.
When asked about the greatest threats to applications running in the public cloud, the single most common response (66.5% of IT professionals) was sensitive data uploaded to the cloud. Some organizations have regulatory compliance and data residency requirements that can prevent them from uploading data to a cloud environment. Following closely is third-party account compromise (56.9% of IT professionals), like the one that shut down Code Spaces. Another concern is that applications in the public cloud make it easy to access sensitive data from BYOD devices, with 40.1% of respondents concerned about users downloading this data to unmanaged personal devices lacking endpoint security controls.