The average enterprise today runs 464 in-house developed applications. These apps are internally facing for employees and externally facing for customers, partners, suppliers, etc. Increasingly, custom applications are moving to public cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. While the public cloud offers numerous advantages including scale and cost, it also makes it easier for lines of business to build and deploy applications without involvement from IT security. Most custom applications (61.6%) are “shadow” applications unknown to IT security and not secured.
That’s according to a new report published by the Cloud Security Alliance and Skyhigh Networks. The report investigates the scale of custom applications deployed today, where they are deployed, how they are secured, and who is responsible for securing them. Crucially, the current state of custom applications and IaaS adoption creates several key security, compliance, and governance hurdles that IT security professionals will face in 2017, which are summarized in the report.
Despite the wide range of commercial off-the-shelf applications, both on-premises and cloud-based, enterprises continue to develop their own custom applications. The average enterprise runs 464 custom applications while the largest enterprises run an average of 788 applications. For example, an airline developed an application that plots the optimal flight path for each airplane crew before takeoff. A rental car company uses an application it built so that its call center representatives can input details of reservations they accept over the phone. A retail store developed an application that lets its employees request certain days and times for their upcoming shifts and that allocates work schedules based on seniority and other factors.
The number of custom applications is expected to grow 20.5% in the next 12 months as enterprises develop and deploy new applications. Facing large upgrade costs, many enterprises are opting to ditch their legacy datacenters, where custom applications have traditionally been deployed, for the cloud. During the same period, 20.7% of existing custom applications currently deployed in the datacenter will move to the public cloud. Taken together, a majority of custom applications (60.9%) are in the datacenter today but this will decline to 46.2% in the next 12 months, making 2017 the tipping point when the enterprise datacenter is overtaken by the cloud, with public cloud growing the fastest.
Enterprises rely on custom applications to perform business-critical functions. Today, 46.1% of business-critical custom applications (i.e. downtime would impact operations) are in the public or hybrid cloud. The survey found that while enterprises have confidence in the security of IaaS providers’ underlying infrastructure compared with their own datacenters, data in custom applications is nevertheless exposed to a wide range of threats independent of the platform. That includes accounts compromised by third parties via phishing or another method. There is a growing number of examples, such as Code Spaces, where attackers have held data for ransom and in some cases permanently deleted enterprise data in applications deployed on IaaS.
So, where does the responsibility lie for securing these applications? IT security professionals are not involved in securing most custom applications (indeed, they are aware of only 38.4% of them, because the line of business and developers do not include them in the process), yet they are ultimately responsible for ensuring that corporate data is secure. If business-critical data is destroyed in an attack on a custom app, a majority of respondents (50.3%) say the IT security manager responsible for IaaS security will be fired. Consistent with the aftermath of cyber attacks such as the one on Target, 29.1% of respondents said the CIO’s job would be at risk following an attack, which increases the stakes enormously.