Survey reveals the challenge of securing hundreds of custom applications
Despite the wide range of commercial off-the-shelf applications, both on-premises and cloud-based, enterprises continue to develop their own custom applications. The average enterprise today runs hundreds of these apps that are internally facing for employees and externally facing for customers, partners, suppliers, etc. Increasingly, these applications are running in public cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
While the public cloud offers a host of advantages including scale and cost, it also makes it easier for lines of business to build and deploy apps without involvement from IT security. Our survey discovered that while the average enterprise has 464 custom apps deployed, IT security teams are only aware of 38.4% of them. Rather than security being a barrier to development, it appears security is circumvented altogether in most cases.
Awareness of custom applications
While the average enterprise has 464 custom applications deployed today, most of them are deployed without the knowledge of the IT security department. On the other hand, IT administration and DevOps have the most visibility into the extent of custom applications built and deployed.
Number of custom apps by company size
As expected, larger enterprises have the most custom applications deployed at their organizations. On average, companies with over 50,000 employees had 788 apps deployed, compared to 22 at companies with fewer than 1,000 employees.
Custom app end users
Interestingly, for most custom applications, the end users tend to be internal employees. For 56.8% of apps, the intended audience is internal employees only, 36.2% are intended for non-employees, and 7% are geared towards a mix of the two.
Future of application workloads
Enterprises are gradually divesting from their data centers and moving application workloads to the public cloud. Today, 60.9% of application workloads are still in enterprise data centers. By 2017, however, fewer than half (46.2%) will remain there. This is, in part, due to new applications primarily being deployed in the cloud, and because enterprises plan to migrate 20.7% of their existing applications to the public cloud.
IaaS Platform Adoption
Amazon continues its domination of the IaaS market, with 41.5% of application workloads deployed on it. Azure, however, is gaining ground with 29.4% of application workloads on it. Despite Google’s effort in gaining a foothold in the IaaS market, only 3% of application workloads are deployed on Google’s Cloud Platform.
Is the public cloud more secure?
Perhaps one reason why enterprises have rapidly moved these applications out of the data center to the public cloud is that, generally speaking, they view public cloud providers as being secure. A majority of respondents (62.9%) say the public cloud is as secure or more secure than their own data center.
Custom app security concerns
Despite confidence in the security of public cloud platforms, there remains a deep level of concern about the security of custom applications deployed in the public cloud. 31.7% of respondents are “very concerned” while another 32.3% are “moderately concerned”.
No group within enterprises today is more concerned about the security of custom apps in the public cloud than IT security professionals. A plurality of IT security professionals (41.9%) report feeling “very concerned” about the security of these applications, followed by IT administrators (32.1%).
Who’s not concerned?
Developers, devops, and operations professionals report lower levels of concern. Perhaps it is a lack of concern about security that is preventing developers, devops, and operations professionals who are responsible for the development and launch of applications from including IT security.
Perceived threats to custom applications
When asked about the greatest threats to applications running in the public cloud, the single most common response (66.5%) was sensitive data uploaded to the cloud. Some organizations have regulatory compliance and data residency requirements that can prevent them from uploading data to a cloud environment. That’s followed closely by third-party account compromise (56.9%).
Who’s fired after a breach
Even if a cyber attack on a custom application deployed in the public cloud does not result in permanent data loss, downtime of a few hours could result in significant costs. These high stakes threaten the job security of anyone involved. In the event of such an attack, 50.3% of respondents said the IT security person(s) responsible for securing the public cloud would likely be fired.