Can you have too many apps? How many is too many? A recent Flexera Software survey found that 64 percent of enterprises believe they have more applications than are needed by their businesses. Nearly half of CIOs interviewed by Capgemini in 2014 thought they employed too many applications. This article discusses risks like data dissemination and dissipation, solutions like single sign-on and multifactor authentication, and centralized control.
Applications are essential to running your business. Done well, they can make nearly any task or process faster and easier. But can you have too much of a good thing? Apparently yes. Nearly half of CIOs interviewed by Capgemini in 2014 thought they employed too many applications.
Certainly, FedEx found that to be the case. Even back when app proliferation wasn’t recognized as an issue, the shipping and office services giant assessed its application portfolio and realized it had more than 2,600 applications, the consequence of both a massive acquisition push and rapid growth. That was a lot even for that time. Equally concerning, FedEx identified more than 14,000 custom interfaces to these applications.
FedEx is not alone. A recent Flexera Software survey found that 64 percent of enterprises believe they have more applications than are needed by their businesses. Although few are on the scale of FedEx, Harris Interactive found in 2012 that 50 percent of enterprises had more than 500 applications.
In addition to excess costs, significant risks accompany this kind of application proliferation. But you also have some solutions at hand to help you as your application portfolio continues to grow.
Risks and fixes
With applications now able to go from initial idea to proof of concept within weeks due to an extremely fertile app development environment, three primary risks unfold: identity sprawl, data dissipation, and—probably the most important—the growing size of the “threat surface.” But there are ways to mitigate these risks, as you’ll see.
Having so many applications at once certainly engenders identity sprawl. When users are confronted with dozens, sometimes even hundreds, of applications and told they need a username and password for each one, the average user is often forced into bad password practices—reusing passwords, for example, or not changing them regularly—which then puts the organization at risk. In fact, almost a third (31 percent) of employees admitted that they reused passwords at work. And even if they modify their passwords from app to app, the risk is still high: researchers at the University of Illinois at Urbana-Champaign were able to develop a cross-site password-guessing algorithm that guessed 30 percent of transformed passwords within 100 attempts.
There are two solutions for this: single sign-on (SSO) and multi-factor authentication (MFA).
First, deploy SSO across your entire app portfolio. There are many identity and access management solutions that centralize access to these different applications, while creating a consistent user experience. And the more consistent the user experience is, the less likely users will fall for a phishing scam, no matter how clever.
MFA is also critical. Because even if the network is locked down, even if your applications have no vulnerabilities in them, if a cybercriminal gets hold of an employee’s credentials in a username-password access system, the game is over. With two- or even three-factor authentication, even if one type of authentication is compromised, you have extra layers of protection.
The second issue is data dissemination and dissipation. In previous decades, you kept all your data internally in a centralized place, with a well-defined perimeter. Yes, there were risks, but mitigating those risks was fairly straightforward. Today, with the proliferation of apps, data is constantly going out of the enterprise. Suddenly, your sales and marketing data is at Salesforce. Your HR data is at Workday. Documents containing your important IP are at Microsoft with Office 365. Build or subscribe to a new app, and the data goes with it. What if one of these Software as a Service (SaaS) providers gets hacked? The risks to your data, and their implications, are ones enterprises have never faced before.
How do you mitigate these risks? Start by performing third-party risk assessments on your business partners before onboarding them—and continue to do this periodically thereafter. Second, go back to access control and MFA. Make sure that if one or even two factors get compromised, the hacker is still refused access. And finally, put the application security measures in place: encryption—all data should be encrypted—and web application firewalls.
Another aspect of data dissipation is that across so many applications, different versions of the same data can end up stored in multiple places, and multiple copies mean multiple versions of what should be a single truth, potentially creating confusion. One way to combat this is education: publishing guidelines for business-led teams to educate them on data hygiene and the health of data in applications.
Security awareness training is also important. Apps that create valuable IP need tight controls around the most critical data. Rules should determine who can use what, and where. Types of controls include data access controls, data validation controls, backup and recovery controls, audit controls, and file controls.
Particularly note that any data subject to a compliance regulation must be carefully locked down. In cases of HIPAA or personally identifiable information, you should have a very low tolerance of risk.
The growing size of your business’s “threat surface”
As of March 2017, there were more than 2.8 million apps available for Android users. Apple’s App Store offers more than 2.2 million apps. And that doesn’t count the millions of enterprise applications that have been developed and deployed. Altogether, we’re probably talking more than a billion applications in play worldwide today.
However, not just the sheer number, but the complexity of the applications adds to the “threat surface”—or area of potential security vulnerability—that enterprises face today. Back in the 1990s, in the heyday of client/server computing, you took a CD out of a shrink-wrapped package and installed it in your data center. Today you have to deal with different web frameworks such as .NET and HTML5, among others, and many other components, including application servers and web servers. Applications are reached from a variety of browsers. With every added layer of complexity, there are more vulnerabilities, and more risk to manage.
So how do you manage this risk? By shifting your focus. We’ve always been concerned about securing the network. But it’s time to focus on application security, too. Web application firewalls, in particular, are growing in popularity. That’s because the bad guys are targeting more than the network—after all, even if the network is secure, if there’s a hole in an application, they’re in.
Take FedEx as an example again. Anyone in the world is able to access the FedEx website for their shipping needs. That’s billions of people. Even if the network is completely locked down, the application could be a way in, since anyone is authorized to use it. So FedEx’s greatest risk would be with that application, not its carefully guarded network. For many companies, the application is the weakest link right now. And the hackers realize this. So keeping apps secure should be a top priority.
There’s no doubt apps are proliferating. Some CIOs might use the terms “shadow” or “rogue” IT because many of these applications are brought into the organization by business users rather than IT. But derogatory words don’t address the issues that arise when business users take acquiring (or building) applications into their own hands. Rather, think of it as business-led IT—as a partnership between business users and IT in trying to do the best job of attaining the business mission.
And at some point, this application proliferation is going to call for centralized control. It’s common today for enterprises to have their application assets scattered throughout various platforms. In the cloud. In their private data centers. On premises. In various SaaS environments. Eventually, businesses will need a single pane of glass that gives them insight into their entire application portfolio. When they have that kind of control, these risks—identity sprawl, data dissipation, and the enlargement of the threat surface—will be much easier to manage.
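As an added illustration, not code from the original article, here is a small Python inventory check that gives that single-pane view: it walks a constructed application portfolio and tags each app with findings under the three risks discussed above (identity sprawl, data dissipation, threat surface) plus regulated data. The App fields, the one-year vendor assessment interval and the sample apps are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class App:
    name: str
    hosted_by: str                  # "internal" or the SaaS vendor holding the data
    sso: bool                       # login goes through the central identity provider
    mfa: bool                       # a second factor is enforced
    internet_facing: bool = False   # reachable by the public, like a shipping site
    waf: bool = False               # web application firewall in front of it
    encrypted: bool = True          # data encrypted with the vendor
    regulated_data: set = field(default_factory=set)  # e.g. {"PII", "HIPAA"}
    last_vendor_assessment: date = date.min           # date.min = never assessed

ASSESSMENT_INTERVAL = timedelta(days=365)   # assumed policy: re-assess vendors yearly

def portfolio_findings(apps: list, today: date) -> dict:
    """Map each app with problems to its findings, tagged with the risk they fall under."""
    findings = {}
    for app in apps:
        issues = []
        # Identity sprawl: its own credential set, or password-only access.
        if not app.sso:
            issues.append("identity: separate credentials (not behind SSO)")
        if not app.mfa:
            issues.append("identity: no MFA")
        # Data dissipation: business data held by a third party that is not re-assessed.
        if app.hosted_by != "internal":
            if today - app.last_vendor_assessment > ASSESSMENT_INTERVAL:
                issues.append(f"data: third-party risk assessment overdue for {app.hosted_by}")
        # Threat surface: anyone can reach it and nothing filters application-layer attacks.
        if app.internet_facing and not app.waf:
            issues.append("surface: internet-facing without a WAF")
        # Regulated data (HIPAA, PII) gets the lowest risk tolerance.
        if app.regulated_data and not (app.mfa and app.encrypted):
            issues.append("compliance: " + ",".join(sorted(app.regulated_data)) + " lacks MFA or encryption")
        if issues:
            findings[app.name] = issues
    return findings

# Constructed sample inventory, not real systems.
TODAY = date(2017, 6, 1)
PORTFOLIO = [
    App("crm", "Salesforce", sso=True, mfa=True, regulated_data={"PII"},
        last_vendor_assessment=date(2017, 1, 15)),
    App("hris", "Workday", sso=False, mfa=False, regulated_data={"PII", "HIPAA"}),
    App("shipping-portal", "internal", sso=True, mfa=False, internet_facing=True),
    App("wiki", "internal", sso=True, mfa=True),
]
```

Running `portfolio_findings(PORTFOLIO, TODAY)` lists only the two apps with gaps; the CRM and wiki entries pass every check.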
Alice LaPlante is an award-winning and best-selling American author of numerous books, including A Circle of Wives and The New York Times bestseller Turn of Mind, which was the winner of the Wellcome Trust’s Book Prize and a B&N Discover Award finalist. She was a Wallace Stegner Fellow and a Jones Lecturer at Stanford University, and taught creative writing at both Stanford and San Francisco State University. She has written for Forbes ASAP, BusinessWeek, ComputerWorld, InformationWeek, and Discover. Her corporate clients include some of the best-known brands in the technology industry, including IBM, Microsoft, Oracle, Symantec, Deloitte, and HP.