Web, mobile and cloud applications are insanely popular - both from an end-user consumption standpoint and also a revenue-generating standpoint. But having too many apps under your roof could spell big problems. For many organizations, "application sprawl" is as much a security predicament and brand liability as having too much data.
If you think you're immune to this risk, read on to understand why that may not be the case:
Nowadays, applications easily can be thrust online. The do-it-yourself simplicity of app development and the agility and convenience of the cloud enable virtually anyone with a modest set of skills to stand up a new application - often out of the purview of the corporate IT department. Apps clearly offer big benefits, but when siloed business units that are not collaborating with (or governed by) IT decide to build them, security vulnerabilities and proper patching easily can be overlooked in the haste to go live quickly and avoid scrutiny.
Many organizations, especially ones with sub-brands, don't realize the number of apps they have that need protecting. Mergers and acquisitions often usher in a slew of legacy apps that companies fail to phase out. In some cases, these apps are no longer used or are simply redundant, but are sitting in the same data center as others that still are heavily used. That means that if a hacker is able to infiltrate the company through one of them, they could establish a foothold in a very juicy segment of the corporate network. In response, catalog your apps to get an idea of what you need - and what you don't.
Thanks to the mobile and BYOD frenzy, many employees have an unquenchable appetite for the latest and greatest apps. But they're often uploading the programs on corporate-connected devices. Consider implementing policies that manage employees' app usage, both on mobile and desktop. One idea picking up steam is enterprise app stores. Workers are only allowed to download approved apps to their devices. As this blog states: "Having all enterprise assets in one store means that it is easier to manage what users and roles can see what APIs and apps."
Of course, apps aren't going away. Aside from the above recommendations, enterprises should implement application scanning - from automated to manual penetration testing. Reaction is important as well. That's why web application firewalls can help. With WAFs, you can continuously monitor your apps, instantly detect and prevent threats, mitigate the risk of data breaches and address compliance requirements. On the BYOD front, companies should consider turning to mobile security solutions, such as risk assessment services, integrated network protection, two-factor authentication and security education awareness.
Dan Kaplan is manager of online content at Trustwave.