IaaS Creating New Variant of Shadow IT

Custom Applications are being Increasingly Used from Within Public Clouds as Part of the Migration to IaaS

Organizations cannot rely on commercial off-the-shelf (COTS) software to fulfil all their IT requirements: almost all companies develop their own custom apps. The majority of these apps, whether internal or internet-facing, currently run on datacenters owned or operated locally. By the end of 2017 this will change -- the majority of enterprise custom apps will reside in public clouds as the industry-wide migration to Infrastructure as a Service (IaaS) increases speed.

A new report, conceived and developed by the Cloud Security Alliance and Skyhigh Networks, polled 314 qualified respondents in December 2016 and January 2017. The results (PDF) show that an increasing number of custom apps are being moved into cloud infrastructures (primarily AWS, Azure and Google Cloud Platform) without the security team necessarily being aware that they exist. This is effectively a new variant of Shadow IT -- it is not necessarily software unknown to the IT department, but it is software unknown to the head of security.

This presents a new security and compliance challenge since CISOs cannot secure what they cannot see. It is possible that the app developers assume that their apps are protected by the cloud providers' security, and therefore don't need to be sanctioned by in-house security. Certainly, the majority of respondents believe that IaaS is more secure than local data centers simply because of the huge security resources available to Amazon, Microsoft and Google.

But clouds operate a form of shared responsibility under which the customer is responsible for the data it uploads and the apps it develops. The report cites the example of Code Spaces, which provided a code repository for its customers on AWS. It was breached. AWS was not compromised, but rather the attackers got hold of a legitimate Code Spaces account password. Ultimately, they destroyed all the customers' data, and the effect on Code Spaces was so severe that it went out of business.

What the Skyhigh survey highlights is that more and more custom apps are being used from within public clouds as part of the migration to IaaS.

"The security of custom applications has not been a focus in many organizations," explains Nigel Hawthorn, Skyhigh's chief European spokesperson, "but every company is now a software company; 92 percent of them write their own custom apps, and the average enterprise will have more than 500 apps running in the next year. Moreover, 72% of companies have a bespoke critical app running today that is essential to operations. When these workloads are targeted by a cyberattack or fall victim to a mistake, the downtime will cost a business dearly. It's no surprise that application innovation is ahead of security but, with an average of 285 custom apps running that are unknown to IT security teams, companies must ensure that IT security is part of the custom app development process."

The actual number of apps unknown to security varies with the size of the organization. Small companies, with fewer than 1,000 employees, can have as few as 22 custom apps; but large companies with more than 50,000 employees can have an average of 788 apps. It is the invisibility of such a large number of them that causes the security concern. Sixty-five percent of respondents said they are moderately or very concerned about the security of custom apps in the cloud, with only 13.8% 'not at all concerned'.

"IT security professionals," says the report, "are only aware of 38.4% of the applications known to IT administrators. This means that IT security teams are involved in fewer than half of these applications to ensure corporate data is protected against threats. Rather than security being a barrier to development, it appears development is occurring without involvement from security."
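The visibility gap the report describes can be measured directly by reconciling the workloads IT administrators can enumerate (for example from resource tags across AWS, Azure and GCP) against the list of apps the security team has actually reviewed. The script below is an added example written for this article, not code from the report, Skyhigh or the Cloud Security Alliance; every app name, owner and tag in it is constructed, and the scoring used to rank the unreviewed apps is an assumption of the example.

```python
"""Reconcile a cloud workload inventory against the security team's app registry.

Added example, not from the report or the article. Everything below is
constructed sample data; the triage scoring is this example's own assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Workload:
    app: str                # application name, taken from a resource tag
    provider: str           # "aws", "azure" or "gcp"
    owner: str              # team that deployed it
    internet_facing: bool   # reachable from the internet
    business_critical: bool # tagged as essential to operations


# Constructed: what IT administrators can see across the three IaaS providers.
IT_INVENTORY: List[Workload] = [
    Workload("billing-api", "aws", "finance-dev", True, True),
    Workload("HR-Portal", "azure", "people-ops", False, True),
    Workload("etl-nightly", "gcp", "data-eng", False, False),
    Workload("partner-upload", "aws", "sales-eng", True, False),
    Workload("legacy-crm-sync", "aws", "sales-eng", False, True),
]

# Constructed: apps that went through a security review. Names are normalised
# before matching because tag casing is rarely consistent across teams.
SECURITY_REGISTRY: Set[str] = {"billing-api", "hr-portal"}


def normalise(name: str) -> str:
    """Canonical form for matching tag values against the registry."""
    return name.strip().lower()


def visibility_report(workloads: Iterable[Workload], registry: Set[str]) -> Dict:
    """Split workloads into security-known and security-unknown.

    'visibility' is the share of running workloads the security team knows about,
    the same ratio the report quotes as 38.4% for the surveyed organisations.
    """
    workloads = list(workloads)
    reviewed = {normalise(n) for n in registry}
    known = [w for w in workloads if normalise(w.app) in reviewed]
    unknown = [w for w in workloads if normalise(w.app) not in reviewed]
    ratio = len(known) / len(workloads) if workloads else 0.0
    by_provider: Dict[str, int] = {}
    for w in unknown:
        by_provider[w.provider] = by_provider.get(w.provider, 0) + 1
    return {
        "visibility": round(ratio, 3),
        "unknown_count": len(unknown),
        "unknown": unknown,
        "unknown_by_provider": by_provider,
    }


def exposure_score(w: Workload) -> int:
    """Assumed ranking: business-critical counts double, internet-facing once."""
    return (2 if w.business_critical else 0) + (1 if w.internet_facing else 0)


def triage(unknown: Iterable[Workload]) -> List[Workload]:
    """Order unreviewed workloads so the riskiest are brought to security first."""
    return sorted(unknown, key=lambda w: (-exposure_score(w), w.app))


if __name__ == "__main__":
    report = visibility_report(IT_INVENTORY, SECURITY_REGISTRY)
    print(f"security visibility: {report['visibility']:.0%}")
    print(f"unknown by provider: {report['unknown_by_provider']}")
    for w in triage(report["unknown"]):
        print(f"  [{exposure_score(w)}] {w.app} ({w.provider}, owner={w.owner})")
```

Run against a real environment, the `IT_INVENTORY` list would be built from each provider's tag inventory and the registry from the security team's review records; the reconciliation itself does not change.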

The biggest single concern (from 66.5% of respondents) is that unprotected apps could be used to upload sensitive data to the cloud. This is followed at 56% by a third-party account compromise similar to the one suffered by Code Spaces. But 40.1% are also concerned about sensitive data being downloaded from the cloud to an unmanaged BYOD device.

Loss of personal data could be expensive under data protection regulations and damaging to brand reputation; but some of the custom apps are actually critical to business operations. Almost 73% of the respondents said they have at least one business-critical application. Forty-six percent of these are either fully deployed in the public cloud or in a hybrid public/private cloud -- and IT security professionals have incomplete visibility into their deployment and operations. As the migration to IaaS continues, the number of business-critical custom apps at risk will undoubtedly increase. 

"Securing sensitive data in the cloud is no longer the remit of one party, it's a shared responsibility," says Hawthorn. "The rapid adoption of IaaS deployments sees the role split between infrastructure providers and enterprises, while internally, businesses cannot expect IT to manage cloud security alone. There needs to be buy-in from all departments to ensure custom applications have cybersecurity embedded from the start, and that employees continue to use them in ways that won't put corporate data at risk."

Last week, Skyhigh Networks SVP of products and marketing, Kamal Shah, announced in a blog post, "Skyhigh will pioneer this next phase of the cloud security market with Skyhigh for Custom Apps and Skyhigh for Amazon Web Services, Microsoft Azure, and Google Cloud Platform."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.