RSA 2017: Special conference coverage
Reporting and analysis from IT events
SAN FRANCISCO -- Commercial software-as-a-service applications aren't the only source of shadow cloud woes, according to new research from the Cloud Security Alliance.
CSA's report, titled "Custom Applications and IaaS Trends 2017," was unveiled Monday at RSA Conference 2017, and it shows enterprises deploying a growing number of custom applications and moving them to the public cloud, but IT security teams are only aware of a fraction of those apps. Custom software programs that are unknown to IT departments are considered shadow cloud applications.
The report was conducted in partnership with Skyhigh Networks, a cloud access security broker headquartered in Campbell, Calif., and surveyed more than 300 IT professionals directly involved in developing, deploying and securing custom enterprise applications. According to the report, the average organization has 464 custom enterprise applications deployed, but IT security departments are aware of just 38.4% of the applications.
The CSA report also showed more than 20% of custom enterprise applications currently deployed in on-premises data centers will move to the public cloud in the next 12 months. In addition, the number of custom apps deployed in the data center, which is currently at 60.9%, is expected to fall to 46.2% over the next year, as public cloud adoption increases, according to the report.
While much of the attention around shadow cloud services has previously been focused on commercial third-party apps and services, such as Google Docs, Office 365 and Dropbox, the report claimed, "There is now a sizeable number of 'shadow' applications developed internally that IT security is not aware of or involved in securing."
Jim ReavisCEO, Cloud Security Alliance
Kamal Shah, senior vice president of products and marketing at Skyhigh, said custom application development is often done within specific departments. This contributes to the shadow cloud problem, he said, because it's a challenge for IT security teams to track each custom app and where it's being deployed. "You have lines of business doing things on their own and developing apps for a competitive advantage," he said. "Virtually every company is leveraging their own custom software today."
Shah also said cloud instances can be quickly created for development and testing environments for custom enterprise applications, which could lead to even more apps being developed and deployed in the cloud. "I think it's partially true that custom application development has been made easier with the public cloud," he said. "So, if anything, the number of custom applications is going to keep increasing."
"Companies need the scale and agility of cloud environments to stay competitive in the digital economy, but leaving the data center exposes applications to new threats and vectors of risk," said CSA CEO Jim Reavis in a statement. "While IaaS [infrastructure-as-a-service] providers offer secure platforms, we see the majority of cloud customers lack the tools and expertise to protect applications they develop and deploy in the public cloud."
Read why RSA Conference 2017 will focus on internet-of-things security
Find out which companies are nominated for RSA Conference's Innovation Sandbox
Learn more on how cloud access security brokers are deployed by enterprises