Application inventory software has long been a staple in all but the smallest organizations. Such software allows administrators to keep track of the applications that the organization is using in an effort to ensure software license and security compliance.
The decentralized nature of cloud applications means that application subscriptions can easily spiral out of control.
At first the concept of application inventory tracking might seem a bit outdated when it comes to cloud applications. After all, cloud applications are usually subscription-based. This means that the concept of ensuring license compliance often becomes obsolete. This does not, however, eliminate the need for inventory tracking. The cloud simply changes the way that inventories should be compiled and managed, as well as the reasons for compiling cloud software inventories.
Inventorying cloud applications: Security
When it comes to inventorying cloud applications, the goal must shift from ensuring license compliance to controlling costs and ensuring security.
Security is one of the most commonly overlooked reasons for compiling cloud-based application inventories. It's crucial for administrators to know what applications users are using before verifying that those applications are secure, hence the need for a cloud application inventory. However, the security aspects of a cloud application inventory go much deeper than that.
Some cloud-based applications offer very little in the way of configurable security settings, but others offer a plethora of them. Having a cloud application inventory makes it possible to identify those applications that have configurable security. Administrators can then make it a point to verify (and reconfigure if necessary) the security settings within those applications.
Having an inventory of cloud applications can be especially important for organizations in regulated industries. Health care organizations, for example, are required by the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected electronic health data is stored and accessed in a secure manner. If an organization uses cloud applications to access this protected data, then the organization is responsible for making sure that the cloud application is HIPAA-compliant. Depending on the nature of the cloud application, the organization might also be responsible for disclosing the application's use in their compliance documentation.
Sometimes cloud applications can present a direct threat to an organization's security. There have been numerous examples over the last few years of cloud applications that track online activity or contain some form of spyware. The best protection against these types of cloud applications is a strong policy stating that cloud applications must be authorized by the IT department before they can be used. Of course, such a policy does little to protect an organization in which individual departments have already subscribed to various cloud applications. A centralized cloud application inventory can help determine the cloud applications that are currently being used. That way, organizations can research the various applications to determine if any serious vulnerabilities exist.
Building a cloud application inventory
At the moment, there doesn't seem to be an application that is specifically designed to compile cloud application inventory reports. That being the case, organizations are likely to have to adapt the way they use their existing license-metering software so that they can begin tracking cloud application usage. Although this approach might at first seem to be less than desirable, there is a silver lining. Using a single application inventory application for both cloud and on-premises applications means having all software inventory data in a centralized location.
From the editor: More on cloud application security
Cloud application security: Top issues and considerations
Security ramifications of migrating legacy apps to the cloud
There are some key differences between inventorying cloud applications and on-premises applications, and these differences may affect the way that an organization compiles its software inventory. The most significant difference is that the application inventory software will not be able to automatically detect cloud applications. This shouldn't be a problem so long as the application inventory software allows application data to be entered manually.
However, several of the software inventory applications on the market are designed to periodically scan network endpoints for software that has been installed, and do not support manual data entry. This may be a huge problem for owners of these products wishing to compile an inventory of cloud applications, since cloud applications do not actually get installed onto network endpoints.
Another challenge that administrators are likely to encounter is that traditional software inventory applications are designed to automatically track software usage and compile license counts. However, such an application would have no way of being able to tell how many users are using a cloud application or if all cloud applications have been accounted for. Once again, it is going to be up to the administrator to manually keep this information up to date.
Putting your inventory to work
For the time being, maintaining an inventory of cloud applications is largely a manual process. Even so, compiling and maintaining such an inventory may be a worthwhile endeavor in spite of the administrative burden because the inventory can be used to help in managing application security controls.
One way that such an inventory might be used is in making sure that no unauthorized cloud applications are being used. Many software inventory applications allow administrators to compile a "forbidden software" list. In the case of cloud applications, this list might contain applications that are known to contain spyware or that have documented weaknesses that are known to violate the organization's security policies. It can be tough to remember all of the applications that have been forbidden, but a good software inventory application can compare the cloud applications that are being used against a list of forbidden cloud applications and alert an administrator to any violations.
Another way in which an inventory can be used to enhance security is through usage tracking. Most organizations use a separate tool to track the websites that users visit. Internet usage reports can be periodically cross-referenced with cloud application inventory reports to determine which cloud applications are being actively used. This is extremely important from a security standpoint, because so many cloud applications store data on cloud servers. If data shows that any particular cloud application is no longer being used, then the organization's application support team can be brought in to extract the application's data and cancel the cloud subscription in an effort to reduce chances that the data will accidentally be exposed or exfiltrated by attackers going after the cloud provider.
The decentralized nature of cloud applications means that application subscriptions can easily spiral out of control. When subscribing to a new cloud application, it is a good idea to make detailed notes about who requested the subscription, who needs access and what the subscription is being used for. Having this information on hand will make it a lot easier to periodically audit the cloud application inventory and ensure that the cloud applications that the organization subscribes to are still being used.
More importantly, cloud application inventories can be used to ensure that the organization's data remains secure. Having a centralized inventory of cloud applications allows the IT staff to periodically check to make sure that cloud applications continue to be configured and used securely.
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as chief information officer for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox.
This was first published in March 2013