This content is part of the Essential Guide: Secure cloud computing requires key skills, knowledge of tools

Conference Coverage

Browse Sections

CSA: Custom applications creating new 'shadow cloud computing' risks

The Cloud Security Alliance unveiled new research at RSA Conference 2017 that shows custom enterprise applications are creating shadow cloud computing risks for organizations.

SAN FRANCISCO -- Commercial software-as-a-service applications aren't the only source of shadow cloud computing woes, according to new research from the Cloud Security Alliance.

CSA's report, titled "Custom Applications and IaaS Trends 2017," was unveiled Monday at RSA Conference 2017, and it shows enterprises deploying a growing number of custom applications and moving them to the public cloud, but IT security teams are only aware of a fraction of those apps. Custom software programs that are unknown to IT departments are considered shadow cloud computing applications.

The report was conducted in partnership with Skyhigh Networks, a cloud access security broker headquartered in Campbell, Calif., and surveyed more than 300 IT professionals directly involved in developing, deploying and securing custom enterprise applications. According to the report, the average organization has 464 custom enterprise applications deployed, but IT security departments are aware of just 38.4% of the applications.

The CSA report also showed more than 20% of custom enterprise applications currently deployed in on-premises data centers will move to the public cloud in the next 12 months. In addition, the number of custom apps deployed in the data center, which is currently at 60.9%, is expected to fall to 46.2% over the next year, as public cloud adoption increases, according to the report.

While much of the attention around shadow cloud computing services has previously been focused on commercial third-party apps and services, such as Google Docs, Office 365 and Dropbox, the report claimed, "There is now a sizeable number of 'shadow' applications developed internally that IT security is not aware of or involved in securing."

While IaaS providers offer secure platforms, we see the majority of cloud customers lack the tools and expertise to protect applications they develop and deploy in the public cloud.
Jim ReavisCEO, Cloud Security Alliance

Kamal Shah, senior vice president of products and marketing at Skyhigh, said custom application development is often done within specific departments. This contributes to the shadow cloud computing problem, he said, because it's a challenge for IT security teams to track each custom app and where it's being deployed. "You have lines of business doing things on their own and developing apps for a competitive advantage," he said. "Virtually every company is leveraging their own custom software today."

Shah also said cloud instances can be quickly created for development and testing environments for custom enterprise applications, which could lead to even more apps being developed and deployed in the cloud. "I think it's partially true that custom application development has been made easier with the public cloud," he said. "So, if anything, the number of custom applications is going to keep increasing."

"Companies need the scale and agility of cloud environments to stay competitive in the digital economy, but leaving the data center exposes applications to new threats and vectors of risk," said CSA CEO Jim Reavis in a statement. "While IaaS [infrastructure-as-a-service] providers offer secure platforms, we see the majority of cloud customers lack the tools and expertise to protect applications they develop and deploy in the public cloud."

Next Steps

Read why RSA Conference 2017 will focus on internet-of-things security

Find out which companies are nominated for RSA Conference's Innovation Sandbox

Learn more on how cloud access security brokers are deployed by enterprises

Dig Deeper on Public Cloud Computing Security