Navigating a new approach for securing applications
How employees use applications for work is changing. In the wake of COVID-19, the shift to remote work and rapid digitization empowered people to work however they wanted. Left to their own devices, employees started using the applications they preferred, instead of the applications approved by their employers. As a result, employers saw an increase in productivity, but they also saw an increase in cyberattacks targeting applications.
Today, securing cloud-based applications is more critical, yet more challenging, than ever before. For applications that support security standards, securing them is a relatively painless process–but not every application meets these criteria.
In fact, some of the most common applications today are simply “unmanageable.” Without industry or security standards to support them, unmanageable applications create a host of new problems for organizations, including misinformation, data breaches, and fraud.
In response, many employers attempt to block these applications, even though their employees don't want anything to change. As a result, many employees are still using their preferred applications for work, even if prohibited by their employer.
Behaviors on employee application choice have permanently shifted–whether employers like it or not. As a new generation of professionals gains their footing, and an even newer generation enters the workforce, a new mindset around application choice is emerging.
At Cerby, we’re calling this phenomenon the “COVID hangover.” To navigate this new landscape, we believe that organizations need a new approach for securing cloud-based applications in a post-COVID-19 world.
We were curious about what a new solution for application security looks like, so we partnered with Osterman Research to find out. Together, we spoke with over 500 business professionals across the US and UK to determine how employers should approach this new normal from a technology perspective.
What is the COVID hangover?
It started with the shift to remote work when organizations had to adopt a “do whatever it takes” approach to stay productive. Once limited by legacy applications and office networks, employees suddenly had more freedom than ever before. For the first time, they could choose where, when, and how they worked.
At the same time, responses to COVID-19, including the shift to remote work, sped up digitization in almost every industry. Most organizations simply weren’t prepared for the transition when their employees started working from home–but threat actors were.
The pandemic created new, seemingly endless opportunities for cybercriminals with real repercussions for their targets. Year after year, the average cost of a data breach keeps going up – in 2022, it's $4.35 million USD.
Included in that sum are regulatory compliance fines, costs from operational downtime, and reputational damages. For organizations where remote work is a factor, the cost of a data breach can be even higher–almost USD$1 million more.
In response to these unprecedented risks, many organizations opted to double down on enforcement-based approaches to cybersecurity–approaches that, for example, establish policies on which applications employees can and cannot use for work. But enforcement-based controls often take a heavy-handed approach to security, blocking users from the apps they prefer with impersonal prompts to contact an administrator to keep using them.
Enforcement-based approaches to unmanageable applications are also popular, according to our research: 78% of employers have policies on applications, and 61% of employees have had applications blocked. The research also reveals that employees often view application bans as undermining trust and killing job satisfaction.
People don’t want to give up control of their applications. In fact, 92% of employees and managers want full control over the applications they use for work, including the right of selection without the threat of veto by their employer. But many employees and managers also report they will continue to use the applications they want, with or without employer approval.
In the midst of the COVID hangover, managing applications is becoming more challenging for businesses, yet increasingly critical for success. Unfortunately, many of these applications fall into the “unmanageable” category.
What are unmanageable applications?
Whether it’s FinTech apps, MarTech apps, or social media apps–unmanageable applications help businesses meet their goals. Many organizations openly recognize the benefits of unmanageable applications, and some even allow their employees to use them. But as the name suggests, managing unmanageable applications isn’t easy to scale.
Unlike Shadow IT–a term that includes any applications used outside the purview of IT and security–unmanageable applications are applications that don’t support industry and security standards like Security Assertion Markup Language (SAML) for authentication, and the System for Cross-domain Identity Management (SCIM) for user management.
- SAML: enables users to access multiple applications with one set of login credentials (e.g., single sign-on (SSO)).
- SCIM: makes it easier to manage user identities in cloud-based applications and services by reducing the complexity of user management operations.
Today, taking reasonable steps to protect your organization’s reputation, financial, and legal best interests includes securing cloud-based applications, even if they’re unmanageable. For most organizations, that looks like:
- Setting and enforcing application controls
- Hardening cloud applications
- Restricting administrative privileges
- Using two-factor authentication (2FA)
Even if your organization has a comprehensive application management program in place, there will always be ways around it. But giving employees complete control over their applications isn’t the answer either.
Existing approaches to unmanageable applications
- Policies and prohibitions: Although they’re intended to restrict the use of unmanageable applications, policies and prohibitions often don’t work. However, they do have some impact–more than half of the employees surveyed said they’ve had an application they wanted to use for work disallowed. But application bans and blocks also interfere with employee autonomy, and they undermine trust–both of which can negatively affect job satisfaction and performance.
- Security Service Edge (SSE/SASE): SSEs are a collection of capabilities that enable safe access to websites, SaaS applications, and private applications. More specifically, this includes Zero Trust Network Access, cloud secure web gateway, Cloud Access Security Broker (CASB), and Firewall-as-a-Service. Together, these security technologies help organizations provide employees, trusted partners, and contractors with secure remote access to applications, as well as monitor and track behavior.
- Cloud Access Security Brokers (CASBs): CASB tools are usually operated on-premises or as cloud-based software sitting between users and applications, monitoring activity and enforcing security policies. These are great for discovery on the network, but most employees are using applications off-network. CASBs typically offer very limited security controls for unmanageable applications and generally focus on standards-based integrations.
- Password managers: LastPass, 1Password, and Dashlane are all password managers–programs that allow users to store, generate, and manage their passwords for a myriad of applications, websites, systems, and software. Password managers are great for single users, but many teams share access to applications. For platforms like Twitter, Facebook, and many financial applications, many teams resort to managing passwords manually. However, manual methods for managing passwords are often both insecure and inefficient.
Heavy-handed approaches to cybersecurity generally end up blocking key applications and killing productivity. And they don’t necessarily work, either. Our research shows that 51% of employees will still use applications for work, despite company policies or prohibitions.
There’s an obvious gap between employers’ perception of control over apps, and the reality of the employees using them. As hard as it may be to admit, companies ignore this trend at their own peril.
To learn more about the pros and cons of existing management methods for unmanageable applications, check out this blog post from Cerby’s Chief Trust Officer, Matt Chiodi.
The reality of managing unmanageable applications
At Cerby, we were curious about how organizations actually manage access to unmanageable applications in a post-COVID-19 world, without support for common identity and security standards.
Most surprisingly, we found that 42% of employees are responsible for managing their own passwords. We also found that most employees and managers are making access management up as they go along, without uniformity or consistency. This mishmash of approaches is creating untold risk and exposure for organizations and their data–there’s a reason password compromise is one of the most popular methods of cyberattack.
- Employees need a secure way to store and manage login credentials for a variety of applications, systems, and accounts. According to our research, 12% of employees store passwords on sticky notes, which is concerning.
- Employees need a secure way to share login credentials with other people, including people inside and outside the organization (e.g., stakeholders, third parties, partners, etc.). Even with a password manager, there are major gaps when it comes to collaboration and sharing in these programs.
It’s understandable why employers crack down on certain applications. However, as a long-term, comprehensive solution, this approach isn’t sustainable. The fact is, employees want control over their applications, and they’re willing to do almost anything to keep it.
How to manage unmanageable applications
Managing unmanageable applications is challenging given their lack of support for standards. Here are a few things your organization should be focused on building to make them more secure:
- Enforce strong passwords: Make sure employees have a secure way to store, rotate, manage, and share passwords. This isn’t always easy to do, especially when employees are working remotely and on an honor-code basis. According to our research, only 16% of employees change passwords regularly without being prompted. If policies and prohibitions around applications aren’t working, then policies around passwords probably aren’t working either. This needs to be automated.
- Enable 2FA: Two-factor authentication is a common control for putting safeguards on digital identities. The good news is, 42% of employees surveyed already love using 2FA. The bad news is, 2FA also introduces friction into the user’s workflow, which is probably why only 42% of employees love using it. Where unmanageable applications are concerned, 2FA must be manually enabled, and can often be disabled by any user. Building a system that can provision and monitor 2FA enforcement for unmanageable applications is critical.
- Track activity: Have you ever tried to track user activity across applications that aren’t tied into your identity provider? Spoiler alert: it isn’t easy. Organizations need a way to individualize and track user activity, even when multiple users are using the same account (often the case with corporate social media platforms such as Twitter and Facebook). When applications are managed individually and don’t support industry standards like SAML and SCIM, activity reporting can be even more challenging. Ideally, you should be able to centralize access logging and make it available for further analysis on Security Information and Event Management (SIEM) platforms.
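The three controls above can be monitored with a small amount of automation even when the application offers no SAML or SCIM hooks. The following is an added example, not Cerby’s code or any product’s API: it keeps a constructed inventory of shared accounts (whether 2FA is on, when the password was last set) and a constructed list of “checkout” events that tie each use of a shared account to a named employee, then flags rotation and 2FA gaps and emits per-individual JSON lines suitable for forwarding to a SIEM. Account names, users and timestamps are all made up.

```python
"""Added example: posture checks and per-individual audit events for shared
accounts on applications without SAML/SCIM support (constructed data)."""
import json
from datetime import date

# Constructed inventory of shared accounts on "unmanageable" apps.
# In practice this would be filled by whatever system holds the credentials.
ACCOUNTS = {
    "twitter:@acme":  {"mfa_enabled": False, "password_set": date(2022, 1, 10)},
    "brex:finance":   {"mfa_enabled": True,  "password_set": date(2022, 9, 1)},
}

# Constructed checkout log: every use of a shared account is attributed to the
# employee who checked it out, so the shared login never hides who acted.
CHECKOUTS = [
    {"account": "twitter:@acme", "user": "alice@example.com", "action": "post",   "ts": "2022-10-03T09:12:00Z"},
    {"account": "twitter:@acme", "user": "bob@example.com",   "action": "dm",     "ts": "2022-10-03T10:40:00Z"},
    {"account": "brex:finance",  "user": "carol@example.com", "action": "export", "ts": "2022-10-03T11:05:00Z"},
]


def posture_findings(accounts, today, max_age_days=90):
    """One finding per control gap: 2FA disabled, or password older than the rotation window."""
    findings = []
    for name, acct in accounts.items():
        if not acct["mfa_enabled"]:
            findings.append({"account": name, "control": "2fa", "status": "disabled"})
        age_days = (today - acct["password_set"]).days
        if age_days > max_age_days:
            findings.append({"account": name, "control": "password_rotation",
                             "status": f"stale:{age_days}d"})
    return findings


def siem_events(checkouts, accounts):
    """JSON lines with the individual as the actor; unknown accounts are tagged for triage."""
    lines = []
    for c in checkouts:
        event = {"ts": c["ts"], "actor": c["user"], "shared_account": c["account"],
                 "action": c["action"], "inventoried": c["account"] in accounts}
        lines.append(json.dumps(event, sort_keys=True))
    return lines


def activity_by_user(checkouts):
    """Per-employee action counts, the view a shared login alone cannot give you."""
    counts = {}
    for c in checkouts:
        counts[c["user"]] = counts.get(c["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in posture_findings(ACCOUNTS, date(2022, 10, 3)):
        print("FINDING", f)
    print("\n".join(siem_events(CHECKOUTS, ACCOUNTS)))
```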
This list might seem short and sweet, but in reality, the manual tasks associated with each of these responsibilities are tedious and time consuming–a deadly combination that creates inefficiencies and vulnerabilities for organizations, and demoralizes teams.
So, what’s the alternative?
The best approach is to look for solutions that strike a balance between employee choice with applications and employer responsibilities with security and compliance.
The ideal unmanageable application management solution should:
- Detect unmanageable applications in use that were neither provisioned by IT nor secured by the security team.
- Protect against breaches by automatically correcting security misconfigurations.
- Empower end-users to choose the best applications for getting their work done.
- Report activity with a detailed log at the individual level–even when users share the same account.
- Streamline processes by automating manual workflows like provisioning and enabling 2FA.
Adopting an enrollment-based approach
Enrollment-based options are user-centric and employee-friendly: your employees can self-enroll applications in a single security solution that automates manual tasks such as rotating passwords, enabling 2FA, and tracking user activity.
When employees understand that application choice comes with responsibility, security becomes everyone’s concern. When registering employee-chosen applications is easy, those same employees who resent company-wide policies on applications become willing participants in strengthening security and ensuring compliance.
Discover a new approach for unmanageable applications
Organizations must find a new approach for identifying unmanageable applications and assessing their risk before they lead to cyberattacks, misinformation, or fraud. However, adopting a new approach can often feel like starting from scratch, especially when most of the tasks are manual.
Fortunately, there are emerging solutions that can help. At Cerby, we’ve created the first security platform for unmanageable applications.
- Use any application you want, and stay secure. Unlike using spreadsheets or password managers, we make managing access, including employee and third-party accounts, easy for your organization. Perhaps the biggest difference-maker in our platform is that we help you assess risk in your unmanageable applications before they turn into breaches, versus doing post-breach incident response.
- Crowdsource the discovery of unmanageable applications. Empower employees to register applications themselves, and remove the burden of finding risky applications from IT and security teams. With Cerby, your organization can even review applications registered by users to understand who is using which application and in what way.
- Assess the risk of connected applications. Our platform vigilantly watches over your applications for some of the most common misconfigurations leading to data breaches. Defined, tested, and documented integrations between Cerby and your existing applications will help you streamline productivity and security workflows across any applications, all in a centralized platform.
- Automate and streamline access management. Using robotic process automation, Cerby automates and streamlines access management in a single UI. With Cerby, if an employee is already logged in with an identity provider like Okta or Azure AD, they can easily access applications that don’t support SSO, like Facebook, Twitter, Brex, and more. And removing access is easy with automated access removal. Cerby also automates password rotation and can add role-based access control to any application where it doesn’t natively exist.
We’ve heard the same story from many of our customers: before Cerby, they were managing unmanageable applications manually. Since we released our platform in 2021, Cerby’s software has enabled clients including L’Oreal, Wizeline, and FOX to fix common application liabilities efficiently while facilitating collaboration.