Your enterprise IT landscape has changed. As businesses have rapidly shifted to a browser-based, web application-intensive IT environment, IT management challenges have multiplied. The different architecture of web applications, when compared with native Windows applications, is a key driver of these challenges. The open and dynamic nature of this new IT landscape has increased security threats, and the complexities of the environment make it easy for your organization to unknowingly sacrifice efficiency, resulting in wasted money.
Gone are the days when most business applications existed in the bubble of a client/server environment. The new IT landscape comes with web-based applications that have open, versatile, and dynamic architectures. While the functionality of these applications seems almost limitless, many companies are finding the security threats to their IT environment are compounding. Let’s take a look at the top 5 security threats that are common in most modern IT environments.
Java is now the second biggest security vulnerability after Adobe’s Flash plug-in. Look at the number of security fixes over the past few years. There are even 30 so far in 2016 alone! Miss an update and you are opening up a security vulnerability. It is typical to see organizations push for IT agility to support revenue growth. At times this means serious risks are taken by running old versions of Java. IT may look to comply by setting some target to eliminate Java, or a target to always be on the latest version, but CIOs will admit these are major and lengthy undertakings.
Built into Windows and often required for compatibility, legacy ActiveX controls can be targeted for cyberattack. These legacy components risk IT security and are very tricky to manage. This problem got so bad that back in 2008, the US Computer Emergency Readiness Team called for organizations to disable ActiveX. While heeding this call would mitigate the security risk, ActiveX remains – in 2016 – a core component of enterprise web applications.
According to Symantec’s 2015 Internet Security Threat Report, an all-time high of 24 zero-day vulnerabilities were discovered in 2014. Other research published at the ACM Computer and Communications Security Conferences shows the typical attack lasts an average of 312 days. And, according to Computerworld, it costs only $90,000 for a hacker to buy a vulnerability that could cost your company millions. With zero-day exploits at an all-time high, and the vast majority of your line-of-business applications running in the browser, your company could be exposed to a threat. Unless you have a strategy to address a zero-day exploit, you could face the shut-down of IT services in your enterprise.
Old and unused software creates an unnecessary attack surface in your browser environment. As early as 2010, TechAdvisory.org stated:
“If you have old or unused programs, or have software that hasn’t been updated in a while, you are running the risk of hackers exploiting these vulnerabilities and infiltrating your system.”
In an effort to maintain compatibility, old, unused software is often kept as a ‘temporary’ workaround to keep legacy software working. These workarounds are often forgotten and unintentionally increase your IT attack surface. The ability to get a full inventory of software usage can help you determine what software needs to be eliminated to reduce your company’s IT attack surface.
Audits – it’s not a question of if, but rather when you’ll need to be ready for an audit. In a Computerworld article, Forrester stated that only 2 of the 41 IT executives surveyed said they had seen a decrease in the number of audits conducted at their companies during the previous 12 months. In addition, a 2016 Intel News Room article cited research reporting that 72% of respondents list compliance as the primary concern across all types of cloud deployments. However, other research showed 77% of executives were in the dark: they did not know if their organization stored sensitive data in the cloud. With all of the sensitive information your company handles, real-time knowledge about the activity of your browser environment can make compliance and verification readiness much easier.
The topic of shadow IT appears to be top of mind for many these days. Shadow IT represents a huge blind spot to a very large amount of organization data and business workflows, which creates security risk and a disconnect between user expectation and IT reality.
In a 2016 Intel survey, 58% of respondents stated that shadow IT has a negative impact on IT’s ability to keep cloud services secure. While this may not be a surprise, a 2015 Cisco survey of CIOs determined there is an estimated average of 51 cloud services running in each of their organizations. However, Cisco determined that based on data analysis the number is closer to 730.
Today, browser-based applications, with their dynamic and complex architecture, dominate the enterprise IT landscape. They are made of diverse and disparate building blocks that can be assembled in nearly any order or pattern. While this new IT landscape offers a great user experience, your organization faces the challenging task of tracking and managing all of these components and interdependencies. Without proper data, analytics, and control, your organization risks efficiency, productivity, and financial resources, all of which impact your bottom line. Your modern IT landscape brings with it 5 hidden financial risks to your company’s IT budget. Let’s take a look at them.
An accurate application inventory is essential for new OS deployments. According to Gartner: “Companies must obtain a detailed inventory of the user environments, including hardware, software and processes.” And it’s not just needed for deployments: the explosion of web-based applications, with their add-on components and interdependencies, makes collecting detailed inventory information even more important to smoothly operate your IT environment.
Collecting browser inventory and usage stats is prohibitively expensive if done manually, not to mention time consuming. One large enterprise Browsium customer estimated that a manual inventory of browser-based applications, Java and ActiveX dependencies, and all cloud-based or SaaS services would take 4 people working 6 months to complete. Doing the math, if you paid each staff member $160K per year, that would total an expense of $320K. And the worst part was that once they completed the inventory, it would quickly be obsolete, given the ease and speed at which web applications can be deployed.
The new IT landscape makes it easier to add applications, but this also makes it more challenging to manage all of these software assets. One Gartner research model shows, between 2000 and 2010, about 4% of applications in an organization were retired or users stopped using them each year. Today, with the rapid pace of innovation, the rate is likely to be much higher.
If undetected, those obsolete applications will be used as the basis for software procurement and support planning. Doing the math, it can quickly get very expensive without the ability to properly analyze and address software usage. Using the 4% turnover rate from Gartner, an organization spending $100M on software assets could be wasting about $4M a year.
Money is lost if end-user productivity stalls. This includes anything that distracts employees from doing their job such as: broken applications, help desk calls, social media, and shopping during the work day.
According to Computerworld, 41% of organizations reporting an increase in help desk calls attribute the uptick to infrastructure or product changes, upgrades, or conversions. When employees can’t do their jobs because of an IT outage, the company’s bottom line suffers. How would you like to face the executive staff at your company to explain why you took down an entire department by releasing a patch without first testing their critical applications (because you didn’t even know what web applications were being used)?
The study “Facebook use cuts productivity at work,” cited in Computerworld, found that companies that allow employees to access Facebook lose an average of 1.5% in total employee productivity. That statistic does not include online shopping and other social media use.
Much like you can’t avoid death or taxes, patching, testing, and bug fixing are a fact of life in the enterprise. And your company’s security depends on it. In 2016 alone there have already been at least 30 Java security fixes, and history tells us the pace will continue. Keeping up with the quarterly Java releases is very expensive. One pharmaceutical customer reported it costs them $2M per year just to regression test for Java patches alone. The risk of deploying updates without full testing is too great – your business could suffer losses well in excess of the cost of regression testing. It’s not sustainable to spend that sum of money supporting all of the add-ons and extensions involved with the multitude of web applications used in most companies.
If you’re like most IT departments, you likely have unnecessary hardware or cloud services your organization is paying for, but not utilizing. After all, unless you have accurate real-time browser usage data, it’s nearly impossible to ensure you’re hosting only necessary applications.
According to a McAfee study, 1,200 global IT executives state that 80% of their budgets will go to cloud computing services within the year. But there is good news. A Gartner study states “eliminating poorly utilized hardware and software associated with older, seldom-used applications can reduce the IT budget by as much as 20%”. The key is understanding web application usage.
Elasticity is one of the core values cloud computing can offer. You also need usage data to know how your organization uses the browser-based applications you have in order to effectively migrate to the cloud.