How Your Employees Are Expanding the Attack Surface
The security of the enterprise has been dramatically disrupted due to hybrid and work-from-home (WFH) environments. Security teams are struggling to grasp the scope of their organizations’ devices, tools, and apps as employees download, log in, and use their preferred software and shortcuts from their home offices.
Just a few years ago, the concern was the use of SaaS applications and other hosted services that enabled anyone in an organization to buy apps and position potentially valuable data outside the view of security. The idea of an employee from marketing or accounting developing and deploying their own applications was inconceivable. But not anymore.
Employees across the organization are now empowered by low-code development tools. Anyone can create an enterprise-class application without writing any code at all. In fact, Gartner predicts that 70% of new applications will be developed with low-code or no-code technologies — up from less than 25% in 2020.
Not surprisingly, governance has risen from important to critical. In this era of employee empowerment, documentation and evidence of controls are paramount. How do you govern what is not only beyond your control but unknown?
For instance, preparing for compliance audits (GDPR, PCI, HIPAA, CCPA, SOX, etc.) requires a massive amount of resources to document how data flows through applications. Even determining the scope of an audit – which applications have access to regulated data – requires significant manual collection of information from developers: sending questionnaires, holding meetings, and sifting through code and configuration. This process was never efficient or comprehensive, and it is particularly intense today given the explosion of low code/no code development.
The use of third-party apps introduces additional complexity. For instance, an employee has a favorite app, say a stock tracker, and they connect that app to their Microsoft Office instance. The OAuth 2.0 mechanism makes this so easy that employees use it with little or no consideration for security: it is a seamless process that lets the employee verify their identity and grant permissions to the app in a few clicks. Once the grant is complete, the app is allowed to execute code and perform logic within its environment behind the scenes. From a security and risk perspective, connecting that stock tracker app to the enterprise environment further expands the organization’s external attack surface, and if the app has an executable within it, this can introduce additional security risk to the organization.
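The consent grants described above are data a security team can actually review. The following is an added example, not IONIX's code or any vendor tooling: it takes a list of third-party OAuth consent grants and flags the ones that deserve attention. The grant records are constructed; the scope strings are Microsoft Graph delegated permission names, the app and publisher details are invented, and the risk thresholds (which scopes count as high or medium risk, how tenant-wide consent and `offline_access` are weighted) are illustrative assumptions rather than any standard.

```python
"""Review third-party OAuth consent grants and rank them by risk.

Added example, not IONIX's code. The grant records below are constructed to
resemble delegated-permission consents exported from an identity provider.
Scope names are Microsoft Graph permission names; app names are invented.
"""
from dataclasses import dataclass, field

# Assumed classification: scopes that let an app write or send on the user's behalf,
# or reach across the whole tenant, versus read-only access to personal data.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Sites.ReadWrite.All",
}
MEDIUM_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Contacts.Read", "Calendars.Read"}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    consent_type: str          # "AllPrincipals" = admin, tenant-wide; "Principal" = one user
    scopes: list[str]


@dataclass
class Finding:
    app_name: str
    risk: str
    reasons: list[str] = field(default_factory=list)


def assess_grant(grant: ConsentGrant) -> Finding:
    """Classify one consent grant as high, medium or low risk with the reasons."""
    reasons: list[str] = []
    high = sorted(set(grant.scopes) & HIGH_RISK_SCOPES)
    medium = sorted(set(grant.scopes) & MEDIUM_RISK_SCOPES)
    persistent = "offline_access" in grant.scopes      # refresh token: access outlives the session
    tenant_wide = grant.consent_type == "AllPrincipals"

    if high:
        reasons.append("write/send scopes: " + ", ".join(high))
    if medium:
        reasons.append("read scopes on personal data: " + ", ".join(medium))
    if persistent:
        reasons.append("offline_access keeps access alive without the user present")
    if tenant_wide:
        reasons.append("consent applies to every user in the tenant")
    if not grant.publisher_verified:
        reasons.append("publisher is not verified")

    # Assumed tiering: any write scope, or personal-data read scopes granted
    # tenant-wide, is high; read scopes or a persistent unverified app is medium.
    if high or (medium and tenant_wide):
        risk = "high"
    elif medium or (persistent and not grant.publisher_verified):
        risk = "medium"
    else:
        risk = "low"
    return Finding(grant.app_name, risk, reasons)


def review_grants(grants: list[ConsentGrant]) -> list[Finding]:
    """Assess every grant and return findings with the riskiest first."""
    return sorted((assess_grant(g) for g in grants), key=lambda f: RISK_ORDER[f.risk])


# Constructed sample export: the page's stock tracker plus a few other typical apps.
SAMPLE_GRANTS = [
    ConsentGrant("Stock Tracker", False, "Principal", ["User.Read", "offline_access"]),
    ConsentGrant("Inbox Summarizer", True, "Principal", ["Mail.ReadWrite", "offline_access"]),
    ConsentGrant("Calendar Widget", True, "AllPrincipals", ["Calendars.Read"]),
    ConsentGrant("Profile Badge", True, "Principal", ["User.Read"]),
]

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(f"[{finding.risk.upper():6}] {finding.app_name}")
        for reason in finding.reasons:
            print(f"         - {reason}")
```

The point of the tiering is that the raw scope list alone does not tell the story: a read-only scope becomes a tenant-wide exposure when an administrator consents for everyone, and a harmless-looking app with `offline_access` retains a refresh token long after the employee has forgotten about it. A real review would feed this logic with the tenant's actual consent export and revoke or re-scope the findings at the top of the list.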
While WFH, low code/no code development, and third-party apps are, in many ways, moving businesses forward by making them more efficient and more competitive, these efficiencies introduce significant challenges related to security and risk as the threat surface explodes.
Every asset customers and employees access when interacting with the company online expands the external attack surface. This creates an ever-growing, tangled web of ‘digital baggage’, which is often unknown to and unmanaged by IT and security teams. As the enterprise’s external attack surface continues to expand – from internet-exposed assets across a web of connections – it is increasingly unknown, uncontrolled, exposed, and vulnerable.
The only way to regain control is to get complete visibility over your entire external attack surface. That requires continuous discovery and vulnerability assessment of all external-facing assets, connections, and third-party platform dependencies. Only with a comprehensive, up-to-date, prioritized, and actionable inventory of assets and services and their potential vulnerabilities can security teams have a clear idea of the actions that should be taken to resolve them before they can be exploited.
Request a demo today and learn how IONIX can help.