Why You Need An Application Inventory
Many of the companies we spoke to told us that, with multiple business lines and a workforce distributed across the globe, their applications are strewn around the enterprise and difficult to keep track of. Some maintain the application list locally within business units or physical sites, others store it in their CMDB (often awkwardly, since CMDBs typically have no native support for this purpose), and a few have tried to manage it in a running spreadsheet. As a result, they often lack confidence that they have a truly comprehensive list of applications, let alone detailed information about each application's characteristics to help uncover compliance and security gaps.
To manage and maintain an identity-first security program effectively, however, you need an up-to-date inventory of applications, ideally covering all of them, with particular attention to those subject to compliance and security requirements. Several regulations also require you to produce a list of your applications, so a comprehensive inventory doubles as attestation evidence.
What Does An Application Inventory Include
If you consider the applications you have, you can sort them into three buckets:
- Known knowns - the applications you know about and whose identity controls are in place.
- Known unknowns - the applications you are aware of but have deliberately not prioritized for assessment of their identity controls.
- Unknown unknowns - the applications that are completely off your radar, so their identity controls are unknown too.
Considering these buckets, you first need to make sure that your inventory includes all three.
Your “known knowns” may be SaaS applications used by all business units, across the globe.
“Known unknowns” may be custom-developed apps, legacy applications, or those acquired during mergers and acquisitions.
What about “unknown unknowns”? These are often self-hosted (non-SaaS) applications. Finding them is challenging, because self-hosted applications can reside on any company-managed host: on-premises data centers, private clouds, PaaS or IaaS infrastructure, or hybrid environments, running either home-grown or third-party software. They can even be SaaS products that offer a self-deployment option inside your IaaS environment.
Once you have a list of all application components, consolidate them into business application entities and, ideally, classify dynamically which entities are subject to compliance and which can be excluded. This keeps individual components from cluttering the inventory and spares you long, irrelevant and sometimes noisy lists. For instance, you want a single root application entity in the inventory, while the separate application that serves as its authentication component is monitored as part of it, as a component rather than a standalone entry.
For more details on mapping self-hosted applications, see here.
Finally, make sure your list records where each application is hosted, its authentication and authorization flows, the third-party identity providers it connects to, and its identity security posture.
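To make the consolidation step concrete, here is an added Python sketch. It is not Orchid's code and not part of the original post; the component records, the scoping rule (any component that handles regulated data pulls its whole business application into compliance scope) and the pessimistic roll-up of posture (an entity enforces MFA only if every component does, so a weak authentication component drags its root application down) are all assumptions made for the example. It groups discovered components into root entities, tracks hosts and identity providers per entity, and reports identity gaps only for in-scope entities so the out-of-scope noise described above never reaches the auditor's list.

```python
from dataclasses import dataclass, field


# Constructed sample record shape (an assumption, not an Orchid schema): one
# record per deployed component, as a discovery tool might emit it.
@dataclass(frozen=True)
class Component:
    name: str
    business_app: str      # the root entity this component rolls up to
    role: str              # "root", "auth", "data", ...
    host: str              # "saas", "aws-iaas", "on-prem-dc1", ...
    regulated_data: bool   # touches data covered by a compliance framework
    mfa_enforced: bool
    orphaned_accounts: int
    idps: tuple = ()       # third-party identity providers it federates with


@dataclass
class BusinessApp:
    """A root application entity consolidated from its components."""
    name: str
    components: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    idps: set = field(default_factory=set)

    @property
    def in_compliance_scope(self) -> bool:
        # Assumed scoping rule: one regulated-data component scopes the entity.
        return any(c.regulated_data for c in self.components)

    @property
    def mfa_enforced(self) -> bool:
        # Posture rolls up pessimistically: the entity is only as strong as
        # its weakest component (e.g. an auth component without MFA).
        return all(c.mfa_enforced for c in self.components)

    @property
    def orphaned_accounts(self) -> int:
        return sum(c.orphaned_accounts for c in self.components)


def consolidate(components):
    """Group component records into business application entities keyed by name."""
    apps = {}
    for c in components:
        app = apps.setdefault(c.business_app, BusinessApp(c.business_app))
        app.components.append(c)
        app.hosts.add(c.host)
        app.idps.update(c.idps)
    return apps


def compliance_gaps(apps):
    """Return (app name, issue) pairs for in-scope entities only."""
    gaps = []
    for app in apps.values():
        if not app.in_compliance_scope:
            continue  # excluded entities are not reported at all
        if not app.mfa_enforced:
            weak = [c.name for c in app.components if not c.mfa_enforced]
            gaps.append((app.name, "MFA not enforced on " + ", ".join(weak)))
        if app.orphaned_accounts:
            gaps.append((app.name, f"{app.orphaned_accounts} orphaned accounts"))
    return gaps


# Constructed sample inventory: a payroll app split across IaaS and on-prem,
# plus a SaaS wiki that handles no regulated data.
SAMPLE = [
    Component("payroll-web", "payroll", "root", "aws-iaas", True, True, 0, ("okta",)),
    Component("payroll-sso", "payroll", "auth", "aws-iaas", False, False, 2, ("okta", "azure-ad")),
    Component("payroll-db", "payroll", "data", "on-prem-dc1", True, True, 0),
    Component("wiki", "wiki", "root", "saas", False, False, 5, ("google",)),
]

if __name__ == "__main__":
    apps = consolidate(SAMPLE)
    for app in apps.values():
        scope = "in scope" if app.in_compliance_scope else "excluded"
        print(app.name, sorted(app.hosts), sorted(app.idps), scope)
    for name, issue in compliance_gaps(apps):
        print(f"GAP {name}: {issue}")
```

Running it lists two entities instead of four components, and only the payroll entity produces gaps: the missing MFA on its authentication component and the two orphaned accounts. The wiki's five orphaned accounts are real but stay out of the compliance report because the entity is out of scope.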
Benefits of an Application Inventory
With an application inventory, you can:
- Quickly retrieve a list of all your application entities, compiled from all of the components that are distributed across all of the organization’s environments.
- Quickly retrieve a list of all your application entities along with their compliance-related characteristics - such as MFA enforcement, rogue accounts, orphaned accounts, RBAC privilege data, and more - to present to the auditor.
- Ensure you can maintain a consistent, contextual and continuous identity-first strategy.
- Get a full picture of your identity security posture across all applications.
- Prioritize remediation of identity-related security gaps.
- Track identity-related remediation.
The Application Inventory That Orchid Provides
Orchid provides customers with a comprehensive inventory of all SaaS and self-hosted application entities, along with each application’s identity catalog. A quick overview shows you the company’s identity risk rating, allowing you to slice and dice for reports.
Application details include the residing host, authentication flows, authorization-associated role harvesting, identity security posture, the frameworks the application adheres to, integrations, and whether any action should be taken on the application.
Learn more about how you can use Orchid’s Identity-first Security Orchestration platform to continuously discover your application inventory here.
As the CISO of Costco notes, you can’t secure what you can’t see. Incomplete application visibility poses both cyber security and regulatory compliance risk. To measure risk, you first need to see the full picture before you can decide whether a gap needs to be addressed, and for that you need the complete application inventory.
For more information on application inventory, see here.