The inevitable pivot to BYOA (Bring Your Own Application): Mitigating risk to enable innovation

Companies seeking to increase business velocity should allow their staff to choose the SaaS applications that bring them the most value, and security teams should view this as an opportunity rather than a threat. While this may seem contradictory in nature, with the right supportive technology, efficiency and innovation in SaaS can thrive alongside a strong security posture.

SaaS adoption as a catalyst for efficient business processes is not a new phenomenon. There has been a significant pivot to SaaS-based offerings in business in light of the value they provide as opposed to on-prem legacy solutions. In the era of remote work, dispersed staff and democratization of data, SaaS adoption has grown in both size and scope, with employees constantly looking for turnkey digital solutions in the form of SaaS applications for greater accessibility, cost-effectiveness and ease of use. The sheer size of the cloud-based applications(opens in new tab) market provides users with a tempting menu of options to choose from, varying in design, features, user interface and more. Employees today are digital nomads and early adopters, and will invariably seek the applications that provide them with the most value, whether they have been approved by their organization or not. They aspire to use the latest tools, produce cutting edge outcomes to benefit their organization and do so from anywhere, using any device. Employers and customers expect tradesmen to use their specific tools for their trade, so shouldn’t data analysts be expected to choose the tools which they believe can help them get the job done?  

Unmanaged vendors (Shadow IT), malicious third party access and the potential loss of data make CISOs wary of allowing employees to pick and choose the applications they use, and drive them to place stringent cybersecurity measures and limit users to a chosen application portfolio which has been vetted, secured and controlled by the organizational security team using cumbersome and limited SaaS solutions. Employees today are able to adopt new applications with a click of the mouse and with zero oversight, rendering incumbent controls based on network security irrelevant. These security solutions can’t see, control or mitigate the risks inherent in rapid application adoption. If we look at the prevalence of BYOD (Bring Your Own Device), adopted in light of workplace evolution in the past decade, we can see that it presented a similar dilemma for security teams. Rather than place sanctions and barriers for use, forward-thinking security officers understood a basic truth - it’s going to happen, whether you approve it or not. Setting transparent guidelines for BYOD to ensure secure, visible and regulated utilization by employees was a smart move for businesses.

BYOA

“BYOA” (Bring Your Own Application) is a comparable workplace policy empowering -
and trusting - professionals to independently and wisely select the SaaS applications that can accelerate their workflow. BYOA has become an inevitable part of the modern workplace, increasing agility and driving employee productivity, while simultaneously creating unnecessary friction between staff, security teams and management. Instead of seeing it as a threat, CISOs should view BYOA as an opportunity to show management how security accelerates business velocity, and encourages a corporate culture of trust.

The use of innovative technology which provides visibility without using outdated manual discovery solutions can mitigate the risks of BYOA and manage it appropriately while reducing the occurrence of Shadow IT. Much like security policies enable BYOD while ensuring that no sensitive data is copied to the local device, the adoption of automated supportive technology to enable BYOA will ensure that any new applications adopted by users in the organization will be seen, approved and secured by security teams seamlessly. Over time and without the adoption of BYOA, employees will inevitably seek and find workarounds to allow them to get the job done. They don’t need and will not request security approval to register to their new applications, and will use them from private devices to obscure adoption and use. CISOs need to know what employees are using and for what purpose, for compliance (the Australian CPS 234, for example), for security configurations, for SSO connectivity and in order to revoke access of dangling users. Unreported adoption and use harms the security posture of the organization, and can significantly damage the trust and transparency necessary for an organization’s stability and sustainable growth.

A new perspective on security

But what if application detection was automatic? Instead of passively awaiting vendor approval requests, an automated process can increase CISOs’ awareness of “risky apps” within the organization, without interfering with workflow and productivity. Data misappropriation will be reduced dramatically, as security teams will know where the data is, who is using it and how, as opposed to the current guessing game and limited visibility prevalent in organizations. Instead of stifling BYOA and increasing suspicion, management can support employees by training them to use their tools of choice, while ensuring that security teams protect them through extended access policies to all applications, unified off-boarding, zero-touch life cycles, removal of blind spots and more.

The challenges BYOA introduces can be resolved by adopting a new perspective on security. Organizational security policies designed to allow BYOA will not ignore the problem - they will manage it. CISOs should change their frame of reference on this issue, in order to avoid throwing the baby out with the bathwater. With automated processes ensuring visibility, data governance and access controls, and through eliminating friction and performance degradation, CISOs will automatically be involved and in control, while at the same time allow users to embrace their tools of choice to their full potential.

‍

This article originally ran in ITProPortal, a trusted resource for IT professionals.