What Hybrid IT Means for App and API Security

Lori MacVittie Miniature
Lori MacVittie
Published January 11, 2023

For years the industry has been dancing around the realities—and subsequent challenges—of hybrid IT by calling it multi-cloud.

This is not to say that organizations are not operating in multiple clouds; they most certainly are. But it is to say that the term fails to fully capture that “cloud” is an operating model that isn’t just peculiar to public providers of infrastructure as a service. Indeed, our data has shown, year after year, that organizations operate on-premises cloud, as well as embracing its public versions.

SOAS 2023

But even that ignores the reality of hybrid IT, which has been right under our noses since cloud appeared and took business by storm. Pun intended. Because even as organizations adopted cloud, most were still dealing with traditional on-premises environments. Because most enterprises aren’t new; they’ve been operating for twenty, thirty, even fifty years. That means they’ve had an established portfolio that spans every generation of major app architectures, from monoliths to microservices, from client-server to mobile.

For this year’s annual research, we got specific about environments on-premises, because we wanted to understand the realities that our customers are facing. The data speaks for itself: enterprises have been, and continue to be, hybrid.

It’s not just the research for this report, either. When F5 NGINX polled its open source community, guess what it found (among other interesting bits)? Yes, that hybrid is here to stay.

Now, without spoiling all the findings from our upcoming State of Application Strategy report, I will say that the trend toward modern applications is strong, but there are indications that some organizations will never be “all in” on replacing traditional apps with more modern versions.

Ergo, therefore, and thusly, enterprises will remain hybrid for many years to come.

But that leads us to ask, what does that mean for security? In particular, for app and API security?

The Implications for App and API Security

If we operate on the assumption that organizations are hybrid at their core (app portfolio) as well as their operational environments, then the implications for app and API security are pretty profound.

That’s because some application environments, like containers, have unique security needs that can’t be addressed by traditional security solutions. It also means that, with apps remaining on-premises, organizations will struggle to find consistent security solutions able to span core, cloud, and edge deployments of application workloads. But wait, there’s more! Because it also means that the need for existing traditional solutions does not simply vanish, especially those that focus on protecting apps and API from protocol abuse and exploitation.

Unfortunately for organizations, hybrid IT does not—and cannot—imply hybrid security.

By hybrid security I mean mixing app and API security services from one vendor with another and another and another. While shifting security left into the app lifecycle sounds like a great solution, it too often leads to the path of least resistance—a multitude of incompatible app and API security services that complicate and frustrate efforts to secure all apps and APIs.

We’re already seeing the impact of complexity of cloud tools and APIs on organizations in the inability to consistently apply security across all applications. A mix-and-match, à la carte approach to app and API security is not working for most organizations as seen in the substantial increase in breaches over the past year attributed to vulnerabilities and exploits of—wait for it—app and APIs.

The reality of hybrid IT on security is that the patchwork, à la carte approach to securing apps and APIs is not going to work long-term. We need a better approach, and it needs to recognize that IT and the enterprise are, and will be for the foreseeable future, hybrid.