It’s not even a question anymore: Every company is now a software company with a digital mandate. Applications are firmly established as the primary vehicle through which companies develop and deliver goods and services. They have become the most important asset of the modern enterprise, especially for those digital natives: the Lyfts, LinkedIns, and WhatsApps of the world.
Welcome to the age of application capital.
Today a company’s application portfolio can be worth billions, and apps are found wherever work is done—conferencing equipment, factory floors, thermostats, aquariums, you name it. And yet most companies only have an approximate sense of how many applications they actually have, where they’re running, or whether they’re under threat. Organizations worldwide have continually innovated, iterated, and built their application capital—without also building a cohesive organizational strategy for managing it.
Compounding this is the challenge of complexity. In our latest research, 90 percent of customers reported that they were using multiple clouds, averaging 2.5 per organization. More than half said they’re making decisions on where to host applications on a per-app basis. Larger companies could have hundreds—if not thousands—of permutations of applications, clouds and servers, and the support those applications receive might vary dramatically.
Why so different?
For most companies, application capital is poorly supervised at best and under serious threat at worst. But with so many apps spread far and wide, threats can come from almost anywhere, and the effects of a breach can be devastating for the organization.
A few years ago, the CEO of Target resigned after hackers stole millions of customer records from the company—the attackers had gained access to Target’s point-of-sale devices through an HVAC system. Just last year, a London-based casino lost its high-roller database after hackers got into their network through the digital thermometer in a lobby aquarium. These two seemingly innocuous entry points show the serious danger of free-range application portfolios. And yet I have not encountered a large organization that can report, with confidence, the number of applications they have in their portfolio.
In contrast, the way organizations manage physical and human capital has been a continual focus in business, refined over the course of decades. Companies like Airbus rely on a network of thousands of suppliers and precision timing across a worldwide supply chain to make one airplane. Airbus is also able to track and monitor the performance, usage, location, and health of each of its jet engines at any moment in time.
UPS has a similar level of sophistication when it comes to managing people. The company oversees a huge global delivery network that employs hundreds of thousands of workers, with such granular insight into their activities that it can prescribe how drivers should enter and exit their vehicles to maximize efficiency and minimize injury.
If we’re going to gain a toehold toward minimizing threats so we can maximize the value of the application ecosystem, organizations need to start investing the same energy and resources into their application capital as they do with physical assets and talent. The trick is how to apply the same rigor and discipline to the ephemeral nature of digital items.
Building an application strategy
To manage application capital effectively, companies need to start by establishing a companywide application strategy that sets policy and establishes a basis for compliance. The application strategy should address how applications in the enterprise portfolio are built, acquired, deployed, managed, secured, and retired. There are many ways to go about this, but we generally prescribe six distinct steps:
- Build an application inventory that includes the function and origin of every app, along with the data it consumes, services it communicates with, open-source or third-party components it contains, who has access to it, and who develops or maintains it.
- Assess the cyber risk for each application in terms of the relative cost or impact of a breach of the application itself or the identities associated with the application.
- Define application categories around the cyber risk associated with the applications, and assign minimum application service requirements for each.
- Identify the application services needed to support each of the application categories, such as web application firewalls, anti-DDoS, anti-bot, global availability, and load balancing services.
- Define parameters for application deployment and management for each application category, including deployment architectures, acceptable public cloud options and third-party services.
- Clarify roles and responsibilities around deployment, security, user access, third-party monitoring, and accounting for apps as they are added and removed.
The primary aim of an application strategy should be to enhance and secure all digital capabilities—even while the company continues to increase and expand those capabilities. The combination of these elements helps ensure that everyone is doing the right thing, accounting for and protecting all applications in the organization’s ecosystem while keeping the wheels of innovation turning.
One major difference between physical and digital assets makes this process all the more important: the ever-present threat landscape. Because applications extend beyond the company to the customers and partners who use them, effective stewardship of application capital is a business imperative.
This is an issue that is only getting more complex and challenging, so there is no better time to start. Learn more about how F5 can help.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...