There are many challenges around application management in the enterprise, and they can be attacked in many ways. An Application Owner program helps address many of them, but it is seldom the single answer to a problem on its own. Application Owner programs frequently target one or more of these three major goals: increasing security, addressing challenges around app hygiene, and increasing overall visibility.
More eyes are better, but that doesn’t mean you don’t need one or more security scanners and tools to help identify risks to your environment. Having a dedicated human proactively checking on updates and news from the vendor can be a great way to get ahead of security issues, which can effectively reduce the number of instances where vulnerable applications are detected in your environment.
Identifying the existence of a new version and its potential security impact is a huge benefit of an application owner program but must be considered a part of a broader approach. Is there a security update? Let’s get an update out! Is there a vulnerability detected on an endpoint? Let’s get an update out! Is there a virus detected on an endpoint? Is there malicious activity detected on an endpoint?
Every organization needs to have solutions in place to address a broader range of security risks and capture things that are out of scope or otherwise slip by application owners. Multiple tools and multiple stakeholders together represent a wise, best-practice approach to reducing security risk overall.
Improved application hygiene
Application hygiene is frequently a challenge and certainly isn’t one an application owner can be expected to solve. While an application owner can help with awareness of what should be done with their application, remediation may be delayed or deferred for reasons outside their control. From an application owner’s perspective, the update suggestions they communicate may seem the most critical, but that will often not be the case when the larger picture is considered. Still, it is valuable to have a champion for an update to help drive action and help hold the organization accountable.
For example, “version sprawl,” whereby multiple versions of the same program are deployed, has well-understood security and support consequences that represent a risk to the organization. Having individual application owners chase down the status of individual tickets to address the problem is far better than leaving it as a back-burner task for the desktop management team, which sees it as one large low-priority backlog item that may never get attention.
Even when it comes time to update applications that are end of life, it isn’t easy to prioritize the effort due to the size of the problem. This doesn’t mean the application with the loudest and most demanding application owners should win, but several individual advocates working to justify prioritization amount to an effective way to tackle large problems like these.
Visibility at scale
Even with a focused team dedicated to reviewing and remediating application issues, in an environment with hundreds of applications, it just doesn't scale well to have a small team trying to keep an eye on them all. By assigning applications to individuals, even just the responsibilities of an application monitor can pay huge dividends. Consider the simple practice of subscribing to a software vendor's announcements to keep up with news and new releases. Emails about every application arriving at a single email account (or even just a few) would quickly become noise nobody would review, while the same content is easily manageable when each owner receives only the emails for their own applications.
In other articles, we’ll regularly touch on the goals and benefits of application owner programs as well as the challenges and solutions in achieving them.