The Good Tech Companies - Cloud Sprawl Is Real. Continuous Discovery Is Your Best Defense
Episode Date: May 9, 2025
This story was originally published on HackerNoon at: https://hackernoon.com/cloud-sprawl-is-real-continuous-discovery-is-your-best-defense. Static audits can't keep up with today's cloud sprawl. Discover why continuous discovery is key to securing apps and identities in real time. Check more stories related to cloud at: https://hackernoon.com/c/cloud. You can also check exclusive content about #cloud-security, #identity-management, #application-security, #ci-cd-pipelines, #cybersecurity, #devops, #cloud-infrastructure, #good-company, and more. This story was written by: @strataidentity. Learn more about this writer by checking @strataidentity's about page, and for more stories, please visit hackernoon.com.
Gerry Gebel: It's easy to lose track of how many apps are running in a cloud environment. He says the result is a real-time security gap that can be easily exploited. Apps without MFA, apps relying on legacy authentication, or workloads redeployed by an outdated script are easy prey.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Cloud sprawl is real, continuous discovery is your best defense, by Strata Identity.
Ask any cloud engineer how many applications are running across their environment,
and you'll get a ballpark number. Ask again 5 minutes later, and they might double it,
not because they're being evasive, but because they just didn't know the exact number.
It's hard to believe, but between CI/CD pipeline redeployments, zombie workloads, legacy apps
in obscure corners of infrastructure, and too many identity providers (IdPs) to count,
it's easy to lose track.
When you don't know what's running, you can't manage and secure it.
This isn't a governance problem reserved for IAM compliance checklists.
It is a real-time security gap.
Orphaned apps without MFA, apps still relying on legacy authentication, or workloads redeployed
by an outdated script are easy prey for bad actors.
With everything else becoming continuous, from integration to deployment, discovery
should be too.
The fragmentation issue
In a typical enterprise today, apps are deployed across AWS, Azure, GCP, and maybe a private cloud or two.
Even within a single cloud provider, there's sprawl. Using Google Cloud Platform (GCP) as an
example, an application can be deployed in multiple ways. You've got options that include App Engine,
Cloud Run, Compute Engine, Google Kubernetes Engine, and Apigee Gateway.
Other cloud platforms like Azure and Amazon Web Services similarly have many deployment
options for application workloads. Some are similar, like Kubernetes support,
but other technologies could be unique to that cloud platform.
Without a central discovery mechanism,
some of these apps can easily fall through the cracks. Even infrastructure as code (IaC),
like Terraform, doesn't always capture the whole picture, especially when developers
bypass templates for manual deployments or forget to update tags.
Of course, there is a similar sprawl for the identity systems that control access to these
application environments.
Enterprises can have a mix of Okta, Microsoft Entra ID, and Amazon Cognito, as well as on-premises Active Directory and legacy web access management products such as SiteMinder, often coexisting.
With fragmented identity, apps might authenticate against different IdPs depending on when or
where they were deployed.
For example, a team might choose Okta for internal apps, while customer-facing systems
rely on Microsoft Entra ID or Cognito.
The result is a sprawling mesh of credentials, policies, and access patterns that make it
nearly impossible to audit consistently.
Even knowing whether MFA is turned on for a given app becomes a research project. This level of identity fragmentation is certainly
inconvenient, but worse, it's dangerous. Attackers don't need to compromise your
crown jewels, they just need to find that unguarded door. When apps are deployed without
adequate visibility and controls, you are leaving doors wide open.
Why traditional audits don't cut it
One audit model example involves bringing in a Big Four consultancy,
running an audit, generating a report, and calling it a day.
The report was already out of date the moment it was emailed.
CI/CD pipelines might redeploy decommissioned apps.
A dev team might spin up something new without informing security.
Or worse, a dormant app with a loose SiteMinder policy might still let anyone with a
company email walk right in.
What's more troubling, these audits are inherently narrow in scope.
They capture a point-in-time snapshot of a system that is constantly changing.
Any meaningful discovery is siloed to the people involved in the audit process and often
stored in static documents that nobody revisits until the next round.
There's no continuity, no automation, and no assurance that the data remains accurate
beyond the day it was collected.
Dollars and sense: let's not forget the cost.
These assessments often take weeks of effort and hundreds of thousands of dollars.
The result is a pretty-looking presentation, with charts and bullet points that look great
in a boardroom.
But what value do they bring to an engineer trying to track down which IdP governs access
to a containerized app running on a forgotten GCP cluster?
Meanwhile, attackers aren't waiting for your next audit cycle.
They're scanning your attack surface, looking for endpoints that your spreadsheet didn't
catch.
That's why the shift to continuous discovery is a necessity today.
What does continuous discovery look like?
Many security teams are stuck playing blindfolded whack-a-mole with application visibility.
They discover one shadow app only to find three more hiding in the cracks.
The problem isn't due to laziness or lack of tooling, it's that environments are constantly shifting.
Between dev teams spinning up new services, CI/CD pipelines redeploying old ones, and infrastructure evolving by the week, maintaining a static inventory is impossible.
That's why continuous discovery scales. It shifts visibility from something you know once a quarter to something you build into the fabric of your operations.
Here's what that means.
* Cloud-native scanning. Call into APIs across cloud platforms (GCP, Azure, AWS) to list deployments across services (App Engine, ECS, Lambda, Cloud Run, etc.).
* Identity correlation. Map each app to its IdP, verify MFA enforcement, and catalog authentication patterns (SAML, OIDC, LDAP, header-based, etc.).
* CI/CD monitoring. Catch apps that reappear after being decommissioned because a pipeline didn't get the memo.
* Tagging and classification. Apply metadata to organize by compliance scope (e.g. PCI apps), department, or data sensitivity.
Continuous discovery provides the connective tissue
between your infrastructure and your identity architecture. It sets the stage for real-time
security posture management, proactive compliance, and efficient incident response. Without it,
the next application-related breach may not come from a sophisticated exploit,
but instead, something your team didn't even know was running.
Instead of periodic fire drills, continuous discovery treats application visibility as
a live process.
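As an added illustration (not code from the article or from Strata Identity), here is a small Python pass that runs the identity correlation, CI/CD monitoring and tagging steps described above over two constructed inventory snapshots. The App record shape, the app names and the decommission register are all assumptions standing in for what a cloud-native scan would return.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class App:
    """One discovered deployment (shape is an assumption, not a real cloud API record)."""
    name: str
    platform: str          # gcp / aws / azure
    service: str           # cloud-run, lambda, app-engine, gke, ...
    idp: Optional[str]     # IdP governing access, None if the scan found nothing
    auth: str              # oidc, saml, ldap, header, basic
    mfa: bool
    tags: dict = field(default_factory=dict)

LEGACY_AUTH = {"ldap", "header", "basic"}

def find_risks(apps):
    """Identity correlation: flag the gaps the article calls easy prey."""
    findings = []
    for a in apps:
        if a.idp is None:
            findings.append((a.name, "no-idp"))
        if not a.mfa:
            findings.append((a.name, "mfa-off"))
        if a.auth in LEGACY_AUTH:
            findings.append((a.name, "legacy-auth:" + a.auth))
        if "owner" not in a.tags:
            findings.append((a.name, "untagged"))
    return findings

def find_resurrected(previous, current, decommissioned):
    """CI/CD monitoring: names absent last scan, present now, and on the decommission list."""
    return sorted(({a.name for a in current} - {a.name for a in previous}) & decommissioned)

def classify(apps):
    """Tagging: group app names by their compliance-scope tag."""
    scopes = {}
    for a in apps:
        scopes.setdefault(a.tags.get("scope", "unclassified"), []).append(a.name)
    return scopes

# Constructed snapshots standing in for two successive cloud-native scans.
SNAPSHOT_T0 = [
    App("billing-api", "gcp", "cloud-run", "okta", "oidc", True, {"owner": "fin", "scope": "pci"}),
    App("intranet-wiki", "azure", "app-service", "entra", "saml", True, {"owner": "it"}),
]
SNAPSHOT_T1 = SNAPSHOT_T0 + [
    App("legacy-portal", "aws", "ec2", None, "header", False),        # redeployed by a stale pipeline
    App("reports-job", "gcp", "gke", "cognito", "basic", False, {"owner": "data", "scope": "internal"}),
]
DECOMMISSIONED = {"legacy-portal", "old-hr-app"}   # constructed decommission register
```

Running find_risks, find_resurrected and classify on each new snapshot, and diffing against the last one, is the "live process" the section describes; the untagged, IdP-less legacy-portal is exactly the app a quarterly audit would miss.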
Real-world use case: the 2500 vs. 4500 app guess
In one Fortune 500 company, a newly appointed CTO was asked a seemingly straightforward
question.
How many applications are in your environment?
2500, she answered confidently.
Then paused.
Wait, we just acquired another company about the same size.
Let's call it 4500.
That answer didn't come from a system of record.
It was a guess, based on acquisition headcount and a rough assumption of parity.
There was no application inventory to consult, no dashboard to confirm the total, just back
of the envelope math.
And this wasn't a junior IT analyst.
This was a top executive being asked a foundational question about the organization's digital
footprint.
Scenarios like this are telling because they highlight the absence of a reliable,
continuously updated application registry.
Without one, companies are forced to rely on memory, manual spreadsheets, and tribal knowledge,
all of which fail in dynamic, cloud-based environments.
It also uncovers the operational and security risks of uncertainty.
If the leadership team can't quantify the number of apps in play, how can they be sure
that those apps are secure, compliant, and properly governed?
Why should engineers in IAM teams care?
Untracked apps are low-hanging fruit for attackers.
If you're managing IAM, and an app is still using basic authentication without MFA, that's
on you, whether you knew about the app or not. And if you're responsible for keeping things compliant, that 6-month-old
spreadsheet won't protect you when an auditor asks for current access and authentication
details. With continuous discovery, you know what's out there, you know who has access,
you know if it's secure, and you can prove it.
The way to keep up with a world of changes
Discovery goes far beyond compiling a list. It plays a critical role in surfacing hidden risks.
Those dark corners of your cloud estate where legacy applications, misconfigured services,
or unauthorized deployments may still be running quietly and unnoticed.
Overlooked systems can become attack vectors, compliance liabilities, or sources of unexpected cost.
Continuous discovery closes the loop, giving security and identity teams a real-time map of their application landscape,
what's running, how it's secured, and who has access, so they can take decisive action before issues escalate.
As noted, Gerry Gebel is professionally affiliated with a company operating in the identity management
and security space.
His views reflect his expertise and experience in the industry.
And thank you for listening to this Hacker Noon story, read by Artificial Intelligence.
Visit HackerNoon.com to read, write, learn and publish.