Why Application Discovery Is The Missing Link In Multicloud Identity

Posted by Gerry Gebel, Forbes Councils Member | 2 months ago


Gerry Gebel, Strata Identity Head of Standards, former Burton Group analyst and tech executive at Chase Manhattan Bank (now JPMorgan Chase).

For the average large enterprise, answering the question, “How many applications do we have running across our cloud platforms, and where are they?” seems simple enough. Until, that is, the follow-up questions start:

• Which identity provider (IdP) secures each application?

• Is multifactor authentication (MFA) enabled?

• Do they connect to a database, and where is that database hosted?

• Are these applications still in active use, or are some orphaned and running on autopilot?

In my experience, very few companies have an accurate and up-to-date source of truth to answer these questions.

While application discovery should be straightforward, in multicloud, multi-identity provider (multi-IdP) environments, it’s anything but. Without visibility into their applications, security teams are exposed to orphaned apps, zombie services and misconfigured access points—all prime targets for attackers.

If an organization doesn’t know where its applications live, who is accessing them and how they’re configured, it can’t protect them. Worse, it may not even realize it has an exposure until it’s exploited.

Consider the scale of the problem. The typical large enterprise runs applications across three, four or even 10 cloud platforms—each with its own deployment models, access controls and infrastructure layers. Gartner has long warned that IAM risks stem from poor visibility and inconsistent identity governance across hybrid and multi-cloud environments.

The problem compounds in multi-IdP environments, where identity data isn’t confined to a single source. Instead, credentials and access policies are scattered across:

• Cloud platforms (AWS, Azure, Google Cloud)

• Infrastructure services (Kubernetes clusters, API gateways)

• SaaS applications and third-party integrations

• Enterprise databases and legacy applications

• Custom authentication layers

This identity fragmentation makes it difficult to map applications to their authentication sources, track privileged access or enforce consistent security policies.

Hidden Costs Of Poor Application Discovery

Application blind spots are more than just an inconvenience—they create real security, financial and operational risks.

If your team doesn’t know an application exists, they can’t monitor or secure it. Orphaned applications—those still running but no longer maintained—are prime targets for attackers. Worse, some apps are considered “sunsetted” but continue running due to automation (e.g., CI/CD pipelines redeploying them). With malicious bots continuously scanning the internet for open endpoints, an unprotected app is a ticking time bomb.

On the compliance front, security teams are expected to maintain detailed records of application access for regulations like GDPR, SOC 2, HIPAA and CFIUS. If auditors ask how many applications exist and who has access, an estimate won’t cut it. Organizations must be able to prove that they are enforcing MFA on all apps, tracking identity providers and decommissioning outdated services. Without automated discovery, compliance efforts become last-minute fire drills.

Finally, many enterprises unknowingly continue paying for cloud compute, storage and API services tied to applications that should have been retired. Without up-to-date inventories, IT budgets are drained by ghost apps consuming resources long after their business value has disappeared.

Reining In The Application Discovery Problem

Security teams can regain control over their application ecosystem with a structured approach to discovery, visibility and inventory management. Here’s a checklist.

1. Build a living, automated application inventory.

• Move away from spreadsheets and static lists—use a centralized application registry that updates dynamically.

• Implement cloud-native discovery tools that scan for deployed applications across AWS, Azure and GCP.

• Use network-based discovery and API logging to detect unmanaged applications communicating with enterprise infrastructure.

2. Track key attributes for every application.

To build a reliable and actionable application inventory, security teams need real-time visibility into the following key attributes for each application:

• Cloud Platform: Where is the application hosted? (AWS, Azure, GCP, private cloud)

• Infrastructure Layer: Is it deployed on Kubernetes? App Engine? Elastic Cloud Services?

• API Gateway: Is it exposed through an API gateway, and if so, which one?

• Identity Provider (IdP): What system is managing authentication? (Okta, Microsoft Entra ID, AWS IAM, etc.)

• MFA Status: Is multifactor authentication enforced?

• Database Connection: Does the application connect to a database, and where is it hosted?

• Login URL: What is the authentication entry point?

This data must be continuously refreshed—not just captured once and left to gather dust in a spreadsheet.

3. Integrate application discovery with identity governance.

• Correlate applications with their IdP to ensure authentication flows are properly mapped.

• Link application discovery tools with identity governance and administration (IGA) systems to track who has access and whether MFA is enforced.

• Monitor for orphaned applications that no longer have clear business owners but remain active.

4. Build security into the discovery process.

• Regularly audit identity misconfigurations, including missing MFA or excessive access permissions.

• Identify and eliminate zombie applications—those that appear retired but remain operational.

• Implement CI/CD pipeline monitoring to prevent retired applications from being automatically redeployed.
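As an added example (not code from the article or from Strata Identity), here is a minimal Python sketch of steps 1 through 4: a registry row carrying the step-2 attributes, reconciled against the set of applications a discovery scan observed running, with findings for unmanaged, zombie, orphaned and MFA-less applications. All field names, finding strings and sample rows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AppRecord:
    name: str
    cloud_platform: str           # AWS, Azure, GCP, private cloud
    infrastructure_layer: str     # Kubernetes, App Engine, ...
    api_gateway: Optional[str]    # None if not exposed through a gateway
    idp: Optional[str]            # Okta, Microsoft Entra ID, AWS IAM, ...
    mfa_enforced: Optional[bool]  # None means unknown, which is itself a finding
    database_host: Optional[str]
    login_url: Optional[str]
    owner: Optional[str]          # business owner; None means orphaned
    status: str                   # "active" or "retired" according to the registry

def audit(registry, discovered):
    """Reconcile the registry with the app names discovery saw running and
    return (app, finding) pairs for the security team to work through."""
    findings = []
    running = set(discovered)
    for name in sorted(running - {app.name for app in registry}):
        findings.append((name, "unmanaged: running but not in registry"))
    for app in registry:
        is_running = app.name in running
        if app.status == "retired" and is_running:
            findings.append((app.name, "zombie: retired but still running"))
        if app.status == "active" and not is_running:
            findings.append((app.name, "stale: registered but not observed"))
        if not is_running:
            continue  # identity checks only matter for live applications
        if app.idp is None:
            findings.append((app.name, "no IdP mapped to the application"))
        if app.mfa_enforced is not True:
            findings.append((app.name, "MFA not enforced or unknown"))
        if app.owner is None:
            findings.append((app.name, "orphaned: no business owner"))
    return findings

# Constructed sample data: three registry rows plus the names a discovery scan reported.
SAMPLE_REGISTRY = [
    AppRecord("payroll", "AWS", "Kubernetes", "apigw-prod", "Okta", True,
              "rds.internal", "https://payroll.example.com/login", "finance", "active"),
    AppRecord("legacy-crm", "Azure", "VM", None, None, None,
              "sql.internal", "https://crm.example.com/login", None, "active"),
    AppRecord("old-portal", "GCP", "App Engine", None, "Microsoft Entra ID", False,
              None, "https://portal.example.com", "marketing", "retired"),
]
SAMPLE_DISCOVERED = {"payroll", "legacy-crm", "old-portal", "hackathon-demo"}
```

Calling `audit(SAMPLE_REGISTRY, SAMPLE_DISCOVERED)` returns six findings: an unmanaged app the registry never knew about, a zombie marked retired but still running, and an orphaned app with no IdP mapping and no MFA, while the fully described app produces none.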

By following these best practices, enterprises can start building a foundation of continuous application visibility that reduces security blind spots and ultimately strengthens their multicloud IAM strategy. The goal isn’t just to discover applications—it’s to ensure they are secured, governed and aligned with business needs. It also makes it possible to give an accurate answer to the questions posed at the top of this article.
