
Can CISOs Trust Their Applications? TrustCloud Wants to Replace the Questionnaire

By continuously analyzing security, infrastructure, and governance data, TrustCloud aims to give CISOs a real-time view of application risk and board-ready assurance.

Where assessing whether production applications can be trusted is still a manual questionnaire, it may be time to automate.

For many CISOs, analyzing trust in enterprise production applications is still a manual process: questionnaires surveying the teams running the apps; chasing their return; collating them and then analyzing the content. The purpose is not to count vulnerabilities and threats, but to assess whether the company can trust the production applications it operates. It is important for the CISO and is demanded by the board.

It is tedious and time-consuming. At best, it can be done quarterly, but very often it is an annual task. The result is a point-in-time, subjective judgment that does not reflect how the modern business changes from day to day. Where an enterprise might have operated a few hundred applications a decade ago, it now has thousands of applications in production and will have more tomorrow. Data gathering by manual questionnaires simply does not scale.


“For years, CISOs have been forced to bring leadership point-in-time snapshots and call them a risk picture,” comments Tejas Ranade, co-founder and CPO at TrustCloud. “They know it’s incomplete. Their boards know it’s incomplete, but the industry has had no better solution.”

TrustCloud has now developed a product designed to change this and bring an archaic practice into the age of AI-driven and -managed automation: Application Assurance. “We plug into the entire ecosystem that runs an application,” explains Ranade.

“This includes security tools that monitor the app, infrastructure tools that constitute the runtime, documentation repositories that store policies and procedures, ticketing systems, etcetera. We monitor all of this continuously for the CISO. We don’t look into the application; we monitor all the data about the application. This tells the CISO whether this application is adequately secure and what is the risk.”

The data is collected by hundreds of TrustCloud connectors throughout the enterprise that plug into the enterprise data sources, aggregating, normalizing and automatically analyzing that data. The process serves two purposes: it replaces the manual point-in-time collection of data with continuous automated monitoring, and it replaces subjective interpretation with objective AI-driven interpretation.


The automated collection, centralization and analysis of data does, however, create two new problems: data residency and trust in TrustCloud itself. On data residency, “We work with highly regulated enterprises across many industries: manufacturing, pharma, government, and so on,” says Ranade.

“Some have very specific needs around data residency; so, we’re architected for a variety of different residency models. The data could live in a managed TrustCloud cloud as a secure managed service, but it can also live in the customer’s environment with selected data being pushed into TrustCloud for analysis. We support many data residency options to satisfy different customer requirements.”

Trust in TrustCloud itself is the second issue. TrustCloud collects and centralizes information about applications in production. Such information would be valuable to bad actors, so TrustCloud’s own security is a potential concern.

The firm understands this and attempts to be as transparent as possible. Its own security is frequently audited by prospective customers; everything operates under least privilege, using and keeping only the data it needs; it allows its customers to specify what data it can hold; and its security program adheres to all regulatory guidelines. “In the end,” says Ranade, “we are no different than our customers. They are in sensitive, highly regulated industries, and what they do for themselves, we do for TrustCloud, holding ourselves to the same or higher standard.”

There is a further advantage to using a third party to demonstrate trust in applications. Applications don’t simply grow in quantity and complexity; they change in type. What is already too complex to be handled by a manual process will only worsen in the future with the increasing use of new and easily generated vibe-coded in-house and third-party production applications. Agentic systems bring new problems.

“A top of mind concern for CISOs today,” explains Ranade, “is understanding what agentic applications are being built in their enterprise – understanding what security guardrails should be put in place for those agentic apps; understanding what vendors they are bringing on board with agentic capabilities and how to assess these vendors. We already work with customers to do assessments of agentic applications to ensure the CISO knows what agents are in the environment, what security guardrails need to be put in place, and what data points can be monitored to show how each agent is being secured and governed by company policies. This is not simply something we can do, it is something we are already doing.”

So, as new application types evolve, a third-party assurance monitor can help CISOs rapidly understand what trust can be maintained. It doesn’t secure the apps themselves but helps the CISO ensure the right level of protection around them.

By automating the collection and analysis of data used for trust assessments, TrustCloud seeks to revolutionize the process for CISOs: less time-consuming effort, and more accurate objective assessments that can be used to both improve the security around applications in production and demonstrate trust in these applications to the board on demand.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
