In 2023, Samsung experienced a data breach caused by a vulnerability in a third-party app. This breach affected people who purchased from Samsung’s UK store between 2019 and 2020. According to TechCrunch, Samsung did not discover the attack for three years. Attackers accessed customers' personal information, such as phone numbers, emails, and addresses. We all heard about last year's Midnight Blizzard attack on Microsoft as well. Breaches of this caliber can happen if organizations don't take action to improve poor security and governance of their applications.
That’s where App Governance Accelerator stands out. ENow’s solution helps organizations gain and maintain control over their Entra ID application landscape, reducing the attack surface and strengthening security. It provides deep visibility into applications, identifies potential risks, and equips IT teams with the insights needed to:
With App Governance Accelerator, organizations can proactively manage application security and stay ahead of evolving threats.
In the video above, Alistair Pugin sits down with ENow’s CEO, Jay Gundotra, to understand where the idea for AppGov came from. Jay describes the tool as born out of a problem that needed a solution. One of Jay’s friends from the media/entertainment industry contacted him because their company was experiencing exponential growth in the volume of SaaS applications in their environment. There was a lack of visibility into enterprise applications and lots of citizen development, and the team saw the situation quickly getting away from them from a visibility and governance perspective. Voilà, the idea for AppGov was born!
In the interview, Jay highlights Microsoft's constant innovation and frequent changes, emphasizing the need for IT Pros to stay informed to prevent these shifts from becoming a “blind spot” for their organizations. As awareness of this growing application risk increases, the next crucial step is ensuring organizations have the right support and frameworks in place to secure executive buy-in and effectively address the challenge.
Alistair Pugin, a Microsoft Security and Microsoft 365 Apps and Services MVP, highlighted a common blind spot: the lack of awareness about how identity connects to applications. Many organizations, users, and admins sign up for enterprise applications without fully considering the identity aspect or the permissions granted. There's often an assumption that apps from reputable vendors are inherently secure, but that’s not always the case. In our conversations, most companies are surprised to discover the extent of API permissions already present within their application landscape.
Jay and Al also discussed a key challenge: Who is responsible for app governance within an organization? Should it fall under collaboration, cybersecurity, or identity, or should there be a dedicated role bridging the involved teams? Of course, the appropriate choice will naturally depend on an organization's size and the maturity of its security strategy.
They pointed to last year’s attack on Microsoft systems—traced back to Midnight Blizzard—as a wake-up call. Following the attack, many organizations conducted audits of their environments. Jay stressed that if companies haven’t yet done so, they should use Microsoft’s tools or ENow’s free AppGov Score resource.
Looking ahead, Jay emphasized the need to 'assign' app governance to a dedicated collaborator—someone who can balance security, governance, and business productivity.
By clearly defining ownership and addressing these questions, organizations can start to take a proactive and structured approach to application security and governance.
In a world of innovation and rapid technological advancements, the community plays a huge role in keeping up with changes, navigating new systems, or, in this case, managing the security aspect of applications. Jay emphasizes the community component of AppGov. It was built because someone in his community needed help solving a problem. We've continued to build out these community resources because we recognized a knowledge gap in application governance in Entra and how it relates to identity security. Looking for additional help in these areas? Aside from this AppGov blog, we have a few additional resources:
One of the resources provided by ENow is the AppGov Score tool. AppGov Score is a free security assessment tool that quantifies an organization’s Microsoft Entra ID application governance state. It gives an organization a starting point to understand potential risks associated with enterprise applications, app registrations, permissions, and default tenant settings within their Entra environment.
In addition to the AppGov Score tool, we’ve created the AppGov Community Forum, a dedicated space for discussing Application Governance & Security. Moderated by Microsoft Security & Identity MVPs and subject-matter experts, the forum provides answers to key questions about Entra ID, Enterprise Applications, Application Registrations, and the impact of Tenant Settings on an application’s lifecycle. It also allows IT professionals and experts to share how they’re addressing governance challenges, like in the discussion about Veeam’s free backup app.
Why this matters:
By combining these resources, organizations can take a proactive approach to securing their Entra ID applications.
We appreciate your involvement in the AppGov Score Community—whether you're reading a blog, asking a question, sharing insights, or exploring the AppGov Score tool. Every perspective contributes to a deeper understanding of application governance risks, helping us all navigate this evolving challenge together.