
Vulnerabilities / Threats | Commentary
7/19/2017 10:30 AM
Mike Lemire

4 Steps to Securing Citizen-Developed Apps

Low- and no-code applications can be enormously helpful to businesses, but they pose some security problems.

IT security, at its best, is about enabling the business and its employees to operate securely without unnecessarily straining productivity or the bottom line. However, as more companies push technology-driven initiatives such as digital transformation, many are struggling with balancing the two.

One of the key areas where this is playing out is with applications developed by business users, sometimes referred to as citizen-developed apps. These applications are built by regular employees using little to no code, and deployed through a cloud-based application-platform-as-a-service (aPaaS) model. Citizen-developed apps are growing in popularity; according to Forrester, the low-code market will grow from $1.7 billion in 2015 to more than $15 billion by 2020. Companies use these apps for everything from procurement and order management to tracking who will bring secret Santa gifts for the office Christmas party.

While organizations are realizing massive gains in productivity and cost savings by leveraging low- or no-code development tools, it may come at a cost. Since apps can be built and deployed with limited (or no) involvement of IT, many organizations have concerns over user and data governance. However, the issue is not necessarily about the tools themselves but about how the organization manages them. While that list of holiday gifts doesn't pose a high security risk, others that contain sensitive corporate information can.

The good news is that security and IT leaders can determine exactly how much power and freedom they want to give citizen developers and, conversely, how much control they need to avoid the perils of shadow IT. Here are some best practices for securing citizen-developed enterprise applications.

Update your policies: While most companies have security policies in place, these policies now need to specifically address the use of cloud services, including aPaaS. Beyond documenting the policy, it's important to educate employees on data and user governance guidelines. What data is OK to store in cloud services and what is not, and with whom can data be shared? Regulatory requirements also affect the types of applications employees develop and how they use them. For example, in the US, protected health information is subject to HIPAA, credit card data is governed by PCI, and education records are subject to FERPA. Policies and guidelines specific to citizen development are also becoming more common. According to Gartner's Strategic Planning Assumption, by 2020 at least 70% of large enterprises will have established successful citizen development policies, up from 20% in 2010.

Classify and risk-rank your data: The Data Classification Matrix instructs users on sensitivity levels of data: commonly public, internal use, and confidential. Consider the type of data that users intend to upload to applications and adjust security measures from there. "Riskier" data might include personal information such as Social Security numbers, company financial information, details on proprietary technology, and so forth. Instituting data classification schemas can ensure that users know exactly what information is completely confidential, internal only, or open to the public. By classifying information, app builders will be able to handle data in accordance with security policies.

Enforce (and review!) role-based access: In aPaaS, as with other IT services, role-based access is important to utilize. One way to ensure certain applications are accessed only by authorized users is to implement single sign-on and utilize security groups. For example, if the finance team is working on a project involving sensitive financial data, add everyone involved to a finance security group and quickly assign permissions to the finance team via a group. For applications involving sensitive employee data, you might utilize a user group so that only people in the HR department can access that information.

Once you have set permissions and access rights to your applications, review who has access to what at least once a quarter, making sure that new hires, departures, and employees whose roles have changed have the appropriate access.
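The quarterly review described above can be automated as a reconciliation of aPaaS group membership against the HR roster. This is an added example, not code from the article or from any aPaaS vendor; the group export format, the roster fields, and the sample users and groups are all constructed assumptions.

```python
"""Quarterly access review: reconcile aPaaS security groups against HR data.

Added example (not from the article). Assumes each security group serves one
department, and flags members who have departed, changed role, or are unknown
to HR, plus active department staff (e.g. new hires) who are not yet members.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    active: bool  # False once HR has processed a departure


# Constructed sample data: which department each group is meant to serve.
GROUP_OWNING_DEPARTMENT = {"finance-apps": "Finance", "hr-apps": "HR"}

# Constructed sample HR roster keyed by username.
ROSTER = {
    "alice": Employee("alice", "Finance", True),
    "bob": Employee("bob", "HR", True),
    "carol": Employee("carol", "Finance", False),   # left the company
    "dave": Employee("dave", "Engineering", True),  # transferred out of Finance
    "frank": Employee("frank", "Finance", True),    # new hire, not yet in group
}

# Constructed sample export of current group membership from the aPaaS.
GROUP_MEMBERS = {"finance-apps": {"alice", "carol", "dave", "eve"}, "hr-apps": {"bob"}}


def review_group(members, roster, owning_department):
    """Return {'remove': [(user, reason), ...], 'verify_missing': [user, ...]}."""
    remove = []
    for user in sorted(members):
        emp = roster.get(user)
        if emp is None:
            remove.append((user, "not on HR roster"))
        elif not emp.active:
            remove.append((user, "departed"))
        elif emp.department != owning_department:
            remove.append((user, f"role changed to {emp.department}"))
    # Active staff of the owning department who lack access: verify, don't auto-add.
    missing = sorted(u for u, e in roster.items()
                     if e.active and e.department == owning_department and u not in members)
    return {"remove": remove, "verify_missing": missing}


def run_review(group_members=GROUP_MEMBERS, roster=ROSTER, owners=GROUP_OWNING_DEPARTMENT):
    """Review every group; the result is the reviewer's worklist for the quarter."""
    return {g: review_group(m, roster, owners[g]) for g, m in group_members.items()}
```

Removals for departed or unknown users are safe to action directly; the "verify_missing" list is only a prompt, since not everyone in a department needs every application.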

Review and implement security settings for app access: Security settings are a balance between usability and protection. Finding the right balance for your organization largely depends on what data types will be processed and stored. Review the security enhancements and options your aPaaS vendor offers for locking down citizen-developed apps, including network, authentication, and session settings. You may consider IP filtering so that the aPaaS is accessible only from your corporate office. Pay particular attention to strengthening authentication controls by requiring two-factor authentication and strong passwords. For applications that aren't storing sensitive data, you may consider less-strict security measures, which will also keep citizen developers and users as productive as possible.

Citizen development will continue to grow over the next several years, and organizations can realize the potential it offers while maintaining user and data governance. Security oversight may be different for every company, but as long as there is clear alignment among end users, developers, IT, and security leaders on where along the productivity-control spectrum you want to be, your organization's needs can be met from both ends.


Mike Lemire is the Compliance and Information Security Officer at Quick Base, the platform for app enabled business. Previously, Mike managed the Information Security and Compliance programs at Yesware, Acquia, Pearson Higher Education, and RiskMetrics, and has held ... View Full Bio