IT security, at its best, is about enabling the business and its employees to operate securely without unnecessarily straining productivity or the bottom line. However, as more companies push technology-driven initiatives such as digital transformation, many are struggling with balancing the two.
One of the key areas where this is playing out is with applications developed by business users, sometimes referred to as citizen-developed apps. These applications are built by regular employees using little to no code, and deployed through a cloud-based application-platform-as-a-service (aPaaS) model. Citizen-developed apps are growing in popularity; according to Forrester, the low-code market will grow from $1.7 billion in 2015 to more than $15 billion by 2020. Companies use these apps for everything from procurement and order management to tracking who will bring secret Santa gifts for the office Christmas party.
While organizations are realizing massive gains in productivity and cost savings by leveraging low- or no-code development tools, it may come at a cost. Since apps can be built and deployed with limited (or no) involvement of IT, many organizations have concerns over user and data governance. However, the issue is not necessarily about the tools themselves but about how the organization manages them. While that list of holiday gifts doesn't pose a high security risk, others that contain sensitive corporate information can.
The good news is that security and IT leaders can determine exactly how much power and freedom they want to give citizen developers and, conversely, how much control they need to avoid the perils of shadow IT. Here are some best practices for securing citizen-developed enterprise applications.
Update your policies: While most companies have security policies in place, these policies now need to specifically address use of cloud services, including aPaaS. Beyond documenting the policy, it's important to educate employees on data and user governance guidelines. What data is OK to store in cloud services and what is not, and with whom can data be shared? Regulatory requirements also affect the types of applications they develop and how they use them. For example, in the US, protected health information is subject to HIPAA, credit card data is governed by PCI, and education records are subject to FERPA. Similarly, policies and guidelines around citizen development are getting more popular. According to Gartner's Strategic Planning Assumption, by 2020 at least 70% of large enterprises will have established successful citizen development policies, up from 20% in 2010.
Classify and risk-rank your data: The Data Classification Matrix instructs users on sensitivity levels of data: commonly public, internal use, and confidential. Consider the type of data that users intend to upload to applications and adjust security measures from there. "Riskier" data might include personal information such as Social Security numbers, company financial information, details on proprietary technology, and so forth. Instituting data classification schemas can ensure that users know exactly what information is completely confidential, internal only, or open to the public. By classifying information, app builders will be able to handle data in accordance with security policies.
Enforce (and review!) role-based access: In aPaaS, as with other IT services, role-based access is important to utilize. One way to ensure certain applications are accessed only by authorized users is to implement single sign-on and utilize security groups. For example, if the finance team is working on a project involving sensitive financial data, add everyone involved to a finance security group and quickly assign permissions to the finance team via a group. For applications involving sensitive employee data, you might utilize a user group so that only people in the HR department can access that information.
Once you have set permissions and access rights to your applications, review who has access to what at least once a quarter, making sure that new hires, departures, and employees whose roles have changed have the appropriate access.
Review and implement security settings for app access: Security is a balance between usability and security. Finding the right balance for your organization largely depends on what data types will be processed and stored. Review the security enhancements and options available for locking down citizen-developed apps from your aPaaS vendor, including network, authentication, and session settings. You may consider IP filtering such that the aPaaS can be accessible only from your corporate office. Pay particular attention to strengthening authentication controls by requiring two-factor authentication and strong passwords. For applications that aren't storing sensitive data, you may consider less-strict security measures, which will also keep citizen developers and users as productive as possible.
The rise of citizen development will grow over the next several years, and organizations can realize the potential it offers while maintaining user and data governance. Security oversight may be different for every company, but as long as there is a clear alignment among end users, developers, IT, and security leaders for where along the productivity-control spectrum you want to be, your organization's needs can be met from both ends.