Call them citizen-developed apps, call them low-code apps, or call them no-code apps – they’re here, and they’re not small anymore. A Forrester study has revealed that the low-code application market will grow from $1.7 billion in 2015 to $15 billion by the end of 2020. The pace of this growth succinctly captures the proliferation of low-code or no-code applications in enterprise IT.
Employees who are not directly responsible for application development but knowledgeable in the basics of development find it much easier to use application Platform as a Service (aPaaS) models to develop basic functionality apps, and solve localized problems quickly.
Whereas lethargy in IT delivery is often to blame for this, the self-help approach often results in agility within teams, as things get done quickly. These low-code or no-code apps can be used for all kinds of purposes, right from inventory reporting to organizing weekend team outings!
Where’s the problem, then?
Nobody can deny the productivity gains that apps from citizen developers can bring in for the enterprises, particularly the ones that showcase their value in business problem-solving, and can be scaled for wider usage by the IT teams.
However, there’s a latent cost and risk associated with these apps that enterprises can’t afford to ignore. Because the involvement of IT in the development of these apps is typically nonexistent, there’s barely any data governance around them. Access privileges, integration security, and data privacy – these are critical aspects of any business application, and it’s highly likely that citizen-developed apps will not score well on these parameters.
Slowly but surely, citizen-developed apps become the base of shadow IT within enterprises. How do business-IT co-coordinators balance low-code apps’ benefits and security readiness? This guide helps with answers.
Develop and disseminate guidelines of secure citizen app development
Gartner’s Strategic Planning Assumption published a report suggesting that by 2020, more than 70 percent of enterprises would have strong citizen development policies in place (it was 20 percent in 2010). Until then, you should adhere to these strong points:
- Educate teams about the regulatory requirements the enterprise is supposed to meet; for instance, HIPAA for health-care information, PCI for credit card data, and FERPA for educational records.
- Spread awareness about what kind of data is safe to keep in cloud storage, and what’s not.
- Conduct training to help users understand the nuances of decisions made related to application accesses and user role privileges.
- Implement mechanisms to seek information about citizen developments in place in your enterprises every month.
Drive judicious use in citizen apps
Most known risks of citizen-developed apps stem from injudicious use of sensitive data and upload of confidential information on risky platforms. To avoid this, enterprise IT leads can utilize Data Classification Matrix or similar tools. This matrix helps an enterprise categorize all kinds of data.
The different categories are: commonly public, confidential, internal use only, and so forth. This helps citizen developers make judicious decisions based on the data they’re going to use to create low-code apps. Also, it helps IT teams identify riskier low-code apps that might be using sensitive data without complete security.
Role-based access is a time-tested and proven effective measure of enforcing security policies, and it applies equally well in terms of how users leverage aPaaS for creating low-code apps. To make sure that only a small group of authorized users is able to access an application, implement single sign-on and add security group settings in the mix.
An example: If the human resources team is doing a project around cleanup of employee data, create an HR security group, add all identified authorized users to the group, and use group security settings to control application access for the entire team.
Once this is done, a good follow-up practice is to conduct quarterly reviews of permissions and access rights, with special focus on removing individuals who’ve left the team or the organization, and adding new joiners.
Vendor-side implementation of restrictions to soft-block citizen apps
Another approach of making low-code app development secure is to implement security-related practices from the aPaaS side. For instance:
- Multi-factor authentication requirements for access to certain applications, and less stringent requirements for the more mundane applications.
- IP filtering to ensure that any access to an application is made from your office network only.
- Locking down or soft-blocking citizen-developed apps, coupled with a simple IT approval process that could unlock the apps, powered with automated workflow that sends approval requests to the right person based on the reporting hierarchy of the requesting individual.
- Restricting certain data types from use in unauthorized applications.
These practices need to be implemented with focus on bringing citizen apps in the open, instead of blocking them out, so for every blockage you create, there must be clear and nonintimidating information to help users share the app details with IT teams.
Rewarding citizen-developed apps with a view on motivating disclosure
It’s paramount that all your communication about the need to secure citizen-developed apps be nonintimidating. If you have identified teams where the culture of self-help apps is most prevalent, it’s worth implementing a reward mechanism.
More than anything, this will motivate disclosure of these apps. From an IT perspective, make sure that you focus on securing the disclosed apps, instead of making them dysfunctional. This can help significantly reduce the threat surface area resulting from belligerent use of low-code citizen apps.
Out of the shadows
Not long ago, citizen apps were viewed purely in a negative light, the most often-cited argument being the integration and data security risks they brought. However, because of the ease of creating low-code apps, and the serious problem of IT delivery being outpaced by business requirements, citizen apps have become a reality that IT security leads need to live with.
Photo credit: Shutterstock