Why low-code/no-code should not mean low/no security
Over the years, cloud services have helped democratize IT by making it accessible, available and affordable for nearly any organization. The fusion of IT and business functions has helped drive greater value from technology investments and placed digital strategies at the heart of new business models.
It is only logical that the next step would be to bring this democratization to the end user — like Fred in Accounts or Jane in Human Resources. Employees like Fred and Jane can quickly develop their own business-centric applications with GUI-driven low-code development platforms that require no programming expertise. On the surface it sounds like an amazing business tool for the modern enterprise, but it poses challenges for those in charge of securing the organization's data and enforcing compliance, including:
| Challenge | Description |
| --- | --- |
| Security mindset | Little or no awareness of best practices and security policies to be followed in the development phase |
| Lack of visibility | Use of shadow IT without organizational controls, reviews and governance |
| Data governance | Little knowledge of data sources, how the data is managed, processed and protected |
| Compliance and auditability | Difficulty demonstrating compliance with internal/external mandates |
The infallibility of organizational security
For a long time, security experts have struggled to gain visibility of enterprise app and service usage that may put organizational data at risk. With the increased adoption of SaaS we have seen in the past few years, security solutions such as CASB, SASE and SSPM are helping organizations gain greater visibility and control of whether, what and how these services are used.
However, low-code development has introduced shadow IT applications to the organization, impacting the security and compliance of its data. In this scenario, how can security professionals prevent breaches within these applications from spreading to other critical systems?
This article focuses on five key topics that need to be addressed when governing the security and compliance of low-code application development:
Identities and secrets
Segmentation and configuration
Static and dynamic testing
Data handling and access
Logging, monitoring and management
Let’s explore each of these in detail and discuss how enterprises can continue to leverage low-code without worrying about its impact on organizational security.
Handle with care: Managing identities and secrets
Identity is the primary perimeter in a public cloud architecture and the first line of a defense-in-depth security posture. The further we move away from physical infrastructure and compute resources, the more important it becomes to secure our identities and secrets. In this context, both of these are the primary ways that users gain access to an application, and in turn to other applications or databases. Both are equally important, and improper handling of either could cause an identity breach.
Unlike security professionals, low-code developers may not understand the full scope of access, such as a user’s authorized credentials or a secret’s permissions. An organization can protect itself from leaked credentials and secrets by ensuring that user accounts and secrets are not exposed within its applications. Operations requiring privileged access should be implemented just in time and with just enough access through zero trust verification methods. If standard security practices have these procedures in place, it will limit the chance of exposure in low-code application development.
Break it down: Segmentation and configuration
Although identity is the perimeter to protect resources in your applications and data, no security control is 100% foolproof and attackers tend to find a way in. That’s why a defense-in-depth approach is critical. Not only should a security team create a zero trust identity policy for protecting user credentials and application secrets, they should also apply that same zero trust methodology to the configuration of applications. Since these low-code applications are to be deployed across the organizational infrastructure, information barriers can be useful in avoiding connections to specific, mission-critical applications, especially those with sensitive and confidential information.
Segmentation of the virtual networks and databases that contain this information should be woven into the security policies. Proper segmentation of applications’ access to integral systems protects against misconfigurations that can cause a data breach. Ideally, strive to avoid configuration errors, but if one is there, it is imperative that the damage is minimized.
Stay sharp: Static and dynamic testing
Static testing is the process of having someone review the code prior to production, although it is just an “eye test” of the written code, not the code in action. Therefore, it may not identify possible vulnerabilities that only appear when the application is running. On the other hand, dynamic testing is used to test code while an application is running. It has the potential to uncover more vulnerabilities, but since the code is in production, these vulnerabilities may be exploited by an attacker, underscoring the importance of monitoring the application during testing.
Static and dynamic testing can help identify the configuration errors discussed in the previous section. Testing is a critical phase that provides peace of mind prior to an application going into production. Company procedures need to be in place within a DevSecOps deployment process. This may not be feasible within your organization for agile low-code development within departments, but it is an important step to avoid API- and code-based vulnerabilities, such as cross-site scripting and injection attacks.
Since low-code development is by definition executed by people outside the IT department, the development of these applications is often not aligned with the same DevSecOps processes. Therefore, security teams should integrate security testing into their processes prior to releasing the low-code application into production.
Precision-perfect: Data handling and access
An organization may store personal information like internal and external user identities, financial information, personally identifiable information (PII), personal health information (PHI), customer information and business information, just to name a few. This wealth of information makes organizations extremely attractive targets, and it must be safeguarded.
Organizations need to be aware of what type of data their systems contain and cognizant of how it is handled and accessed. They must properly label and classify this data to enable the security team to apply policies that prevent data leakage through data mishandling or giving unauthorized users and applications access to data.
The security team should also create processes for low-code developers to classify data — and these processes should be checked with data auditing and exploring solutions. Once these processes and policies are in place, data loss prevention tools can identify PII, PHI, and other information that may affect the company’s privacy and compliance.
The final frontier: Logging, monitoring and management
Finally, the key to any successful security posture is how applications are monitored and managed for potential anomalous activities and threats. Policies should be in place for all application development to ensure that proper logging takes place and security operations systems have access to review these logs through a SIEM/SOAR solution with analytics capabilities — such as the Atos AIsaac MDR platform.
Ensuring fast, secure low-code application development
Even though security operations professionals are not directly involved in the development of low-code applications, they are still responsible for the controls and policies that govern the secure development of these applications. Establishing airtight governance with the appropriate policies, controls and information barriers in place will drive a strong security posture throughout the organization and allow security operations to breathe a sigh of relief.
In conclusion, a robust security approach can fast track an organization’s efforts to enable low-code application development and empower non-technical staff to achieve their business goals and accelerate growth. If you are looking to leverage the speed and flexibility of low-code, Atos’s Cybersecurity team can help address cloud security posture and protection, identity and data sovereignty, and a proper DevSecOps approach for low-code application development.
About the author
Amo is a Senior Expert at Atos and globally leads Cloud Security by working with customers, partners and industry to overcome the cyber security challenges faced in cloud adoption. Amo has been in the IT industry for over two decades, holding senior leadership and technical positions that have led him to become a leading business technologist in Digital and Security. Amo graduated with a bachelor's honours degree in Mathematical Business Analysis and continues to be a certified information security and risk practitioner with CISM and CRISC accreditations from ISACA. In 2021 Amo was awarded joint best newcomer inventor for the patent filing of Cloud Security Engine. In his personal time Amo is an assistant coach for a local junior football team.
Dwayne is the Global Principal Cloud Security Tech Lead at Atos. He supports the cloud security portfolio for the technical capabilities, solution business plans and strategy for Atos, and leads cloud education for Microsoft and AWS.
He has served in many roles over a 30-year career in IT, including as a solution engineer and product manager. Dwayne is a Microsoft MVP, an ISC2 CISSP and 18x certified in multiple Azure and M365 security, data engineering, architecture, and administrator roles. He is the author of multiple books on security and is a Security Professional Community Manager for Packt publishing.