GUEST VIEW by Mark Nunnikhoven
Is low code a security risk?
Mark Nunnikhoven is Distinguished Cloud Strategist at Lacework.
Low-code/no-code platforms address the increasing demand for customized IT solutions by letting those closest to the issue build the solution. These tools provide a set of building blocks that anyone can connect together to solve a problem.
But as with any new technologies, there can be increased risks. Should you be concerned about the security of low-code/no-code platforms?
Two types of platforms
The first step in any risk assessment is determining the desired functionality of the tool. This often leads to areas that need more investigation. Low-code/no-code platforms provide a variety of components that can be assembled into a customized solution — things like text boxes, date/time pickers, number inputs, and more. The data entered using these components stays on the platform, making it easier to analyze from a security perspective. Ultimately, these components aren't that much different from any other SaaS platform in use. So, let's label low-code/no-code platforms that only have components like this contained.
What really sets this new wave of tools apart from the previous generations is the cloud. The cloud has made APIs (application programming interfaces) the norm. Let's imagine a scenario where your team is at an event. They're talking to a potential customer, then ask for some information to enter into your low-code/no-code app. As that record is created, the app connects to Salesforce and creates an opportunity in your sales workflow, automatically assigning an account manager. It then checks with your email marketing tool to look for this contact. Discovering they are already in the marketing funnel, it moves them to a different path in order to avoid overwhelming them. Connected platforms make direct connections to other services, for data input, data output, or both.
Connected risks
and processed.
If you consume data from a service like Marketo in your custom app and then send that data to another outside service, what's the risk?
You often won't know. And that, in and of itself, is the risk.
The nature of low code/no code means that connections to third-party services are often made with an individual's credentials instead of a service account. This means that "Mark" has made a connection between the custom app and the other service, and that connection is used regardless of who's actually using the app.
This lack of granularity can mean big challenges for security. The team no longer has visibility into who is accessing that data, as all access is logged under that one user… if it's logged at all.
Security has long struggled to gain visibility into what's happening in the company's IT environment. With the rapid adoption of these platforms, it's likely that there will be significant visibility gaps until this space matures to meet enterprise needs.
How to adjust
Low code/no code is a win for the business overall and a win for the CIO because these platforms empower business teams to solve their own problems.
Security should encourage their adoption, but safely. That starts with a risk assessment to determine if it's a "connected" platform. If it is, then verify the credentials used to connect to third-party services. Ideally, they are service accounts and not ordinary users.
Your next step is to research and enable any logging for the platform and its connections. It's critical that you maintain and even expand visibility into the activities on these platforms. That visibility is likely going to be your only security control to respond to data breaches or exposure issues.
The 65% of all application development that Gartner predicts will happen on these platforms in the next few years doesn't mean a move away from traditional development. It's a wave of new development as these platforms remove barriers, allowing more people to solve their problems.
That's a win for your business.
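The three checks in the two paragraphs above (is the platform contained or connected, are the connections made with service accounts rather than an individual's credentials, and is logging enabled for the platform and each connection) can be turned into a repeatable audit. The script below is an added example, not code from the column or from any low-code vendor; it runs over a constructed JSON inventory of apps and their connections, and the export format, field names (`credential_type`, `owner`, `logging`, `audit_logging`) and sample accounts are all assumptions, since every real platform exposes its own admin API for this information.

```python
import json
from dataclasses import dataclass

# Constructed sample export (not real data): one platform with three apps.
# Field names are assumptions for this example, not any vendor's schema.
SAMPLE_EXPORT = json.dumps({
    "platform": {"name": "ExampleBuilder", "audit_logging": False},
    "apps": [
        {
            "name": "Event lead capture",
            "connections": [
                {"service": "Salesforce", "direction": "output",
                 "credential_type": "user", "owner": "mark@example.com",
                 "logging": False},
                {"service": "Marketo", "direction": "input",
                 "credential_type": "user", "owner": "mark@example.com",
                 "logging": True},
            ],
        },
        {"name": "Expense form", "connections": []},
        {
            "name": "Support intake",
            "connections": [
                {"service": "Zendesk", "direction": "both",
                 "credential_type": "service_account",
                 "owner": "svc-support@example.com", "logging": True},
            ],
        },
    ],
})


@dataclass
class Finding:
    scope: str      # "platform" or "<app> -> <service> (<direction>)"
    severity: str   # "high" or "medium"
    detail: str


def classify_platform(apps):
    """'contained' when no app talks to an outside service, otherwise 'connected'."""
    return "connected" if any(app.get("connections") for app in apps) else "contained"


def audit_connection(app_name, conn):
    """Apply the credential and logging checks to one third-party connection."""
    scope = f"{app_name} -> {conn['service']} ({conn['direction']})"
    findings = []
    if conn.get("credential_type") != "service_account":
        # Every access through this connection is attributed to one person,
        # whoever is actually using the app: the visibility gap the column describes.
        findings.append(Finding(scope, "high",
            f"uses {conn['owner']}'s individual credentials; all access is "
            f"logged under that one identity regardless of who uses the app"))
    if not conn.get("logging"):
        findings.append(Finding(scope, "medium", "connection logging is disabled"))
    return findings


def audit(export_json):
    """Classify the platform and, if connected, collect credential/logging findings."""
    data = json.loads(export_json)
    apps = data.get("apps", [])
    classification = classify_platform(apps)
    findings = []
    if classification == "contained":
        # Data stays on the platform; treat it like any other SaaS product.
        return {"classification": classification, "findings": findings}
    if not data.get("platform", {}).get("audit_logging"):
        findings.append(Finding("platform", "high", "platform audit logging is disabled"))
    for app in apps:
        for conn in app.get("connections", []):
            findings.extend(audit_connection(app["name"], conn))
    return {"classification": classification, "findings": findings}


def summarize(result):
    """Count findings by severity so the report can be compared run over run."""
    counts = {"high": 0, "medium": 0}
    for finding in result["findings"]:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print(f"platform is {report['classification']}; totals: {summarize(report)}")
    for finding in report["findings"]:
        print(f"[{finding.severity}] {finding.scope}: {finding.detail}")
```

On the sample inventory the platform is classified as connected, the disabled platform audit log and the two Salesforce/Marketo connections made with one person's credentials are reported as high, and the missing Salesforce connection log as medium; the Zendesk connection, which uses a service account with logging on, produces no finding. Re-running the audit after each change to an app keeps the inventory of connections current, which is the visibility the column argues you will be relying on.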