Low-Code/No-Code Security Governance

From the Great Resignation to the tech layoffs driven by the economic downturn, we’ve rarely seen this much upheaval as organizations struggle to meet their staffing needs and maintain operations. New technologies like low-code/no-code (LCNC) platforms make it possible for organizations to bridge the supply/demand gap for highly skilled and specialized engineering and developer talent. LCNC empowers business employees to build new applications that address specific business needs without having to rely fully on IT colleagues. However, while this democratization of development for internal workflows and longtail applications makes it easier for organizations to accelerate digital transformation, it also raises important questions about security and governance. If everyone in the organization can be a developer, does everyone also need to be a security pro?

The capabilities that make LCNC platforms desirable (speed, flexibility and a low barrier to entry) also make them a calculated security risk. As with every aspect of LCNC, IT professionals and citizen developers must share responsibility for the security and governance questions that arise.

For companies seeking to make LCNC part of their plans for rapid innovation and optimization of existing resources, here are four considerations to ensure security and governance aren’t afterthoughts:

1. Invest in Comprehensive Education and Training

Just because LCNC platforms make it possible to create and scale applications with little or no formal coding doesn’t mean organizations should provide only minimal training as a matter of course. An intentional deployment of LCNC tools, complete with well-considered training sessions on security and governance best practices, will always produce stronger results. At a minimum, each citizen developer should be assigned an IT colleague as a mentor to open lines of communication. Building this relationship gives citizen developers a channel to report security concerns without worrying about being criticized or punished.

Good software is secure software, and a good company culture is one that incorporates security education and best practices at every step of the development process. Taking the actual development of longtail apps off IT’s plate frees up time for those team members to provide more strategic security guidance and training to citizen developers.

2. Built-In Security With Layered Permissions

With LCNC solutions, enterprises can still restrict certain permissions to specific users. This ensures that IT professionals with the necessary knowledge make the critical decisions that could affect the health, performance and security of the overall tech stack. In short: Citizen development can’t become a wild west in which everyone has full control. Guardrails need to be baked into the process from the start, which aligns with a zero-trust approach to the design and implementation of any IT system.

3. Design Intentionally for Transparency

When citizen developers can create solutions for their individual needs, IT professionals are freed up to focus on higher-level tasks, including new features and system architecture. One of those tasks should be an intentional approach to LCNC implementation that focuses on visibility and transparency across the solution. Investing time and energy in visibility during the implementation phase makes it much easier to detect and pinpoint security breaches later on.

Security leaders must be able to track the movement of data to determine whether a leak or breach has taken place. Differentiating between service accounts and general user accounts for LCNC tools makes this movement easier to follow. IT leaders should also build out functions only as they’re needed, avoiding the complexity that can lead to poor governance or vulnerabilities.

4. Keep Track of Integrations

A security system is only as strong as its weakest link. In today’s cloud architectures, the growing use of microservices and third-party integrations means every company must ask questions about the security posture of its partners. Organizations should carefully vet the partners they bring on through their LCNC platforms, asking targeted questions about the security and compliance of each API.

There’s no deadline or expiration date on a new integration, so IT leaders should take the time to do their homework before launching one. Time invested in shoring up security is always time well spent.

After years of digital transformation initiatives, businesses will never go back to the way things were before. Every employee can be a technical asset in 2022. Business and engineering leaders alike must adjust to this new reality and take the intentional steps necessary to create a secure environment for growth and innovation. Anything less puts the organization at risk.

Dinesh Varadharajan

Dinesh Varadharajan is the Chief Product Officer (CPO) at Kissflow. With profound knowledge of the design and technical implementation of BPM solutions, Dinesh oversees the company's product operations. He was part of Kissflow’s founding team and has been with the company for nearly two decades. Dinesh is a hands-on executive with a wide range of experience working with cutting-edge technologies, developing innovative products and mentoring highly productive teams. He holds an MCA in Computer Applications from Bharathiar University.