Low-code and no-code application development have been emerging over the last few years, as a way to empower more users to innovate and lower the barriers to automating work. Armed with this capability from technologies like Zapier, AWS Honeycomb, and Microsoft PowerApps, users can begin to merge their creativity, domain knowledge, and some of the benefits of software development together.
But what about cybersecurity and low-code/no-code? Well, the jury is still out as to whether or not this trend is beneficial. Like most things, it depends on the circumstances:
- The scenario or business process supported
- The data handled by these tools
- The planned support and maintenance model
- The integrations used with other applications and cloud services
When considering the security of these platforms, the above dimensions matter a great deal to the overall risk. There is no one-size-fits-all risk assessment for these technologies and their planned use.
Shared Responsibility Model
These platforms typically deploy as a part of a software-as-a-service model, which may follow a model similar to the one below.
The low-code/no-code platform complicates this model in several ways:
- Multiple provider solutions are connected together with data, or other application context, shared between them
- Different risk profiles likely exist for each connection point
- The user is building new workflows or lightweight applications on top of functionality inside of the low-code/no-code platform
- The user is using functionality exposed by these other connected services. This functionality is in some ways an abstraction of lower layers of this shared responsibility model. By extension, it shifts back in favor of more user control.
This model is not as clean as it is with typical cloud service provider consumption. It also changes as use cases evolve.
Opportunity Cost
Teams must consider today’s risk alongside the risk of what might change. There is complexity in the shared responsibility model, but it’s not the only focus. Risk is in everything we do.
There is a natural tendency to focus only on what’s changing or what’s new, not on the risk of something staying as-is: for example, spreadsheets filled with sensitive data passed over email; or data saved on a user’s file system, all of it subject to loss or mishandling. Creating a simple automated flow to connect several applications together is usually solved through the manual exchange of files and analysis. How does that change the risk profile?
The answer is different for every scenario. But it’s something we as cybersecurity professionals need to consider, while asking ourselves a fundamental question:
What’s the risk of doing nothing?
We may not want mission-critical business processes built on these kinds of platforms. However, if they enable simple things to move faster or operate more safely, that might be worthwhile in your environment. These platforms can also be very useful for rapid experimentation to find solutions that add value. This learning process may pave the way towards building a more robust, scalable, and mission-reliable solution.
Empowering Domain Experts
The growth and maturity of low-code/no-code platforms are exciting, and highlight what is possible when engineering-like capabilities are put in the hands of more people. That’s especially true when focused on empowering people with problem and domain expertise.
However, these platforms are no silver bullet. The complexities around risk and shared responsibility make them optimal for small-scale task automation, support, and experimentation, but not as much for large-scale mission-critical functions.
There’s a growing trend to empower end-users to not accept the status quo in how to do their work or how business processes come together. As a cybersecurity team, prepare for how this risk assessment comes together in your environment and seek to enable where you can.
