In recent years, we have witnessed a tectonic shift in the way organizations develop and maintain software. As part of this shift, IT operations are quickly getting decentralized.
Traditionally, IT and development teams developed, owned, and monitored both internal and external business applications. This legacy approach directly slows down the business side. When a marketing professional, for example, conceives a new desired capability or a new application, they need to go through multiple cycles with project and product managers, convince executives to spend time and resources, and elaborate on the requirements for the development team in IT. Aside from being extremely slow and cumbersome, this process typically ends up with misunderstood requirements and oftentimes with the wrong architecture.
Today, business groups within the enterprise are hiring their own developers, placing more power in the business side’s hands for building their own tools and applications internally. Low-code is the main driver for this change. Low-code reduces the barrier to entry for application development, to the point that literally *anyone* can build applications today. As the VP of platform ecosystem at HubSpot put it back in 2018, “Now every marketer is an app developer – even if they don’t know it.”
Low-Code is Driving IT Decentralization
In recent years, low-code/no-code has facilitated and accelerated the IT decentralization trend that has been going on for many years now, and it has done so with record speed. In 2020, Gartner released a prediction stating that by 2023, the number of active citizen developers at large enterprises will be at least four times the number of professional developers. In 2021, only a year later, a Gartner survey revealed that four out of five technologists within the enterprise are outside of IT.
In this new decentralized IT world, organizations must ensure that while productivity goes up, fundamentals like security, privacy and compliance remain a priority. This is a very tough challenge to overcome. While the responsibility for fundamentals remains with IT and security teams, development is now highly distributed. None of the processes and tools on which enterprise security was built are in place for low-code development. Information security fundamentals like security review processes, application security testing and ways to monitor and detect threats are severely lacking. In fact, low-code’s tremendous gains are rooted in its implications for the Secure Development Lifecycle (SDLC) process, which can be summarized by “Click Save to deploy.” In many cases, IT teams don’t even know that their business teams have started using low-code, making shadow IT another major part of the low-code security challenge.
The Emerging of the New Business Cloud
Low-code has multiple paths directly into the heart of any organization. In some organizations, where digital transformation is a strategic effort, low-code is introduced by senior management in order to accelerate productivity across business teams, usually coupled with a Center of Excellence that helps educate users and find key use cases to focus on. In other organizations, low-code is introduced bottom-up by the business teams themselves. Anyone, from a single business team to an entire business organization, can introduce a low-code platform to solve their own needs.
Moreover, major SaaS vendors are increasingly shifting towards becoming low-code platforms themselves. Almost every modern enterprise uses big SaaS vendors like Microsoft, Salesforce or ServiceNow, and these vendors have all integrated low-code platforms directly into their offerings and right into the heart of every big enterprise.
What we’re witnessing here is the formation ofa new kind of cloud: the Business Cloud. The business cloud does not compete directly with the public cloud. Instead, it aims to solve business use cases that were not previously addressed and to enable business professionals and developers to address their own needs with increased productivity and business agility.
The tectonic shift in the way applications are being developed leaves IT and security teams unable to control, secure and monitor business-critical applications. This shift exposes organizations to security breaches and data leaks. Hackers have already taken note, turning low-code platforms against their owners and using them to hide in plain sight. In one case, hackers leveraged a low-code platform to maintain privileged access to Office 365 for over 240 days.
The Shared Responsibility Model – Who is Responsible for Low-Code Security?
How should the industry react to these changes? Who should own the security risk, it is the vendor? The organization who uses low-code? What can we learn from past technology shifts to better address this one?
We have seen a similar change like this before, with the adoption of the public cloud. A few years ago, companies leveraging AWS, Azure, and GCP, among others, realized that even though cloud providers are heavily investing in the security of the platform, the consumers of these platforms own the applications’ logic, and therefore are responsible for the risks they introduce. This concept is commonly referred to as the Shared Responsibility Model, and organizations must own their part, or risk a potential breach. The same is true for low-code; organizations must own their part of the low-code shared responsibility model.
With regards to low-code applications, IT and security teams were left with an impossible decision: either enable the business, or maintain control. The business team needs to unleash thousands of new developers, solve thousands of use cases and move fast. IT/security teams need to maintain security, ensure business continuity and guarantee compliance.
Which decision has your organization made?
Introducing Zenity: An End-to-End Security Platform for Modern Business Applications
Zenity is the world’s first and only governance and security platform for low-code/no-code applications. It provides IT and security teams with the tools they need to discover, assess, govern and monitor applications across low-code platforms. With Zenity, IT and security teams can have their cake and eat it, too; they can enable the business while also staying secure.
IT/security teams can set guardrails, monitor and detect threats, intervene when needed and empower the business team. At the same time, business teams can unleash citizen developers, build with confidence, seamlessly comply with organizational policies and work together with IT. Zenity is the bridge that IT and business teams can use to work together and accelerate business transformation while maintaining control.
At Zenity, we are committed to helping our customers and the Infosec community at large to address the low-code security challenge. We invest in researching low-code platforms and their usage, mapping security threats and helping our customers to detect and mitigate threats to low-code applications. We are fortunate to be working with many Fortune 500 companies, seasoned industry experts and top VCs to tackle this emerging challenge.
If you’re interested in learning more about Zenity or being part of the low-code security movement, we invite you to reach out, subscribe to our newsletter, and follow us on social media.