Security Governance Framework for Low-Code/No-Code Development

No-code/Low-code puts new technology in the hands of every person in an organization.
Unfortunately, many of these employees are not tech savvy and lack security training and awareness.
In this document, we describe a recommended security governance framework for low-code/no-code (LCNC) applications and automations, such as those developed on Microsoft Power Platform.

Maintain Secure and Compliant Environments

IT and security leaders need to develop an end-to-end security governance framework that can support business growth and modern development, while providing guidance and tools to develop, operate, monitor, manage and remediate LCNC risks. The framework described in this document
was developed to help organizations get from 0 to 1, and it shouldn’t be considered an “all or nothing” option. Organizations can adopt a crawl/walk/run model and distribute the different components described here.

Empower Citizen Developers

Organizations are increasingly leveraging low-code / no-code development to get more done without exclusively relying on professional developers. Gone are the days where a select few are needed to create applications and workflows to boost efficiency and productivity for the entire workforce. Citizen developers are now able to use low-code / no-code platforms to quickly build things they need.

However, with great power comes great responsibility. Citizen developers may not have the same security acumen as professional developers and IT. Tight security and governance is needed.

At Zenity, we are laser focused on enabling security and platform teams to seamlessly protect applications, workflows, automations, bots, integrations, and connections that are developed using any low-code / no-code development platform. Our solutions are built to help improve:

Visibility

Generate a continuous cross-platform inventory of all No-Code / Low-Code apps, automations, connectors, data objects, bots, and more. Gain insights that include business criticality, security risk scores, relationships, and timeline of activities.

Risk Assessment

Perform continuous risk assessment to pinpoint vulnerabilities and insecure components within implemented business logic. Mitigate risks like identity impersonation, supply-chain risks, data exfiltration, excessive sharing, and other scenarios.

Governance

Apply security and compliance standards with customized policies, remediation actions and enforcement playbooks. Ensure that any unused or unowned low-code applications are identified, assigned ownership, or removed from the environment.