Taking Power Platform Security and Governance from 0 to 60: Part 2

Recap of Part 1

In the first part of this blog series, we explored the foundational steps required to kickstart a robust security program for any organization’s low-code/no-code development environment within Microsoft Power Platform. We discussed the importance of differentiating between sensitive and non-sensitive data, identifying the makers and builders, and implementing the principle of least privilege access.

To recap briefly:

• We emphasized the need to classify data based on sensitivity and apply appropriate controls and restrictions using Data Loss Prevention (DLP) and default settings… while taking into consideration DLP bypass concerns
• We highlighted the significance of identifying and engaging with the individuals responsible for creating applications and automations, known as “makers” and “builders”
• We stressed the importance of implementing the principle of least privilege access, which includes processes for guest access approval, robust authentication mechanisms, and regular permissions audits

Now, let’s dive deeper into two of these critical areas: guest access and handling sensitive data (and hard-coded secrets). Particularly, we will address how to prevent data leakage.

Guest Access: Navigating External and Third-party Access

In an interconnected world, granting guest access to external collaborators or third-party vendors is often necessary for business operations. However, this introduces a complex security challenge. To address this issue effectively, consider these key steps:

1. Define Guest Access Approval Processes: Establish clear processes for granting guest access to Power Platform environments. Determine which vendors or external partners need access and what level of access is appropriate. It’s essential (and possible!) to strike a balance between productivity and security.
2. Leverage Azure Active Directory (Azure AD): Utilize Azure AD B2B features to invite external users securely. Azure AD provides identity and access management capabilities that can be integrated into your Power Platform environment, ensuring that guest users adhere to your organization’s security policies.
3. Regularly Monitor and Audit Guest Access: Continuous monitoring and auditing of guest access is vital. Regularly review and revoke guest access when it is no longer required, and ensure that external users only have access to the resources they need for their specific tasks.
4. Revoke access: Make sure to implement automation processes that not only monitor guest access but also can revoke any non-approved or unused access to mitigate potential risks from being introduced to your organization. 
5. Monitor non-corporate accounts. A very common scenario that we see a lot is business users creating apps and automations that sync their corporate emails and calendars with their personal accounts. This inherently causes data leaks, yet is often undetected, and must be monitored and blocked to prevent potential sensitive data leakage.

By committing to the principle of least-privilege, and cutting down on organization-wide access to powerful apps such as Power Apps and Power Automate, security teams can maintain stricter governance without hindering productivity. This does take work, however, in assigning least privilege, but as we have seen, removing unnecessary access rights can be the difference between breach and no-breach.

Handling Sensitive Data and Hard-Coded Secrets

As Power Platform environments grow, so does the potential for mishandling sensitive data and hard-coded secrets. This is particularly true when talking about the risks introduced via citizen developers, who by-and-large lack knowledge about application security best practices. To mitigate these risks:

1. Implement Secrets Management: Avoid hard-coding sensitive information, such as API keys or user & password for login purposes, directly into your applications or automations. Instead, use secure secrets management solutions like Azure Key Vault or other solutions to securely store and retrieve sensitive data. Also, implement guardrails to detect any applications or automations that have hard-coded credentials and secrets embedded within them. 
2. Encrypt and mask data. Encrypt sensitive data both in transit and at rest. This is relevant for not only apps or automations, but also to the logs that are being written after every run. Apply data masking techniques to limit the exposure of sensitive information to users who don’t require full access. For whenever apps or automations are being built, Power Platform has these capabilities as part of the flow definition settings. 
3. User Training and Awareness: Ensure that all makers and builders are aware of the importance of handling sensitive data responsibly. Provide training on the mentioned above and best practices for data security, including proper encryption and secrets management. 

Data Leakage and Flows: Controlling the Flow of Data

Data leakage can occur when data moves in unintended or unauthorized ways within your Power Platform applications and automations. To prevent data leakage and control data flows:

1. Implement Data Loss Prevention (DLP) Policies: Continuously update and fine-tune your DLP policies to restrict the movement of sensitive data. Define policies that specify how and which data can be used where, or transferred, and enforce these policies across your environment. However, as mentioned in previous blogs, this is not enough, and must be continuously tested and reinforced. 
2. Data Flow Analysis: Regularly analyze the flow of data within your applications and automations. Identify potential points of data leakage and take proactive measures to secure these pathways; whether it be unapproved guests, or unsanctioned dataflows from endpoint-to-endpoint.
3. Real-time Monitoring: Utilize real-time monitoring and alerts to detect and respond to any unauthorized data flows or access attempts promptly. Due to the speed at which low-code development is happening on Power Platform, simple detection is no longer enough. Security teams must be able to proactively and in some cases automatically block unapproved dataflows or data combinations in real-time to avoid data leakage. 

Coming Next

Stay tuned for Part Three, where we’ll explore advanced security measures, compliance considerations, and best practices for long-term success in securing your organization’s low-code/no-code development ecosystem.