There was a time when risk-averse organizations could severely limit the ability of their business users to make costly mistakes. With limited technical knowledge, strict permissions, and a lack of tailwind, the worst thing a business user could do was download malware or fall for a phishing campaign. Those days are gone.
Today, every major software-as-a-service (SaaS) platform comes with automation and application development capabilities that are designed and marketed directly to business users. SaaS platforms such as Microsoft 365, Salesforce, and ServiceNow are embedding no-code/low-code platforms into their existing offerings, putting them directly into the hands of business users without asking for corporate approval. Capabilities that were once only available to IT and development teams are now available throughout the organization.
Power Platform, Microsoft’s low-code platform, is built on Office 365 and is a good example because of Microsoft’s strong foothold in the enterprise and the rate at which it is being adopted by business users. Perhaps unwittingly, businesses are putting developer-level power in the hands of more people than ever before, with less security or technical knowledge. What could possibly go wrong?
Quite a lot, actually. Let’s examine some real examples from my experience. Information is anonymized, and business-specific processes are removed.
Scenario 1: New Vendor? Just Do It
The customer care team at a multinational retail company wants to enrich their customer data with consumer insights. In particular, they hope to find more information about new customers so they can better serve them, even at their initial purchase. The customer care team has decided on a vendor they want to work with. The vendor needs the data sent to them for enrichment, which is then retrieved by their services.
Ordinarily, this is where IT comes in. IT would need to build some kind of integration to get data to and from the vendor. The IT security team obviously needs to be involved as well, to ensure that this vendor can be trusted with customer data and to approve the purchase. Procurement and legal would also play an important part. In this case, however, things went in a different direction.
The members of this dedicated customer care team are Microsoft Power Platform experts. Instead of waiting for resources or approval, they just went ahead and built it themselves: collecting customer data from production SQL servers, forwarding it all to a vendor-provided FTP server, and getting enriched data back from the FTP server to the production database. The entire process was executed automatically whenever a new customer was added to the database. Everything was done through drag-and-drop interfaces, hosted in Office 365, and using their personal accounts. The license was paid for out of pocket, which kept procurement out of the loop.
Imagine the CISO’s surprise when they saw a bunch of business automations moving customer data to a hard-coded IP address on AWS. Because the company was an Azure-only customer, this raised a huge red flag. Furthermore, data was sent and received over an unsecured FTP connection, creating a security and compliance risk. When the security team found it through a dedicated security tool, the data had been moving in and out of the organization for almost a year.
Scenario 2: Ohh, Is It Wrong to Collect Credit Cards?
The HR team at a large IT vendor is preparing for a once-a-year “Give Away” campaign, where employees are encouraged to donate to their favorite charity, with the company pitching in by matching every dollar donated by employees. Last year’s campaign was a huge success, so expectations were through the roof. To enable the campaign and alleviate manual processes, a creative HR employee used Microsoft’s Power Platform to create an app that simplifies the entire process. To register, an employee logs into the application using their corporate account, submits their donation amount, selects a charity, and provides their credit card details for payment.
The campaign was a huge success, with record-breaking employee participation and little manual work required from HR employees. For some reason, however, the security team was not happy with what had happened. While registering for the campaign, an employee from the security team realized that credit cards were being collected in an app that didn’t seem like it should be collecting them. Upon investigation, they found that the credit card details were indeed improperly handled. Credit card details were stored in the default Power Platform environment, which means they were available to the entire Azure AD tenant, including all employees, vendors, and contractors. Furthermore, they were stored as simple plaintext string fields.
Fortunately, the data processing breach was discovered by the security team before it was spotted by malicious actors — or compliance auditors. The database was cleaned, and the application was patched to properly handle financial information according to regulation.
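A check for the failure in this scenario, as an added example that is not part of the original article: it scans exported table rows for string fields holding plaintext card numbers, using the Luhn checksum to cut false positives. The column names and rows are constructed, and the card numbers are publicly documented test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits so findings are safe to log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_plaintext_pans(rows):
    """Return (row_id, field, masked_pan) for each string field holding a likely PAN."""
    findings = []
    for row in rows:
        for field, value in row.items():
            if not isinstance(value, str):
                continue
            for m in PAN_RE.finditer(value):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    findings.append((row.get("id"), field, mask(digits)))
    return findings

# Constructed sample rows (hypothetical column names); the card numbers are
# publicly documented test numbers, not real accounts.
SAMPLE_ROWS = [
    {"id": 1, "employee": "a.lee", "charity": "Food Bank", "card": "4111 1111 1111 1111"},
    {"id": 2, "employee": "b.kim", "charity": "Shelter", "notes": "pay with 5555-5555-5555-4444 pls"},
    {"id": 3, "employee": "c.roy", "charity": "Library", "card": "tok_9f2c"},
    {"id": 4, "employee": "d.ng", "charity": "Clinic", "phone": "1234567890123456"},
]

if __name__ == "__main__":
    for finding in find_plaintext_pans(SAMPLE_ROWS):
        print(finding)
```

Row 4 shows why the checksum matters: a 16-digit value that fails Luhn is not reported, while a card number buried in a free-text notes field is.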
Scenario 3: Why Can’t I Just Use Gmail?
No user likes enterprise data loss prevention (DLP) controls. Even when necessary, they introduce annoying friction in day-to-day operations, so users always try to avoid them. A perennial tug-of-war between creative business users and the security team is over corporate email: users want to sync corporate email with a personal email account, or a corporate calendar with a personal calendar. Security teams have a solution for that: they deploy email security and DLP solutions to block email forwarding and ensure data management. This will solve the problem, right?
Nope. Repeated research across large and small businesses has found that users are creating automations that bypass email controls to forward their corporate email and calendar to their personal accounts. Instead of forwarding emails, they copy and paste data from one service to another. By logging into each service with a separate identity and automating the copy-paste process without code, business users can easily bypass security controls — and there’s no easy way for security teams.
The Power Platform community has even created templates that any Office 365 user can download and use.
With Great Power Comes Great Responsibility
Empowering business users is great. Lines of business should not be waiting for IT or fighting for development resources. However, we can’t just give business users developer-level power without guidance or guardrails and expect everything to be fine.
Security teams need to educate business users and inform them of their new responsibilities as application developers, even if those applications are built with “no code.” Security teams must also put guardrails and monitoring in place to ensure that when business users make mistakes, as we all do, they don’t snowball into full-blown data leaks or compliance audit incidents.
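One form such monitoring can take, as an added example that is not from the original article: an audit over an inventory of automations that flags the patterns from scenarios 1 and 3 (cleartext FTP, a hard-coded IP address, and a non-corporate identity in a flow that also touches corporate data). The connector ids, corporate domain, and inventory layout are hypothetical, not Power Platform's own export schema.

```python
import ipaddress

# Assumed tenant policy for this example; connector ids and the inventory
# layout below are hypothetical, not Power Platform's export schema.
CORP_DOMAIN = "corp.example"
CORPORATE = {"sql", "office365-outlook", "office365-calendar", "sharepoint"}
CLEARTEXT = {"ftp"}

def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_flow(flow):
    """Return guardrail violations for one flow that touches corporate data."""
    conns = flow["connections"]
    if not any(c["connector"] in CORPORATE for c in conns):
        return []  # no corporate connector involved, out of scope here
    issues = []
    for c in conns:
        name, host, account = c["connector"], c.get("host", ""), c.get("account", "")
        if name in CLEARTEXT:
            issues.append(f"cleartext-transport:{name}")
        if host and is_literal_ip(host):
            issues.append(f"hard-coded-ip:{host}")
        if account and not account.lower().endswith("@" + CORP_DOMAIN):
            issues.append(f"non-corporate-identity:{name}")
    return issues

def audit(flows):
    """Map flow name -> violations, omitting clean flows."""
    report = {f["name"]: audit_flow(f) for f in flows}
    return {name: issues for name, issues in report.items() if issues}

# Constructed inventory modelled on scenarios 1 and 3 (203.0.113.0/24 is a
# documentation-only address range).
FLOWS = [
    {"name": "Enrich new customers", "connections": [
        {"connector": "sql", "host": "sqlprod01.corp.example", "account": "care1@corp.example"},
        {"connector": "ftp", "host": "203.0.113.10"}]},
    {"name": "Mirror mailbox", "connections": [
        {"connector": "office365-outlook", "account": "j.doe@corp.example"},
        {"connector": "gmail", "account": "jdoe.home@mail.example"}]},
    {"name": "Notify on new file", "connections": [
        {"connector": "sharepoint", "account": "j.doe@corp.example"},
        {"connector": "office365-outlook", "account": "j.doe@corp.example"}]},
]
```

Calling `audit(FLOWS)` reports the first two flows and omits the third, which stays entirely within corporate connectors and identities.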