We’ve gotten used to thinking about securing a software-as-a-service (SaaS) platform and securing the cloud as two separate animals. This separation stems from the way SaaS and the public cloud first emerged: as small point solutions and as an extension of the traditional data center, respectively. Now, with the advent of low code, this separation is false, and it prevents us from seeing what is right in front of our eyes. Low code makes SaaS platforms part of the public cloud, a place where developers build multiple applications instead of using one: a cloud platform.
Failure to change our mindset leads to where we are today, where those applications are left up for grabs with no security in sight. To make matters worse, low-code applications are embedded right into platforms like Salesforce and Microsoft Dynamics, which we all use and which hold our most sensitive business data.
How did we get here?
Origin stories are always interesting because they explain something important about the way we understand the hero of the story. While SaaS began as an extension of the corporate network, the public cloud began as an extension of the data center. These very different starting points explain why securing SaaS starts with shadow IT (perimeter protection) and securing the public cloud starts with workload protection (lift-and-shift servers and their networks, plus host agents). It also means that different security teams are tasked with securing SaaS and the cloud, which of course leads to a separation of tools, different threat modeling, and, above all, the development of different security mindsets.
Both SaaS and the public cloud have changed dramatically since those early days. Public cloud vendors have introduced more granular compute paradigms, gradually introducing infrastructure as a service (IaaS), platform as a service (PaaS), and serverless to help developers focus on the business problem. They’ve also built an entire ecosystem of ready-made solutions for complex but common problems – identity, permissions, logging, configuration, and deployment, to name a few.
SaaS used to mean a single point solution for a specific problem. Salesforce started as a CRM, ServiceNow as a ticketing system, and Office365 as email, spreadsheets, docs, and slides. (Although these are more than one solution, they are very specific.) Compare that to today: Salesforce developers build apps for almost any business need on top of the Salesforce Platform, ServiceNow’s low-code app platform handles almost anything from HR to health and finance processes, and Power Platform, Microsoft’s low-code platform embedded in Office365, is used by more than 20 million users across industries to solve every business need, from productivity to procurement and COVID-related processes.
Clearly, they have become enterprise-grade application development platforms, not point solutions to specific business problems. Many developers are now choosing to build their applications on abstractions provided by the platform, whether they are serverless functions in the public cloud or extendable building blocks in SaaS low-code platforms.
The Business Developers Introduction
Comparing how SaaS platforms started and where they are today clearly shows how far they have come from their earlier versions. But there’s still a big change we haven’t mentioned yet: the introduction of business developers.
Low-code SaaS platforms derive their power from the data they maintain and their existing users. Neither is limited to IT; both lean heavily towards the business. Having access to both business data and business users means that SaaS is ideally positioned to tackle the most pressing issue facing many businesses today — digital transformation.
With the global shortage of developers and the difficulty of streamlining a business process with so many stakeholders, low-code platforms introduce a shortcut, allowing business users to streamline their own processes without waiting for IT.
Low code is driven by business users: in his 2019 Inspire keynote, Microsoft CEO Satya Nadella discussed the opportunity for low code to empower people and create new white-collar jobs, much as Excel did.
Just like the public cloud is an application development platform that allows developers to focus on their business logic, SaaS platforms have become application development platforms using low code to empower business users to become developers and address any business needs.
SaaS is now focused on new types of developers who address a whole range of unmet business needs with dedicated applications, creating a new type of cloud: the business cloud.
Securing Low Code as an Extension of the Cloud
Realizing that some SaaS platforms are now application development platforms and an extension of the cloud, we must reevaluate the responsibilities for securing those applications and bring them under the umbrella of the security team.
We should treat platforms like Salesforce, ServiceNow, and Office365 the same way we treat AWS, Azure, and GCP: we focus on the applications built and hosted on these application development platforms instead of treating the entire platform as one application.
Shadow IT, for example, remains an issue with the ever-growing number of smaller SaaS point solutions. But it doesn’t make sense to consider any single platform mentioned above as one app to discover and catalog. Instead, we should discover and catalog the applications built using those platforms — and there are thousands of them. In most organizations, this enormous complexity is hidden behind a single line in an application inventory.
Applications built using SaaS low-code platforms should be reviewed with the same security rigor we use for those built in the cloud because, at the end of the day, an application is an application, no matter where it’s built and hosted.
Crucial to the security of our business applications are the people, processes, and tools involved in creating, maintaining, and protecting those applications. For applications built in the cloud, we have professional developers, automated CI/CD processes, and a variety of security tools, from code scanning and dynamic analysis through monitoring and runtime protection. For applications built on low-code SaaS platforms, we have some professional developers but also non-security-savvy business users, with little to no deployment process and no security controls or guarantees.
Thinking about low-code platforms as part of SaaS makes it difficult for us to see that a large part of our business applications are now being developed by the business, outside of IT and outside of security control. To begin to see the problem and figure out our approach to it, we must shift our mindset to recognize low-code platforms as part of the cloud and treat applications on those platforms as we would any other application.