Why ‘build your own app’ is becoming the next security headache
- Published: Friday, 23 April 2021 10:02
Hybrid working models and the growing availability of easy-to-use app-building toolkits could spur the start of a ‘build your own application’ trend. Companies need to be aware of it and consider the associated security threats, says Ben Field.
Hybrid working models have come of age as companies emerge from the pandemic and re-evaluate the trust they place in employees to be productive and the overheads offices have consumed while left unoccupied.
Numerous household names have said they support more flexible working patterns, with many planning to reduce their office space and gain the savings that can be made on property. HSBC cites a potential saving of $5.5bn a year if they cut back space by 40 percent. This will be music to shareholders’ ears, but also those of the CTO as it constitutes investment that can be made in digital transformation, innovation, productivity tools, customer experience, and product development.
But speaking to CTOs shows that it’s not that straightforward. They now have thousands of home offices to keep running and secure, yet they can’t count on the cash freed up by property savings to cover all the demands being made on it.
It’s unsurprising, then, that Forrester Research predicted that by this year more than half of software developers would be using no-code and low-code tools to build the lighter-weight applications people are asking for to do their jobs well. It’s a model that has real merit and potential: it is flexible on budget because it is very low cost, it is fast, so a solution can be built in a day, and it needs no coding experience to create something useful.
Forrester’s prediction was made before the pandemic, so it’s likely the numbers will be greater now and I suspect it’s not just professional developers who will be turning to build your own app models either. Employees will start to get in on the act and use it as a way to create a quick solution to a regular daily problem and overcome the IT team’s resource constraints.
This brings new risks: just as bring your own device forced a rethink of policy and corporate network security, so will build your own application. CTOs need to be aware of the risks, namely that it will create inefficiencies and that the network will become littered with cyber security hazards.
Things to consider include:
It’s ineffective and inefficient to have different business units creating apps. There are few existing apps to learn from (often the very reason a new one is built in the first place), so a number of apps doing similar things slightly differently are likely to pop up. Wouldn’t it be better to have the synergy of a central service catalogue for business units to pick and choose from?
This highlights the question of resources. When you have a ‘part-time’ approach to development in the business unit, you are ultimately distracted from the function’s core role and from essential principles like security.
Keeping track of who is doing what is incredibly cumbersome, which is why it’s good to advocate a zero trust model. It will ensure that anything inferior and insecure is identified and, if necessary, taken off the network. It should have:
- Identity verification – every person and device connecting to the network should prove their identity and get permission to connect, preferably with multi-factor authentication.
- Micro-segmentation – this is about controlling who can access what. It generally centres on data classified by value and importance. The most valued data should be ring-fenced with well-defined access rules.
- Least amount of access – each user should get the least amount of permission they need.
- Monitoring – access to sensitive networks and data should be monitored, and alerts should be raised and handled as soon as unauthorised access is detected.
When a model like this is in place, new and unqualified applications, such as build your own apps, can be detected and access halted. Such a model can be easier to implement as part of the move to the cloud, but it can be introduced retrospectively too.
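The four zero trust checks above, applied to one request from a home-built app, as an added illustration that is not part of the original article. The policy tables, device and app names, and the `Request` shape are all constructed for the example; a real deployment would pull them from the identity provider and service catalogue.

```python
from dataclasses import dataclass

# Constructed policy data for the illustration (not a real organisation's configuration).
REGISTERED_APPS = {"hr-portal", "expenses-app"}      # apps vetted by central ICT
REGISTERED_DEVICES = {"laptop-0042", "laptop-0117"}  # devices enrolled with the identity service
RESOURCE_TIER = {"payroll-db": "restricted", "team-wiki": "internal"}  # micro-segmentation tiers
GRANTS = {("alice", "payroll-db"): {"read"},         # least privilege: explicit per-user grants
          ("alice", "team-wiki"): {"read", "write"},
          ("bob", "team-wiki"): {"read"}}

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    mfa_verified: bool
    app_id: str       # the application making the call on the user's behalf
    resource: str
    action: str

def evaluate(req: Request, alerts: list) -> tuple:
    """Return ("allow"|"deny", reason). Denials involving restricted data are appended to alerts."""
    tier = RESOURCE_TIER.get(req.resource, "unknown")

    def deny(reason: str) -> tuple:
        # Monitoring: a blocked attempt on restricted or unclassified data raises an alert.
        if tier in ("restricted", "unknown"):
            alerts.append(f"user={req.user} app={req.app_id} resource={req.resource}: {reason}")
        return ("deny", reason)

    # 1. Identity verification: the device must be enrolled and the person MFA-verified.
    if req.device_id not in REGISTERED_DEVICES:
        return deny("unenrolled device")
    if not req.mfa_verified:
        return deny("MFA not satisfied")
    # 2. Micro-segmentation: restricted data is ring-fenced; only vetted apps may reach it.
    if tier == "unknown":
        return deny("resource not classified")
    if tier == "restricted" and req.app_id not in REGISTERED_APPS:
        return deny("unqualified application")
    # 3. Least privilege: the action must be explicitly granted to this user on this resource.
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return deny("action not granted")
    return ("allow", "all checks passed")

def demo() -> list:
    """A home-built app reading the team wiki passes; the same app reaching payroll is stopped and logged."""
    alerts: list = []
    evaluate(Request("alice", "laptop-0042", True, "byo-sheet-sync", "team-wiki", "read"), alerts)
    evaluate(Request("alice", "laptop-0042", True, "byo-sheet-sync", "payroll-db", "read"), alerts)
    return alerts
```

The alert list is what the monitoring step hands to the security team: it names the unregistered app and the data it tried to reach, which is exactly the signal needed to find build-your-own apps on the network.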
There is however an upside that CTOs could embrace. Zero trust models represent an effective means to highlight where IT investment needs to go. Analysing the results of zero trust initiatives could uncover which areas of the business have more no-code enthusiasts than others and why.
Indeed, IT could work with enthusiasts to find verified solutions that have more impact. When you consider the transformations and process changes that movements like this generate, it can be argued that these small instances could all add up to create real tangible change with regards to how functions work and perform.
What does good look like?
The best models put the ICT function at the centre to provide governance and consultancy. They provide a flexible set of building blocks for code, options for hosting, etc., that the business units can use almost like Lego blocks to build localised business applications. In effect they become best-practice consultants to the business functions, ensuring the local business units know which shortcuts to use and which to avoid, and are leveraging best practice.
This form of setup lets companies harness the horsepower, creativity, and local budgets of the units, while keeping centralised standards and governance in place. Done well, it contributes to a leaner core ICT team and a secure set of apps hitting the network, an imperative for compliance and reputation.
Business transformation is often viewed as a massive change that takes years to embed. The pandemic has proved the contrary. Plans to deliver digital change have been brought forward by years, especially in retail. The need for contactless business models was so urgent that businesses had to adapt and make the impossible happen.
But it’s also shown that employees are resilient and have many of the answers that the more corporate view of the business doesn’t have. Working with them to realise their ideas and need to be productive – wherever they work – could be just as transformative.
Ben Field is regional director for the cybersecurity firm Radware’s UK, Ireland and Nordic operations.