Reduce IT-Risk with Low and No Code

Date: July 19, 2022


No-code/low-code applications often sync data or trigger operations across multiple systems, which creates a path for data to find its way outside the organizational boundary. This means that operations in one system can have unexpected consequences in another.

In a number of cases, attackers have been able to exploit these connections to access sensitive data or to execute unauthorized operations. In other words, even though the original purpose was good — to improve efficiency and productivity — no-code/low-code applications can be used by outsiders as a vector to gain unauthorized access.

As the CEO of Makeitfuture, Tiberiu Socaci, said:

"Low and No Code is a risk if not managed properly at a stage that concerns us that work daily with low and no code."

When can low and no code be harmful?

A person sets up an automation to run whenever a new email arrives in their company mailbox. The automation copies the recipients, topic, and text of the original email received in the business mailbox and sends a new email to the maker's personal email account. The automation gets around DLP restrictions because the data is copied to a different mailbox rather than the email being forwarded from the corporate inbox.

Maker Mike configures an automation to sync updates across two SharePoint sites, copying each new file from site A to site B. User Marc inadvertently writes a sensitive document to site A and fails to realize that it gets replicated to site B. Marc removes the document from site A, but it is still accessible at site B.

To prevent unauthorized access in iPaaS, organizations need to:

  • Audit all existing no-code/low-code applications for authorization misuse vulnerabilities.
  • Implement risk matrices and threat modeling processes for new no-code/low-code applications prior to deployment.

No-code/low-code applications are frequently used to synchronize data between various systems or to start certain activities on one system when something changes on another.

When they act as data movers, no-code/low-code applications make it simple for data to leak out to a different organization or a personal account. When they act as operation triggers, implicitly linking an operation in one system with a change in another, they can have unanticipated results. Both need to be monitored.

Additionally, a single data source may be used to trigger several applications, creating chained data movement or operation triggers that are challenging to forecast or completely map.

How to secure iPaaS and Automation Connections & Apps.

What helps me to secure my Low and No Code iPaaS?

  • Restrict platform connectors to a list of authorized services. Constantly monitor the services you have authorized and control the access as well as the processing.
  • Restrict the production of customized connectors to specialists, but keep as many as needed available to your citizen developers.

Both can be ensured with ASERVMENT. Sign up and secure your citizen developers.

  • Keep an eye on platforms for data flow, including multi-hop paths, outside the corporate boundaries. This is something you need to map yourself, and it is currently hard to automate and measure. If you think we should focus on this mapping, let us know and drop us a message.
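
One way to review multi-hop paths once an inventory of flows exists, shown as an added example that is not ASERVMENT's or any platform's own code. It assumes you have already exported each automation as a (name, source, destination) record; the system names, flow names and the allowlist below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (flow name, source system, destination system).
FLOWS = [
    ("mail-copy", "corp-mailbox", "personal-mail"),
    ("site-sync", "sharepoint-site-a", "sharepoint-site-b"),
    ("archive", "sharepoint-site-b", "team-drive"),
    ("share-out", "team-drive", "partner-storage"),
    ("crm-sync", "crm", "sharepoint-site-a"),
]

# Constructed allowlist: systems considered inside the corporate boundary.
INTERNAL = {"corp-mailbox", "crm", "sharepoint-site-a",
            "sharepoint-site-b", "team-drive"}


def external_paths(flows, internal):
    """Return (systems, flow_names) for every chain of flows that starts at an
    internal system and ends at a system outside the allowlist."""
    graph = defaultdict(list)
    for name, src, dst in flows:
        graph[src].append((name, dst))

    findings = []

    def walk(node, systems, hops):
        for name, dst in graph[node]:
            if dst in systems:          # already visited: avoid sync loops
                continue
            if dst not in internal:     # data has left the boundary: report, stop
                findings.append((systems + [dst], hops + [name]))
            else:                       # still inside: keep following the chain
                walk(dst, systems + [dst], hops + [name])

    for start in sorted(internal):
        walk(start, [start], [])
    return findings


if __name__ == "__main__":
    for systems, hops in external_paths(FLOWS, INTERNAL):
        kind = "multi-hop" if len(hops) > 1 else "direct"
        print(f"{kind:9} {' -> '.join(systems)}  via {', '.join(hops)}")
```

The direct findings correspond to connectors that target a service outside the authorized list; the multi-hop findings are chains in which every individual flow except the last looks internal.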
