While shadow IT was always a challenge for enterprise IT teams, it rapidly started to accelerate with the growth of the smartphone, and then cloud computing with the incredible expansion of public cloud infrastructure and software as a service offerings that made it as easy as providing a credit card to access a cloud service. Today, shadow IT has spread beyond smartphones, tablets, and cloud services and is rapidly extending into the domain of the enterprise developer.
The trend could create profound risks for enterprise security teams if these shadow, or citizen, developers, aren’t reined.
What is driving citizen development is sheer demand for enterprise apps. According to Gartner, the market demand for app development will grow five times more quickly than IT’s ability to deliver apps through 2021.
According to research from low-code development platform provider OutSystems, 62 percent of enterprises it surveyed reported deep app development backlogs, with a number having more than 10 apps waiting to be developed. Additionally, 76 percent of IT professionals surveyed said it takes an average of more than three months to develop a custom application. For about 11 percent of those surveyed, that time extends to a year.
With backlogs like that, it’s no surprise that business managers and staff at many enterprises are not happy with how long it takes for the apps they need to be delivered, so they are taking app development into their own hands by turning to platforms such as Appian, Kony, OutSystems, Mendix, Salesforce.com, and others to build the apps that they need. These platforms make it relatively easy for nearly anyone, especially non-professional developers, to build and deploy functioning enterprise apps.
“The idea of having citizen developers, in general, is a good thing,” says Mike Thompson, senior director, mobile application development middleware at mobile cross-platform development provider Kony. “When people very close to the enterprise's operations are empowered to innovate via mobile applications, their actions can be a key part of digital transformation."
There’s little doubt of that. However, enterprises must learn how to manage citizen developer efforts, or they risk not only losing control of the security of the applications employees use and regulated data ending up in apps and places it shouldn’t. “If business units are creating apps without the support from IT, it's unlikely they'll create an app focused on security - which can be pretty scary for enterprise security [teams],” says John Britton, director of security at VMware.
Britton shared an example. Some time ago his team was asked to clean-up a shadow IT application that had been deployed at a business. While the citizen developer did try to include security in the form of usernames and passwords properly hashed in a database: they failed to build a forgot password function. ”The developer eventually gave up resetting passwords and removed the password hash function and stored passwords in the clear. Anyone with access to this database probably had access to the employees' corporate password, since many people don't practice good password hygiene and reuse the same password everywhere. This is just one example of how a shadow IT app can seriously risk enterprise security,” says Britton.
This creates obvious risks, gaps in security, and potentially regulatory compliance risks. And as citizen developers grow within enterprises, organizations have to learn how to avoid situations like Britton cited above. “Proper and thorough training for citizen developers by IT and security departments is another important element that organizations should be thinking about to help citizen developers to develop the apps they need, properly. This will also improve the quality of the apps and build security and compliance awareness,” says Britton.
According to Kony’s Thompson, a critical aspect of any plan to maintain enterprise security and compliance is to make incorporating necessary controls as simple as possible for the citizen developer. “This can mean incorporating robust security measures into the development platform itself, developing key security services accessible via simple APIs, or bringing in developers that can work with the citizen developers either during or after the development process,” Thompson says.
For those enterprises that don’t have formal citizen developer programs in place — which is, in fact, most organizations today — the first step is to identify when someone has deployed an application outside the purview of IT. The second step is to determine if the application poses a risk or handles regulated data. The challenge here, of course, is having the ability to see when unsanctioned apps arise.
“You can’t secure what you don’t know about, so life just got more interesting for enterprise security teams. Security teams need to proactively engage line of business employees to identify these new apps, if there is proprietary information that must be secured, and ensure new attack vectors are not inadvertently introduced,” says Vikram Phatak, CEO at NSS Labs.
Thompson says a straightforward strategy is to carefully manage access to the network, cloud enterprise applications, and all other sources of enterprise data. By maintaining control of the data - such that the citizen app developer has to work with the enterprise IT team to access corporate data - they have the opportunity to install some institutional controls related to mobile security requirements,” he says.
An enterprise app store is something to consider, as well, he says. “In a corporate app store, mobile apps can be checked for security flaws, and have some level of external security measures applied,” he says. “Security teams can ask accounting to search purchase orders, invoices, and employee expense reports for names of known “low-code” platforms. Then speak to employees and find out how they do their jobs and simply ask what tools they use,” says Phatak.
VMware’s Britton provides additional guidance. “The first step in setting up these strategies for managing citizen developers is to recognize that IT can't be the Department of No. Second set up guidelines for what they can do and what they would need an exemption to do,” he says.
The guidelines Britton advises include:
- Define programming languages these citizen developers can develop with. My recommendations would be memory-managed languages (Java, JavaScript, etc.). I would suspect that most of these citizen developers are building web-based applications or possibly mobile applications.
- Define how the citizen developers will connect to these applications. HTTPS or HTTP? Make sure to protect the data in transit.
- Provide guidance on how to encrypt data at rest.
- Provide mobile SDKs that they can use to ensure that the enterprise can manage the applications properly. Selling the need for a software life-cycle management - how do we deploy, how do we revoke access when someone leaves the group, how do we wipe data from the application if the device is lost or stolen?
- Create an advisory board to help mentor the citizen developers to build better applications.
It’s important that IT leadership and security teams realize that, just like earlier shifts in computing such as BYOD and the consumerization of cloud brought on by cloud computing, that they’re not going to put the brakes on the rise of the citizen developer. They’re going to need to seek out their internal citizen developers and work with the various business units to support and guide this new wave of developers in ways that are secure but also enable businesses to develop the apps everyone needs.
According to Gartner research, this will be the strategy for most enterprises. By 2020, the research firm predicts that 70 percent or more of large enterprises have citizen development policies in place.