This creates obvious risks, gaps in security, and potentially regulatory compliance risks. And as citizen developers grow within enterprises, organizations have to learn how to avoid situations like Britton cited above. “Proper and thorough training for citizen developers by IT and security departments is another important element that organizations should be thinking about to help citizen developers to develop the apps they need, properly. This will also improve the quality of the apps and build security and compliance awareness,” says Britton.
According to Kony’s Thompson, a critical aspect of any plan to maintain enterprise security and compliance is to make incorporating necessary controls as simple as possible for the citizen developer. “This can mean incorporating robust security measures into the development platform itself, developing key security services accessible via simple APIs, or bringing in developers that can work with the citizen developers either during or after the development process,” Thompson says.
For those enterprises that don’t have formal citizen developer programs in place — which is, in fact, most organizations today — the first step is to identify when someone has deployed an application outside the purview of IT. The second step is to determine if the application poses a risk or handles regulated data. The challenge here, of course, is having the ability to see when unsanctioned apps arise.
“You can’t secure what you don’t know about, so life just got more interesting for enterprise security teams. Security teams need to proactively engage line of business employees to identify these new apps, if there is proprietary information that must be secured, and ensure new attack vectors are not inadvertently introduced,” says Vikram Phatak, CEO at NSS Labs.
Thompson says a straightforward strategy is to carefully manage access to the network, cloud enterprise applications, and all other sources of enterprise data. “By maintaining control of the data - such that the citizen app developer has to work with the enterprise IT team to access corporate data - they have the opportunity to install some institutional controls related to mobile security requirements,” he says.
An enterprise app store is something to consider, as well, he says. “In a corporate app store, mobile apps can be checked for security flaws, and have some level of external security measures applied,” he says.

“Security teams can ask accounting to search purchase orders, invoices, and employee expense reports for names of known ‘low-code’ platforms. Then speak to employees and find out how they do their jobs and simply ask what tools they use,” says Phatak.
VMware’s Britton provides additional guidance. “The first step in setting up these strategies for managing citizen developers is to recognize that IT can't be the Department of No. Second, set up guidelines for what they can do and what they would need an exemption to do,” he says.