Low-code 101 Webinar #2 – Spotlight on Security

To survive and thrive in today’s global economy, it’s crucial for organisations to identify and mitigate the cybersecurity risks to their top business initiatives.

So, today, we’re putting the security features of low-code under the spotlight. I’m delighted to speak to Angela Chamberlain, one of our Solution Architects who has joined me today in our busy Poole office. Hi Angela, thanks for coming down to join me today overlooking Poole Quay.

Angela: Hello Laura and hello to all those watching today…

Laura: Here’s what we’re going to look at today:
• The issue of shadow IT
• Control and governance
• Data protection and GDPR
• Access and authentication methods on the platform
All this will be covered in the next 15 minutes, just enough time for you to enjoy a tea-break!

Angela, to start off can you just summarise Create and explain what you can do with low-code?

Angela: Yes, sure. Create low-code is a cloud-based digital platform which allows business users and IT to rapidly develop applications with little or no coding. It uses a drag and drop Visual Studio, which is fast to learn and deploy.

Laura: Lots of organisations struggle with shadow IT and the hidden costs of non-IT staff who are spending time setting up systems and re-checking the validity of data… How does low-code help to overcome this?

Angela: In large organisations, IT functions are under pressure to provide accelerated business change, however the vast majority of budget and resources are dedicated to maintaining legacy hardware and software estates, and to managing the vital, back-office applications that the business runs on.
The business requires the changes ‘right now’ and therefore they bypass IT, creating a ‘shadow IT’. This can pose a risk as it lacks governance and adds to the IT debt. You need low-code to involve the citizen/business developers, to remove the IT shortages, to get closer to the business. But at the same time, you need integrations, you need IT governance. Sometimes, you do need some code. This is where catering to both the business developers and AD&D Pros genuinely gives us some unique advantages.

Laura: That brings neatly on to my next question about control… So you’ve explained that low-code is easy enough for teams to use outside of the IT Department, then how do we provide enough governance to satisfy IT over what they are working on?

Angela: As we mentioned, tech savvy business users can rapidly build on the platform. IT, however, will still maintain the governance of the platform and ensure that the correct solutions are developed for the business. When deploying the platform, IT will have control over technical parts of the platform like user access, security and integration and hosting.
It will also have visibility and control over the Create Controller. This is a high level view of all the applications developed on Create within the organisation and control over access level to build on those applications.
Access to the build environment, where the application gets configured, is restricted to those users who have passed the training and have been accredited. Once certain parts of the application have been built, before the changes can be pushed to the test and live environments, the snapshot of the build needs to be authorised, which provides a further level of governance and control.

Laura: So, thinking about GDPR and data protection, what is the security model for low-code?

Angela: IT security has been a focus for us, especially as we have many European customers where GDPR and data protection and security is at the forefront of the thought process when building new applications.

Laura: How is the access to the application controlled?

Angela: The build area of the deployment is where the configuration takes place for Object management, Interface creation, Process creation, Communications, Rules, Data Exchange and Configuration. Access to the build area can be managed at the Role level for each build component, providing extensive controls over editing ability.

Laura: What Authentication methods are available on the platform?

Angela: At the point of registration, customers are prompted to provide a unique email address and password to ensure the account is fully secure so that only the customer is able to log in. Customers will not be able to login to the portal without providing their email address and password. The email, password and password confirmation fields must be valid and match. It is possible to also enforce passwords which are complex in nature.
After registering an email confirmation containing a verification link confirming successful registration will be sent to the newly registered customer account. Only once the activation link is clicked by the customer will the account activate.
Should further security to be required as part of the log in process then this can also be achieved using two factor authentication whereby a time limited access code can be issued to the customer at the time of requesting access.
For internal user (caseworkers) Create supports Single Sign on and can integrate with Active Directory for SSO log-in.

Laura: Can you tell us how we deal with personal and sensitive data?

Angela: Personal data or sensitive personal data can be encrypted using AES 256 encryption. For the purposes of delivering and reporting, the Applications can store customer data, case details, documents and communications & any other required information, all in the backend database. Further data-at-rest protection is also provided by encrypting the storage where the data is held.

Laura: Where is the data held?

Angela: Create uses a modern industry standard model trusted by many to deliver a flexible and scalable SaaS platform to its customers designed to meet the requirements at all scales of enterprise. The primary option to deliver this is within the AWS (Amazon Web Services) Public Cloud.
For those wanting to build applications in Create, we are also able to offer a bespoke private cloud option for hosting.
Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand.

Laura: Finally Angela, what data destruction periods do we recommend?

Angela: Retention and destruction periods can be put in place on all data held within the system based on rules configured within the application’s administration interface allowing the customers to adhere to data policies. This includes the ability to obfuscate data where required.

Laura: Thanks for talking to us today Angela, I think you’ve cleared up a lot of questions!
If you have any other specific issues on the security aspects of low-code, please do get in touch with us – we are happy to help with any direct questions.
Our next “Low-code 101” session will bring integration into the spotlight, which I hope that you’ll find interesting. If you are keen to learn more in the meantime, download our Podcast series, Life in Low-code, it covers some really useful topics. You can access this in the Netcall blog.
Thank you for watching, we hope you’ve found this session useful. Don’t forget to follow us on Twitter and LinkedIn and of course there’s a whole host of information at Netcall.com.
For now, from Angela and I…. Goodbye and thanks for joining us!

Angela: Goodbye…!