Today’s average large enterprise is likely to have nearly 80,000 apps built out of copilots and low-code platforms. This creates a potential security nightmare, as more than six out of ten of these apps have security vulnerabilities, according to a recent study. The study released by Zenity finds that enterprise copilots and low-code development are experiencing a 40% year-to-year growth in the utilization of these tools, posing significant security risks.
The evolution of technology in the form of copilot and low-code platforms has made it easier for business users to develop their own applications without needing a coding background. While this democratization of app development has its advantages, it also introduces new vulnerabilities. This study’s findings are based on data surveyed from large organizations, but the implications are equally important for small to medium-sized businesses. So, what can enterprises do to secure these vast numbers of apps and mitigate the associated risks?
Set Up for Security in Advance
Ensuring that security controls are in place from the get-go is vital for any enterprise dealing with low-code and copilot apps. One of the primary recommendations from the study is to set up for security in advance by flagging any app with hard-coded secrets or insecure steps in how it retrieves credentials. This proactive approach helps in identifying potential vulnerabilities before they can be exploited.
Contextualizing the apps is another crucial step. Critical business apps often interact with sensitive internal data and therefore must have proper authentication controls. It’s essential to understand the business context of each app, such as what data it interacts with, who it is intended for, and what business function it serves. This contextual understanding helps in setting up appropriate security measures tailored to the specific needs of each app.
Once the contextualization is done, prioritizing proper authentication becomes the next crucial step. This means ensuring that all apps that require access to sensitive data are adequately authenticated. Enterprises should implement multi-factor authentication and other strong authentication methods to secure app access and safeguard sensitive information. By setting up for security in advance, enterprises can significantly reduce the number of vulnerabilities in their copilot and low-code apps.
Implement Protective Measures
Due to the nature of copilots and Artificial Intelligence, stringent protective measures need to be in place to prevent unauthorized access and mishandling of sensitive data. Strict guardrails are essential to prevent oversharing of apps, unnecessary bridging of access to sensitive data via AI, and sharing end-user interactions with copilots. Without these measures, enterprises are at a heightened risk of malicious prompt injections and data leakage.
Guardrails help in maintaining a balance between the ease of app development and the security requirements of the enterprise. For instance, organizations should ensure that apps and copilots do not unnecessarily share sensitive data with AI systems. This includes setting limits on how much data can be accessed and ensuring adherence to data privacy regulations.
Another key aspect of implementing protective measures is to monitor user interactions with copilots. This helps in identifying any unusual activities that could indicate potential security threats. By setting up these protective measures, enterprises can create a safer environment for developing and using low-code and copilot apps.
Control Guest User Access
Managing guest user access is another critical aspect of securing low-code and copilot apps. Guest users are often subject to different security standards compared to full-time employees, yet they may still have privileged access to apps and copilots built across low-code platforms. Limiting application and copilot access to only those who absolutely need it is crucial for minimizing security risks.
The study revealed that the average enterprise has over 8,641 instances of untrusted guest users having access to apps developed via copilots and low-code platforms. Over 72% of these cases provide privileged access to untrusted guests, meaning that these guests can create, modify, or delete apps without proper oversight. This lack of control can lead to numerous security breaches and data mishandling incidents.
To address this issue, enterprises must establish stringent access control policies and ensure that guest users are granted access only to the applications they need for their duties. Regular audits should be conducted to review guest user access and revoke permissions that are no longer necessary. By controlling guest user access effectively, enterprises can significantly reduce the number of vulnerabilities in their low-code and copilot apps.
Reevaluate Connections to Sensitive Data
Given the nature of copilots and Artificial Intelligence, robust protective measures are essential to safeguard against unauthorized access and misuse of sensitive information. It’s crucial to establish strict guardrails to prevent apps from oversharing, avoid unnecessary access to sensitive data by AI, and manage end-user interactions with copilots. Absent these safeguards, enterprises face increased risks of malicious prompt injections and data breaches.
Guardrails play a key role in balancing app development ease with enterprise security needs. For example, companies must ensure that neither apps nor copilots inappropriately share sensitive data with AI. This involves setting limits on data access and adhering to privacy regulations.
Monitoring user interactions with copilots is another crucial protective measure. This surveillance helps detect unusual activities that may indicate security threats. By implementing such measures, enterprises can foster a safer environment for developing and utilizing low-code and copilot apps. These efforts not only protect data but also enhance trust in AI and copilot integrations.