
AI Has Your Business Data

No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.


Michael Bargury, CTO & Co-Founder, Zenity

March 20, 2023


Ever since ChatGPT captured our imaginations, people have been contemplating its pending impact on the business world. This week those thoughts became a reality, with Google and Microsoft embedding artificial intelligence (AI) features into their business productivity suites.

Microsoft took another major step by releasing AI Copilot for Power Apps, Microsoft's low-code platform. Power Apps can connect far beyond the Microsoft ecosystem, with almost 1,000 built-in connectors to everything from Salesforce to on-prem systems and Amazon Web Services. With one swift move, AI has been integrated into the day-to-day workflows of the world's largest organizations.

This is an amazing achievement, and other low-code/no-code platforms will surely try to catch up quickly. But ask yourself: Who will make the decision to integrate data with AI? Who will grant access? The answer: Every business user, and you won’t even know because they’ll let AI impersonate their accounts.

AI + Low-Code/No-Code = A Perfect Storm

In recent years, low-code/no-code has given business users newfound freedom. They were granted developer-level power that enabled them to customize their digital experiences with the technical skills they already had rather than having to learn new ones. Business users have started building applications that solve the problems that hurt most, on top of their day-to-day business data, without relying on IT or waiting for resources. After just a few years of low-code/no-code, many enterprises find themselves with tens or hundreds of thousands of applications, built outside of IT with no oversight or control.

Forget about continuous integration and continuous delivery (CI/CD) or security reviews — most of these applications follow the “push save to deploy to production” model instead. Quickly and quietly, applications developed outside of IT without the software development life cycle (SDLC) have become a significant portion of enterprise business applications. This has already become a major concern for enterprise security.

Enter AI. Imagine that every conversation you had with ChatGPT involved you giving it access to business data and left behind a nice little application you could play around with and share with others. Have a long business email? Let AI shorten it for you. Need to find relevant customers in your CRM? Let AI generate statistics for you. Need to analyze user behavior over product telemetry? Let AI query the database for you. Don't stop there! Create mini-applications that answer those questions repeatedly, and share them with your co-workers! Every application requires access: your access. Low-code has lowered the barrier for non-developers to create applications. AI, however, will completely eliminate it.

Low-code/no-code provides ease of connectivity to business data by removing the difficult hurdles around authentication, and it provides a host of widgets business users can combine creatively to address their needs. AI brings power to everyone, allowing them to create by simply asking for what they want. The two techniques fit together like hand in glove. Superpowered by AI, low-code/no-code expands from “everyone can build an application” to “everyone builds an application for everything they think of, all of the time.”

You Are Not in Control

Who decides what data the AI can access? You might be thinking this would be IT or the security team, but you would be wrong. Business users are making those decisions. But how?

Imagine a scenario where every business user in a large enterprise starts to build their own applications. Setting aside the skill gap, the No. 1 hurdle to progress would be identity and access. Provisioning an application identity and granting the right permissions to it would require approval, which would trigger questions and perhaps even a security review. You won’t get to tens of thousands of applications in a large enterprise this way.

To circumvent this hurdle, low-code/no-code platforms made a significant compromise: Applications can, and mostly do, impersonate users rather than have their own identities. This sidesteps the permission issue entirely. As a low-code/no-code developer, I can embed my own identity within my newly created application. I can even share my stored credentials (the platform calls them "connections") with others, so they'll be able to build their own applications with my access to data or perform operations on my behalf. No more waiting for approval; we have a green light to create!

The problem with this credentials-sharing-as-a-service is that it undermines the enterprise permission model. If users are sharing their credentials with each other, there's no easy way to tell which user actually performed an action: the audit trail shows the credential owner, not the person who built or ran the application. Moreover, an application can combine credentials from across your organizational boundary, say, an employee's personal email account, with a business account. To add a cherry on top, moving data between one account and another is done by automated copy and paste inside the low-code/no-code platform's cloud. The data never crosses your network perimeter, so perimeter controls get no opportunity to block it from leaking out.
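The two patterns described above, a stored credential shared with other users and a single application joining accounts from different identity boundaries, are easy to miss by eye across tens of thousands of apps but simple to check mechanically. The following is an added example, not code from the article, the author, or Zenity: it runs the checks over a constructed connection inventory whose record shape (`Connection`, `App`, the `boundary` label) is an assumption for this example; a real platform export has its own schema and would be mapped onto it first.

```python
"""Added example (not from the article): governance checks over a
constructed low-code/no-code connection inventory for the patterns the
text describes: embedded credentials shared with other users, apps that
run under an identity other than their maker's, and apps that join
accounts from different identity boundaries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One stored credential on the platform (a 'connection').

    The field layout is an assumption for this example; real platform
    exports use their own schema and would be mapped onto it.
    """
    connection_id: str
    connector: str           # e.g. "sharepoint", "gmail", "salesforce"
    owner: str               # principal whose credential is embedded
    shared_with: frozenset   # other principals allowed to use it
    boundary: str            # identity boundary of the account ("corp", "personal", ...)


@dataclass(frozen=True)
class App:
    """A low-code app or flow and the connections it was built on."""
    app_id: str
    maker: str
    connection_ids: tuple


def shared_credentials(connections):
    """Connections that let principals other than the owner act with the owner's credential."""
    return [c for c in connections if c.shared_with]


def apps_acting_as_others(apps, connections):
    """Apps whose maker is not the owner of every embedded credential.

    Returns (app_id, maker, sorted list of other identities the app runs as).
    These are the apps whose audit trail names someone other than the builder.
    """
    by_id = {c.connection_id: c for c in connections}
    findings = []
    for app in apps:
        others = sorted({by_id[cid].owner for cid in app.connection_ids
                         if cid in by_id and by_id[cid].owner != app.maker})
        if others:
            findings.append((app.app_id, app.maker, others))
    return findings


def cross_boundary_apps(apps, connections):
    """Apps that join accounts from more than one identity boundary, the
    'personal mailbox plus corporate data' case: data copied between them
    stays inside the platform's cloud, so perimeter controls never see it."""
    by_id = {c.connection_id: c for c in connections}
    findings = []
    for app in apps:
        boundaries = {by_id[cid].boundary for cid in app.connection_ids if cid in by_id}
        if len(boundaries) > 1:
            findings.append((app.app_id, sorted(boundaries)))
    return findings


def impersonation_reach(connections):
    """Map each principal to the set of owner identities it can act as via shared connections."""
    reach = {}
    for c in connections:
        for principal in c.shared_with:
            reach.setdefault(principal, set()).add(c.owner)
    return reach


# Constructed sample inventory for this example (not real data).
SAMPLE_CONNECTIONS = [
    Connection("conn-1", "sharepoint", "alice@corp.example",
               frozenset({"bob@corp.example"}), "corp"),
    Connection("conn-2", "gmail", "bob@personal.example", frozenset(), "personal"),
    Connection("conn-3", "salesforce", "bob@corp.example", frozenset(), "corp"),
]
SAMPLE_APPS = [
    App("app-1", "bob@corp.example", ("conn-1", "conn-3")),  # reads SharePoint as alice
    App("app-2", "bob@corp.example", ("conn-2", "conn-3")),  # personal Gmail + corporate CRM
]


def report(apps=SAMPLE_APPS, connections=SAMPLE_CONNECTIONS):
    """Bundle the checks into one dict, the shape a scheduled governance job might emit."""
    return {
        "shared_credentials": [c.connection_id for c in shared_credentials(connections)],
        "apps_acting_as_others": apps_acting_as_others(apps, connections),
        "cross_boundary_apps": cross_boundary_apps(apps, connections),
        "impersonation_reach": {p: sorted(o) for p, o in impersonation_reach(connections).items()},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample data the report flags `conn-1` as a shared credential, `app-1` as running under alice's identity although bob built it, and `app-2` as spanning the `corp` and `personal` boundaries. The `impersonation_reach` map is the one to review with the identity team: it answers "whose access does this user effectively hold" regardless of what the directory says.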

Credential sharing and data leakage have been a major issue with low-code/no-code applications. AI doesn't change that, but it magnifies the scale of the problem. When AI is plugged into a low-code/no-code platform, the AI gains potential access to everything the platform can access. The transition from potential to in-practice access is up to whoever prompts the AI to build a low-code/no-code application for them. We are trusting our business users to make the right choice without any guardrails or guidance.

Business Users Build Enterprise Applications

More than a specific technology, low-code/no-code is an idea — a strong push into IT decentralization and business empowerment. It has already brought tremendous productivity benefits to the world’s largest organizations because the employees who know best how to impact the business are the business users.

For professionals in IT and security, this is a paradigm shift. No longer can we rely on the security savviness of developers or official security mandates. We must embrace business users and help guide them in the right direction. If we fail to do so, the forces of productivity and data-hungry AI will surely be glad to do that for us.


About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.
