Why low-code and identity must co-exist
Software development has emerged as a critical task for organizations looking to compete in the digital economy. It increasingly fuels innovation and even disruption. Yet, building, testing, and verifying major chunks of code usually takes months – and finding the talent to handle the task can be formidable.
Due to the skills gap and to scale delivery, many companies turn to low-code application development platforms to build and deliver applications faster.
Typically, these low-code tools deliver a graphical user interface (GUI) that helps non-technical people — citizen developers, if you will — become involved in the software development process. Rather than a developer typing code line-by-line, these tools assemble building blocks of code that implement the business logic of applications.
Yet, what’s often overlooked in the enthusiasm to adopt low-code tools is that these types of development platforms affect many areas of the enterprise, including identity management and cybersecurity. For example, a low-code application must interoperate with various on-premises systems, as well as cloud identity platforms such as Active Directory, Azure AD, Okta, and others.
The fallout from poor integration with identity systems can be significant, and extremely painful. Especially as business requirements change and an organization needs to start adding new capabilities like passwordless authentication, multi-factor authentication (MFA), identity proofing, user behavior analytics, or complex role- or attribute-based authorization. Without a strong identity management framework in place, managing myriad authorizations and authentications manually can prove difficult and can undermine security, including zero-trust initiatives.
The complexity of today’s IT environments isn’t lost on anyone. Low-code, while simplifying and speeding software development, introduces challenges. Organizations may find that they are mired in a framework that lacks the flexibility they need to deliver a seamless but highly secure user experience, particularly for complicated role-based access connected to single sign-on (SSO). Updates, changes, and other events can wreak havoc and force teams to push constant application updates to cope with the ever-evolving threat landscape.
For example, the legacy approach of using software development kits (SDKs) to perform identity integrations like adding support for MFA, creates additional layers of complexity. This is the case whether low-code tools are used or not. That’s because the SDK approach establishes a deeply coupled relationship between the applications and the identity system they use. Often each new identity capability that needs to be added requires yet another SDK for integration, which increases interdependencies and the likelihood of failure.
In practical terms, an organization might require different SDKs with different authentication and authorization capabilities, depending on the application and framework it is building or using. However, today’s applications require a more flexible and contextual framework that spans systems and, in some cases, delivers deeper insight into what a user is doing at any given moment.
In fact, migrating away from an SDK-centric approach isn’t just a good idea, it’s vital. What’s more, attempting to circumvent the problem using APIs isn’t particularly helpful because an organization typically winds up with the same basic problem: there’s a high level of complexity tied to a rigid identity framework. Making matters worse, this approach can also introduce security gaps and other weaknesses.
A more manageable approach when using low-code development frameworks to build applications is to connect them to a single abstraction layer for identity services. This addresses three primary challenges associated with identity management in low code environments: moving away from a platform-specific approach, breaking free of low-code tools that tie the application to a specific identity provider, and establishing an identity framework that matches the specific needs of your business.
Abstraction is key
An abstraction layer reduces the load on citizen developers, who lack the technical skills and awareness of security requirements that prevent them from making updates and upgrades or adding new capabilities to keep up with evolving requirements—frequently within a DevOps or DevSecOps environment that is optimized for continuous integration and delivery.
Abstraction also eliminates the need for specific applications to be hardcoded to a specific identity system or API.
In this world, embedded logic is built into the identity framework through a form of distributed intelligence. What’s more, the process takes place without pushing out code and requiring processing on apps. There’s also no need for app owners or identity management providers to play a role in the process.
Abstraction offers another advantage: it handles various standards associated with identity management, including SAML. Most organizations rely on several standards for processes and tasks associated with authorizations and authentications. When using low code tools, overseeing standards and orchestrating them can become cumbersome and unmanageable as well.
As enterprises increasingly turn to low code frameworks to improve performance and lower costs, it’s vital to keep software development and identity in lockstep. Abstraction can help bridge the gap.