How low-code governance helps IT protect data, limit sprawl
Low-code app developers must adhere to policies that govern data and resource usage. A lack of governance puts budgets, security and compliance at risk.
Governance is no easy task, especially as technological advancements lower the barriers to application development.
Low-code application development platforms enable developers to quickly build software through a GUI and with less manual work than other approaches. These platforms also enable IT and line-of-business professionals without traditional coding experience -- called citizen developers -- to build apps that satisfy their needs.
Citizen development on these low-code platforms can give rise to some unique governance challenges. So, you must consider the programmer's identity as much as the technology to create an effective governance strategy.
With developer governance, organizations establish practices that meet security and compliance requirements. Governance strategy must include both policy and technology constraints that cover what work is done and how it's done, respectively. Tune that strategy to the IT expertise of the people who will use the low-code development platform.
Low-code governance is not possible without IT oversight, no matter who does the actual development work. With oversight, managers should define and enforce policy constraints. Plus, they should select low-code tools that both reduce the risk of noncompliance with the policy constraints and facilitate audits of low-code applications. Policy and technology constraints can help reduce three chief risks: data duplication and inconsistency; data insecurity; and resource inefficiency and sprawl.
Set data policies
Data governance is perhaps the most significant governance challenge low-code users report, according to CIMI Corp. research. Organizations should store data in only one place to prevent inconsistencies, as well as unnecessary duplication and synchronization problems. Citizen developers should not create databases, except on a transient basis; their activities should focus on applications' analytics and reporting. If there is a need for a custom database, the management responsible for oversight should create and share it. This arrangement helps avoid data duplication and violation of compliance or regulatory standards.
Data security and compliance regulations can constrain individual data elements or relationships between elements. For example, an organization cannot design an application to combine employee name and address with a Social Security number, except in a protected database. Violations of these constraints create vulnerability and legal risks for companies. Compliance enforcement is a difficult problem for low-code platforms, because analytics might require exploration of data fields and combinations that pose compliance risks.
To deal with these risks, restrict developers' access to databases that contain sensitive data, and require a compliance sign-off for any access to those databases from outside the core applications that maintain them.
Some -- but not many -- low-code platforms restrict database creation and use. Consider using an independent data warehouse model to serve both as a repository and a basis for analytics. Most companies use data pipelines to gather information and then validate and analyze it. When you use a data warehouse in conjunction with a low-code platform, you can apply strict governance controls. Base your data governance strategy and choice of warehouse tools on the kind of data you plan to analyze -- whether it's structured or unstructured, real-time or historical.
Once you have a data warehouse strategy in place, you can evaluate a wider range of low-code tools from vendors like Appian, Bonitasoft, Nintex and OutSystems. But always review the data warehouse approach for policy compliance prior to execution.
Pick -- and stick with -- one platform
To give governance a fighting chance, focus on a single low-code platform; don't let workers pick their own. It's nearly impossible to impose low-code governance when different departments pick different platforms. It's typically more practical to select a platform with variable code, which means it offers a range of low-code options to suit various application demands, to ensure you can use a single product throughout the company. Tools like Pega Platform, OutSystems, Mendix and Betty Blocks offer flexible approaches that support citizen development, IT professional use and oversight.
Use resources efficiently
While the oversight group doesn't want to grind projects to a halt, resource usage and efficiency present unique low-code governance challenges. Fast-tracked application development, including citizen development, tends to encourage app builders to make less discriminating decisions. Some enterprise teams generate thousands of low-code applications in a single year, which increases IT resource utilization significantly. IT governance can determine whether a departmental ask actually requires a new application and ensure that the application is built to maximize its potential for future reuse.
Project discipline is the key to resource governance. Every citizen developer and IT professional who uses a low-code platform must check in a project with the oversight group, which will weigh the utility of the goal vs. the resources it requires and then frame the approach to adhere to data governance principles.
Tool selection counts, but that alone will not absolve you of low-code governance challenges. Citizen development without IT oversight almost surely leads to trouble, no matter how you apply platforms and tools. The oversight group must also carefully watch the use of these platforms and tools. Populism in IT -- enabling more people to develop more apps to support their work or clients -- must be balanced with costs, security and compliance.