A study by the Everest Group shows that shadow IT comprises 50 percent or more of an organization’s IT spending. This shows that shadow IT can be problematic, but it is not totally disadvantageous. There are valid reasons why many organizations use unsanctioned and unmonitored IT systems or components. For one, it supports innovative solutions and allows departments to creatively find ways to address their specific needs.
However, the benefits of shadow IT are obliterated when there is a failure to resolve its biggest challenge: security. Shadow IT poses significant security risks including low visibility into an organization’s technology environment, increased possibility of data loss and theft, compliance issues, disrupted workflows, and vulnerabilities that can be exploited to commit various kinds of cybercrime.
One of the biggest sources of shadow IT is the growing popularity of low-code/no-code (LCNC) app development. Many organizations are now embracing LCNC development platforms to self-build apps that address their specific functional requirements. They rapidly produce apps in response to various operational concerns without the IT department knowing about them.
Zenity: Zen for low-code/no-code apps
Started in 2021 by a duo of cybersecurity experts, Ben Kliger and Michael Bargury, Zenity is the first and (so far) only governance and security platform particularly created for low-code/no-code apps. Its founders describe it as a “win-win environment where IT and information security can give business and pro developers the independence they want to move the business forward while retaining full visibility and control.”
Kliger, a former Information Security Consultant at Deloitte, and Bargury, an experienced cybersecurity specialist, noted how there was a lack of cybersecurity solutions that match the new dynamics when it comes to LCNC app development. The two noted that all existing app and development security solutions are intended for traditional development. Current cybersecurity systems fail to take into account the risks posed by shadow IT apps created using low-code/no-code platforms.
Zenity changes all of this by allowing organizations to monitor and protect their LCNC assets across different platforms. It maximizes the benefits of low-code apps by making sure security issues do not become stumbling blocks. Kliger and Bargury collaborated with the largest US corporations to understand what they really need and want when it comes to low-code/no-code applications.
How Zenity addresses the shadow IT problem
Zen entails enlightenment, and this is what Zenity, in a way, does for the use of low-code apps. It takes apps away from shadow IT by making them visible to those who should know what these apps are and what they do. Zenity makes those responsible for IT security not only aware of the presence of the apps, but also capable of tracking them and enforcing security rules and policies on them.
In a message sent by the founders of Zenity, five important roles were defined. They are as follows: (1) the enforcement of security policies, (2) continuous pinpointing of policy violations, (3) discovery of shadow IT business apps, (4) automatic remediation processes and fixing of issues, and (5) detection of anomalous behavior.
Zenity does this by, first, identifying all the low-code/no-code apps used in an organization across different platforms. This “discovery” phase results in cross-platform visibility, which allows the IT department, or at least the security team, to know all the apps connected to the network, who the creators and users are, and what data is being transmitted or exchanged among these applications.
Once all LCNC apps are inventoried, which essentially means taking the apps out of shadow IT, the organization can effectively implement protection, governance, and mitigation functions.
Zenity’s protection function is mainly about detecting suspicious and malicious LCNC app activities, especially those that are associated with supply chain attacks. This focus on software supply chain attacks is crucial, given how high-profile incidents like that of SolarWinds demonstrate the kind of threats faced by every organization that uses software from different vendors. There is a need to always be on the lookout for malicious or anomalous behavior to prevent attacks before they escalate.
When it comes to governance, Zenity facilitates the formulation and implementation of organizational app governance policies. It offers a systematic way of creating and configuring app guardrails, backed by rules-based automation. This helps get rid of the risks and prevent business disruption.
Lastly, Zenity’s mitigation aspect addresses the need to reduce risk surfaces through continuous risk assessments. All low-code/no-code apps and their components are ceaselessly monitored for possible configuration drifts, usage with security issues, as well as the use of third-party components that can be considered unsafe. Zenity accelerates the remediation of security risks by providing prompt alerts along with the description and details of the security policies violated and recommendations on the actions to be undertaken.
Does Zenity eliminate shadow IT?
Zenity is not designed to annihilate shadow IT, which is not entirely disadvantageous. What it does is allow organizations to benefit from shadow IT without compromising their security. Zenity helps organizations bring their LCNC apps out of the shadow IT cover with its cross-platform visibility thrust, but it is not meant to completely stop organizations from utilizing shadow IT.
In the case of departments that use Robotic Process Automation (RPA), for example, Zenity enables the discovery of all bots or virtual agents built with an RPA platform and the spotting of risks and other security issues. Zenity does not stop organizations from using methods or tools that lead to more shadow IT systems and components, but it can bring to light apps that can potentially become vulnerabilities in an organization’s security posture.
Also, Zenity provides governance and security for all applications created using citizen automation and development platforms (CADP) and low-code application platforms (LCAP). It ensures visibility and app tracking, as well as the application of standard software development lifecycle (SDLC) security practices and governance.
This LCNC app security and governance platform supports the secure self-building of interconnected business apps and the “hyper-automation” of various processes, particularly those that are created using Integrated Platform as a Service (iPaaS). Zenity enables the continuous scrutiny of all iPaaS integrations, including the ways by which they store and transmit sensitive data between SaaS apps and on-prem endpoints.
Moreover, Zenity ensures secure business process configuration and data flows. This is important when using modern automation platforms like Intelligent Business Process Management Systems (iBPMS) to securely automate complex workflows. Organizations get to achieve cross-platform visibility for all their iBPMS apps, creators, and data. They also get the benefit of quickly finding and remediating misconfigured automations and being aware of dubious data flows and security standard compliance issues.
Offering a novel, trustworthy solution
Established in 2021 as a SaaS app security and governance solution, Zenity is relatively new in the cybersecurity industry. However, the specific pioneering solution it offers is showing great promise in the field of securing low-code apps, which are set to comprise 75 percent of all the apps used by organizations in 2024. It’s a solution that works and is vouched for by renowned cybersecurity figures.
Palo Alto Networks’ Senior Director for Product Management Ory Segal lauds Zenity for stepping up to the challenge of securing LCNC applications and allowing organizations to “gain visibility and take control over the wild-west of business application development.” Likewise, Varonis’ Director of IT Technology Omer Mar-Chaim notes Zenity’s role in promoting the secure use of low-code/no-code apps, calling it an “innovative platform that helps to safely promote citizen and business application development.”
Zenity does not promise to put an end to shadow IT, but as far as business apps are concerned, it helps ensure the secure use of low-code/no-code apps. These apps would otherwise form part of unsafe shadow IT if they were created and deployed the way they used to be, without a viable security and governance platform.