IT Security & A Low-Code Balancing Act

Mohammed Brückner
10 min read · Nov 20, 2024

Wherever speed and agility are highly prized, low-code platforms have become increasingly popular, providing organizations with the ability to swiftly craft and deploy applications. Among these platforms, Microsoft Power Pages holds a prominent position, enabling users to build external-facing websites with minimal coding expertise. Yet, like a hidden crevice concealed within a seemingly solid rock face, Power Pages presents a security challenge that has left security professionals pondering the delicate balance between user-friendliness and robust security.

The Allure and the Achilles’ Heel of Power Pages

Microsoft Power Pages, born from the lineage of PowerApps Portals, emerged in 2022, boasting an impressive user base of over 100 million across a diverse range of industries, including healthcare, education, finance, and even government. With its intuitive drag-and-drop interface and feature-rich toolkit, Power Pages seemingly offered the perfect fusion of simplicity and functionality, democratizing website development for citizen developers. However, as security experts started to scrutinize its inner workings, a hidden vulnerability came to light — misconfigured access controls, leaving a vast amount of sensitive data susceptible to malicious actors.

Imagine a scenario where countless sensitive records, containing personal information, financial data, and confidential business details, are strewn across the open web, akin to misplaced jewels scattered along a bustling marketplace. These valuable pieces of information are unintentionally exposed through websites built with Power Pages, all because of absent or improperly set access controls. The situation resembles a scene from a suspense novel where unsuspecting individuals venture into a seemingly ordinary location, unaware of the dangers that lurk beneath the surface.

This revelation surfaced through the rigorous investigation conducted by Aaron Costello, a SaaS security research specialist at AppOmni. Costello’s deep dive into the intricate mechanisms of Power Pages websites, meticulously examining their security configurations, unveiled a finding that caused significant unease within the cybersecurity world. Numerous Power Pages sites had either overlooked or improperly implemented access controls, leaving the virtual doors ajar for anyone with even rudimentary technical skills to access sensitive information.

Unmasking the Vulnerability

To fully grasp the extent of this security flaw, we need to understand Power Pages’ data management mechanisms. Similar to a fortress safeguarding its valuable assets within a heavily guarded vault, Power Pages websites rely on Microsoft’s cloud-based relational database, Dataverse, as their data repository. To shield this treasure trove, the platform offers a multi-layered access control system, akin to the fortress’s multiple layers of gates, walls, and vigilant guards.

At the outermost layer, we encounter site-level settings. These settings determine how users gain entry into the digital fortress, whether through a welcoming open gate or a strict authentication procedure with mandatory registration requirements.

Moving inward, we find table-level controls. These act like the fortress’s inner chambers, each guarded by meticulous gatekeepers who determine which user roles — ranging from ordinary workers to high-ranking officials — can access specific data and perform certain actions.

The most detailed layer of access control resides at the Dataverse column level. Think of this as the fortress’s individual treasure chests, where each piece of sensitive information is stored under lock and key. Power Pages offers a masking feature, obscuring specific data fields, much like a skilled illusionist’s sleight of hand. For instance, the initial digits of Social Security numbers can be hidden, providing enough information for verification without jeopardizing the entire sequence.

However, the unfortunate reality is that many website administrators either neglect these crucial security measures or inadvertently misconfigure them. This leaves the virtual fortress susceptible to infiltration. Costello points out that gaining unauthorized access to sensitive data on these sites can be as easy as finding a hidden passage in the fortress walls. It becomes a matter of knowing the right URLs to bypass the security measures and access restricted areas undetected.

“In numerous cases, administrators inadvertently grant users the ability to view all data when their intent is to only allow access to their personal records,” Costello explains. This implies that a low-level employee could unknowingly gain access to highly confidential information regarding executives, salaries, or sensitive business strategies, potentially jeopardizing the security of the entire castle.

In certain situations, websites unintentionally leave the main gate wide open, allowing even anonymous users, akin to wanderers roaming outside the castle walls, to view data from tables. Costello’s research did not encounter a single Power Pages website implementing column-level security, indicating that the treasure chests within the castle are left unlocked and unguarded, inviting any passerby to view their contents.

Other sites try to maintain a level of security by limiting certain sections to authenticated users, similar to requiring a special key to enter specific chambers within the castle. Yet, they weaken their own defenses by enabling anyone to register and authenticate, effectively distributing keys to everyone who requests one.
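The three misconfiguration patterns described above (table data readable by anonymous visitors, all-records access where only personal records were intended, and authenticated-only sections on a site where anyone can register) can be checked mechanically. The following is an added example, not code from Costello's research or from Microsoft; the input is a constructed, simplified export whose field names are assumptions rather than the real Dataverse schema.

```python
# Added example: audit a simplified export of Power Pages table permissions.
# SAMPLE_SITE is constructed data; its field names are assumptions.
SAMPLE_SITE = {
    "open_registration": True,  # anyone may self-register and sign in
    "table_permissions": [
        {"table": "contact", "scope": "Global", "read": True,
         "web_roles": ["Anonymous Users"],
         "sensitive_columns": ["ssn"], "masked_columns": []},
        {"table": "incident", "scope": "Global", "read": True,
         "web_roles": ["Authenticated Users"],
         "sensitive_columns": [], "masked_columns": []},
        {"table": "invoice", "scope": "Contact", "read": True,
         "web_roles": ["Authenticated Users"],
         "sensitive_columns": ["iban"], "masked_columns": ["iban"]},
    ],
}


def audit(site):
    """Return a list of (severity, table, reason) findings."""
    findings = []
    for perm in site["table_permissions"]:
        if not perm["read"]:
            continue
        table, roles = perm["table"], set(perm["web_roles"])
        is_global = perm["scope"] == "Global"  # Global = every row in the table
        if is_global and "Anonymous Users" in roles:
            findings.append(("critical", table, "all rows readable without login"))
        elif is_global and "Authenticated Users" in roles:
            if site["open_registration"]:
                # Authentication is no barrier when registration is open.
                findings.append(("critical", table,
                                 "all rows readable by anyone who self-registers"))
            else:
                findings.append(("high", table,
                                 "every signed-in user reads all rows, not only their own"))
        # Column level: sensitive fields with no masking configured.
        unmasked = sorted(set(perm["sensitive_columns"]) - set(perm["masked_columns"]))
        if unmasked:
            findings.append(("medium", table,
                             "sensitive columns without masking: " + ", ".join(unmasked)))
    return findings


if __name__ == "__main__":
    for severity, table, reason in audit(SAMPLE_SITE):
        print(f"{severity:8} {table:10} {reason}")
```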

Throughout his investigation, Costello focused on organizations with established cybersecurity disclosure policies. These organizations have acknowledged the importance of security, at least in theory, and are presumably more receptive to receiving vulnerability reports. Even among these organizations, Costello found an alarming number of exposed records across various Power Pages websites, highlighting the fact that castle owners with advanced security measures can still have weaknesses if residents or employees don’t properly use those advanced systems.

Consider this real-world illustration: a significant business service provider inadvertently exposed personal data of over one million employees belonging to the UK’s National Health Service (NHS). This data encompassed phone numbers, email addresses, home addresses, and more — all freely available on the internet for anyone to see, demonstrating the high cost that can occur when the walls of a castle fall to outside attack.

Past Mistakes Echo in the Present:

As Costello aptly points out, this security challenge isn’t exclusive to Power Pages. Similar vulnerabilities have been identified in other widely used SaaS platforms like Salesforce, ServiceNow, and NetSuite, each serving various purposes. The fundamental issue isn’t inherent to any specific platform but rather a systemic misunderstanding and misuse of access controls. The vulnerability lies not in the design of the castle walls, but in the failure of the castle guards to implement and follow appropriate procedures.

In its defense, Power Pages doesn’t leave users completely in the dark about security risks. It employs warning banners when misconfigurations are identified, akin to placing cautionary signs near potential hazards within the fortress. These banners aim to highlight potential dangers associated with specific settings and configurations. This can be likened to posting reminders for guards to ensure gates are securely locked and treasure is properly secured.

However, as Costello’s research reveals, organizations frequently disregard these warnings. Perhaps the perceived simplicity of the low-code environment creates a false sense of security, or perhaps they are so focused on ease of use for their Power Pages site that they neglect the warnings related to security configuration, which could end up resulting in catastrophe.

The Human Element in the Equation

One possible reason for the prevalent misconfigurations might be linked to the user demographics of Power Pages. By design, low-code platforms appeal to a broader audience, including individuals with varying levels of technical expertise. These citizen developers, who may lack the specialized security training of a seasoned fortress guard, might have a less comprehensive understanding of cybersecurity best practices, which could be improved through comprehensive training.

The very feature that makes Power Pages appealing — the simplicity of website development — can be a double-edged sword. It’s like handing someone a powerful tool without fully explaining its intricacies and potential dangers.

Costello observes, “If you’re primarily focused on dragging and dropping interface elements without fully comprehending the implications of access controls, you may inadvertently create vulnerabilities.”

A Chorus of Counterpoints:

While Costello’s research exposes a valid security concern, it’s important to acknowledge alternative viewpoints and interpretations. Just as a complex theatrical production involves various actors contributing to a multifaceted narrative, diverse perspectives contribute to a richer understanding of Power Pages’ security landscape.

Power Pages advocates and experts acknowledge the vulnerabilities, but emphasize the built-in security measures and safeguards of the platform. Steven’s research does highlight the need for more awareness about the issue and a reminder that platform owners, administrators, and end users should all follow good security procedures to maximize the benefit of security controls built into the system.

Each newly created website in Power Pages defaults to a private setting. This implies that the virtual drawbridge is initially raised, and the castle gates are firmly secured, preventing unauthorized entry. A preliminary security check is performed right at the start, which is like designing a castle from the start with security at the core of the plan.

Whenever Dataverse data is integrated, the platform provides multiple warnings. Power Pages aims to ensure that you are aware of the possibility of your data being visible to everyone unless table permissions are explicitly configured and the anonymous web role is correctly applied. These warnings can be compared to a castle’s strategically placed alarm bells, ready to ring the moment a single door or window is left open or unsecured.

Importantly, no data is actually exposed until the explicit configuration of table permissions and web roles. This measure adds a vital security buffer, ensuring that even if specific chambers within the castle are inadvertently left unlocked, the treasure within remains protected in locked chests.

Moreover, Power Pages supports page-level permissions, enabling fine-grained access control over what each user can access, offering room-by-room security within our castle analogy. This means that administrators and owners of the castle are able to define different levels of access for various pages or sections of the Power Page, increasing security and offering flexibility as needed.

Prior to making a website live, Power Pages performs a thorough security scan, providing an ultimate checkpoint to detect any overlooked vulnerabilities, much like the captain of a castle guard thoroughly reviewing security arrangements each day.

These extensive security features built into Power Pages caution against reaching broad conclusions based solely on isolated incidents of misconfiguration. This does not negate the importance of those incidents and the findings, but it helps to show that they do not tell the full story of Power Pages security, and it highlights the importance of users being aware of, understanding, and using the security features built into the platform.

Shared Stewardship:

The debate goes beyond platform-specific flaws. A fundamental principle applicable across all domains is the shared responsibility model. Whether it’s low-code, pro-code, or a hybrid approach, building secure systems always requires meticulous architectural considerations. Just as architects of a castle and the residents of the castle must all play their role to ensure proper safety, so too should Microsoft and those who use Power Pages share the responsibility to configure it properly.

Implementing effective security countermeasures to reduce potential risks is a collective endeavor, involving both the platform provider and those who use the platform to build Power Pages. This can be likened to the shared responsibility of both the castle’s architects and the castle’s occupants in maintaining the integrity and security of the structure.

While Power Pages offers various security measures, there’s an argument for Microsoft to consider further enhancements, much like how a castle’s designers can learn from historical sieges to identify weaknesses and create more effective defenses.

They could adopt a strategy similar to AWS’s approach to S3 buckets, making the ramifications of incorrect configuration abundantly clear, which would improve overall platform security and decrease the risks related to improper configuration by users. Just as AWS has added S3 bucket security features in multiple stages to reduce the risk of open buckets, Microsoft could add further steps and warnings to make misconfiguration more difficult and unlikely, which would reduce the risk to Power Pages security.

Balancing Agility and Protection

The pursuit of rapid development should never compromise caution and due diligence. Low-code platforms undoubtedly provide significant benefits, accelerating prototyping and deployment timelines. Yet, they can potentially create a false sense of security, leading users to underestimate the importance of careful planning and attention to potential hazards. This isn’t to claim that low-code platforms are inherently insecure, but rather that the ease of implementing complex functionality requires an even more cautious and deliberate approach.

Security protocols should not be treated as optional add-ons or afterthoughts in the development lifecycle. Instead, they must be integrated from the inception of a project and given equal priority to other aspects like usability or performance. Security architects, IT professionals, and platform providers all have a crucial role in advocating for, teaching, and enforcing good security practices among both seasoned and novice developers. Ensuring that those guarding a castle understand potential threats and know how to counteract them is key to overall castle security, and those guarding and those living in the castle need to be united in their commitment to keeping threats at bay.

Expanding the Scope of Security

While bolstering platform-level security remains essential, addressing the human element is equally paramount. Offering comprehensive, accessible, and intuitive educational resources targeted at both non-technical and experienced developers could significantly boost their confidence in creating secure applications.

Promoting formal architectural review procedures is essential. Implementing checklists and integrating code analysis tools into low-code platforms can support developers in identifying and rectifying security concerns early in the development process, making this as routine as checking the walls and gates for breaches each day.

Providing developers with frequent training on cybersecurity best practices could bridge knowledge gaps and help make security protocols a habit during development. Just as regularly training castle guards is crucial to maintaining the effectiveness of a security posture, ongoing security training and development helps keep the security features of a Power Page effective at protecting its precious data.

The Path Towards a Safer Digital Frontier

Discussions around Power Pages security should be viewed as an opportunity for constructive change, rather than as a cause for undue alarm. Embracing the concept of shared responsibility, championing continuous learning, and empowering both platform developers and end-users are vital steps towards mitigating risks. As Seneca astutely observed: Every new beginning comes from some other beginning’s end. Let the narrative around Power Pages’ security evolve to one where agility and robust security coexist in harmony, guided by collective wisdom and experience, where the tools used to create Power Pages continue to evolve and improve based on new information about vulnerabilities discovered, just as the walls of castles change based on new weapon technology developed by those looking to breach them.
