The low & no-code series – Appian: The science of compliance

The Computer Weekly Developer Network gets high-brow on low-code and no-code (LC/NC) technologies in an analysis series designed to uncover some of the nuances and particularities of this approach to software application development.

Looking at the core mechanics of the applications, suites, platforms and services in this space, we seek to understand not just how apps are being built this way, but also… what shape, form, function and status these apps exist as… and what the implications are for enterprise software built this way, once it exists in live production environments.

This post is written by Malcolm Ross in his role as VP of product strategy/deputy CTO at Appian – (arguably) one of the most vocal and established a low code enterprise software organisations with formative roots tracing back the very start of the millennium.

Ross writes as follows…

Low-code applications [and suites and toolsets] are exploding in growth, with new tools and vendors seemingly born each week offering low-code capabilities. Nowadays, it’s easy for anyone in an organisation to create new IT solutions that meet their needs using [the more abstracted no-code end of the] low-code platform spectrum.

While business users might be enjoying their new freedoms for self-serve digital innovation brought on by low-code, IT leaders might be cringing with concern over managing an exponential growth in IT solutions.

Self-serve app sprawl?

With data privacy regulations, security threats and the ever increasing reliance on digital technology to operate our businesses, IT governance is more important than ever.  These important IT controls are at risk of being bypassed by ‘citizen developers’ – with these custom self-serve digital innovations ignoring security, reliability and legal requirements. Not all staff will have the level of insight required when it comes to things like GDPR or HIPAA standards, for example.

But, it’s important to realise that, in reality, low-code platforms are here to stay. We’re heading into an era where licences for low-code will be as important to a business as tools like spreadsheets and word processors. 

The ability for organisations to create bespoke applications with low-code tools that deliver business value is a positive one. But this new era of innovation must be done in a way that protects business security and ongoing operations.

The key responsibility that now falls to IT teams is not in fighting the trend, but making sure they empower their business with the right tools and support new development paradigms that empower these low-code developers outside traditional IT roles.  IT teams should be overseeing the selection of suitable platforms that meet security, reliability and legal standards… and rolling the chosen solution out across a business.

So, when it comes to selecting a low-code platform, what are the areas you need to examine and consider? 

Low-code governance sanity-check

Firstly, you should start with DevOps practices.

Low-code tools should not sit outside proper governance frameworks… so a few questions you might ask of a low-code provider may include:

  •     Can users operate on a DEV / TEST / PROD mindset?
  •     Can new apps or updates be reviewed by a governance team before being published?
  •     Does the platform scan for development best practices and provide recommendations to developers?
  •     Does the platform support creation of unit tests and other tests to validate an application before publishing?
  •     Does the platform automatically scan for security misconfigurations?

In addition, low-code tools often operate in a cloud model and should come with security and compliance certifications. Global regulations impact all organisations and independently audited security certifications give confidence to buyers of the reliability of platforms. IT teams should look for common certifications, such as:

  •     SOC 1, SOC 2 and SOC 3
  •     PCI-DSS for payment processing and data security
  •     ISO 27017:2015
  •     ISO/IEC 27001:2013

Additional compliance standards might also apply to your specific region or industry, such as:

  •     HIPAA / HiTRUST certification for US Healthcare Patient Data
  •     FedRamp for US Government
  •     UK G-Cloud for UK Government
  •     GxP for Life Sciences

If security is baked in, it gives IT teams more peace of mind that employees using the tools are working to a high standard right from the start.

The host with the most (support)

Next, take a look at software availability and regional hosting options.

IT teams need to be able to depend on systems that offer high levels of availability, with up-time guarantees, disaster recovery and data redundancy plans. Nothing is more important than a company’s data – so IT teams need a platform that performs with high security and integrity 24/7. For multinationals, globalised geographic hosting is an important part of this requirement.

The tool you pursue needs to meet your business needs, whether it is ensuring data stays within a specific region and transfers no further, or simply available across multiple zones globally.

Scope out scope, don’t just hope

Finally, make sure you are examining the scope of capability when it comes to a low-code platform. The first stage of this lies internally – what are your business requirements and what digital experience do you want to deliver to your employees and customers? For example, does your business need to create the following types of applications?

  •      Mobile apps
  •      Consumer-facing apps
  •      Employee facing apps
  •      Case management or service desk
  •      Process automations and workflows
  •      Robotic process automations and AI
  •      Complex business rules
  •     Apps that combine data from multiple sources
  •     API Integrations

Appian’s Ross: Know your compliance code, know your workload, know your support mode, get your employees told… and get out on the low-code road without getting snowed.

Selecting a platform with the broadest scope of capabilities ensures maximum value for your business without needing to train and maintain multiple environments.

Cometh the hour to empower

Now you’ve selected a platform, the conversation turns to making sure users get the most out of it. Low-code presents so many opportunities to enterprises that IT teams play a key role in empowering users to build applications that help them in their work.

Help users understand how to access it in the right way and provide liberal access to learning and training to get the most out of a platform.

There are incredibly active community groups that are sharing best practices and supporting new entrants to low-code tools online.

Alongside these, community editions with free access can allow instant entry to low-code platforms, encouraging adoption and development en masse within an organisation. Business engagement in software development is here to stay, so support the teams that need it.

By examining all these areas in the research phase – DevOps, security, availability and capability – IT teams can sit back, relax and embrace the freedom that low-code offers.

Data Center
Data Management