The low & no-code series – Appian: The science of compliance

Self-serve app sprawl?

With data privacy regulations, security threats and the ever increasing reliance on digital technology to operate our businesses, IT governance is more important than ever.  These important IT controls are at risk of being bypassed by ‘citizen developers’ – with these custom self-serve digital innovations ignoring security, reliability and legal requirements. Not all staff will have the level of insight required when it comes to things like GDPR or HIPAA standards, for example.

But, it’s important to realise that, in reality, low-code platforms are here to stay. We’re heading into an era where licences for low-code will be as important to a business as tools like spreadsheets and word processors. 

The ability for organisations to create bespoke applications with low-code tools that deliver business value is a positive one. But this new era of innovation must be done in a way that protects business security and ongoing operations.

The key responsibility that now falls to IT teams is not in fighting the trend, but making sure they empower their business with the right tools and support new development paradigms that empower these low-code developers outside traditional IT roles.  IT teams should be overseeing the selection of suitable platforms that meet security, reliability and legal standards… and rolling the chosen solution out across a business.

So, when it comes to selecting a low-code platform, what are the areas you need to examine and consider? 

Low-code governance sanity-check

Firstly, you should start with DevOps practices.

Low-code tools should not sit outside proper governance frameworks… so a few questions you might ask of a low-code provider may include:

•     Can users operate on a DEV / TEST / PROD mindset?
•     Can new apps or updates be reviewed by a governance team before being published?
•     Does the platform scan for development best practices and provide recommendations to developers?
•     Does the platform support creation of unit tests and other tests to validate an application before publishing?
•     Does the platform automatically scan for security misconfigurations?

In addition, low-code tools often operate in a cloud model and should come with security and compliance certifications. Global regulations impact all organisations and independently audited security certifications give confidence to buyers of the reliability of platforms. IT teams should look for common certifications, such as:

•     SOC 1, SOC 2 and SOC 3
•     PCI-DSS for payment processing and data security
•     ISO 27017:2015
•     ISO/IEC 27001:2013

Additional compliance standards might also apply to your specific region or industry, such as:

•     HIPAA / HiTRUST certification for US Healthcare Patient Data
•     FedRamp for US Government
•     UK G-Cloud for UK Government
•     GxP for Life Sciences

If security is baked in, it gives IT teams more peace of mind that employees using the tools are working to a high standard right from the start.

The host with the most (support)

Next, take a look at software availability and regional hosting options.

IT teams need to be able to depend on systems that offer high levels of availability, with up-time guarantees, disaster recovery and data redundancy plans. Nothing is more important than a company’s data – so IT teams need a platform that performs with high security and integrity 24/7. For multinationals, globalised geographic hosting is an important part of this requirement.

The tool you pursue needs to meet your business needs, whether it is ensuring data stays within a specific region and transfers no further, or simply available across multiple zones globally.

Scope out scope, don’t just hope

Finally, make sure you are examining the scope of capability when it comes to a low-code platform. The first stage of this lies internally – what are your business requirements and what digital experience do you want to deliver to your employees and customers? For example, does your business need to create the following types of applications?

•      Mobile apps
•      Consumer-facing apps
•      Employee facing apps
•      Case management or service desk
•      Process automations and workflows
•      Robotic process automations and AI
•      Complex business rules
•     Apps that combine data from multiple sources
•     API Integrations

Appian’s Ross: Know your compliance code, know your workload, know your support mode, get your employees told… and get out on the low-code road without getting snowed.

Selecting a platform with the broadest scope of capabilities ensures maximum value for your business without needing to train and maintain multiple environments.

Cometh the hour to empower

Now you’ve selected a platform, the conversation turns to making sure users get the most out of it. Low-code presents so many opportunities to enterprises that IT teams play a key role in empowering users to build applications that help them in their work.

Help users understand how to access it in the right way and provide liberal access to learning and training to get the most out of a platform.

There are incredibly active community groups that are sharing best practices and supporting new entrants to low-code tools online.

Alongside these, community editions with free access can allow instant entry to low-code platforms, encouraging adoption and development en masse within an organisation. Business engagement in software development is here to stay, so support the teams that need it.

By examining all these areas in the research phase – DevOps, security, availability and capability – IT teams can sit back, relax and embrace the freedom that low-code offers.