One of the benefits of using Microsoft PowerApps is speed – which is great for stimulating innovation in the enterprise. However, what are the implications for security? Are speed and security mutually exclusive?
When thinking about mobile security, it is helpful to think about the ‘stack’, starting with the user’s identity, the device, the app, the data and the connectivity. All 5 layers need to be secure and some layers will require multiple sub-layers.
Deploying PowerApps is different to traditional apps because each new app is deployed directly to the device without going through a painful publishing process. If a traditional app is built with security in mind, publishing can be easy. However, if security is an afterthought it may require the injection of additional code to apply security policies to restrict user actions and protect the data in the app. This is known as “app wrapping” and can be a painful process that requires multiple iterations when moving an app from the development environment to the test environment and into production.
PowerApps publishing is easy because each new app you create is published directly through the PowerApps container on the device. The user can then open the app and pin it to the home screen of the device, so it is accessible there or in a folder like any other app.
Firstly, the user identity is managed by Azure Active Directory with SSO and 2FA. This automatically applies all your standard identity-related policies from AD.
PowerApps itself is part of Office 365 and PowerApps is typically deployed as a ‘managed app’ over MDM. This means PowerApps can be remotely wiped if the device is compromised and this will remove all the apps developed within the PowerApps framework.
More importantly, PowerApps now has the Intune SDKs that support App Protection Policies. This means we can easily define policies that restrict how the data in our app is treated. For example, we can set policies that prevent the user from copying data from a business app into a personal app, and that restrict ‘open-in’ and ‘save as’ actions. This is extremely powerful for apps with sensitive data.
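An added example, not from the original article or from Microsoft: a Python check of an app protection policy, in the JSON shape Microsoft Graph uses for the managedAppProtection resource, against the three restrictions named above. Both sample policies and their display names are constructed for illustration.

```python
# Added example: audit an app protection policy, in the JSON shape Microsoft
# Graph uses for managedAppProtection, for the three leak paths named above.
# Both sample policies are constructed, not exported from a real tenant.

# property -> (values that keep data inside managed apps, leak path it closes)
CHECKS = {
    "allowedOutboundClipboardSharingLevel": (
        ("managedApps", "managedAppsWithPasteIn", "blocked"),
        "copying data into a personal app",
    ),
    "allowedOutboundDataTransferDestinations": (
        ("managedApps", "none"),
        "'open-in' to an unmanaged app",
    ),
    "saveAsBlocked": ((True,), "'save as' outside managed storage"),
}


def _is_safe(value, safe_values):
    # Type-strict, so a JSON 1 or "true" never passes for boolean True.
    return any(type(value) is type(s) and value == s for s in safe_values)


def audit_policy(policy):
    """Return one finding per leak path the policy leaves open."""
    findings = []
    for prop, (safe_values, leak) in CHECKS.items():
        value = policy.get(prop)  # a missing property counts as open
        if not _is_safe(value, safe_values):
            findings.append(f"{prop}={value!r} permits {leak}")
    return findings


WEAK_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "PowerApps baseline (constructed sample)",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "saveAsBlocked": False,
}
HARDENED_POLICY = {
    **WEAK_POLICY,
    "displayName": "PowerApps restricted (constructed sample)",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "saveAsBlocked": True,
}

if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(p["displayName"], "->", audit_policy(p) or "no open leak paths")
```

A property that is absent from the exported policy is reported as open, so a partially configured policy does not pass by omission.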
The mobile device used to run PowerApps can be managed by MDM with policies to detect compromises. And if the device is procured through the Apple DEP program or Android Enterprise, then the device is permanently configured to your corporate profile which affords an additional security mechanism.
The data in PowerApps is part of the Common Data Service, hosted in Azure, and subject to the same stringent policies applied to all cloud data.
App proxy is used to secure connections from external data sources (e.g. Dropbox, Jira, etc.) to the Microsoft environment. Conditional Access adds cream on top of this stack by applying additional policies that limit app usage to the right people. For example, the app can be configured to work for users who are in a specific geo-fence and on a specific WiFi network.
Is enough enough?
Bringing all this together, if you are a nurse visiting patients all day, you could have up to 12 layers of security applied to your PowerApps. Clearly this makes it a secure environment, but more importantly it does so in a way that is not intrusive.
We expect you will need to unlock and use your device 100 to 150 times per day, so it is critically important that you are able to unlock the device with biometrics and get straight into your apps every time – unless something changes in which case you should be prompted with an additional security challenge.
PowerApps may not be for every use-case but I do believe it provides enough security for the vast majority of mobile use-cases.