In today’s digital age, organizations are under immense pressure to define, ideate, build and deliver services at consistently shortening time to market. With a demanding market, an unpredictable and slowing economy, and a global shortage of skilled labor, low-code platforms are increasingly seen as a boon for enterprises aiming to fuel digital transformation by building new apps, modernizing application landscapes, or automating processes quicker and more efficiently. Low-code/no-code (LCNC) tools have seen steady growth due to their effectiveness in addressing some of the challenges in technology – primarily for digitizing workflows, enhancing user experiences, promoting internal efficiency, and their ability to quickly fill the workforce gap. Low-code application platforms are emerging as a key accelerator for app development and delivery. However, there are still challenges ahead due to a vacuum of battle-tested IT governance for low-code platforms. This article covers our view on the governance of one of the leading LCNC tools, Power Platform, and why it is important while planning, securing, deploying, and supporting applications built on the platform.
Low-code – introduction, demand and market
The pandemic has brought about years of change in the way organizations across sectors and regions do business. A study by McKinsey revealed that companies have accelerated digitization by three to four years ([LaBe20]) in just a few months’ time of the pandemic. It even found that the share of digital or digitally enabled products has accelerated even more. The study calls out that filling the gaps for technology talent is one of the major challenges companies are facing and will continue to face: “Respondents from the companies that have executed successful responses to the crisis report a range of technology capabilities that others don’t – most notably, filling gaps for technology talent during the crisis, the use of more advanced technologies, and speed in experimenting and innovating.”
This raises the immediate question of where you can find the technology talent needed to provide this increasing volume of applications in a world where talent shortage is already a problem.
Figure 1. Power Platform extends your development potential. [Klik op de afbeelding voor een grotere afbeelding]
Low-code/no-code platforms can help. One part of the answer is that everybody in an organization is empowered to build applications, using low-code/no-code, without the need for IT centralized delivery. For example, in a study conducted by Forrester (depicted in Figure 1) for Microsoft’s LCNC tool, Power Platform, app development costs were reduced by 74% and application management and maintenance costs by 38% ([Forr20]). Gartner states that by 2025, 70% of new applications developed by enterprises will use low-code or no-code technologies, coming from less than 25% in 2020.
According to Gartner, low-code application platforms are defined as software that enables rapid development and deployment of custom applications by abstracting and minimizing traditional-coding, in order to develop a complete application consisting of user interfaces, business logic, workflow, and data services. It also provides reasonable tools to properly secure and govern these platforms ([Wong21]).
Low-code platforms change the game for building solutions in an enterprise. The focus shifts from IT-owned projects, to democratized implementation of apps – driven by business, domain experts, and non-IT people. Traditionally, applications were left to the IT departments to be developed, maintained, and supported. As a result, a large backlog of IT projects exists, neglecting many smaller but still valuable business cases due to time, cost, and resource restrictions. This results in both frustration and un-leveraged business value.
With the low-code platforms, the IT department is no longer in a central position as an implementing and operating authority. It is, together with the whole organization, the enabler for the digital savvy business users, the Citizen Developers (CD).
Given the capabilities the low-code platforms are bringing to the ecosystem, it is becoming the solution of choice for Line of Business leaders including CIOs, and CTOs to fill immediate gaps in the workforce, development capacity and tackle IT challenges to ensure business continuity.
Take a look at the key industry trends, and indicators vis-à-vis low-code/no-code (LCNC):
- Forrester research said that the total spending on the low-code market will reach $21.2 billion by 2022 ([Forr20]).
- According to Business Wire, the future is low-code or no-code with an expected growth rate of 44.4% by 2022 to $27.23 billion (up from $4.32 billion in 2017) ([Busi18]).
- The digital world expects over 500 million apps and digital services to be built and deployed by the end of 2023, according to IDC FutureScape. That is more than all of the software solutions created in the last four decades ([IDC22]).
- A report by Gartner forecasts that by 2024, low-code adoption will be so widespread that 75% of the software solutions built around the world will be made with the help of such tools ([Gart21]).
Figure 2. Low-code trends & indicators. [Klik op de afbeelding voor een grotere afbeelding]
The imposing numbers and claims in Figure 2 show the trends that the LCNC industry is expanding at a fast pace. Be it Digital Process Automation (DPA), Robotic Process Automation (RPA), Business Process Automation (BPA), Business Intelligence (BI), or, application development, the LCNC market and demand for the tools are growing in all these segments with very positive growth outlook. Rising low-code platforms are driving about 50% annual growth in a market populated by dozens of vendors.
The Microsoft Power Platform has some unique selling point(s) USPs that give them a favorable position over other leaders in the Gartner magic quadrant for low-code applications. Given the vital importance of maintaining a single source of truth in enterprises, Power Platform brings the business process on a single platform allowing the full cyclical approach to Analyze (Power BI), Automate (Power Automate), Act (Power BI), Assist (Power Virtual Agents) and Assemble (Power Apps) enabling end-to-end capabilities that work together and integrate seamlessly with the Microsoft ecosystem, eliminating the need and dependency on multiple separate software tools. The cherry on the cake is its seamless integration with Azure Active Directory for a comprehensive, integrated security and a single-sign-on approach throughout your systems.
Power Platform is designated for a wide range of users and use cases. It opens up the approach of building applications of varying complexity, ranging from simple personal productivity to more complex use cases by bringing together teams from different areas for the purpose of bringing apps to life faster, also known as the “Fusion Teams” (see Figure 3) approach. A fusion team comprises:
- Code-first developers (also referred to as professional developers), who can extend or build upon the platform using traditional code first within IT departments.
- Citizen Developers, who can build solutions without writing code and, most importantly, know their requirements. Operating within the business, they are experts in their domain and do not require a deep knowledge of IT.
- And finally, IT professionals, who can operate as the administrator or in the governance team.
Figure 3. Fusion teams – low-code is a team sport. [Klik op de afbeelding voor een grotere afbeelding]
Governance of the Power Platform
The confluence of rising IT needs, coupled with the scarcity of developers and seamless integration with the Microsoft ecosystem of products has driven an increasing desire and need for Power Platform. However, there are some challenges that need to be addressed to establish solid confidence in adopting any low-code platform in the organization. The most common inhibitors to adoption that are observed are:
- Security risks regarding Shadow IT
- Business-managed IT (BMIT)
- Data security concerning connectors,
- App or flow ownership managed by the business
- Maintaining environment health
- Information security & risk management
- Compliances issues
- Monitoring and tracking of apps and flows, etc.
To address these concerns and to leverage the full potential of the platform for the benefit of an organization, it is imperative to establish a successful governance framework.
Digital governance is the key mechanism organizations use to ensure that software development aligns with strategic objectives, business goals, commercials, data protection, maintaining compliance standards, and protecting the chain of value creation, value delivery, and value capture. It encompasses the norms and standards that shape the regulation regarding the development and use of technologies by offering a formal framework for achieving measurable progress while safeguarding the value flow.
While governance is important to ensure that problems are anticipated and solved early, to leverage the full potential of the Power Platform, it is important to strike a balance between the organization’s needs in terms of security, compliance, and regulations (such as GDPR, etc.), yet at the same time giving teams enough freedom to innovate and create value for themselves and the enterprise.
The Microsoft Power Platform provides the necessary means to strike that balance: “long-leashing” your organization, but still enabling central governance. The central effort of CIOs and Risk departments to mitigate risks is initially contrary to the idea of the autonomy that Microsoft Power Platform requires. Governance is distinguished into the following divisions:
- Proactive governance
- Reactive governance
Proactive governance deals with the central requirements that are defined within the platform (the so-called guardrails), ideally before it is rolled out. This includes security requirements, environment and licensing strategies, cost implications, roles, and responsibilities. Being proactive, can and should be done upfront to ensure the first level of governance and security.
Reactive governance describes continuous monitoring and alerting based on standardized yet specific indicators to enable a clearer view of the Power Platform. It is used to assess adoption KPIs, as well as to respond quickly where necessary.
Figure 4. Kick-start the low-code journey with the 7 layers (source: Microsoft). [Klik op de afbeelding voor een grotere afbeelding]
A comprehensive governance concept is fundamental to every technology and software platform. This is especially true for low-code platforms due to their democratized nature. Figure 4 covers the seven layers or areas as advised by Microsoft ([Pich19]) to get started, while considering using, adopting, deploying, managing Power Platform and its governance. The beauty is that each of these layers is independently manageable and gives the flexibility to choose the layers in any order. Each of these layers concerns the proactive or reactive governance or both approaches. It’s important to mention that the governance is not a one-off exercise, it needs to be constantly reviewed and refined based on the evolving needs of the organization itself, but also given new functionality is provided by Microsoft regularly.
Platform Overview – environment, apps, platform
Power Platform provides an easy interface for business users to create apps and flows while simultaneously providing robust tools for pro developers, making it possible to integrate innovative solutions across Azure, Dynamics 365, and standalone applications. A common issue that arises is the ownership status of these apps and flows. If a user creates an app and then leaves the organization, the app is left without an owner, and is unable to be edited or shared. Without governance, this problem too often becomes apparent after the fact.
You should have product discovery periodically to understand the status and origin of apps and flows in your environments. Having a Strategy & Vision defined is fundamental for any further efforts in the Power Platform. For instance, as a part of the strategy, consider identifying such artifacts that are orphaned or unused, and then act according to governance policy, e.g., archiving orphaned apps or changing the app ownership. The Power Platform Center of Excellence starter kit provides functionalities to identify such objects and reassign the orphaned apps by changing the app ownership or archiving the unused apps.
The same applies to the platform evaluation as the Power Platform is constantly evolving, and new features must be continuously evaluated to determine how they can be used meaningfully by the organization.
You must know your environment to govern it better. A Power Platform environment is a space to store, manage, and share your organization’s data, apps, chatbots, and flows, and is tied to a geographic location. Environments serve as a container that administrators can use to manage apps, flows, connections, and other assets, along with permissions to allow organization members to use the resources. Therefore, start by understanding, and developing an environment strategy.
An environment strategy primarily entails environment provisioning, managing access rights and other layers of data security, and effectively organizing underlying resources in a way that supports productive development in your organization.
Figure 5. Example environment strategy diagram (source: Microsoft). [Klik op de afbeelding voor een grotere afbeelding]
Figure 5 exemplifies such an environment strategy as published by Microsoft ([Mora19]). There are multiple types of environments that all have different purposes, such as:
- Default – This environment is the standard out-of-the-box environment. Each tenant has a default environment and should be used for personal productivity only and should not be used for critical business applications. It is recommended to rename this environment accordingly to reflect the purpose.
- Developer – These environments are intended only for use by the owner, which makes it perfect for the development teams to work in isolation on an application.
- Sandbox – These environments are non-production environments, which should be used for development and testing your development before moving into a production environment.
- Production – This is your environment where your solutions will be accessed by end users. It is advised that the development team does not have any admin access to this environment, and it is purely the IT team that deploys the solutions to this environment.
Furthermore, assign your admins the Power Platform service admin role, which grants full access to Power Apps, Power Automate & Power BI. Restrict the creation of net-new trial and production environments to admins. Next, establish the environment management policy, and processes to request the creation of environments, and request access. Clear roles and responsibilities across the organization on support, and ownership. Defining the tiered application models along with specific lifecycles of apps support.
Besides the environment, understand your organization’s tenants to govern it better. A tenant refers to the container in which all your different environments sit. Check the tenant settings and harden them as per your organization’s requirements.
Next to it are connectors and on-premise data gateways, which have a crucial role while interacting with different systems. Connectors are essentially proxy wrappers around the application programming interfaces (APIs) provided by services that allow apps and flows to easily interact with the service. On-premise data gateways enables Power Apps and Power Automate to reach back to on-premises resources to support hybrid integration scenarios. The gateway leverages Azure Service Bus relay technology to securely allow access to on-premises resources. Inside the tenant, within each database environment – there are data connectors and controls. These need to be secured with the right roles and permissions to ensure the users have access only to the tools and environments they need.
A major benefit of Power Platform and its integration into the Microsoft ecosystem is that users are automatically authenticated. It is the key that enables proper governance of the Power Platform. Every action maker, and Citizen Developers make, happens with an authenticated account. This means that they cannot go beyond their granted permissions on SharePoint, Teams, Dataverse (formerly, CDS, Common Data Service), or any other system where data interacts. Defining security is fundamental to the implementation of the Power Platform within an enterprise. It contains necessary decisions on:
- Azure AD conditional access at the Tenant level .
- Setting up data loss prevention policies at the Environment level designed to enforce rules for accessibility of connectors and access to business data.
- Establishing resource permissions for apps, flows, and custom connectors at the Resource level.
- Assign Dataverse security roles.
- Defining Cross-tenant inbound and outbound security and compliance concepts, detailing access from and to the data sources.
These belong to the proactive governance area; it is important to have these defined and implemented properly before the rollout of the platform.
Monitor is the reactive area of the governance approach. It is important to monitor who is accessing your apps and flows and how these are being used to ensure security policies are effective. The Security & Compliance Center can be used to review out-of-box activity logs and analytics. Configure audit logs and make use of APIs to access logs and leverage management connectors for powerful reporting.
Alert & Act
Alert & Act too are the reactive area of the governance approach. It is advised to automate your audit and alert process using Power Automate. It deals with ongoing monitoring of standard and specific KPIs of your apps and flows across the enterprise to gain meaningful insights into adoption. This greatly helps in discovering any risks early in the process, identifying and empowering champions, welcoming new makers, and fostering the best practices.
With the digital innovation and enablement, the Power Platform brings to the organization – both the IT and risk management functions are quickly overwhelmed by the number of apps that are built. It is no longer about one app at a time that undergoes a development lifecycle. Therefore, it is important to automate the policies outlined, have alerting mechanisms in place, necessary actions defined and applied to remediate the potential risks with the growing number of apps. As an example, create workflows using management connectors that either permit or restrict behavior based on your organization’s Data Loss Prevention (DLP) policies.
The application lifecycle includes governance, development, and maintenance. In Power Platform, with Application Lifecycle Management (ALM), you get a bird’s eye view of your projects including requirements management, resource management, nurturing and system administration such as data security, user access, change tracking, review, audit, deployment control, and rollback in a way that other approaches fail to deliver. You get increased visibility into workflow, enhanced compliance, faster deployments, and higher quality products. Learn and facilitate the ALM toolset and best practices. Solutions are the mechanism for implementing and deploying ALM in Power Apps and Power Automate. A solution is either managed or unmanaged. The beginning state of solution is the unmanaged solution. Unmanaged solutions are used in development environments while you make changes to your application. Managed solutions are used to deploy to any environment that isn’t a development environment for that solution. It is a finalized solution that can be distributed and installed.
Educate & Support
An overarching aspect of managing Power Platform is nurturing the continued growth and onboarding of makers and driving your organization to adopt a digital culture. A maker is someone who creates and enforces business processes, structures the digital collection of information, improves the efficiency of repeatable tasks, and automates business processes. Evangelism, community, and training are proven ways to create awareness of the platform’s capability and provide support within an organization. At the same time, it is an integral part for people in an organization to understand concerns, and regulations that they need to respect. Therefore, it is vital to provide well explained, persona-based entry points into the Power Platform. That can be done through central communication, as well as providing specific information to new makers to ensure they have the resources they need to be productive and successful with these tools. To enable people, clear and concise communication is crucial.
Experience from the practice
When approached by organizations who struggle with leveraging the full potential of the Power Platform within their organization, the following patterns are usually observed:
- The adoption of the Power Platform is either minimal or cannot be assessed at all. Key indicators are not regularly reviewed.
- The fear of security breaches or of not being compliant with regulations results in a reduced, half-hearted implementation of the Power Platform.
- Regular review and adjustment of the strategy & vision, governance, and assessment of new features of the Power Platform are not conducted.
- Transparent internal communication that provides guidance and information on guardrails and assists Citizen Developers is missing.
- The need for proactive governance is usually known but is only partially implemented and followed.
Based on our experience, organizations are mostly aware of proactive governance requirements. Along with IT, Security, and Risk departments, they usually have restricted access according to best practices before rolling out the platform. One common mistake is that the IT department continues to be put in control of app requests and creation.
Low-code platforms, therefore, require a clear commitment and investment from the whole organization, ensuring that the topics described above are not only implemented “once” and therefore half-heartedly, but also continue to be developed further. This is the only way to keep leveraging the full value of the use cases over time.
Establish a Center of Excellence
To improve business agility, and productivity in a governed, secure, auditable, and manageable way, while being compliant with regulatory requirements as well as reducing costs, and empowering makers, organizations should establish a Center of Excellence (CoE). A CoE helps organizations focus and align their resources and expertise regarding a specific capability to accomplish and sustain performance and value. CoE is designed to drive innovation and improvement, and as a central function it can break down geographic and organizational silos.
In our view, a Center of Excellence encompasses the below key areas in the context of Power Platform.
- Vision & Strategy
- Administration & Governance
- Business Value & Onboarding
- Nurture, Change & Adoption
We advise businesses to start with a set of workshops to identify the current state and maturity level of the Power Platform within their organization. Post assessment – set the target level and define how to go further on the CoE journey, in a phased approach to realize the value sooner. Our consulting approach covers all the key areas and aims to increase the maturity level of each of them separately.
Administration & Governance is one of the key areas in the Power Platform journey. Depending on the size of your organization, consider installing the Power Platform Center of Excellence Starter Kit (Starter Kit) instead of starting from scratch. The Starter Kit should not be misunderstood by CoE. The Power Platform Center of Excellence Starter Kit is a collection of the below set of components, tools, and templatized best practices designed with the Administration & Governance area in mind.
- Core components – Catalog tenant resources, DLP Strategy & Visibility, Change app ownership
- Compliance components – Sample App audit process, Archive unused apps, Act based on certain connector usage
- Nurture components – Onboard new makers, provide training and share best practices, and encourage adoption
The Power Platform Center of Excellence starter kit acts as a foundation element and kick-starts the Power Platform admin & governance journey. There are a few caveats to be mindful of:
- It needs to be separately installed and maintained.
- The kit itself is not supported by Microsoft.
- Multi-tenant setups need to be planned thoroughly with the starter kit.
- It is a generic template that might not match every organization’s requirements.
Therefore, it is recommended that once the starter kit is installed and configured within your environment you should consider extending and personalizing it to fit your organization’s requirements as defined by CoE.
With each passing day, the boundaries between business and IT are blurring at an accelerated rate. Business users, in many cases without formal programming experience, but with the help of low-code/no-code platforms, are building applications with increasing frequency. This growth can have an impact on organizations – both positive and negative. In the absence of proper governance, this can lead to a large number of unmonitored applications operating across an organization, potentially compromising data, security, risk, and compliance. Solid governance serves as a firm foundation to enable a safe and secure backbone for the digital journey, and to drive innovation and improvement.
[Busi18] Business Wire (2018, January 16). $27.2 Billion Global Low-Code Development Platform Market 2017-2022 by Component, Deployment Mode, Organization Size, and Vertical. Retrieved from: https://www.businesswire.com/news/home/20180116006370/en/27.2-Billion-Global-Low-Code-Development-Platform-Market
[Forr20] Forrester (2020). The Total Economic Impact™ of Power Apps. Forrester TEI Report | Microsoft Power Apps. Retrieved from: https://info.microsoft.com/ww-Landing-Power-Apps-Forrester-TEI-Report.html
[Gart21] Gartner (2021, February 16). Gartner Forecasts Worldwide Low-Code Development Technologies Market to Grow 23% in 2021. Retrieved from: https://www.gartner.com/en/newsroom/press-releases/2021-02-15-gartner-forecasts-worldwide-low-code-development-technologies-market-to-grow-23-percent-in-2021
[IDC22] IDC FutureScape (2022). IDC FutureScape: Worldwide IT Industry 2020 Predictions. Retrieved from: https://www.idc.com/research/viewtoc.jsp?containerId=US45599219
[LaBe20] LaBerge, L. et al. (2020, October 5). How COVID-19 has pushed companies over the technology tipping point – and transformed business forever. McKinsey. Retrieved from: https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever
[Mora19] Moran, D. (2019, October 30). Establishing an Environment Strategy for Microsoft Power Platform. Microsoft. Retrieved from: https://powerapps.microsoft.com/en-au/blog/establishing-an-environment-strategy-for-microsoft-power-platform/
[Pich19] Pichler, M. (2019, December 19). Update to the Power Apps and Power Automate Administration and Governance Whitepaper is now available. Microsoft. Retrieved from: https://powerapps.microsoft.com/en-us/blog/update-to-the-power-apps-and-power-automate-administration-and-governance-whitepaper-is-now-available/
[Wong21] Wong, J. et al. (2021, September 20). Magic Quadrant for Enterprise Low-Code Application Platforms. Gartner. Retrieved from: https://www.gartner.com/doc/reprints?id=1-275QSBDL&ct=210813&st=sb