Many organizations want to enable Power Automate aka Microsoft Flow for their users. But before they do, they need an answer to one question: how do we ensure that Power Automate (Flow) won’t expose our organization and its data to risks?
Automation for the masses
Power Automate (Flow) is a powerful productivity tool available as a part of Office 365. In the hands of a skilled person, it is an invaluable asset that helps you to automate time-consuming and routine tasks, saving you precious time and allowing you to focus on your job.
Using Power Automate (Flow) connectors, you can stitch multiple services together to build powerful automation workflows. Some connectors are tied to specific services like Outlook, Planner or Trello, and some are more generic, allowing you to call an API or connect to a database of your choosing.
What’s truly empowering about Power Automate (Flow) is that every person with access to Power Automate (Flow) can start automating their work right away, without setting up projects, getting budgets or approvals. But it’s exactly because users can do anything they want that it makes organizations hesitant to give them access to Power Automate (Flow). They’re afraid that the organization and its data might get exposed to risks they can’t control. Are they right?
How admins can control Power Automate (Flow)
There is no doubt that Power Automate (Flow) is a tool for business users – non-developers who have the know-how to simplify their daily work. But Power Automate (Flow) also has great potential in large organizations, where the IT has limited budgets, resources, and many processes in place. Power Automate (Flow) administrators have a number of tools at their disposal to manage Flows in their organization.
View all Flows
First of all, Power Automate (Flow) administrators can see all environments in their organization. For each environment, they can see all flows. For each flow, they can see who created it and when and what connectors the flow uses.
Properties of a Flow displayed in the Flow admin center
Configure data loss prevention policies
Another security capability that Flow admins have at their disposal is data loss prevention (DLP) policies. Using DLP, admins can divide connectors into two groups: those that have access to business data and those that don’t. When the DLP policy is applied, users won’t be able to build flows with connectors from two different groups.
It doesn’t seem like much and despite a great opportunity, it leaves organizations hesitating if they will be able to successfully manage Power Automate (Flow) in their organization.
Setting the ‘No business data allowed’ data group in the data loss prevention policy in Power Automate (Flow)
What admins can’t do
Security-aware organizations want to be able to understand how their users work with Power Automate (Flow) and where the organization’s data is going to. Unfortunately, there are some limitations that prevent them from managing Power Automate (Flow) effectively.
See inside the flow
While admins can get some information about every flow in their organization, they can’t see the flow itself. They can see that a flow is making an HTTP call but they can’t see to what. They can see that a flow connects to a database, but they can’t see to which database. They also can’t see if there are any credentials stored in plain-text that could be exposed to others when sharing or exporting the flow.
Include custom connectors in DLP policies
Organizations can increase their benefit of using Power Automate (Flow) by building custom connectors that will allow users to connect to line of business applications. Unfortunately, at this moment, you can’t change this.
Custom connectors get assigned to the default group
The risks of using Power Automate (Flow)
Like with every custom solution, there are certain risks involved when using it. This isn’t necessarily bad as long as you understand the risk and its impact so you can make an educated choice if you want to accept or mitigate it.
Power Automate (Flow) makes it extremely easy to connect multiple different services together and exchange the data between them. In fact, it’s so simple, that users don’t need to worry about complexities such as authentication and with just a couple of clicks, they can access data inside and outside their organization.
But this makes it all too easy for users to store an email attachment in a Trello board or a Dropbox account for convenient access. They don’t mean harm and just want to get their job done as quickly as possible. However, they’re not always keeping in mind the consequences for them and their organization.
More tech-savvy users can use Power Automate (Flow) to securely connect to enterprise applications protected with Azure Active Directory. To authenticate, they will implement OAuth storing credentials in plain-text in a variable inside the flow. But if they share the flow with others, export it or submit it as a template, these credentials will become visible to others.
Power Automate (Flow) – better together
There is a huge opportunity for organizations to automate some of their mundane work with Microsoft Flow. With careful planning and right consideration, Flow will deliver on its promise without exposing the organization to any unnecessary risks.
Right now, Microsoft Flow offers rudimentary controls for data loss prevention. But disabling connectors that you can’t control, such as HTTP action, will only backfire. In the end, users will find a different way of doing what they want, perhaps even one outside of your control which in the end is even worse.
So instead, you could consider discovering Flows that use risky activities and start a conversation with their owners about the possible risks. Together, you could decide to assess the contents of the flow and verify that it doesn’t pose any risks to your organization or its data. It sounds more tedious, but it’s an acceptable middle ground between allowing users to do anything and disabling everything.
One day, Power Automate (Flow) will get very popular in your organization, so whatever process you choose to assess flows, keep in mind that it should scale to stay seamless and timely with the latest developments in your organization.
At Rencore, we have a new governance tool which, among many things, includes detection of flows. Rencore Governance allows you to choose what you want to track, build relevant reports, and automate with your business processes in mind. If you would like to learn more about Rencore Governance and see it in action, please head to the Rencore Governance product page by clicking the button below.