Many organizations want to enable Microsoft Flow for their users. But before they do, they need an answer to one question: how do we ensure that Flow won’t expose our organization and its data to risks?
Automation for the masses
Microsoft Flow is a powerful productivity tool available as a part of Office 365. In the hands of a skilled person, it is an invaluable asset that helps you to automate time-consuming and routine tasks, saving you precious time and allowing you to focus on your job.
Using Microsoft Flow connectors, you can stitch multiple services together to build powerful automation workflows. Some connectors are tied to specific services like Outlook, Planner or Trello, and some are more generic, allowing you to call an API or connect to a database of your choosing.
What’s truly empowering about Microsoft Flow is that every person with access to Flow can start automating their work right away, without setting up projects, getting budgets or approvals. But it’s exactly because users can do anything they want that it makes organizations hesitant to give them access to Microsoft Flow. They’re afraid that the organization and its data might get exposed to risks they can’t control. Are they right?
How admins can control Microsoft Flow
There is no doubt that Microsoft Flow is a tool for business users – non-developers who have the know-how to simplify their daily work. But Microsoft Flow also has great potential in large organizations, where IT has limited budgets and resources and many processes in place. Flow administrators have a number of tools at their disposal to manage Flows in their organization.
View all Flows
First of all, Flow administrators can see all Flow environments in their organization. For each environment, they can see all Flows. For each Flow, they can see who created it, when it was created, and which connectors it uses.
Properties of a Flow displayed in the Flow admin center
Configure data loss prevention policies
Another security capability that Flow admins have at their disposal is data loss prevention (DLP) policies. Using DLP, admins can divide connectors into two groups: those that have access to business data and those that don’t. When the DLP policy is applied, users won’t be able to build Flows with connectors from two different groups.
These controls don’t seem like much. Despite the great opportunity that Flow offers, they leave organizations wondering whether they will be able to manage Flow successfully.
Setting the ‘No business data allowed’ data group in the data loss prevention policy in Microsoft Flow
What admins can’t do
Security-aware organizations want to understand how their users work with Flow and where the organization’s data is going. Unfortunately, there are some limitations that prevent them from managing Flow effectively.
See inside the Flow
While admins can get some information about every Flow in their organization, they can’t see the Flow itself. They can see that a Flow is making an HTTP call but they can’t see to what. They can see that a Flow connects to a database, but they can’t see to which database. They also can’t see if there are any credentials stored in plain-text that could be exposed to others when sharing or exporting the Flow.
Include custom connectors in DLP policies
Organizations can get more out of Flow by building custom connectors that allow users to connect to line-of-business applications. Unfortunately, custom connectors get assigned to the default group in a DLP policy and, at this moment, you can’t change this.
Custom connectors get assigned to the default group
The risks of using Flow
As with every custom solution, using Flow involves certain risks. This isn’t necessarily bad, as long as you understand each risk and its impact so you can make an educated choice whether to accept or mitigate it.
Flow makes it extremely easy to connect multiple services together and exchange data between them. In fact, it’s so simple that users don’t need to worry about complexities such as authentication, and with just a couple of clicks they can access data inside and outside their organization.
But this makes it all too easy for users to store an email attachment in a Trello board or a Dropbox account for convenient access. They don’t mean harm and just want to get their job done as quickly as possible. However, they’re not always keeping in mind the consequences for them and their organization.
More tech-savvy users can use Flow to securely connect to enterprise applications protected with Azure Active Directory. To authenticate, they will implement OAuth, storing credentials in plain text in a variable inside the Flow. But if they share the Flow with others, export it or submit it as a template, these credentials will become visible to others.
Microsoft Flow – better together
There is a huge opportunity for organizations to automate some of their mundane work with Microsoft Flow. With careful planning and the right consideration, Flow will deliver on its promise without exposing the organization to any unnecessary risks.
Right now, Microsoft Flow offers rudimentary controls for data loss prevention. But disabling connectors that you can’t control, such as the HTTP action, will only backfire. In the end, users will find a different way of doing what they want, perhaps even one outside of your control, which in the end is even worse.
So instead, you could consider discovering Flows that use risky activities and start a conversation with their owners about the possible risks. Together, you could decide to assess the contents of the flow and verify that it doesn’t pose any risks to your organization or its data. It sounds more tedious, but it’s an acceptable middle ground between allowing users to do anything and disabling everything.
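One way to carry out the assessment described above, once an owner has exported their Flow for review, and to catch the plain-text credentials mentioned under the risks of using Flow. This is an added example, not part of the original article and not Rencore or Microsoft tooling: it walks an exported Flow definition and lists every HTTP action with its target host and every variable that holds a literal credential. The JSON layout (Logic Apps-style `actions` with `Http` and `InitializeVariable` types), the sample data and the credential name patterns are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample; assumes the Logic Apps-style layout of an exported Flow definition.
SAMPLE = json.loads("""
{"properties": {"definition": {"actions": {
  "Initialize_clientSecret": {"type": "InitializeVariable", "inputs": {"variables": [
    {"name": "clientSecret", "type": "String", "value": "EXAMPLE-NOT-A-REAL-SECRET"}]}},
  "Initialize_counter": {"type": "InitializeVariable", "inputs": {"variables": [
    {"name": "counter", "type": "Integer", "value": 0}]}},
  "Scope_sync": {"type": "Scope", "actions": {
    "Call_LOB_API": {"type": "Http", "inputs": {
      "method": "POST", "uri": "https://lob.example.com/api/orders"}}}}
}}}}
""")

# Assumed naming patterns for variables that are likely to hold credentials.
SECRET_NAME = re.compile(r"secret|password|pwd|token|api[_-]?key", re.I)


def walk_actions(node):
    """Yield (name, action) for every action, including those nested in scopes or branches."""
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        if key == "actions" and isinstance(value, dict):
            for name, action in value.items():
                if isinstance(action, dict):
                    yield name, action
                    yield from walk_actions(action)
        else:
            yield from walk_actions(value)


def review(definition):
    """Return (finding, action name, detail) tuples; secret values are never echoed."""
    findings = []
    for name, action in walk_actions(definition):
        inputs = action.get("inputs") or {}
        if action.get("type") == "Http":
            # A literal URI shows where data goes; an expression (@...) needs a manual look.
            host = urlparse(str(inputs.get("uri", ""))).hostname or "<dynamic>"
            findings.append(("http-call", name, host))
        elif action.get("type") == "InitializeVariable":
            for var in inputs.get("variables", []):
                value = var.get("value")
                literal = isinstance(value, str) and value and not value.startswith("@")
                if literal and SECRET_NAME.search(var.get("name", "")):
                    findings.append(("plaintext-credential", name, var["name"]))
    return findings
```

Calling `review()` on the parsed JSON of an exported Flow gives a short list to discuss with the Flow's owner; a `<dynamic>` host means the URI is built at run time and has to be traced by hand.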
One day, Flow will get very popular in your organization, so whatever process you choose to assess Flows, keep in mind that it should scale to stay seamless and timely with the latest developments in your organization.
At Rencore, we offer a free Health Check App which, among many things, includes detection of Flows. Once the automated discovery is completed, you’ll receive a report on a limited number of vulnerabilities. It’s a great place to start discovering and understanding Flows.