Blog - Rencore

How to prevent the next Microsoft Power Apps data leak from happening

Written by Matthias Einig | Aug 25, 2021 2:49:03 PM

The seemingly age-old debate of online versus on-premises was a contentious topic throughout the last decade. And that discussion is still ongoing today.

It is about being best equipped to mitigate the risks of the platform you are on. Regardless of where that platform is hosted, there will always be a level of risk to mitigate. The difference today is there are now more robust solutions to help fill the gaps and manage the pain points of cloud data handling.

However, some organizations are not reacting quickly enough to ensure adequate operational cloud governance is in place. Users must have every opportunity to achieve their business goals, while the platform must remain operational and correctly configured at all times.

Low-code platforms like Power Apps attract less experienced power users with less understanding of the implications of their actions. Ultimately, this lack of process and governance in many organizations will eventually result in misconfigurations and suboptimal security settings which can introduce severe data security risks.

Yet another data leak incident

Let’s investigate the latest security breach concerning a Microsoft Power Apps data leak, and the importance of having dynamic, real-time Microsoft 365 governance.

According to Wired.com, over a thousand apps created using Power Apps unknowingly exposed 38 million records publicly across the internet. This exposure potentially affected multiple companies across multiple sectors, including apps created by Microsoft employees.

Furthermore, UpGuard gives a little more information on how this breach could have happened. When a developer or power user creates an app using Power Apps, the goal is usually to allow users to share information or retrieve data through this app. A portal app might require public access to serve its purpose. Examples include Covid-19 related apps for contact tracing or booking vaccination appointments, as well as common business use cases like applying for a job at the company. The information collected can be anything personal, such as name, email, social security number, or even the location of the user when filling in a form in the app. Even when the app itself is public, the personal information of those using the service should remain private.

If the security of such an app is lacking, standard APIs can easily retrieve this information. In fact, UpGuard explains:

Product documentation for Power Apps describes the conditions under which OData APIs can be made publicly accessible, and the main Power Apps marketing page lists the ability to access “your data either anonymously or through commercial authentication” as one of the top features.

It would appear that many overlooked the documentation on configuring the labeling of sensitive information.

Although the documentation details the configuration, one could argue that the importance of such information should be far more explicit to the user. After all, Power Platform is also meant to be used by those without a traditional developer background. It doesn’t make sense to prohibit no-code and low-code platforms, as that goes against the need to address business problems efficiently and quickly.

The solution? Effectively manage them!

After some initial reluctance to consider this a problem, as it worked as designed, Microsoft has now reacted to the potential security issue by ensuring that newly created Power Apps portals will have table permissions enabled by default and can be managed in the Power Apps portal admin center. They also released a free Portal Checker app to detect lists that allow anonymous access. But the underlying problem remains: Power Apps makers can still enable anonymous access without fully understanding the consequences. Furthermore, the constantly changing and expanding capabilities and APIs of the Microsoft 365 product suite, together with the rapidly increasing adoption of those possibilities by business users, make it impossible for IT administrators to stay on top of everything manually.
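One way to express such a check, as an added example that is not part of the original post and is neither Microsoft nor Rencore code: it audits a constructed inventory of portal lists, assuming a list's OData feed is anonymously readable when table permissions are off or when they grant read access to anonymous users. The field names and sample records are hypothetical.

```python
import json

# Constructed sample inventory of portal lists. Field names are hypothetical
# and do not mirror any real export schema.
SAMPLE_INVENTORY = json.loads("""[
 {"portal": "careers", "list": "Job applications", "odata_feed": true,
  "table_permissions": false, "anonymous_read": false, "sensitive": ["email", "ssn"]},
 {"portal": "events", "list": "Public calendar", "odata_feed": true,
  "table_permissions": true, "anonymous_read": true, "sensitive": []},
 {"portal": "vaccination", "list": "Appointments", "odata_feed": true,
  "table_permissions": true, "anonymous_read": true, "sensitive": ["name", "email"]},
 {"portal": "intranet", "list": "Office locations", "odata_feed": true,
  "table_permissions": false, "anonymous_read": false, "sensitive": []},
 {"portal": "support", "list": "Tickets", "odata_feed": true,
  "table_permissions": true, "anonymous_read": false, "sensitive": ["email"]},
 {"portal": "hr", "list": "Draft postings", "odata_feed": false,
  "table_permissions": false, "anonymous_read": false, "sensitive": ["salary"]}
]""")

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}


def classify(entry):
    """Return (severity, reason) for one list record."""
    has_pii = bool(entry["sensitive"])
    if not entry["odata_feed"]:
        return "ok", "no OData feed is published for this list"
    if not entry["table_permissions"]:
        # Nothing gates the feed, so the anonymous_read flag is moot here.
        return ("critical" if has_pii else "high",
                "OData feed is on while table permissions are off")
    if entry["anonymous_read"]:
        return ("high" if has_pii else "review",
                "table permissions grant read access to anonymous users")
    return "ok", "feed is restricted to authenticated roles"


def audit(inventory):
    """Return non-compliant lists, most severe first (stable within a level)."""
    findings = []
    for entry in inventory:
        severity, reason = classify(entry)
        if severity != "ok":
            findings.append({"portal": entry["portal"], "list": entry["list"],
                             "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("{severity:8} {portal}/{list}: {reason}".format(**finding))
```

A list that is intentionally public, such as an event calendar, lands in the "review" level so that an owner confirms the exposure rather than having it silently accepted.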

A cloud-first approach needs a cloud-first strategy. Microsoft cloud governance must mirror the modern needs of the business user it seeks to govern. Organizations must not only train their power users but also implement operational Microsoft 365 governance with tools like Rencore Governance.

Automated Power Platform Governance

Effective and dynamic governance tools help you stay in control. Not only do they report on created apps but also check them against policies in real-time. Automating actions around these policy violations significantly speeds up the resolution. In combination, this actively prevents security incidents such as this latest Microsoft Power Apps data leak from happening.

With Rencore Governance, IT departments can centrally control many Microsoft 365 services including Power Apps, Power Automate, Teams, SharePoint, OneDrive, Azure Active Directory as well as Microsoft 365 Users, Groups, and Licenses.

As a first step, the tool collects and continuously updates data from all connected services. The historic changes on record then make it possible to identify trends and report on usage, adoption, and costs. Administrators can navigate the components through their relations to identify, for example, Power Apps belonging to disabled user accounts.

Rencore Governance provides the ability to build custom checks on any type of retrieved object and its related data. This allows customers to implement governance policies that automatically identify violations of their organization’s compliance rules.

Knowing what parts of the service are not compliant is the first step. However, increasing adoption and hence growth is making it impossible to stay on top of everything manually. Rencore offers built-in automations that enable organizations to handle policy violations in a scalable way. By involving the end-users and integrating with other systems, most issues are resolved with minimal manual interaction.

Over to you

This latest Microsoft Power Apps data leak clearly shows that governance for Microsoft 365 services is still mostly an afterthought. However, Power Apps is just one service in Microsoft’s steadily growing suite of cloud collaboration tools that empowers end users. With adoption increasing, governance becomes even more complex – and critical at the same time.

Incidents like these can (and probably will) happen again anytime, anywhere. It is high time to put in place a governance plan that acknowledges this fact and does not exist only on paper. And it does not stop with Microsoft 365 either. The best governance plans cover all services and technology and seamlessly integrate into the broader organizational Governance, Risk management, and Compliance (GRC) approach.
