Employee Rewards Automation: A Case Study of Exposed PII in Power Automate

Background & Context

In recent years, companies have been looking for ways to streamline their HR processes and make them more efficient. It has also become practically feasible for business users such as HR professionals to create their own solutions, thanks to the wave of citizen development that is exploding worldwide. Huge market players perceive this as a growth area and are heavily investing in providing solutions and platforms that enable business users to build what they need, when they need it.

In this article we discuss an example of how business users have harnessed Microsoft’s Power Platform for one of their financial processes – and the consequences of doing so without the right security tooling and procedures.

Our story begins with one of our largest customers, an F500 company that wanted to automate its employee rewards funnel, a manual and complex process involving numerous departments and a tedious approval process. They embarked on a journey to replace spreadsheets and manual work with automation. They wanted to make their work easier and more efficient by employing technology and tools that were once solely reserved for software developers. It’s a perfect example of citizen development in action.

What was built?

The HR team needed a solution for the tedious employee rewards program, based on emails and approval forms. They knew that when it came to Low-Code Automation, the company was already using Power Platform across the business for various use cases, so the solution seemed obvious. They turned to Power Automate. 

The HR team ended up building a very complex flow in Power Automate that pulled and updated data across different data sources in the organization, including SharePoint, Office 365 and OneDrive for Business. In addition, the flow managed the approval process between the different stakeholders in the organization and, once all approvals had been given, logged the rewards transfers for the designated employee.

The purpose was to automate employee payouts, allowing the company to quickly and efficiently reward employees for their hard work.  The idea was innovation at its best. However, as the flow was implemented, it quickly became clear that there were major flaws in the system.

What was the problem?

In the process of managing all the transactions, the flow also logged them in plain text – including highly sensitive data. PII such as bank account details was exposed to anyone with access to the flow, whether or not they were authorized to see it. In this case, the entire HR department, meaning dozens and dozens of users including guest users (third-party vendors), had access to thousands of employees’ bank account details.

Let’s dwell for a minute on the company’s exposure, because it bears reflection. Thousands of employees’ private bank account details were exposed in plain text and left up for grabs by any malicious user who happened to come across them or sought them out. In addition, the company’s own bank account details were exposed.

In the standard SDLC (Software Development Life Cycle), this type of development, which revolves around sensitive data, would have been tested inside and out for security issues using industry standard tools and technologies such as vulnerability scanners, code scanners (SAST, DAST), secret scanners and other methods. Ultimately this type of data would have either been masked or not generated at all. Professional development cycles are designed to prevent exactly the kinds of vulnerabilities we’re discussing here. 
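As an added illustration of the kind of check such a review would perform (this is example code, not Zenity’s product or the customer’s flow), the script below scans a constructed export of a Power Automate flow definition for actions whose inputs carry sensitive fields without the secure inputs/outputs setting, and produces a hardened copy. Without that setting, an action’s inputs and outputs are visible in the flow’s run history to everyone who can open the flow; the action and field names here are assumed, not from the case study.

```python
import json
import re

# Constructed sample of an exported flow definition (Workflow Definition Language).
# Action names and field names are invented for this example.
FLOW_JSON = r'''{
  "definition": {
    "actions": {
      "Log_reward": {
        "type": "Compose",
        "inputs": "Paying @{triggerBody()['Employee']} to account @{triggerBody()['BankAccount']}"
      },
      "Notify_approver": {
        "type": "Compose",
        "inputs": "Reward for @{triggerBody()['Employee']} approved",
        "runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}
      },
      "Archive_ssn": {
        "type": "Compose",
        "inputs": "@{triggerBody()['SSN']}"
      }
    }
  }
}'''

# Field names treated as sensitive (assumed list; extend it for your own data model).
SENSITIVE_FIELDS = re.compile(r"\['(BankAccount|IBAN|SSN|CreditCard)'\]")

def load_flow(text: str = FLOW_JSON) -> dict:
    return json.loads(text)

def has_secure_data(action: dict) -> bool:
    """True when the action's inputs and outputs are both marked secure (hidden in run history)."""
    props = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
    return "inputs" in props and "outputs" in props

def find_plaintext_pii(flow: dict) -> list:
    """Return (action_name, fields) for every action that receives a sensitive
    field in its inputs while its inputs/outputs are not marked secure."""
    findings = []
    for name, action in flow["definition"]["actions"].items():
        fields = SENSITIVE_FIELDS.findall(json.dumps(action.get("inputs", "")))
        if fields and not has_secure_data(action):
            findings.append((name, sorted(set(fields))))
    return findings

def harden(flow: dict) -> dict:
    """Deep-copy the flow and enable secure inputs/outputs on every flagged action."""
    fixed = json.loads(json.dumps(flow))
    for name, _ in find_plaintext_pii(flow):
        fixed["definition"]["actions"][name]["runtimeConfiguration"] = {
            "secureData": {"properties": ["inputs", "outputs"]}}
    return fixed
```

Securing inputs and outputs only hides the values from run history; data the flow deliberately writes to SharePoint or OneDrive still needs masking or encryption at the destination, as the case study describes.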

In this new low-code/no-code paradigm, by contrast, this flow went from ideation to deployment in mere weeks without any security review. This was due both to the lack of tools, technologies and processes for low-code/no-code security and to the lack of security awareness among business users.

Keep in mind that the people who built the flow are entirely well-intentioned employees from the HR department who lack proper security training, sensitivity and know-how. Low-Code/No-Code puts the ‘Keys to the Kingdom’ in the hands of citizen developers, and organizations can’t expect them to become security-savvy on top of doing what they do best.

It’s the responsibility of the organization to guide and steer their business professionals in the right direction with proper tooling and guardrails to make sure critical mistakes are handled properly and/or are not repeated. 

This example shows the critical importance of ensuring such tools and guardrails are in place; this was not only a security issue but a compliance one as well. It also posed a significant risk to the company’s reputation had it become publicly known.

How did Zenity help?

Once integrated, Zenity quickly scanned the customer’s environments and found all instances where sensitive data, especially PII, was stored in plain text and left accessible. Now, with these new pinpoint findings the company, along with the Zenity team, quickly took steps to rectify the situation. The result was an upgraded flow that was designed to be much more secure, and now protects and encrypts sensitive information. 

In terms of visibility, through Zenity the customer found all apps and flows exposing PII. This turned out to be a powerful security boost for the organization, as there were many apps and flows built this way in production environments. Is visibility enough to understand the scope of exposed PII in Power Automate?

The answer is clearly ‘No.’ In addition to visibility, the security team needed context to address the real and pressing risk.    

How can application security teams get context for existing risks in Power Platform?

Zenity is built to provide deep insights in these types of situations to allow customers to understand the greater picture around the risk.

What type of context helped the security team understand the scope of the issue and address it? (The items below are examples of the context Zenity provides.)

  • Who has access to that sensitive information?
  • When was it exposed? For how long?
  • What data was exposed? Was it a credit card, bank account information, an SSN, etc.?

In this case, the customer was easily able to understand the scope of the risk through Zenity and engage with the AppSec team to address the issue swiftly.

They established a process for the Application Security team, using Zenity, to review all instances of exposed sensitive data and, through the context Zenity provides, remediate the issues. This takes place both at the flow configuration level, which involves the Power Platform team, and at the business user level, where security education is provided to increase risk awareness.

The company’s rewards automation is now running smoothly, and employees can rest assured that their information is safe and secure knowing that Zenity continuously scans and identifies misuse of sensitive information. 

Zenity: A broader view into Low-Code/No-Code security

Low-Code/No-Code platforms are leading the way, enabling business users to harness capabilities they never had before. While this is great for the business, as we see in the example explored in this article, if left unchecked it can lead to major security and compliance issues.

Zenity is the first security governance platform for Low-Code/No-Code development, guiding Application security teams on security best practices, providing guardrails for administration, surfacing security risks and providing comprehensive knowledge both for AppSec teams and Business users.  

Zenity brings the existing application security world into the untapped world of low-code/no-code and helps AppSec teams with numerous use cases, such as exposed hard-coded secrets, data leaks, insecure communication and many more.

Zenity is a full-fledged platform that goes beyond visibility and risk assessment. At any given moment Zenity users can apply ad-hoc fixes through Zenity or establish automatic playbooks to act on their behalf 24/7. 

In the example we’ve explored here, the AppSec team was able to harness the remediation power Zenity provides to easily:

  1. Stop all leaking flows
  2. Restrict them to authorized personnel only
  3. Encrypt all sensitive data
  4. Contact the business users and let them know what happened

What’s next?

In the upcoming months we’re going to continue sharing case studies from customer experiences of how Zenity helped huge organizations in different market segments (Finance, Healthcare, etc.) understand their “new” security posture now that Low-Code/No-Code platforms have been introduced into the mix.

This F500 company’s experience with Power Automate serves as a valuable lesson for all companies looking at Low-Code/No-Code platforms to automate their processes. While business-led automation can bring many benefits, it’s absolutely vital to be mindful of the security implications and impact it can have – and to take steps to make sure the company, its users and its employees are protected.
