
We have already written about the advantages, possibilities and wide application of the Mendix platform in our previous articles. This time, let’s examine the practical aspects of its implementation. Will Mendix function effectively in an enterprise environment, particularly in the context of security requirements?

When implementing a new technology, you always ask yourself the following question: will this platform meet the specific needs of my organization? In the case of IT security, the answer is not always obvious, especially since the requirements can differ significantly depending on the sector, process structure or internal rules. Additionally, there are legal regulations and guidelines from supervisory authorities that also impact the security requirements and the manner in which data is processed.

To answer this question, you first need to consider the precise security requirements in this scenario. In large organizations, IT security is treated as a priority and questions such as “will the application process personal data?”, “will the data be stored locally or in the cloud?”, “what access control mechanisms are available?”, or “does the application allow the use of 2FA or MFA?” are asked constantly. 

However, it is worth separating two issues here: application security (i.e., how a given application was designed and what type of data it processes) and the security of the Mendix platform as a development environment (i.e., mechanisms built into the platform itself, independent of a specific application). 

The Mendix platform was designed with the needs of both small companies and large, international organizations in mind. Therefore, the built-in security mechanisms align with industry best practices. In this article, I’ll take a closer look at what the Mendix platform has to offer in this regard.

Managing access to applications in an organization

In the case of large organizations, one of the first challenges is scale – or more precisely, a large number of potential users operating within a project team. A project team can comprise individuals from various departments, including both technical and business users. Many people, but will everyone play the same role? Obviously not. 

In this case, Mendix Portal comes to our aid, offering functionalities that enable effective management of teams and roles within applications. It includes a built-in module that allows easy team collaboration on applications. Each user has access to the list of applications in which they are assigned as a team member.

Each team has assigned members and specific roles they play in the application. This allows you to easily define who is in the team and what they can do within the app. To become a member of a team working on a specific application, it is necessary to receive an invitation from another user with the appropriate permissions – usually an administrator or a person to whom the administrator has granted the ability to manage the team. Invitations are visible in the Mendix Portal, at the top of the interface, and can be accepted or rejected.

Team and role management in Mendix is designed for large organizations where collaboration, security, and access control are key considerations. With the Mendix Portal, each user can easily navigate the team structure and perform their tasks within the application effectively.

Team Permissions

Who is a team member? Any person, whether inside or outside the organization, who has been assigned permissions to a specific application. The role of a team member is not limited to technical functions – it includes developers, analysts, Scrum Masters, testers, business users, and people responsible for operations.

This wide scope enables the flexible formation of project teams that meet both the business and technical needs of the project.

User roles are assigned by the administrator or another user who has the permissions to do so. The end user can have one or more user roles. These are predefined, but this does not mean that a user cannot be assigned another role. Predefined roles take into account several important factors, including who can edit the current Sprint and backlog, who can edit the application version, and who can change application settings, among others.

The administrator manages all permissions from the Mendix Portal > Control Center screen, where they can add existing roles or create new ones. Only users assigned to the team and with the appropriate roles have access to the application.

Interestingly, a team member can only invite another person with the same or lower permissions than themselves; only the administrator can invite and assign any role, so nobody can escalate their own privileges by way of an invitation. A team member in Mendix is any user with assigned roles in the application, regardless of their specialization. Thanks to precisely defined roles and a flexible management system, Mendix enables you to build teams that match the project’s real requirements. Proper management of user roles is key to security, transparency and effective work in the Mendix ecosystem.

Technical contact

In every application implemented on the Mendix platform, the technical contact plays a crucial role. It is a designated person responsible for technical support and communication on matters related to a given application, both with users and with teams responsible for the infrastructure. Their task is to answer users’ questions about the application’s operation, cooperate with the development and operations teams, and represent the application in interactions with Mendix Support or the platform’s administration.

It is recommended that this person holds the Scrum Master role, because they are the contact for all users and must be able to act on the application with the same permissions as the other Scrum Masters. The technical contact often becomes the main point of contact for all users, both internal and external.

The technical contact is set in the Mendix Portal, under the Environments section, in the Permissions tab. Their responsibilities include not only application support but also monitoring the stability of the application and infrastructure, such as Mendix Cloud or another implementation platform.

In the case where the organization uses Mendix Cloud, the technical contact will receive notifications about planned work on the application. They will also have access to the alert and monitoring configuration from the cloud platform and will be able to receive notifications and alerts in the event of high CPU load, running out of disk space, and many other parameters. This person will also be able to scale environments according to the organization’s needs, add new ones, or modify existing ones. Sounds practical?

Password policy and authentication (2FA/MFA)

Mendix offers a range of settings that can be tailored to your needs, and the password policy is one of them. You can enforce a minimum password length and require letters, digits, special characters and a mix of upper- and lowercase letters. These settings cover most organizational password policies. One caveat a security team should keep in mind: current guidance (for example NIST SP 800-63B) favours long passphrases and screening new passwords against lists of known breached passwords over strict composition rules, so treat the complexity settings as a baseline and add such screening where the regulator or the internal policy calls for it.

However, these days a login and password alone are not enough, given the number of threats on the Internet. Here, Mendix also meets expectations by supporting two-factor authentication (2FA) and multi-factor authentication (MFA), which raise the bar for an attacker by demanding additional proof of identity beyond the password. How far they raise it depends on the factors used rather than on the label: a password plus a hardware key or an authenticator app resists phishing far better than a password plus an SMS code.

2FA is simply MFA with exactly two factors, for example something the user knows (a password) and something the user has (a device that receives an SMS or email code, or that runs an authenticator app). MFA in general requires at least two factors and can add more, including something the user is (Touch ID or Face ID biometrics). Signals such as location or device posture are often used alongside these factors for adaptive access decisions, which adds flexibility, but they are context, not proof of identity. Note also that SMS and email codes are the weakest options listed here: they can be intercepted (SIM swapping, mailbox compromise) and phished in real time, which is why NIST SP 800-63B classes SMS delivery as a restricted authenticator.

The Mendix platform supports the common authentication methods, including SMS and email codes and authenticator apps such as Google Authenticator and Microsoft Authenticator, although the authenticator apps require additional configuration: 

  • Google Authenticator can be supported by Mendix through the Multi-factor Authentication For Mendix (MFA/2FA) module available in the Mendix Marketplace. You can configure the generation of QR codes that the user scans in the Google Authenticator application, and the Mendix application verifies TOTP (Time-based One-Time Password). 
  • Microsoft Authenticator works the same way for TOTP, but it is more commonly used through Azure AD (now Microsoft Entra ID), where MFA is enforced on the Microsoft side and the Mendix application delegates the login via single sign-on (SSO) over SAML 2.0 or OpenID Connect (OIDC). Mendix supports both protocols through Marketplace modules; OIDC is built on top of OAuth 2.0, and an on-premises Active Directory (AD) can also be integrated. Inside the application, the identity delivered by the identity provider is mapped to Mendix user roles, so the platform’s Role-Based Access Control (RBAC) still governs what the user can do. 
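To make concrete what the authenticator-app option actually involves, here is an added example (mine, not the Marketplace module’s code, which is Java inside the Mendix runtime): the otpauth:// enrolment URI that the QR code encodes, the RFC 6238 time-based code that an app such as Google or Microsoft Authenticator derives from the shared secret, and a server-side check that tolerates clock drift, compares in constant time and refuses replay of a code that has already been accepted. The account name and issuer are made up; the secret in the `__main__` block is freshly generated.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def new_secret(length: int = 20) -> bytes:
    """Random shared secret; 20 bytes (160 bits) is the size TOTP apps expect for HMAC-SHA1."""
    return secrets.token_bytes(length)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step (30 s by default)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str, step: int = 30, digits: int = 6) -> str:
    """The otpauth:// URI the enrolment QR code encodes (Key Uri Format read by Google/Microsoft Authenticator)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step}
    )
    return f"otpauth://totp/{label}?{query}"


def verify_totp(secret: bytes, code: str, at=None, window: int = 1, step: int = 30,
                digits: int = 6, last_counter=None):
    """Server-side check. Returns the matching counter (persist it per user) or None.

    - accepts +/- `window` steps of clock drift between the phone and the server,
    - compares in constant time,
    - rejects any counter <= last_counter, so a code that was already accepted
      (or sniffed and replayed within the same 30 s) cannot be used twice.
    """
    if not (isinstance(code, str) and len(code) == digits and all(c in "0123456789" for c in code)):
        return None
    at = time.time() if at is None else at
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed enrolment for a fictitious user; a real app stores the secret encrypted per user.
    secret = new_secret()
    print(provisioning_uri(secret, "jdoe@example.com", "MyMendixApp"))
    code = totp(secret)
    print("current code:", code, "-> accepted counter:", verify_totp(secret, code))
```

The value returned by `verify_totp` is the counter that matched; storing it per user and passing it back as `last_counter` on the next login is what turns a one-time password into one that is actually one-time. The RFC 6238 test vectors (secret `12345678901234567890`, code `287082` at t=59) are a convenient self-check for any implementation of this kind.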

It’s worth noting that OpenID Connect is an officially supported authentication mechanism in Mendix (an identity layer on top of OAuth 2.0) and can be used with popular identity providers such as Azure AD / Microsoft Entra ID, Auth0, Okta, Google Identity Platform and any other OIDC-compliant provider. The OpenID Connect module is, of course, available in the Mendix Marketplace.
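Delegating the login to Azure AD / Entra ID, Okta or Auth0 moves the MFA decision to the identity provider, but it leaves the relying party with a set of checks it must never skip on the ID token it receives. The following added example (illustrative Python written for this article, not the Mendix OpenID Connect module’s code) performs the checks OpenID Connect Core 1.0, section 3.1.3.7, requires: signature under a pinned algorithm, iss, aud/azp, exp, iat and nonce. It signs with HS256 and a constructed client secret so it runs offline; a real IdP signs with RS256 and the verifier fetches the public key from the provider’s JWKS endpoint. The issuer URL, client id, subject and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


class IdTokenError(ValueError):
    """Raised when the ID token fails any relying-party check."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise IdTokenError("malformed base64url segment") from exc


def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """Stand-in for the identity provider: an HS256-signed JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(client_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker sends to a verifier that trusts the token's own alg header: alg=none, empty signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def validate_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                      nonce: str, now=None, leeway: int = 60) -> dict:
    """Relying-party checks from OpenID Connect Core 1.0, section 3.1.3.7. Returns the claims or raises."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm on our side; the token's own header is attacker-controlled input.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise IdTokenError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp + leeway < now:
        raise IdTokenError("token expired")
    if not isinstance(iat, int) or iat - leeway > now:
        raise IdTokenError("token issued in the future")
    # The nonce ties the token to the login attempt that started this session.
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (replayed or injected token)")
    return claims


def id_token_is_valid(*args, **kwargs) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token(*args, **kwargs)
        return True
    except ValueError:  # IdTokenError and JSON/base64 decoding errors alike
        return False


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    now = int(time.time())
    claims = {"iss": "https://login.example.com/constructed-tenant", "sub": "user-123",
              "aud": "mendix-app-client-id", "exp": now + 300, "iat": now, "nonce": "n-0S6_WzA2Mj"}
    token = mint_id_token(claims, secret)
    print(validate_id_token(token, secret, claims["iss"], claims["aud"], claims["nonce"]))
    print("alg=none accepted?", id_token_is_valid(forge_unsigned_token(claims), secret,
                                                   claims["iss"], claims["aud"], claims["nonce"]))
```

Two of these checks are the ones most often missing in hand-rolled integrations: the pinned algorithm (a verifier that reads `alg` from the token can be talked into accepting `alg=none`, or into verifying an RS256 token as HS256 with the public key as the HMAC secret) and the nonce, which is what stops an attacker from logging a victim into the attacker’s own account with a replayed token.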

Audit, monitoring and event log

One of the key issues that organizations focus on is the ability to monitor what is happening in the application. This is especially useful when diagnosing problems or handling customer requests. In Mendix, information about events and logs can be stored in various locations and formats, depending on the type of event, the current environment configuration, and whether our platform integrates with additional modules or tools. The most commonly used place to store logs is the Mendix Cloud, specifically the Logs tab within the Mendix Portal. Logs are stored there in the form of packages. Additionally, from Studio Pro, you can connect to the application running on the server to display logs in real-time.

If you want to check the operation of a specific element of the application in more detail, you can set a breakpoint at the selected location and debug step by step to see what is happening for a given user at a particular moment.

In the case of using local environments (on-premises), logs are stored in the application log file.

Events are logged in a conventional plain-text format: a log level (e.g., DEBUG, INFO, WARNING, ERROR), a timestamp, the name of the log node (component) and the message itself.

It is also possible to add audit modules such as AuditTrail or JamAuditLog, which let the application record user events such as data changes or logins. The audit records are then stored in the Mendix database as ordinary entities, which can be viewed through pages in the application itself or queried directly with SQL.

If the application utilizes integration, such as a REST API, it is also possible to collect technical logs from both REST and SAP or web services. Such logs are stored in runtime logs, as in the case of regular application operation. They can be searched for using the appropriate prefix.

These are just a few of the ready-made options, and nothing prevents you from extending logging to the organization’s needs. The Mendix Marketplace offers a Logging Module that saves runtime log messages in the database as Mendix entities. You can also configure log forwarding to log management and SIEM tools such as Splunk, Logstash or Azure Monitor and then watch for specific event types through rules or dashboards in those tools, including alerting on security-relevant events and tracking user activity.
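Whether the rule lives in Splunk or in a small script, the ingredient is the same: parse the level, timestamp, log node and message out of each line and count the events you care about per principal within a time window. The added example below (written for this article, not Mendix’s or a Marketplace module’s code) does that for repeated failed logins. The exact line layout and the `Login FAILED: user '...'` wording are assumptions that mirror the structure described above; the sample lines are constructed.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape described above: timestamp, level, log node, message.
# The exact Mendix runtime layout and the "Login FAILED" wording are assumptions for this example.
SAMPLE_LOG_LINES = [
    "2024-03-05 09:14:01.120 INFO - Core: Mendix Runtime started",
    "2024-03-05 09:15:02.004 WARNING - Core: Login FAILED: user 'jdoe' (Wrong password?)",
    "2024-03-05 09:15:14.531 WARNING - Core: Login FAILED: user 'jdoe' (Wrong password?)",
    "2024-03-05 09:15:30.250 WARNING - Core: Login FAILED: user 'asmith' (Wrong password?)",
    "2024-03-05 09:15:41.877 WARNING - Core: Login FAILED: user 'jdoe' (Wrong password?)",
    "2024-03-05 09:16:05.000 INFO - Core: Login OK: user 'jdoe'",
    "this line is not a log record and must be skipped, not crash the rule",
    "2024-03-05 09:20:00.000 WARNING - Core: Login FAILED: user 'jdoe' (Wrong password?)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>TRACE|DEBUG|INFO|WARNING|ERROR|CRITICAL)\s+-\s+"
    r"(?P<node>[A-Za-z0-9_.]+):\s+(?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"Login FAILED: user '(?P<user>[^']+)'")


def parse_line(line: str):
    """Split one runtime log line into its fields; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "level": m.group("level"),
        "node": m.group("node"),
        "msg": m.group("msg"),
    }


def failed_login_bursts(lines, threshold: int = 3, window_seconds: int = 60):
    """Sliding-window rule: alert when one user has >= threshold failed logins within window_seconds.

    Lines are expected in chronological order (as a log file or a forwarder delivers them).
    Each alert consumes the window, so a long brute-force run raises one alert per burst
    rather than one per line.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        hit = FAILED_LOGIN_RE.search(event["msg"])
        if hit is None:
            continue
        user = hit.group("user")
        window = recent[user]
        window.append(event["ts"])
        while (event["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append({
                "rule": "repeated_failed_logins",
                "user": user,
                "count": len(window),
                "first": window[0].isoformat(sep=" "),
                "last": event["ts"].isoformat(sep=" "),
            })
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in failed_login_bursts(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

On the sample, `jdoe` trips the rule with three failures inside 40 seconds while `asmith` and the later single failure do not; the same per-user sliding window, keyed on the source address instead of the user name, is the shape of a password-spraying rule. Whatever the tool, keep the parsing step separate from the rule so that a change in the runtime’s line format breaks one regex rather than every detection.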

Finally, if what Mendix offers is not enough, you can implement your own events and save them as entities.

Log management and data anonymization

Application logs in Mendix Cloud are encrypted in transit and at rest, and they are retained for a limited period, typically 7-30 days. Masking or pseudonymizing what ends up in the logs matters both for sensitive data protection and for compliance with regulations such as GDPR, but the Mendix platform itself has no built-in mechanism for anonymizing application logs. The first line of defence is therefore not to log personal data in the first place: log identifiers rather than names or email addresses, and never log credentials, session tokens or API keys. Beyond that, the Mendix Marketplace offers external modules that support anonymization of data in Mendix applications, including data that reaches the logs.

  • The first module is Data Protection for Mendix (Appronto). It supports anonymization by removing personal data from datasets, pseudonymization (replacing sensitive values with pseudonyms), masking of part of a value such as a fragment of an email address, shuffling of the characters within a value, and, if that is not enough, substitution of sensitive data with constant values. With it you can test and debug on realistic data without the risk of disclosing sensitive information.
  • The second available module is Data Protection Compliance (Nagarro), which allows you to anonymize user data or manage compliance documents by creating, updating and managing data protection policy documents. This lets you ensure compliance with personal data protection regulations in the context of user data management.
  • An additional module related to logging is JamAuditLog, which records all activities within the Mendix application, letting you track user activity and analyze and resolve issues. 
  • There’s also the Logging Module, which stores all application log messages as objects in the database, allowing you to browse and search them via the Mendix Portal.

The abovementioned modules are available on the marketplace.mendix.com website. The selection of the appropriate module depends on the specific needs and requirements of the organization, both in the context of security and compliance with personal data protection regulations.

Flexibility of implementation and Disaster Recovery (DR)

Mendix bases its operation on cloud solutions, but it is not limited to just one technology. By default, the apps you build are based on Mendix Cloud, but the platform supports a wide range of cloud environments, including AWS, Azure and GCP. It can also operate locally or in the organization’s private cloud. Thanks to this, it is possible to adjust the implementation to the internal security policies and operational requirements of a given company.

Mendix also offers Disaster Recovery (DR) functionality, which involves restoring the environment in the event of a failure. The scope and method of DR operation depend on the type of solution implemented. Mendix supports applications hosted in Mendix Cloud and in corporate environments (AWS, Azure, IBM Cloud).

Mendix Cloud (public cloud) offers several mechanisms to protect against failures and downtime. It is available in two levels – Premium and Premium Plus. Both options provide high availability (HA) and automatic failover within an availability zone. The Plus variant additionally replicates data to another availability zone, allowing the application to be switched over if an entire zone fails. Both options include automatic daily backups of databases and files as standard. Such a backup is usually retained for 7 days, and this value can be increased in higher license plans. Both variants of the cloud also offer automatic recovery in the event of an application instance failure: the remaining instances take over the traffic, and the failed instance is automatically replaced.

The second option is Mendix Cloud Dedicated, which, as the name suggests, is a cloud environment dedicated to a single organization. As part of this solution, Mendix offers high availability because applications run in multiple availability zones, together with data replication (files are stored within at least one availability zone) and failover. It is a highly flexible solution, ideal for organizations that require full control over the cloud environment, and it can be tailored to the specific needs of the company.

The last option is DR in on-premises environments or a private cloud, known as Mendix for Private Cloud. In the case of local or private cloud implementations, the organization bears full responsibility for DR: database and file backups, the failover mechanism, and a maintained standby application environment, plus regular restore tests that prove the recovery time and recovery point objectives are actually met (an untested backup is an assumption, not a control). Organizations can utilize the ready-made disaster recovery (DR) strategies offered by cloud providers such as AWS, Azure, or GCP, depending on where they host.

Security standards and certifications

Security requirements in large organizations vary depending on the industry, nature of the business, and the specifics of the data being processed. Compliance with international standards and best practices is crucial to ensure a high level of information protection.

As an enterprise-class platform, Mendix declares compliance with the key and most widely requested security standards, and provides baseline controls alongside them: 

  • ISO/IEC 27001 – the international standard for information security management systems
  • SOC 1 and SOC 2 Type II – audit reports confirming the effectiveness of organizational and operational controls over a period of time
  • GDPR – the European regulation on the protection of personal data
  • HIPAA – the US requirements for protecting medical data in the healthcare sector 
  • OWASP Top 10 – the platform’s built-in controls are aligned with the most common web application risks
  • Data encryption – confidentiality of data in transit and at rest.

These attestations make Mendix usable in environments with strict security requirements, in the financial, public and healthcare sectors alike. Two caveats apply: certification scope is tied to Mendix’s own services and hosting (check the current reports and which deployment option they cover), and it says nothing about the application you build on top of the platform, which remains your responsibility.

Summary

Apart from the obvious business advantages of the Mendix platform (and there are many), Mendix also helps large organizations ensure an appropriate level of security. The primary features used for this purpose include multi-level authentication, access control based on roles and permissions, compliance with relevant standards and certifications, data encryption, and built-in monitoring, logging, and audit mechanisms.

However, a lot depends on the security standards adopted by the organization and the good practices implemented within it. It has been known for a long time that the weakest link in security is the human factor. It is essential to remember that the security of applications largely depends on developers. Although the platform significantly shortens the time needed for development, it won’t remedy incorrect architectural decisions that can create security gaps.

Therefore, when deciding to implement Mendix, it is worth not only examining the technical capabilities of the platform but also properly planning the application architecture, access policies, and data management method. It is also essential to remember that the organization is responsible for implementing good practices such as code review, penetration tests, or DevSecOps policies. Using appropriate software versions and configurations, applying good software development practices throughout the application life cycle (e.g., CI/CD), and conducting regular audits and tests are also paramount.

Mendix meets expectations in the context of security and minimizes threats through various mechanisms, including the implemented and supported security mechanisms mentioned in the article. The platform provides several advanced security mechanisms that can be tailored to meet individual needs and specific legal requirements. It’s a solid foundation, and there’s not much more you can ask for.

If you’re interested in using Mendix and want to maximize its security features, please reach out to us at hello@pretius.com. We’re a certified Mendix partner with proven expertise in the low-code field and over a decade of experience utilizing these platforms in various scenarios. We’ll analyze your inquiry and get back to you within 48 hours (such preliminary consultations are always free).

And if you need more information on Mendix, check out some of the other articles on our blog:

  1. Mendix tutorial: Start making apps using a powerful low-code platform
  2. Mendix React Client: Introduction and main changes compared to Dojo
  3. Build custom CRM using just Mendix and Excel spreadsheets 
  4. eCommerce automation: A modern approach based on the Mendix low-code platform