For most organizations across the world, regardless of their size or the industry they are in, the cloud has granted immense opportunities to explore technologies and services that have been out of reach in the past, especially for SMBs – such as taking advantage of advanced data analysis, intelligence, and automation.
Today, in 2021, especially after the drastic shift that the COVID-19 pandemic brought with itself and the challenges that organizations had to overcome, most businesses are dependent on cloud providers that offer a wide range of services including servers, storage, compute power, AI, and more.
While most organizations have made the first step towards their digital transformation by migrating their CRM, ERP, and other business management applications and tools to the cloud – most companies are still skeptical about the security of data in the cloud.
If you have considered, have already migrated, or are just starting your migration to the cloud with Microsoft Dynamics 365 business applications, you might be wondering – how does Microsoft and Dynamics 365 grant compliance and security for my critical business data?
How does Microsoft manage the security of Microsoft Dynamics 365 in the cloud?
With Microsoft building Dynamics 365 cloud applications and Power Platform on Microsoft Azure, one of the world’s largest cloud providers it guarantees a level of security and compliance used by 95% of Fortune 500 companies to organizations of all sizes that cannot be achieved on an internal level.
Azure operates from hundreds of data centers worldwide with each data center being secured with multi-layered protection. Microsoft has a dedicated workforce that is focused on building and operating physical data centers including protection of the building entrances, the inside of these buildings, and the data center floors.
Microsoft Dataverse, which is the underlying data platform for all Dynamics 365 apps and Power Platform manages security and compliance through multiple layers:
- Authentication by Azure Active Directory that restricts access by users with conditional access policies,
- Environments that act as security boundaries – with each environment having different security requirements implemented
- The use of connectors is restricted with Data Loss Prevention policies
- Creating Power Apps, using Power Automate, and creating custom applications & workflows is controlled by security roles determined by the environment they exist in
All Dynamics 365 users can adjust these security levels and restrictions to their own unique governance policies of data and services. Every business solution has a built-in security system that helps protect databases from unauthorized access and each security system allows D365 users to specify which users can read or modify the data.
Microsoft ensures data is encrypted during its transit between users and data centers with industry-standard Transport Layer Security (TLS) which ensures data stays confidential between desktops and datacenters, as well as protects API access from the user to the server.
Dynamics 365 uses encryption at rest, which prevents hackers from accessing unencrypted data written on the disk using SQL Server Transparent Data Encryption. This type of encryption is highly recommended for organizations, as these attacks can be complex and exhaust resources.
Microsoft manages the encryption keys for Dataverse instances – through the Dynamics 365 Administration Center, administrators can manage encryption keys that are associated with Dynamics 365 instances, for very specific business needs that need to be maintained by the organization itself.
All Dynamics 365 Cloud users need to have a valid Azure AD account to access Dynamics 365, as D365 cloud apps use Microsoft Azure Active Directory to identify users. With Single sign-on (SSO), Azure AD accounts can be used to access other Microsoft business applications, which makes it simple for users to switch between different applications in the Microsoft online ecosystem.
There are additional authentication processes that make the security of your Dynamics 365 data stronger, as users can be subject to other policies that limit access by real-time risk, user location, application, or devices used.
Those organizations that use hybrid cloud systems can use one of three authentication methods: password hash synchronization pass-through authentication, or federation.
With Multi-Factor Authentication (MFA) options, users are prompted to use additional forms of authentication beyond usernames and passwords to complete the login, such as unique code sent to the user’s phone or approaching a sign-in notification on the Microsoft Authenticator app. MFA options protect users from 99.9% of identity attacks.
Data Loss Prevention Policy
With the Data Loss Prevention policy, Dynamics 365 administrators can:
- Identify sensitive information across many D365 apps, OneDrive or Microsoft Teams
- Prevent accidental sharing of sensitive information
- Monitor and protect sensitive information in desktop versions of productivity apps such as Word, Excel or PowerPoint
- Help users stay compliant without interrupting the business workflow
Security in Dynamics 365 model-driven cloud applications (CRM)
Once users have gone under the encryption and Azure AD authentication policies, each Dynamics 365 app handles security on an application level. By understanding the security architecture within Dynamics 365, you can set up D365 to adjust to the unique security and compliance requirements of your business.
There are two main ways in which security is enforced within the D365 model-driven apps: security roles and privileges.
Based on the unique business role, business unit, and teams that the user is assigned to within the organization, each user must have a security role to sign in to, before they can log in.
- Business units – Dynamics 365 uses business units to identify the various departments of your company that may have different security names. The core business unit applies to the entire organization and this business unit represents the root business unit, which for smaller organizations may be all that is needed.
For larger or global organizations, separate business units can be created by function or geography, but creating business units that are necessary to meet the core organization security needs is recommended.
- Role-based security: Based on the user’s role, a user may have read-only access or have access to change, update or delete records within an entity (table). Roles are granular and can be assigned to one or more entities(tables). Role-based security can be used to grant access to a user to create custom entities or option sets. Users can be associated with more than one role if needed.
- Teams: Teams-based security can be used to grant users from different business units to work with the same entity, as it is a security role that crosses business units.
- Hierarchy security: The hierarchy security model can be used for granting users access to certain functionalities based on their position in the company hierarchy.
- Record-based security: This type of security model is used to control users’ and teams’ access to perform actions on individual records. The owner of a record can either share or grant access to a record to another user or team. For example, the owner of an account record can grant access to the information contained within the account, but not grant access to the user to write or edit within that record.
Privileges are used to grant permissions assigned to different security roles. Each security role consists of record-level privileges and task-based privileges and can be assigned at a user or team level.
Record-level privileges include: create, read, write, delete, append, append to, assign and share.
In addition to record-level privileges, security roles have different task-based privileges that users can get access to. These privileges are not based on business unit, team, hierarchy, or other considerations.
With these privileges, you can share common records such as customer contacts or accounts. You can define these user roles and which roles can access any given application. For example, in Dynamics 365 Sales, you will have security roles to secure opportunities and can allow customer service representatives and other sales staff to access the needed records in that application. Both sets of users can complete the necessary tasks within their apps, while also accessing the common customer records shared by the applications.
Solutionade can help…
Consult with Solutionade to define your cloud strategy as you are moving your CRM in the cloud, or if you need help adjusting or optimizing your current cloud applications.