A Guide to Security in Dynamics 365 ERP

According to CIO’s 2021 Tech Priorities Poll, 65% of IT decision-makers say they plan to ramp up cybersecurity spending within the next year. The data also found that 21% plan to upgrade their current security stack during that same timeframe. That’s more than planned upgrades in any other category–including analytics, CX, and collaboration tools.

Investments are on the rise, in part, because of the shift toward remote and hybrid work.

But, also, in response to other challenges of our time. Think—big data, expanding threat surfaces, and increasingly sophisticated cybercriminals.

As the threat landscape becomes more complex, managing security in-house is becoming riskier–and less feasible.

In this article, we’ll discuss Dynamics 365 cloud security concerns, challenges, and best practices. We’ll also explain how Microsoft works to keep businesses safe, even in the face of massive data sets and tight regulations.

Dynamics 365 Cloud Security Concerns & Risk Factors

Pre-sales engineer Jeffrey Smith says, “it’s common for people to worry about cloud solutions being hacked. But, Microsoft’s Azure environment is incredibly secure, and there are countless statistics that back this up.”

Account Executive Sam Miller says, “On the F&O side, I haven’t encountered any users who were overly concerned about cloud security. But–we’re talking about a group of people already comfortable with Microsoft. If anything, it’s the cloud solutions that aren’t Microsoft that people should be worried about.”

“in my experience, it’s usually the CFO or private owners that raise concerns about the cloud. The concern revolves around the security of protecting their data. In those circumstances, we explain how MS maintains their data center and what level of physical as well as virtual security is provided.” – Sreepathy Nagarajan, Practice Director, F&O

While concerns about moving to the cloud are normal, it’s important to understand the threats you’re up against. Here’s a look at some of the big ones:

• Cybercrime. Cybercrime is on the rise–and evolving. Just look at the recent high-profile attacks of the COVID era. Think–fileless attacks, stalkerware, video-conferencing attacks, and the SolarWinds supply chain attack. Cybercrime also applies to internal threats–manipulating financial reports, IP theft, insider fraud.
• Compliance. Compliance represents another risk. Non-compliance with HIPAA, SOX, CCPA, GDPR, etc. can have devastating consequences. We’re talking reputational damage, fines that can cost thousands of dollars per compromised record. Additionally, auditors are adapting their approach to the new, cloud-based environment. That means so you’re less likely to fly under the radar if you’re not meeting requirements.
• Big data. Big data is a big security risk. Hackers see it as a chance to cash in by selling customer data and IP or demanding a ransom. Expansive data ecosystems make it hard to understand what’s happening inside your organization. Which then makes it impossible to catch every vulnerability, hack, or instance of non-compliance.
• Remote work. Remote workers are harder to secure. Attacks are on the rise, according to Splunk’s 2021 State of Security report. Another report found that 92% of orgs invested in new security solutions to support remote work. Over 30% said they’re attacked at least once a day. It’s worth noting that hackers are adapting. Video-conferencing, DDoS, and phishing attacks are on the rise.
• Skills shortage. The Splunk report acknowledges that “hard jobs are getting harder.” 49% of respondents say it’s gotten harder to keep up with security requirements within the last two years. Teams face difficulties moving workloads to the cloud and hiring skilled workers. And, they’re having trouble keeping up with the complex threat landscape.
• Shadow IT. Shadow IT refers to IT solutions that bypass the official approval process. Think–personal accounts, workflows, and SaaS tools employees adopt to make their jobs easier. Unauthorized tools threaten the environment because, often, IT doesn’t know they exist and thereby can’t secure them. According to CrowdStrike, you need a unified DevOps and CI/CD strategy to detect & respond to shadow threats as they emerge.

What Differences Will New Users Notice When it Comes to Security?

Right away, users will notice that Dynamics 365 offers way more security solutions than their on-prem system.

Here’s a look at some of the biggest changes you can expect when you move to the cloud-based D365:

Security Tools That Span the Entire Microsoft Ecosystem

Microsoft 365 offers a long list of security tools built for today’s complex digital landscape. That includes data loss prevention (DLP) for Office 365, cloud apps, and all endpoints in your D365 system. An AI/ML-powered Records Management tool, even information barriers that protect sensitive information.

There’s also Compliance Manager, which includes 150+ assessments for measuring & improving regulatory compliance.

The list goes on. The point is, there’s a security solution for just about everything. The challenge lies in identifying which ones you’ll need to meet your unique security requirements.

Centralized Security Management

Microsoft 365 Defender is a suite of security tools that allows you to manage and respond to security threats in one central location. It unifies threat signals across identities, endpoints, apps, and emails and uses AI & ML to proactively respond to threats.

New Authentication Functionality

BC Consulting Manager, Carrie Gabris, says “users will notice that Dynamics 365 has different authentication functions than on-prem solutions like NAV or AX.”

Authentication is managed through Azure AD, a cloud-based identity and access management service that manages how users sign in and access resources. Admins can use it to control access permissions and set up multi-factor authentication. It can also automate provisioning between apps, modules, and connected ISV solutions. It’s a critical tool for establishing strong governance across the entire system.

“IT groups can leverage Azure AD in their ERP system to create a unified experience. And often, they’re relieved to find that D365 fits into their Azure AD strategy.” – Lawrence Edwards, Senior Client Sales Manager

Automatic Updates & Maintenance

Dynamics 365 users outsource security, updates, and server maintenance to Microsoft. Unlike on-premises systems, which rely on IT teams to schedule updates, Dynamics 365 offers real-time updates in the cloud.

Cost Savings

Senior Consultant Nick DiAngelo says, “some people worry about the per-user subscription cost. But the total cost of ownership usually ends up lower since you don’t have to maintain your own servers for the ERP system.” Migrating to D365 will not only save you money in the long run but also unlocks opportunities to make more money.

Dynamics 365 Security Best Practices

Below, we’ve outlined some critical steps for staying safe in the cloud.

Embrace Zero Trust

Zero trust is a security framework that operates under the principle “never trust, always verify.”

The idea is that organizations should automatically assume that every data flow, app, device, and user is a threat.

This model continuously validates users–so they’ll periodically have to re-enter credentials to log back in.

Microsoft’s 365 Security suite offers several tools that enable Zero Trust across the following areas:

• Identities. Azure AD, which allows admins to follow strict ID verification measures without adding additional friction to end-users’ day-to-day work.
• Endpoints. Microsoft’s Endpoint Manager solutions allow you to manage and monitor mobile devices, computers, VMs, and servers using a series of tools that protect data, provide secure access, and manage risk–critical in a remote or hybrid work environment.
• Apps. With apps, there are several things you can do for protection. For starters, you can use the Endpoint Manager to configure & enforce policies across devices and locations, and Azure AD allows you to set up authenticated sign-ins.

Define Permissions by User Role & Activity

Kim Bateson, “we tend to assign existing permission sets and try to restrict rights as much as possible and then we try to open things up if the user cannot do their job.”

Instead, you should set access permissions based on which apps and data sets employees use on the job.

Nick DiAngelo advises users to “leverage the permission recordings tool in BC to define permission sets. This ensures that users are unable to do more than what they need to do their job. This is helpful for SOX compliant environments.”

A bit of background: permission sets are assigned to users based on the tasks they perform on the job. They’re stored in your database, but don’t always reflect what your employees actually do day-to-day.

You can create new permission sets manually by adding new tables to the database. But recording actual user activity is faster and more accurate.

“The main thing is that we need to define what they want each user to do. Then with security, we can define the type of transactions and reports users can get to. Using roles can streamline the user experience.” – Jeff Smith, Solutions Architect

Make Risk Assessment a Priority

Sreepathy Nagarajan, Practice Director, F&O advises companies to spend time “getting to know the Cyber Defense Matrix context with their workspace configurations and strategy.”

The Cyber Defense Matrix is a 5×5 grid that breaks into the following two dimensions:

Operational functions:

• Identify
• Protect
• Detect
• Respond
• Recover

Asset classes:

• Devices
• Applications
• Networks
• Data
• Users

At the bottom of the grid, there’s a continuum for indicating the degree of dependency on technology and people. You’re more dependent on technology during the “identify” and “protect” stages. Later, you’ll rely more on people to make decisions about how to respond and recover from an incident.

Processes should remain consistent across the board, providing step-by-step guidance for both humans and machines.

Note: This video series explains how to use the matrix to map the threat landscape, ID risks, and cover all blindspots before migration begins.

Microsoft users can also use its built-in threat modeling tool to get ahead of cyber threats.

It provides guidance for building and analyzing threat models, allowing users (technical or not) to better prepare for future threats.

Inside, you’ll find a standard notation for visualizing boundaries, data flows, and system components.

You’ll also find a set of tools for classifying and analyzing threats based on infrastructure design–making it easier to ID and rank issues.

Threat modeling can also be used to incorporate security into the entire design and development process–and in planning and implementing a cloud ERP. That way, security objectives align with strategic objectives and reduce risk.

Develop a Data Loss Prevention Policy

A DLP policy keeps sensitive data from leaving your organization. Data loss prevention tools monitor confidential information and use business rules to block users from sharing data with recipients outside of the organization.

For example, DLP solutions might be used to block an employee from forwarding a file to an external email address or uploading it to a service like Google Drive or Dropbox.

You can use one of Microsoft’s templates (for meeting requirements for policies like HIPAA or GDPR) or customize your own.

That way, security objectives align with strategic objectives and reduce risk.

Prepare Users Early in the Game

A recent Microsoft survey points out that most cybersecurity are preventable and come from a failure to implement basic best practices like strong passwords and multi-factor authentication.

Microsoft data revealed that only 20% of users have strong authentication measures in place and found over 20M instances of hacked IoT devices using the password, “admin.”

Those findings point toward problems with culture and strategy–both of which need to be in place before adding any algorithms to the mix.

Cybersecurity is not just about investing in better technology, it’s about people and processes.

t’s about developing a culture of awareness and making sure security is baked into daily operations at all levels.

Keep in mind, your biggest cyberthreat comes from human error. Failing to install a patch or secure an endpoint opens the door to hackers. But so does a lack of knowledge surrounding phishing attacks, password protections, and other cyber-schemes targeting end-users.

“You’ll want to start setting up users really early in the process. Make security tight at first and see what walls they hit. Don’t start by giving a user security to everything and then try to back it off.” – Sam Miller, Western Region Sales Director

Sam also points out that it takes some time to get to know the new security features. For example, “the roles in F&O are really hard to figure out, and we need to do a better job of preparing user profiles before go-live.”

Final Thoughts

Cloud-based technology has become a standard for doing business in the digital age. Microsoft offers a wealth of tools that make it easier to lock down your system–but you’ll need to take some time to assess your security needs and evaluate the available solutions before you start the implementation process.

Velosio can help you identify and implement the right security solutions to keep you safe in the cloud long-term. To learn more about our services and where security fits into the big-picture, click here