A Guide to Security in Dynamics 365 ERP
Learn about Microsoft Dynamics 365 security concerns, challenges, and best practices. Discover how Microsoft works to keep businesses safe.
Table of Content
According to CIO’s 2021 Tech Priorities Poll, 65% of IT decision-makers say they plan to ramp up cybersecurity spending within the next year. The data also found that 21% plan to upgrade their current security stack during that same timeframe. That’s more than planned upgrades in any other category–including analytics, CX, and collaboration tools.
Investments are on the rise, in part, because of the shift toward remote and hybrid work.
But, also, in response to other challenges of our time. Think—big data, expanding threat surfaces, and increasingly sophisticated cybercriminals.
As the threat landscape becomes more complex, managing security in-house is becoming riskier–and less feasible.
In this article, we’ll discuss Dynamics 365 cloud security concerns, challenges, and best practices. We’ll also explain how Microsoft works to keep businesses safe, even in the face of massive data sets and tight regulations.
Pre-sales engineer Jeffrey Smith says, “it’s common for people to worry about cloud solutions being hacked. But, Microsoft’s Azure environment is incredibly secure, and there are countless statistics that back this up.”
Account Executive Sam Miller says, “On the F&O side, I haven’t encountered any users who were overly concerned about cloud security. But–we’re talking about a group of people already comfortable with Microsoft. If anything, it’s the cloud solutions that aren’t Microsoft that people should be worried about.”
“in my experience, it’s usually the CFO or private owners that raise concerns about the cloud. The concern revolves around the security of protecting their data. In those circumstances, we explain how MS maintains their data center and what level of physical as well as virtual security is provided.” – Sreepathy Nagarajan, Practice Director, F&O
While concerns about moving to the cloud are normal, it’s important to understand the threats you’re up against. Here’s a look at some of the big ones:
Right away, users will notice that Dynamics 365 offers way more security solutions than their on-prem system.
Here’s a look at some of the biggest changes you can expect when you move to the cloud-based D365:
Microsoft 365 offers a long list of security tools built for today’s complex digital landscape. That includes data loss prevention (DLP) for Office 365, cloud apps, and all endpoints in your D365 system. An AI/ML-powered Records Management tool, even information barriers that protect sensitive information.
There’s also Compliance Manager, which includes 150+ assessments for measuring & improving regulatory compliance.
The list goes on. The point is, there’s a security solution for just about everything. The challenge lies in identifying which ones you’ll need to meet your unique security requirements.
Microsoft 365 Defender is a suite of security tools that allows you to manage and respond to security threats in one central location. It unifies threat signals across identities, endpoints, apps, and emails and uses AI & ML to proactively respond to threats.
BC Consulting Manager, Carrie Gabris, says “users will notice that Dynamics 365 has different authentication functions than on-prem solutions like NAV or AX.”
Authentication is managed through Azure AD, a cloud-based identity and access management service that manages how users sign in and access resources. Admins can use it to control access permissions and set up multi-factor authentication. It can also automate provisioning between apps, modules, and connected ISV solutions. It’s a critical tool for establishing strong governance across the entire system.
“IT groups can leverage Azure AD in their ERP system to create a unified experience. And often, they’re relieved to find that D365 fits into their Azure AD strategy.” – Lawrence Edwards, Senior Client Sales Manager
Dynamics 365 users outsource security, updates, and server maintenance to Microsoft. Unlike on-premises systems, which rely on IT teams to schedule updates, Dynamics 365 offers real-time updates in the cloud.
Senior Consultant Nick DiAngelo says, “some people worry about the per-user subscription cost. But the total cost of ownership usually ends up lower since you don’t have to maintain your own servers for the ERP system.” Migrating to D365 will not only save you money in the long run but also unlocks opportunities to make more money.
Below, we’ve outlined some critical steps for staying safe in the cloud.
Zero trust is a security framework that operates under the principle “never trust, always verify.”
The idea is that organizations should automatically assume that every data flow, app, device, and user is a threat.
This model continuously validates users–so they’ll periodically have to re-enter credentials to log back in.
Microsoft’s 365 Security suite offers several tools that enable Zero Trust across the following areas:
Kim Bateson, “we tend to assign existing permission sets and try to restrict rights as much as possible and then we try to open things up if the user cannot do their job.”
Instead, you should set access permissions based on which apps and data sets employees use on the job.
Nick DiAngelo advises users to “leverage the permission recordings tool in BC to define permission sets. This ensures that users are unable to do more than what they need to do their job. This is helpful for SOX compliant environments.”
A bit of background: permission sets are assigned to users based on the tasks they perform on the job. They’re stored in your database, but don’t always reflect what your employees actually do day-to-day.
You can create new permission sets manually by adding new tables to the database. But recording actual user activity is faster and more accurate.
“The main thing is that we need to define what they want each user to do. Then with security, we can define the type of transactions and reports users can get to. Using roles can streamline the user experience.” – Jeff Smith, Solutions Architect
Sreepathy Nagarajan, Practice Director, F&O advises companies to spend time “getting to know the Cyber Defense Matrix context with their workspace configurations and strategy.”
The Cyber Defense Matrix is a 5×5 grid that breaks into the following two dimensions:
Operational functions:
Asset classes:
At the bottom of the grid, there’s a continuum for indicating the degree of dependency on technology and people. You’re more dependent on technology during the “identify” and “protect” stages. Later, you’ll rely more on people to make decisions about how to respond and recover from an incident.
Processes should remain consistent across the board, providing step-by-step guidance for both humans and machines.
Note: This video series explains how to use the matrix to map the threat landscape, ID risks, and cover all blindspots before migration begins.
Microsoft users can also use its built-in threat modeling tool to get ahead of cyber threats.
It provides guidance for building and analyzing threat models, allowing users (technical or not) to better prepare for future threats.
Inside, you’ll find a standard notation for visualizing boundaries, data flows, and system components.
You’ll also find a set of tools for classifying and analyzing threats based on infrastructure design–making it easier to ID and rank issues.
Threat modeling can also be used to incorporate security into the entire design and development process–and in planning and implementing a cloud ERP. That way, security objectives align with strategic objectives and reduce risk.
A DLP policy keeps sensitive data from leaving your organization. Data loss prevention tools monitor confidential information and use business rules to block users from sharing data with recipients outside of the organization.
For example, DLP solutions might be used to block an employee from forwarding a file to an external email address or uploading it to a service like Google Drive or Dropbox.
You can use one of Microsoft’s templates (for meeting requirements for policies like HIPAA or GDPR) or customize your own.
That way, security objectives align with strategic objectives and reduce risk.
A recent Microsoft survey points out that most cybersecurity are preventable and come from a failure to implement basic best practices like strong passwords and multi-factor authentication.
Microsoft data revealed that only 20% of users have strong authentication measures in place and found over 20M instances of hacked IoT devices using the password, “admin.”
Those findings point toward problems with culture and strategy–both of which need to be in place before adding any algorithms to the mix.
Cybersecurity is not just about investing in better technology, it’s about people and processes.
t’s about developing a culture of awareness and making sure security is baked into daily operations at all levels.
Keep in mind, your biggest cyberthreat comes from human error. Failing to install a patch or secure an endpoint opens the door to hackers. But so does a lack of knowledge surrounding phishing attacks, password protections, and other cyber-schemes targeting end-users.
“You’ll want to start setting up users really early in the process. Make security tight at first and see what walls they hit. Don’t start by giving a user security to everything and then try to back it off.” – Sam Miller, Western Region Sales Director
Sam also points out that it takes some time to get to know the new security features. For example, “the roles in F&O are really hard to figure out, and we need to do a better job of preparing user profiles before go-live.”
Cloud-based technology has become a standard for doing business in the digital age. Microsoft offers a wealth of tools that make it easier to lock down your system–but you’ll need to take some time to assess your security needs and evaluate the available solutions before you start the implementation process.
Velosio can help you identify and implement the right security solutions to keep you safe in the cloud long-term. To learn more about our services and where security fits into the big-picture, click here
Talk to us about how Velosio can help you realize business value faster with end-to-end solutions and cloud services.
"*" indicates required fields