Kennie on security - Part 2 (Secure Future Initiative)
Kennie Nybo Pontoppidan
Supporting Ukraine | Principal Program Manager at Microsoft. | Helping small and medium sized companies run their business with ERP and analytics |
This post is the second in a series about security. You might ask why I care about this topic and why blog about it now? Well, I have my reasons, and off the top of my head they look like this:
In this post, I will tell you about Secure Future Initiative (SFI), what it means for us in the Business Central product team, and what the impact is for our Business Central partners and customers.
What is Secure Future Initiative (SFI)?
In a world of Copilots here and there, why should I waste my time (and yours) summarizing that? So, I asked copilot.microsoft.com:
Summarize Microsoft's secure future initiative
and it told me that…
Microsoft's Secure Future Initiative (SFI) is a multi-year commitment to enhance cybersecurity across all its products and services. Launched in November 2023, SFI focuses on three main principles: Secure by Design, Secure by Default, and Secure Operations. The initiative aims to address the increasing scale, speed, and sophistication of cyberattacks by continuously improving security measures and practices.
I couldn’t have done it better. An added benefit of using a public copilot is that I don’t have to worry about oversharing sensitive information as the basis of the summary (hey, we are discussing security here, so there is no reason not to be paranoid.)
If you are more interested in SFI, we just released a September 2024 status update on SFI, see
for more information.
One quote from the report shows how big a deal this project is:
Our engineering teams quickly dedicated the equivalent of 34,000 full-time engineers to address the highest priority security tasks—the largest cybersecurity engineering project in history.
34,000 full-time engineers... Think about that for a minute.
Why should you care about SFI at Microsoft?
You shouldn’t. That is the whole idea of us spending 34k engineering years on security hardening: so that you don’t have to.
Or maybe you should care about SFI at Microsoft. Meaning that this hopefully helps you and your customers sleep a little better at night, knowing that your cloud services are in good hands. I recently had a discussion with a partner about how the story of having your ERP (and other) workloads running securely in our cloud is understated and undertold. I cannot speak to how security protocols and practices are at other cloud providers, including private cloud providers, but having seen and experienced our security muscle from within, I do think that we do a pretty good job.
But hey, we should ask Copilot about that (continuing the prompt from above):
give some perspectives for an ERP customer?
Copilot thinks for a few milliseconds and spits out the following wall of text:
From an ERP customer's perspective, SFI offers several benefits:
Overall, Microsoft's Secure Future Initiative strengthens the security posture of ERP systems, providing customers with a more secure and reliable platform for their business needs.
Let’s dive a little bit into each of these statements...
Enhanced Data Security
With SFI, ERP systems are designed to protect sensitive business data from cyber threats, ensuring that financial and operational information remains secure.
Spot on. We even documented this in our product documentation:
and I quote (because you guys don’t just blindly trust random links, right?)
Data belonging to a single tenant is stored in an isolated database and is never mixed with data from other tenants. This ensures complete isolation of data in day-to-day use and in backup/restore scenarios.
Furthermore, Business Central uses encryption to help protect tenant data in the following ways:
We do more than this, but for me to tell you that, I would have to hire you…
If you read about Assume Breach in my last post, this is it in practice: all of this encryption at rest, in transit, and in memory helps us protect the service and your data even if an attacker were to penetrate part of our infrastructure. If they were to succeed in stealing an information artifact, they would not be able to extract information from it, because the artifact carries no key.
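To make the "stolen artifact is useless" point concrete, here is an added example (mine, not Business Central's implementation or any Microsoft code). It assumes a design where each tenant's records are encrypted with AES-256-GCM under a per-tenant data-encryption key derived from a master key that lives outside the data store, with the tenant ID bound as authenticated data. The key derivation (HMAC-SHA256 with a label), the artifact layout and the sample invoice row are all assumptions constructed for the illustration; only the nonce and ciphertext ever reach disk or a backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added illustration of "a stolen artifact is useless without the key".
// This is NOT Business Central's implementation; the per-tenant key derivation
// and the artifact layout are assumptions made for this example.

// Artifact is the only thing that reaches disk, a backup, or a stolen copy:
// a nonce plus AES-GCM ciphertext. The key never travels with it.
type Artifact struct {
	TenantID string
	Nonce    []byte
	Sealed   []byte
}

// deriveTenantKey derives a distinct 256-bit data-encryption key per tenant
// from a master key held outside the data store (think key vault / HSM).
// HMAC-SHA256 over a labelled input serves as the KDF here (assumption).
func deriveTenantKey(master []byte, tenantID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("tenant-dek:" + tenantID))
	return m.Sum(nil) // 32 bytes -> AES-256
}

// tenantAEAD builds the AES-256-GCM instance for one tenant's key.
func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveTenantKey(master, tenantID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one tenant record. The tenant ID is bound as additional
// authenticated data, so a record cannot be silently re-labelled as another tenant's.
func sealRecord(master []byte, tenantID string, plaintext []byte) (Artifact, error) {
	aead, err := tenantAEAD(master, tenantID)
	if err != nil {
		return Artifact{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Artifact{}, err
	}
	return Artifact{
		TenantID: tenantID,
		Nonce:    nonce,
		Sealed:   aead.Seal(nil, nonce, plaintext, []byte(tenantID)),
	}, nil
}

// openArtifact decrypts on behalf of requestingTenant. Any mismatch (wrong tenant,
// wrong master key, modified bytes) fails GCM authentication and yields no plaintext.
func openArtifact(master []byte, requestingTenant string, a Artifact) ([]byte, error) {
	aead, err := tenantAEAD(master, requestingTenant)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, a.Nonce, a.Sealed, []byte(requestingTenant))
}

func main() {
	master := make([]byte, 32) // constructed master key; in practice fetched from a key vault
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	record := []byte("Invoice 1001, customer Contoso, 4200 EUR") // constructed sample row

	art, err := sealRecord(master, "tenant-a", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stolen artifact (what an attacker gets): nonce=%x sealed=%x\n", art.Nonce, art.Sealed)

	if pt, err := openArtifact(master, "tenant-a", art); err == nil {
		fmt.Printf("owner decrypts: %s\n", pt)
	}
	_, err = openArtifact(master, "tenant-b", art)
	fmt.Println("other tenant decrypts:", err)
	_, err = openArtifact(make([]byte, 32), "tenant-a", art)
	fmt.Println("without the master key:", err)
	art.Sealed[0] ^= 1
	_, err = openArtifact(master, "tenant-a", art)
	fmt.Println("tampered artifact:", err)
}
```

The thing to notice is that every failure path (another tenant, a missing master key, a flipped bit) ends in the same authentication error with no partial plaintext, which is what lets a breached database or backup copy stay a non-event. One operational caveat: GCM nonces must never repeat under one key, so a real deployment rotates tenant keys or derives per-record keys well before the 96-bit nonce space becomes a risk.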
Compliance Assurance
SFI helps ensure that ERP systems comply with industry regulations and standards, reducing the risk of data breaches and associated penalties.
Yup! You have no idea about the engineering time we spend on compliance. But hey, when your service can boast being compliant with standards such as ISO 27001, ISO 27017, ISO 27018, SOC 1 (SSAE 18) Type 2, and SOC 2 Type 2, then I think it is totally worth it (shout out to my wonderful colleague who I cannot name here! You rock! You are my compliance hero.)
But don’t take my word for this. Why don’t you check out how we discuss compliance in our product documentation: https://learn.microsoft.com/en-us/dynamics365/business-central/compliance/compliance-service-compliance
Might also be handy next time a prospective customer asks about this (hint hint, dear Microsoft partners.)
Improved Trust
Knowing that Microsoft prioritizes security can build trust among ERP customers, reassuring them that their data is in safe hands.
I hope that this message receives you well… Because Microsoft runs on Trust as we say (I even have it printed on a T-shirt we got for an internal running event). Some software vendors have a philosophy of not discussing security at all (even when they are breached). I think that they believe that being open about security and security vulnerabilities is making customers scared and making them trust the company less. I think that the result is the opposite: not being open is generating less trust.
Continuous Updates
SFI's focus on continuous improvement means ERP systems will receive regular security updates, keeping them protected against the latest threats.
Well, can’t agree more there. We hotfix our service as often as needed, and when we discover security vulnerabilities, we hotfix even more aggressively. Does that disrupt operations of the service? Absolutely. When we hotfix, there is downtime involved, but not more than we can still uphold a 99.9% uptime SLA month over month.
What you might not read directly from the Continuous Updates sentence above is the question “how do you get informed about which components to update, and when?” Without spilling too much tea here, the secret sauce is systematic component governance. To quote the recent September 2024 SFI report (see link above, section “Standards and paved paths”):
To drive the standards across our entire estate, we build and maintain comprehensive inventory systems with clear component ownership within the organization and ways to facilitate assignment of work items at scale.
Peace of Mind
With robust security measures in place, ERP customers can focus on their core business operations without worrying about potential cyber threats.
Apart from being one of my absolute favourite albums with Iron Maiden (I mean, all songs on that album are EPIC. My mom thought she had lost me to the satanists when I got into Iron Maiden as a teenager, but everything turned out all right…), I agree again with Copilot here. I hope that you reading this post also gives you a little more warm and fuzzy feeling that your data is pretty good and safe in our service.
To conclude (says Copilot)…
Overall, Microsoft's Secure Future Initiative strengthens the security posture of ERP systems, providing customers with a more secure and reliable platform for their business needs.
Couldn’t agree more. And notice how Copilot, with the snippet “a more secure and reliable platform”, also sneaked in a sister topic to security: reliability.
In the Business Central team, we both develop the product and run the service. Sometimes called DevOps (or, as we sometimes say internally, “you build it, you run it. You break it, you fix it.”)
Kennie, this is very interesting. Will you write a post where you go into all details about how you run the Business Central service?
No.
Absolutely not.
Never.
Why should I do that when you can just go directly to our documentation and read all about it (recognize a pattern here???).
Just CTRL+click here to open in a new tab
(or for the paranoid who never trusts a link, just search for “Service overview for Business Central online” to find the article. I am so proud of you not trusting anything posted online. This could have been written by someone that just Pwned my LinkedIn account. Assume Breach, right?)
OK, that’s it for a Friday afternoon security rambling while looking out over the golden fields here in sunny Fargo, ND.
Sign up for the newsletter (and/or spread the word)
Thanks for reading along. In the next posts I will dive more into concrete areas of security that I hope you as Business Central / ERP professionals will find useful in your daily work. I will probably also dive more into how you can use the principles from the Secure Future Initiative (SFI) programme to harden your (ERP) installations and development practices. I also want to tell you about how I recently almost got spear-phished, and something on security awareness.
Do comment on things that resonated with you when reading the article.
If you are present at the Summit NA 2024 conference this October in San Antonio, TX, then you can hear the full story in one of my sessions there.
Stay tuned and secure until next post…
Previous posts in this series:
Kennie on security - Part 1 (my background)
PS. If you liked the newsletter and think that others might benefit from it as well, please send them the signup link here:
Microsoft Dynamics 365 Business Central | Help You Build Expertise & Drive Operational Excellence With the Dynamics 365 Platform
4 months ago: I must disagree. Powerslave is their best album.
Partner / IT-auditor at 2-Control B.V.
5 months ago: Hi Kennie, great blog series and very good that Microsoft takes security this seriously. However, as an IT auditor I do not completely agree with the statement that customers (and partners) shouldn't have to care about SFI. Microsoft can only secure things up to a certain level, but partners and ISVs still have a huge responsibility in the security and quality of the extensions they create on Business Central. A few years ago we tried to kickstart awareness about this matter with a Raise Maturity Program (with a colleague of yours, Jonathan Davis) but back then it didn't get enough traction. Perhaps we can catch up if you are in Vienna next week, might be a good time to share some thoughts! Thanks for your blogs!
Microsoft MVP | D365 BC | M365 | Azure | PhD, MBA
6 months ago: Great read Kennie, thanks… as for Iron Maiden - that’s a great album - I was thinking it might have been maybe Number of the Beast or Fear of the Dark for the security tie-in…