Kennie on security - Part 3 (Secure Future Initiative for ERP customers)
Don't rely on SMS for MFA. Just don't.


This post is the third in a series about security. You might ask why I care about this topic and why I am blogging about it now. Well, I have my reasons, and off the top of my head they look like this:

  1. My first full-time job was in IT security, so my professional mind has always been influenced by this. Read more about that in the previous post: Kennie on security - Part 1 (my background), https://www.dhirubhai.net/pulse/kennie-security-part-1-my-background-kennie-nybo-pontoppidan-wh4rf
  2. Microsoft is currently making a huge investment in security with a programme called Secure Future Initiative (SFI). Yay! This post kicks off some discussions on that. Read more about that in the previous post: Kennie on security - Part 2 (Secure Future Initiative), https://www.dhirubhai.net/pulse/kennie-security-part-2-secure-future-initiative-pontoppidan-nfrwf
  3. Next month, in October 2024, I'm doing a session on security at the NA Summit conference. Blogging helps me organize my thoughts on that.


In this post, I will tell you how I see the principles in the Secure Future Initiative (SFI) working for (Business Central) customers. If you use Acumatica, NetSuite, Sage, or any other ERP system, it is also fine for you to read along.


Secure Future Initiative (SFI) principles

In the last post, we learned that

Microsoft's Secure Future Initiative (SFI) is a multi-year commitment to enhance cybersecurity across all its products and services. Launched in November 2023, SFI focuses on three main principles:

  1. Secure by Design,
  2. Secure by Default, and
  3. Secure Operations.


Now, SFI is a Microsoft initiative that we run (big time) to improve the security of everything inside Microsoft. This is great: all customers benefit from that. But the principles are sound and applicable to your organization as well.

So, let's dive into the SFI principles, but with that perspective: your organization.


Secure by Design

The secure by design principle means that security comes first, and that you need to think security right into your internal processes and the products or services that you deliver. This work starts at the very beginning of any project or deliverable. Security is not an add-on that you slab on at the end. I would have to know more about your organization to come up with concrete examples (or maybe you have some good ones for the comments below?)


Secure by Default

A core concept of the secure by default principle is to ensure that security features are activated and mandatory for everyone using your systems, requiring no additional actions and making them non-optional.

Think broadly when defining security features. This is not only about VPN clients, firewalls, and virus scanners. No, it also covers how you set up your permission system and the ways you access your networks and business systems.


But… the most important piece of advice in this section is MFA, multi-factor authentication. MFA basically means that you need more than one thing to log in: a password alone is not enough. Maybe also an authenticator app on your phone, or a YubiKey. Or a third option.

Don’t rely on SMS, just ask Copilot:



To quote the Microsoft Digital Defense Report 2023:

https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023

How effective is MFA at deterring cyberattacks? A recent study based on real-world attack data from Microsoft Entra found that MFA reduces the risk of compromise by 99.2 percent.

Boom. That leaves 0.8% of the risk on the table for the rest of the advice in this blog post.

Here is how you set up MFA with Business Central: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/multifactor-authentication


As an example of something that you might not think of as security related: how do you manage the sensitivity labels on your Office files? Countless times, I have sent a document link to someone outside of Microsoft, only to learn that they could not access the document because our default sensitivity level was too strict. Annoying, right? But think of the alternative. What if I had, by mistake, shared a sensitive document about a software acquisition that I was working on, and that soured the deal because I had leaked confidential information? What if it was an important contract or quote that was not quite ready to send to your client, and it somehow got shared anyway?


Another topic is data access management. You thought that was for the DBAs (database administrators) to manage? Wrong! You own that just as much. As a system owner (no, I am not thinking about the IT department here), do you know who can access data in your ERP system? Do you monitor it? The first question can be answered with proper auditing, and Business Central has several options for you in this space.

Learn more about auditing (the third Au in the gold standard) here:

https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/auditing/auditing-overview

Or, if you don’t trust links (you shouldn’t), search for Auditing in Business Central in our documentation.


Pro tip: did you know that as of 2024 release wave 2, we support logging to Microsoft Purview? Check out the release plan on that beauty or join the Business Central Launch Event on October 8th (aka.ms/BCLE) to learn more.


For the second question (the monitoring part), I don't know the answer. There are likely good solutions out there. Ask your Microsoft partner, or ask in your local Business Central user group what others do. Remember, it is not shameful to discuss security issues; it is shameful to hide as if you have everything under control when you don't (IMO).


Speaking of the gold standard, proper access management is NOT giving everyone the SUPER permission set in your system. Authorization to the rescue (that's another Au for you). With Business Central, you have plenty of features to make the access system fit your needs. Here are a few tips and tricks related to permissions that you might not know:

  • You can track changes to the permission system with telemetry, and you can even alert on that.
  • You can set up the change log, or even sensitive field monitoring, on permission tables and fields. Sensitive field changes are also logged to telemetry, so you can analyze who did what and when, and/or set up alerts on these events.
  • You can use Data Analysis on the change log and other auditing-related tables. See examples here: https://learn.microsoft.com/en-gb/dynamics365/business-central/ad-hoc-data-analysis-by-functional-area


Read more about authorization in Business Central here: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/security-application#authorization


Secure Operations

Keep your systems and devices up to date. Again, to quote the Microsoft Digital Defense Report 2023,

Unpatched and out-of-date systems are a key reason many organizations fall victim to an attack. Ensure all systems are kept up to date including firmware, the operating system, and applications.

This also means phones and tablets. Yes, also the kiosk in the reception. And the printers.


If you use Business Central online, we have you covered on that part – we patch the system when you need it (not when you ask us to). For on-premises installations, you need to ensure that someone takes care of that.

The same goes for encryption of your ERP data; see here how we have you covered in Business Central online: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/security-online#data-isolation-and-encryption

For on-premises installations… Well, you need to do that yourself. And remember to encrypt your backups as well…


What about your business operations? Are your premises secure? Can someone walk right into the building and past the reception? Have you heard about tailgating (look it up)? Security is not just about cyber. When you start thinking like an attacker, a whole new range of vulnerabilities opens up. Maybe you need to look into some of those as well?


OK, that's it for a Friday evening security rambling while looking out over the bare field (they finished harvesting yesterday) here in sunny (the sun has already set) Fargo, ND. I need to pick up my wife at the airport. And I'm already running late. Argh!


Sign up for the newsletter (and/or spread the word)

Thanks for reading along. In the next posts I will dive more into concrete areas of security that I hope you as Business Central / ERP developers will find useful in your daily work. Maybe it is time to look into how you can use the principles from the Secure Future Initiative (SFI) programme to harden your (ERP) installations and development practices. I also want to tell you about how I recently almost got spear-phished, and something on security awareness. But that is for another time.


Do comment on things that resonated with you when reading the article.


If you are present at the Summit NA 2024 conference this October in San Antonio, TX, then you can hear the full story in one of my sessions there.


Stay tuned and secure until next post…


Previous posts in this series:


Kennie on security - Part 1 (my background)

https://www.dhirubhai.net/pulse/kennie-security-part-1-my-background-kennie-nybo-pontoppidan-wh4rf


Kennie on security - Part 2 (Secure Future Initiative)

https://www.dhirubhai.net/pulse/kennie-security-part-2-secure-future-initiative-pontoppidan-nfrwf



PS.

If you liked the newsletter and think that others might benefit from it as well, please send them the signup link here:

https://www.dhirubhai.net/newsletters/6981923051273658368

Petras Butenas

Founder @ Simplanova

1 month

Love this series - would this also be covered at Directions? Alerting permission changes to set users by design could be a nice feature.

David Wheat

Great IT is possible. I help growing companies get there. Having fun hosting The Last I.T. Podcast In The World.

1 month

Great post Kennie. Another angle on securing BC is to leverage the Entra ID (Azure AD) features like Conditional Access that most BC customers own, but may not be using. One example is creating a Conditional Access policy so that plant / warehouse hourly workers' logins only work from the IP address of the physical location where they do their work. This blocks any fraudulent login attempts from any other location or country and falls under the category of Attack Surface Reduction. If 40% of the O365/BC accounts for a company are factory / warehouse staff, they've reduced the number of accounts that can be compromised significantly. (See you at Summit!)
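One way to implement the location-restricted sign-in described in the comment above, as an added example that is not from the post, the commenter, or Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK, and the group id, break-glass account id, IP range and display names are placeholders you replace with your own.

```powershell
# Added example (not from the post or its comments): a Conditional Access policy that
# blocks a warehouse-staff group from signing in anywhere except the plant's public
# IP range. Group id, break-glass account id, CIDR and display names are placeholders.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location for the plant's internet egress range (placeholder CIDR).
$plant = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Plant 1 - warehouse egress"
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Block policy: the warehouse group, all cloud apps, every location except the plant.
#    The break-glass admin account is excluded so the policy can never lock everyone out,
#    and the policy starts in report-only mode so sign-in logs show what it WOULD block
#    before it is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block warehouse staff outside Plant 1"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users        = @{
            includeGroups = @("<warehouse-staff-group-id>")
            excludeUsers  = @("<break-glass-account-id>")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($plant.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Created policy '$($policy.DisplayName)' ($($policy.Id)) in report-only mode"
```

Review the report-only impact in the Entra sign-in logs for a week or two before changing `state` to `enabled`, and keep the break-glass exclusion in place permanently.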

Love this. So many people don’t realize how important it is to set up proper application security. Thanks for making sure people are thinking about it!

Bo Arentoft

IT developer. Programming, consulting and a good dose of versatility - systems that create value.

1 month

I love the phrasing "security is not an add-on that you slab on at the end." This is something I see way too often with permissions. The project is almost done, and permissions get crammed in at the end. The customer cannot define everything - nor should that be expected, the partner is the ERP expert. Then something so-so happens and the customer doesn't really understand the strategy set in place. Take that first discussion early, keep it in business terms. You can refine as the project progresses. But now you have a chance to design the system so it better supports the permission demands. For example, it is much easier to define permissions of a module-based system than a monolithic one - especially if the modules match (parts of) business roles.
