Kennie on security - Part 4 (Secure Future Initiative for ERP customers - Summit NA reflections)
Kennie Nybo Pontoppidan
Principal Program Manager at Microsoft. I help ERP customers in the SMB space run their business.
This post is the fourth in a series about security. You might ask why I care about this topic and why I blog about it now? Well, I have my reasons, and off the top of my head they look like this:
In this post, I will tell you about highlights from my 90-minute (!) security session at the Summit NA 2024 conference. Together with part 3 (see link above), this concludes posts on security for ERP customers (for now).
Social engineering
Social engineering, also known as "people hacking", is the easiest way to hack a company or a person (you). No need to find technical vulnerabilities in your ERP system or the surrounding infrastructure. Just call someone and get access. Sounds too good to be true? It is not. In my security sessions, I always play these two short videos (CTRL+right click, watch, and get back here)
Start by watching how people tell their passwords on camera on the Jimmy Kimmel show: https://www.youtube.com/watch?v=opRMrEfAIiI
Are the victims of these hacks stupid? When watching the second video, you might be inclined to think so. The thing is, they are not. As human beings, we are raised to help others. And it requires training to not feel that you are being impolite by declining to do so.
Now watch how master social engineer Jessica Clark completely owns an account in a few minutes: https://www.youtube.com/watch?v=fHhNWAKw0bY (go to 1:19 to skip the intro and go directly to the meat)
Would you or your organization be able to withstand that? Maybe you would, dear reader. But a person as skilled as her will very likely succeed in getting access eventually.
The only thing that works against social engineering (and phishing, its cousin) is training. If you search for "security awareness training", I'm sure you can find courses on the topic. Does your organization offer or require such training for employees?
Security tips and tricks for Business Central
The next part of my presentation was a section called "Security tips and tricks for Business Central". Below, I will mention each tip, maybe with links to learn more. You might know some of this already, but I hope that every one of you can take at least one security gold nugget with you and apply that in your organization. Here goes...
Did you know that you can restrict network access to/from Business Central online?
An Azure service tag represents the group of IP address prefixes that traffic to or from a specific Azure service uses, so you can write firewall rules that allow only traffic to or from that service without maintaining IP lists yourself. The Dynamics365BusinessCentral service tag enables administrators to restrict access to/from Business Central using firewall and network security group rules.
For more information, see https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/security-service-tags
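As an added example (not code from the article), the following Az PowerShell script lets an Azure-hosted integration endpoint accept HTTPS only from Business Central online by referencing the Dynamics365BusinessCentral service tag instead of hard-coded IP ranges. The resource group and NSG names are assumed.

```powershell
# Added example: restrict inbound HTTPS on an NSG to the Business Central service tag.
# Assumed names: resource group 'rg-integration', NSG 'nsg-integration-api'.
Connect-AzAccount | Out-Null

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-integration' -Name 'nsg-integration-api'

# Allow inbound 443 only when the source address belongs to the service tag.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-BC-Online-Https' `
    -Description 'Allow HTTPS from Business Central online (Dynamics365BusinessCentral tag)' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix 'Dynamics365BusinessCentral' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 443 | Out-Null

# Explicitly deny any other inbound 443 traffic from the Internet at a lower
# priority (higher number), so the allow rule above is the only way in on that port.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-Other-Https' `
    -Description 'Deny HTTPS from all other Internet sources' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 210 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 443 | Out-Null

# Persist the rule changes on the NSG.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: show the rules that reference the service tag, as a quick audit step.
(Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-integration' -Name 'nsg-integration-api').SecurityRules |
    Where-Object { $_.SourceAddressPrefix -contains 'Dynamics365BusinessCentral' } |
    Select-Object Name, Priority, Access, Direction, DestinationPortRange
```

The same tag works as a destination prefix in an outbound rule when you want a VNet to reach only Business Central online over HTTPS.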
Did you know that you can restrict login to Business Central online to only certain IP addresses?
Another angle on securing Business Central is to leverage the Entra ID (Azure AD) features such as Conditional Access that most Business Central customers have available to them but may not be using. One example is creating a Conditional Access policy so that plant / warehouse hourly workers' logins only work from the IP address of the physical location where they do their work. This blocks any fraudulent login attempts from any other location or country and falls under the category of Attack Surface Reduction. If 40% of the O365/Business Central accounts for a company are factory / warehouse staff, they've reduced the number of accounts that can be compromised significantly.
Thanks to David Wheat for sharing this example. He allowed me to use it in the newsletter.
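To make David's example concrete, here is an added Microsoft Graph PowerShell script (not from the article or from David) that registers the plant's public IP range as a named location and creates a Conditional Access policy blocking a warehouse-staff group from signing in to Business Central from anywhere else. The group id, the CIDR range and the Business Central application id are placeholders you must replace with your tenant's values.

```powershell
# Added example: Conditional Access policy limiting warehouse staff to the plant network.
# Placeholders (assumptions, not real values): group object id, egress CIDR, BC app id.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null

$warehouseGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder group object id
$warehouseCidr    = '203.0.113.0/29'                          # placeholder (TEST-NET-3 range)
$bcAppId          = '<business-central-app-id>'               # placeholder: copy from Entra ID > Enterprise applications

# 1. Register the plant's egress range as an IP named location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Plant 1 warehouse egress'
    isTrusted     = $false
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $warehouseCidr }
    )
}

# 2. Block the group for Business Central from every location except that one.
#    Created in report-only mode first, so the sign-in logs show what *would* be
#    blocked before anyone is locked out; switch state to 'enabled' after review.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'BC: warehouse staff only from plant network'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($warehouseGroupId) }
        applications   = @{ includeApplications = @($bcAppId) }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Created policy $($policy.Id) in state $($policy.State)"
```

Keep at least one break-glass admin account excluded from policies like this so a mistyped CIDR cannot lock administrators out of the tenant.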
Did you know that you can see failed login attempts to Business Central in telemetry?
Authorization (after successful authentication to Microsoft Entra) to Business Central is a two-step process:
Each of these events is logged to telemetry, both when it succeeds and when it fails. Our documentation states that the telemetry user id is also logged (I did not check the server source code, so you might need to test this), which allows you to monitor suspicious login attempts by user (is John from the sales department repeatedly trying to access companies that he does not have access to?).
With the Power BI app on telemetry data, you even get a nice (?) report that shows you the overview of failed login attempts.
For more information, see https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/telemetry-authorization-trace
Did you know that you have (kind of) row level audit on all tables?
Business Central has four system fields on all tables:
Though this is not a change log, it does provide you with a quick overview of who created a record and who did the latest change.
For more information, see https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-table-system-fields
Things that you might not know about the Change log
The change log feature in Business Central allows you to track field-level data changes, along with who made them and when.
Instead of using the list page view on the change log, consider taking the page into analysis mode. This allows you to create analysis tabs showing "Who changed what data, and when," or "Data changes by table/field".
For more information, see https://learn.microsoft.com/en-gb/dynamics365/business-central/across-log-changes#analyze-data-in-the-change-log
Oh, and you also get telemetry on who made changes to the change log configuration:
For more information, see https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/telemetry-changelog-configuration-trace
Do you monitor changes to sensitive fields?
Sensitive field monitoring is the change log on steroids. Turn it on for your most sensitive fields, such as bank account information. Then you can set it up to send you an email each time that field changes.
But sensitive field monitoring also emits each change event to telemetry. And now you can use Power BI to get an overview across all change events:
For more information, see https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/telemetry-field-monitoring-trace
“Change log” of system changes
Speaking of telemetry, did you know that the Power BI app gives you a “Change log” of system changes report:
Each type of change event also has its own report, such as permission set changes:
New security features in 2024 release wave 2
We have added three large security features in 2024 release wave 2 that you need to know about:
Customer-managed encryption key allows you to provide your own encryption key from your own Azure Key Vault to encrypt the Business Central environment database. This way, Microsoft will not be able to read your data. You can then use the Lockbox feature to temporarily give a Microsoft engineer access to the data if they need to work on a support case.
For more information, see https://www.youtube.com/watch?v=DnZJ2iOgIjI&list=PL1FESh9FqyhRj4fjUlWvghJ3rPFyz2Foz&index=39
With the Environment-level access control per partner feature, you can control environment access and administration by Microsoft partner. This is useful if you have different Microsoft partners handling environments in different regions or for different types of operations.
For more information, see https://www.youtube.com/watch?v=TBBlYpwbAFk&list=PL1FESh9FqyhRj4fjUlWvghJ3rPFyz2Foz&index=28
Microsoft Purview integration allows administrators to monitor and audit privileged operations executed on Business Central environments along with events executed in other Microsoft products.
For more information, see https://www.youtube.com/watch?v=lk1YJKOmHyI&list=PL1FESh9FqyhRj4fjUlWvghJ3rPFyz2Foz&index=38
Sign up to the newsletter (and/or spread the word)
Thanks for reading along. In the next posts I will dive more into concrete areas of security that I hope you as Business Central / ERP developers will find useful in your daily work. Maybe it is time to look into how you can use the principles from the Secure Future Initiative (SFI) programme to harden your (ERP) installations and development practices. I also want to tell you about how I recently almost got spear-phished, and something on security awareness. But that is for another time.
Do comment on things that resonated with you when reading the article.
Stay tuned and secure until next post…
Previous posts in this series:
Kennie on security - Part 1 (my background)
Kennie on security - Part 2 (Secure Future Initiative)
Kennie on security - Part 3 (Secure Future Initiative for ERP customers)
PS.
If you liked the newsletter and think that others might benefit from it as well, please send them the signup link here:
Dynamics 365 BC | M365 | Azure | PhD, MBA
4 weeks
Another great post, Kennie. Do you know where I need to tell clients to look in their Azure portal to see user login activity from partner-side consultants using GDAP to get in? It's something I've been asked in the past!
Founder and owner of NaviLogic ApS
4 weeks
Great post, good job Kennie!