Back in the 1990s, the rapidly growing Internet was hit by a succession of malware attacks such as Code Red, SQL Slammer, Blaster, Nimda, MyDoom and Sasser. Responding reactively to this endless cycle of security attacks wasn’t effective.
In 2001, vulnerabilities revealed after the launch of Windows XP prompted Microsoft to devote all 8,500 Windows developers to a security overhaul that included threat modelling, code reviews and penetration testing. This extraordinary endeavour evolved into the Security Development Lifecycle (SDL) ↗, a framework for building security into code throughout the cycle of product development.
More than a decade of constant evolution and improvement to the SDL framework ensures Microsoft’s software and services are at the forefront of security and privacy. Today, governments, and major corporations such as Adobe and Cisco, have also adopted the Microsoft SDL’s tools and processes.
Microsoft Dynamics 365 security
Dynamics 365 is designed on the principles of the SDL, embedding security requirements into every phase of development. The Dynamics 365 team also follows the rigorous standards set by Microsoft Operational Security Assurance ↗ to help protect customer data.
Dynamics 365 is hosted in Microsoft datacentres. Connections established between customers and the datacentres are encrypted, and all public endpoints are secured using industry-standard Transport Layer Security (TLS). TLS effectively establishes a security-enhanced browser-to-server connection to help ensure data confidentiality and integrity between desktops and datacentres.
Unauthorised traffic is blocked to and within datacentres. The infrastructure is constantly maintained, enhanced, and verified, and regular penetration testing employed to continually validate the performance of security controls and processes.
To ensure that activities within the service are legitimate, and to detect breaches or attempted breaches, Dynamics 365 takes advantage of the cloud service infrastructure and security mechanisms. The Dynamics 365 environment deploys antimalware software that helps protect infrastructure against online threats. Microsoft also provides intrusion detection, distributed denial-of-service (DDoS) attack prevention, and regular penetration testing to help validate security controls.
Role-based security is aligned with the structure of the business. Users are assigned to security roles based on their responsibilities in the organisation and their participation in business processes, and access is granted to these security roles rather than to individual users. Additionally, the administrator grants access based on the duties the users perform in their roles, not to the program elements used by the users to fulfil their roles.
Authorisation is used to grant access to elements of the program. Data security, however, is used to deny access to tables, fields, and rows in the database.
The extensible data security framework can be used to control access to transactional data by assigning data security policies to security roles. Data security policies can restrict access to data, based on either the effective date or user data, such as the sales territory or organisation.
Record-level security – a mechanism for securing data in Dynamics AX 2012 and earlier versions – is now obsolete. Extensible data security is the recommended mechanism for securing or filtering data in the program.
Additionally, the Table Permissions Framework helps protect some data. Data security for specific tables is enforced by Application Object Server (AOS).