When implementing a business system within an enterprise organisation, there are typically several hoops that you have to jump through to assure stakeholders that the system meets all relevant Information Security (InfoSec) requirements. While this process can often be tortuous (I have many battle scars to prove this!), it is a necessary and worthwhile exercise to complete. Ensuring that any new system is developed using best-practice approaches and has been configured prudently from a security standpoint will, ultimately, reduce business risk in the long term. The critical battle around this is ensuring that security does not become an impediment to implementing a new, better business system; instead, you should ensure that all security concerns are addressed up-front as part of any architecture or design.
While all of this sounds good for a bespoke developed system, challenges can emerge when implementing a public cloud system, such as Dynamics 365 Sales, Service etc. or its on-premises equivalent, Dynamics 365 Customer Engagement. When deploying these systems, we have very little control over, or capability to put in place, the required security controls, and little ability to meet requirements such as performing an in-depth penetration test. Without the ability to meet these requirements or provide any relevant evidence, projects of this nature may fail to get through “the front door” initially and obtain formal sign-off as part of any change management procedure.
Microsoft, as a vendor, has typically been very proactive in ensuring that the platforms and business systems they offer via the public cloud can address some of the challenges raised so far. Perhaps less well-known is just where these resources can be found and precisely what resources are available to help validate that a system like Dynamics 365 is secure and compliant with various standards. As I discovered recently, the Service Trust Portal is the place to go for all of this, providing a cornucopia of documentation, certificates and reports to make any InfoSec professional squeal with joy. As part of this week’s blog post, I wanted to dive in and highlight some of the documents and resources available on this site that may prove useful if you are trying to get a Dynamics 365 project off the ground.
I Take No Credit for Finding This
A few weeks ago, Rob Nightingale, a superstar Dynamics 365 community ninja, asked me whether I knew of any resources relating to penetration testing for Dynamics 365 Online. In typical CRM Chap fashion, I was utterly unable to advise. Rob pushed on and was able to find the Service Trust Portal and a lot of the links highlighted below. So all due credit goes to him for finding these resources – thanks, Rob!
Diving Deeper into the Service Trust Portal…Or Not
My original intention with this post was to dive deep into some of the available documents on the portal, extracting some useful bite-size chunks to bat away any general InfoSec questions you may face around Dynamics 365. Unfortunately, though, access to any of the documents listed on this website is subject to accepting a Non-Disclosure Agreement (NDA). Anyone can browse the list of available materials on the site without agreeing to this, however. Therefore, to avoid any potential NDA entanglements, this post will provide a summarised list of the most pertinent documents that Dynamics 365 Customer Engagement professionals may be interested in grabbing a copy of. All information and associated links are correct at the time of writing this post:
- D365 Security and Compliance Guide – This general guide provides an overview of how Dynamics 365 meets various security and compliance standards. This guide is perhaps your best first destination, before diving deeper into anything else.
- Dynamics 365 ISO 27001 Certificate – Validates that the product is compliant with the ISO 27001 Information Security Management standard.
- Dynamics 365 ISO 27018 Certificate – This certificate confirms that the product is compliant with the ISO 27018:2014 code of practice for the protection of personally identifiable information (PII) within a public cloud product.
- Dynamics 365 for Customer Engagement PCI DSS AoC – This Attestation of Compliance (AoC) document confirms that the product meets all the requirements of the Payment Card Industry Data Security Standard (PCI DSS), version 3.2.1.
- Dynamics 365 for Customer Engagement – Penetration Testing and Security Assessment 2019 – This document contains the results of Microsoft’s 2019 external penetration and security testing assessment for Dynamics 365 for Customer Engagement.
- Microsoft Azure and Dynamics ISO 22301 Certificate – Demonstrates that the product is compliant with the ISO 22301:2012 standard for business continuity management.
Dynamics and, specifically, Microsoft Azure also comply with various governmental security standards. Below is a sample list; I would urge you to check the website in closer detail if you are looking for something more catered to your locality or requirements:
- Cyber Essentials + Certificate – This validates that Microsoft Azure has implemented the cybersecurity controls required by the UK government’s Cyber Essentials + scheme. You can find out more about this scheme in my blog post on the subject.
- Microsoft Dynamics 365 CRM – ENS Certificate – This certificate confirms that the product adequately meets the measures and controls defined within the Spanish National Security Framework (Esquema Nacional de Seguridad).
- Dynamics 365 (CRM Online) – IRAP Report on Compliance – This document confirms that the product is compliant with Australia’s Information Security Registered Assessors Program (IRAP).
Plain English Translation: What does this all mean?
With a lot of acronyms, numbers and complex terminology thrown about in this post, it can be difficult to translate all of this into something more understandable. At the risk of failing miserably, I will now try to provide some brief bullet points that summarise the security and compliance benefits of Dynamics 365 Online and Dynamics 365 Customer Engagement:
- Adequate controls and procedures are put in place to ensure the system appropriately protects PII types and sensitive cardholder details, with a range of features available in support of this objective, such as field security profiles.
- The system provides adequate safeguards and security, backed up by documented procedures that are subject to annual audits.
- Because the system is penetration tested annually, organisations can satisfy any InfoSec-related concerns, as there is visible proof that the system is routinely tested and any underlying vulnerabilities addressed accordingly.
- The platform for Dynamics 365 Online (i.e. Azure) has the appropriate controls and procedures in place to ensure business continuity in the event of a disaster recovery scenario or similar.
- Regardless of the region or country where your Dynamics 365 Online system resides, there is a high probability that Microsoft has adopted or implemented accreditations in line with any legislation or cybersecurity schemes within your locality. These steps, therefore, provide the necessary assurance that the system can be utilised the world over.
- All of the previous points can be validated and continually evaluated via an openly accessible platform, namely, the Service Trust Portal.