Friday, December 4, 2020
In my previous blog post, we introduced the information security management system (ISMS) for self-provisioning for Dynamics NAV/Dynamics 365 Business Central on Azure. We explored and explained 1ClickFactory’s path and approach to ensuring the security of the service and the safeguarding of customer data to our Dynamics Partners. Nevertheless, it is important to understand that the nature of cloud services means that the responsibility for information security is shared between all of the parties providing the service, as well as the end customer.
The parties & responsibilities involved in the self-provisioning for Dynamics NAV/Dynamics 365 Business Central on Azure Service
Every now and then 1ClickFactory receives a security questionnaire from a Dynamics partner when their customer is undergoing an information security audit. From the get-go, this gives us a count of three parties involved so far: 1ClickFactory, a Dynamics Partner and the end customer. But let’s not forget the biggest link in the chain – Microsoft! Without Microsoft Azure, our service wouldn’t exist at all. So, there are actually four parties involved in the service in total:
- Microsoft
- 1ClickFactory
- Dynamics Partner
- End customer
Each one of these four parties has a part to play and is responsible for some aspects of information security. We will group all of the security controls into eight bigger groups (as detailed in the diagram below):
As you can see in the above diagram, some of the responsibilities belong to a single party and some of them are shared across multiple parties.
There are three responsibilities with very clear control ownership. As the data center provider, Microsoft is responsible for ensuring the physical security and the security of the host infrastructure on which the virtual machines run. The end customer is responsible for the security of their devices (laptops, workstations and mobile devices), through which they’re accessing the Dynamics NAV/Dynamics 365 Business Central application.
The remaining five areas of responsibility are shared between the four parties. For every area of responsibility that needs to be covered, several organizational and/or technical controls must be implemented. How those controls are shared between different parties is dependent upon each particular cloud service.
In 1ClickFactory’s self-provisioning service for Dynamics NAV/Dynamics 365 Business Central, for example, operating system and network controls are shared between Microsoft, 1ClickFactory and the Dynamics Partner. For the network controls, Microsoft provides the technical infrastructure to run the network services and also protects it physically. 1ClickFactory ensures that the network is configured securely. The Dynamics Partner also has the opportunity to manage some network controls through the self-provisioning portal, and this privilege brings some of the responsibilities with it as well.
Security responsibilities of Dynamics Partners and how these are shared
Most of the operating system responsibilities fall on Microsoft, which has to provide the proper operating system image and also constantly provide the necessary updates and patches. 1ClickFactory has to implement and configure the operating system and manage the patches and updates in a timely manner. Dynamics Partner responsibilities for the operating system arise from their administrative privileges on the server: having been granted full permissions, Dynamics Partners can change any configuration they wish. As a result, all operating system configuration changes should be managed and controlled by the Dynamics Partner with the right precautions, since these changes could impact the security of the server.
As previously mentioned, Dynamics Partners can configure some network controls, in particular the management of internet-facing ports/services and IP whitelisting (for different ports/services). Given this, the responsibility for a port/service being open to the internet falls on the Dynamics Partner; 1ClickFactory and Microsoft are responsible for the rest of the network controls.
Application level controls
1ClickFactory provides the server with the implemented Dynamics NAV/Dynamics 365 Business Central application, monitors the resources and also provides the necessary measures to ensure secure communication between the application server and clients. The Dynamics Partners manage the application server, so they have most of the control over the Dynamics NAV/Dynamics 365 Business Central application as well. Dynamics Partners must ensure that:
- Any activities performed on the server (e.g. development tasks, configuration changes etc.) do not impact the Dynamics NAV/Dynamics Business Central service.
- Changes made on the Dynamics Business Central/Dynamics NAV application during the development are properly managed and implemented.
Identity & access management
There are two ways of authenticating to the Dynamics NAV/Dynamics Business Central application – (1) classic, which is provided by 1ClickFactory, or (2) Office 365 authentication, when the customer is using his/her own Office 365 service. For the latter, all the identity and access management responsibilities fall on the customer and the Dynamics Partner. With the first authentication option, 1ClickFactory provides the identity management platform where all the user accounts are stored. For this platform, 1ClickFactory takes care of the service availability and security monitoring. 1ClickFactory also sets the default password policy for the Dynamics NAV/Dynamics Business Central application, which can be adjusted by the Dynamics Partner if a customer has any specific requirements. The Dynamics Partner has to control their own user accounts and permissions as well as those of all of their customer accounts.
In the common cloud service scenarios, the responsibility for data protection usually falls on the end customer. 1ClickFactory’s Self-Provisioning service is a bit different. 1ClickFactory manages the data backup process. The Dynamics Partner has access to the data backups on the portal which is also included in the backup process. Finally, the end customer has the most impact over the protection of their own data so they take on a lot of this responsibility. The end customer is responsible for managing controls like data classification and retention, data leak prevention and data masking.
This is just an overview of the responsibilities across those eight groups of controls to provide an overall general understanding. A more detailed list of Dynamics Partner responsibilities and recommendations regarding the necessary controls will be produced and uploaded to the portal.
Streamlining the information security process in 1ClickFactory’s self-provisioning for Dynamics NAV / Dynamics 365 Business Central service
All of this might seem a bit tricky when there are four parties involved and all of them are connected in a different way. As a result, it is really important to communicate to each party clearly to ensure that every party understands their role and takes full responsibility as required. It is not a question of any of these parties wanting to shirk their responsibilities and pass them on to someone else, but rather it is the only practical way to fully cover the information security risks in cloud services.
From our experience, Dynamics Partners don’t always realize that they also have some responsibilities when it comes to security or perhaps don’t understand where their responsibilities begin and end. There are examples in the real world where parties involved in similar service arrangements begin to clarify everyone’s roles and responsibilities only after an incident has occurred. It is really the worst-case scenario and we definitely want to avoid such situations. That’s why 1ClickFactory takes all the necessary steps to eliminate any possible misunderstandings in advance and strives to provide a clear, upfront picture of information security in the self-provisioning for Dynamics NAV/Dynamics 365 Business Central on Azure service.
So the next time you get a security questionnaire from your customer and send it to 1ClickFactory to fill in, don’t forget that we will answer how we are securing our infrastructure on the service being provided, but it is important that you, as the Dynamics Partner, answer the questions which fall under your responsibility as well.
About 1ClickFactory Self-Provisioning for NAV/Business Central on Azure Service
With 1ClickFactory Self-Provisioning for Dynamics NAV/Business Central on Azure service, Microsoft Dynamics Partners can easily deploy Dynamics NAV/Business Central solutions on Microsoft Azure through our platform in 1 hour or less. It’s self-service and available 24/7 on a highly secure and readily supported environment.