Do you know the most common Dynamics 365 security problems?

In the last few years, the security model in Microsoft Dynamics 365 Finance and Supply Chain Management has improved a lot. But, as Bartosz Szpiech explains, many issues still remain.

Written by XPLUS
Published on January 16, 2026


It is rare to find an organization that doesn’t have any serious Dynamics 365 security problems. In the years I’ve been working with the platform, I’ve only encountered a handful of companies whose CRM and ERP were solidly configured and hard to exploit.

At most businesses, I can often quickly find major loopholes and errors in the way they’ve set Dynamics 365 up. This means it becomes easy to find vulnerabilities that lead to internal fraud. It also increases their risk of penalties for noncompliance with various regulations. 

So, why is Dynamics 365 security often so weak? And what are the most common security problems?

It comes back to the ‘shared responsibility model’

When Microsoft began moving its apps to the cloud, it introduced the ‘shared responsibility model’. Essentially, Microsoft secures the physical infrastructure, the hosts and the service itself, while configuring identities, access rights and data protection inside your own tenant remains your job.

They explain it like this:

“As Microsoft’s customer, you must identify which controls apply to your business and understand how to implement and configure them to manage security and compliance with the legal and regulatory requirements of your nation, region, and industry”.

In principle, the shared responsibility model makes a lot of sense. You know best how you want to configure Dynamics 365, how your processes work, and what tasks your staff need to do on the platform.

But the problem is that Dynamics 365 security role design and permissions are incredibly complex. In my experience:

  • Most businesses don’t fully understand how permissions and security roles in Dynamics 365 work
  • Configuring Dynamics 365 to be secure is very complex and time-consuming – and therefore expensive
  • There are few IT consultancies around the world that really understand security in Dynamics 365

Because of these issues, I’d argue that the majority of Dynamics 365 implementations have at least some kind of security problem – but most companies aren’t aware of this. 

And, even when companies are aware of the problem, designing access rights correctly still requires a significant amount of business user time. 

The most common Dynamics 365 security problems

On a recent project, one of our customers told us they believed that some serious fraud was happening in their delivery network. Shipments of their products were simply disappearing into thin air, yet they couldn’t find definitive evidence of how, where, when or who was behind it.

When we looked into it, we discovered a major problem in their permissions settings. Any employee in their warehouses could create a negative value for deliveries in Dynamics 365 during arrival registration. Essentially, they could record that products hadn’t been delivered (even though they had). Those employees could then spirit the goods away and sell them on.

The good news is that we were able to fix this issue by reconfiguring their access roles. Only named employees were given the ‘right’ to create negative values on deliveries. This meant that it would be impossible for other staff to make this change. If any orders disappeared in future, the company would know who was responsible.

For me, this is a classic example of the kinds of Dynamics 365 security problems companies experience every day. Other common kinds of fraud include:

  • Modification of vendor bank account numbers to non-corporate, fraudulent ones
  • Inventory counts posted without the counted quantities ever being verified
  • Inventory journals used to move stock into quarantine locations
  • Fake ‘destroy product’ transactions

Here are the main reasons these kinds of fraud happen.

Over-permissioned users

As my example above shows, many businesses that use Dynamics 365 have a real problem with over-permissioned users.

Dynamics 365 is an incredibly powerful ERP, and its flexibility is a big part of its strength. But in my opinion, companies give too many staff far too much access to this power. Incorrectly configured roles and duties within the platform can give individual users access to hundreds of entry points (menu items and forms) and applications, including many they never need to use.

For instance, a regular warehouse worker does not need to edit orders or record negative values on deliveries, yet many businesses give them this ability. Similarly, a junior finance team member doesn’t need to be able to create new (and fictional) vendors and pay them. But again, companies often allow this. There are endless similar examples.

Part of the problem is that businesses want to give their employees access to a tool which should make them more productive. But it’s a fine balance – giving people more access and control than they need opens the door to fraud.

Further compounding this problem is the fact that when people change jobs, cover for a colleague or finish a project, nobody removes the permissions they no longer need. The result is an ever-growing snowball of misallocated permissions.
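The following is an added example for this article, not code from XPLUS or from the original post. It models the Dynamics 365 F&SCM security hierarchy (a role is a set of duties, a duty is a set of privileges) with constructed role, duty, privilege and user names, none of which are real D365 identifiers, and then reviews each user for two things the text describes: segregation-of-duties conflicts (for example, creating a vendor and paying it) and sensitive privileges, such as registering a negative arrival quantity, held by anyone outside a named allow-list.

```python
"""Entitlement review over a Dynamics 365 F&SCM-style security model.

Added example, not code from the original article or from XPLUS. The
role -> duty -> privilege hierarchy mirrors how F&SCM structures security,
but every role, duty, privilege and user name below is constructed for
illustration and is not a real D365 identifier.
"""
from typing import Dict, List, Set, Tuple

# Constructed role model: a role bundles duties, a duty bundles privileges.
ROLE_DUTIES: Dict[str, List[str]] = {
    "Warehouse worker": ["Register arrivals", "Pick and pack"],
    "Warehouse manager": ["Register arrivals", "Adjust arrival quantity"],
    "Inventory controller": ["Maintain inventory journals"],
    "Accounts payable clerk": ["Maintain vendors"],
    "Payments processor": ["Process vendor payments"],
    "System administrator": ["Everything"],
}
DUTY_PRIVILEGES: Dict[str, List[str]] = {
    "Register arrivals": ["ArrivalRegister"],
    "Adjust arrival quantity": ["ArrivalRegisterNegative"],
    "Pick and pack": ["PickingListPost"],
    "Maintain inventory journals": ["InventJournalPost"],
    "Maintain vendors": ["VendCreate", "VendBankAccountMaintain"],
    "Process vendor payments": ["VendPaymentPost"],
    "Everything": ["*"],  # sysadmin wildcard: expands to every known privilege
}
# Constructed user assignments, including the typical accumulated leftovers.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["Warehouse worker", "Warehouse manager"],  # cover role from last year, never removed
    "bob": ["Warehouse manager"],
    "carol": ["Accounts payable clerk", "Payments processor"],  # "just give finance everything"
    "dave": ["Warehouse manager", "Inventory controller"],
    "erin": ["System administrator"],
}

# Segregation-of-duties rules: no single user should hold both privileges.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("VendCreate", "VendPaymentPost", "create a vendor and pay it"),
    ("VendBankAccountMaintain", "VendPaymentPost", "change vendor bank details and pay"),
    ("ArrivalRegisterNegative", "InventJournalPost", "hide a delivery and adjust stock"),
]
# Sensitive privileges restricted to a named allow-list of users (the fix from the case above).
RESTRICTED: Dict[str, Set[str]] = {
    "ArrivalRegisterNegative": {"bob", "dave"},
}


def effective_privileges(user: str) -> Set[str]:
    """Flatten user -> roles -> duties -> privileges; '*' expands to every known privilege."""
    all_privs = {p for privs in DUTY_PRIVILEGES.values() for p in privs if p != "*"}
    privs: Set[str] = set()
    for role in USER_ROLES.get(user, []):
        for duty in ROLE_DUTIES.get(role, []):
            for priv in DUTY_PRIVILEGES.get(duty, []):
                privs |= all_privs if priv == "*" else {priv}
    return privs


def sod_violations(user: str) -> List[str]:
    """Descriptions of every SoD rule the user's effective privileges break."""
    privs = effective_privileges(user)
    return [why for a, b, why in SOD_RULES if a in privs and b in privs]


def restricted_violations(user: str) -> List[str]:
    """Restricted privileges the user holds without being on the allow-list."""
    privs = effective_privileges(user)
    return [p for p, allowed in RESTRICTED.items() if p in privs and user not in allowed]


def review_all() -> Dict[str, Dict[str, List[str]]]:
    """Findings per user; users with nothing to report are omitted."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for user in USER_ROLES:
        findings = {"sod": sod_violations(user), "restricted": restricted_violations(user)}
        if findings["sod"] or findings["restricted"]:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, findings)
```

Run as-is, the review flags alice (a negative-arrival privilege left over from a role nobody removed), carol (creates vendors, changes their bank details and pays them), dave (can hide a delivery and adjust stock to match) and erin (the administrator, who holds everything). Bob is clean. The point of computing effective privileges rather than looking at role names is that the problem is usually invisible at the role level: each of alice's roles looks reasonable on its own.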

Under-monitoring of system usage

I am often surprised by how little organizations monitor operational interactions in the platform. Dynamics 365 audit logs are fairly basic, but they do allow you to see patterns and identify suspicious behaviour.

Yet many IT departments don’t monitor this information at all. It’s also rare for them to set up alerts for activity or usage patterns that seem risky. If no one’s checking this usage data inside your environment, it’s very difficult to identify fraud.
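To show what ‘alerts for risky usage patterns’ can look like in practice, here is an added example (not code from XPLUS or from the original article) that runs three rules over an export of audit events. The records are constructed, and the flat field layout (ts, user, table, action, field, old, new, ref) is an assumed export format rather than the real Dynamics 365 audit schema. The rules correspond to the fraud cases above: a negative arrival quantity registered by someone outside the named allow-list, a vendor bank account change followed by a payment to that vendor within a short window, and an allowed user registering negative arrivals unusually often in one day.

```python
"""Rule-based detection over an export of Dynamics 365 audit events.

Added example for this article; not code from XPLUS or from the original
post. The records are constructed, and the field names (ts, user, table,
action, field, old, new, ref) are an assumed flat export format, not the
real Dynamics 365 audit schema.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export, in chronological order.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-11-03T08:02:00", "user": "alice", "table": "ArrivalJournal", "action": "register", "field": "Qty", "old": "", "new": "-12", "ref": "PO-1041"},
    {"ts": "2025-11-03T08:10:00", "user": "bob", "table": "ArrivalJournal", "action": "register", "field": "Qty", "old": "", "new": "-2", "ref": "PO-1042"},
    {"ts": "2025-11-03T09:15:00", "user": "carol", "table": "VendBankAccount", "action": "update", "field": "AccountNum", "old": "GB29NWBK60161331926819", "new": "GB94BARC10201530093459", "ref": "V-0077"},
    {"ts": "2025-11-03T09:40:00", "user": "carol", "table": "VendPayment", "action": "post", "field": "Amount", "old": "", "new": "48500.00", "ref": "V-0077"},
    {"ts": "2025-11-03T11:00:00", "user": "bob", "table": "ArrivalJournal", "action": "register", "field": "Qty", "old": "", "new": "-1", "ref": "PO-1043"},
    {"ts": "2025-11-03T14:30:00", "user": "bob", "table": "ArrivalJournal", "action": "register", "field": "Qty", "old": "", "new": "-5", "ref": "PO-1044"},
    {"ts": "2025-11-03T16:00:00", "user": "dave", "table": "VendBankAccount", "action": "update", "field": "AccountNum", "old": "DE89370400440532013000", "new": "DE75512108001245126199", "ref": "V-0102"},
    {"ts": "2025-11-05T09:00:00", "user": "erin", "table": "VendPayment", "action": "post", "field": "Amount", "old": "", "new": "9100.00", "ref": "V-0102"},
]

# The 'named employees' allowed to register negative arrival quantities (constructed).
ALLOWED_NEGATIVE_ARRIVAL = {"bob"}
# A payment this soon after the payee's bank account changed deserves a second look,
# whoever posts it; the same user doing both is the strongest signal.
BANK_CHANGE_TO_PAYMENT_WINDOW = timedelta(hours=24)
# More negative arrivals per user per day than this is unusual for the constructed site.
MAX_NEGATIVE_ARRIVALS_PER_DAY = 2


def _ts(e: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _is_negative_arrival(e: Dict[str, str]) -> bool:
    return e["table"] == "ArrivalJournal" and e["field"] == "Qty" and e["new"].startswith("-")


def rule_unauthorized_negative_arrival(events: List[Dict[str, str]]) -> List[str]:
    """Anyone outside the allow-list registering a negative quantity (the case from the article)."""
    return [f"{e['ts']} {e['user']} registered qty {e['new']} on {e['ref']} without being on the allow-list"
            for e in events if _is_negative_arrival(e) and e["user"] not in ALLOWED_NEGATIVE_ARRIVAL]


def rule_bank_change_then_payment(events: List[Dict[str, str]]) -> List[str]:
    """Vendor bank account changed, then a payment posted to that vendor inside the window."""
    alerts: List[str] = []
    changes = [e for e in events if e["table"] == "VendBankAccount" and e["action"] == "update"]
    payments = [e for e in events if e["table"] == "VendPayment" and e["action"] == "post"]
    for c in changes:
        for p in payments:
            gap = _ts(p) - _ts(c)
            if p["ref"] == c["ref"] and timedelta(0) <= gap <= BANK_CHANGE_TO_PAYMENT_WINDOW:
                who = "same user" if p["user"] == c["user"] else f"paid by {p['user']}"
                alerts.append(f"{c['user']} changed bank account of {c['ref']} at {c['ts']}; "
                              f"payment of {p['new']} posted {gap} later ({who})")
    return alerts


def rule_negative_arrival_volume(events: List[Dict[str, str]]) -> List[str]:
    """Even an allowed user doing it unusually often in one day should be reviewed."""
    per_day = Counter((e["user"], e["ts"][:10]) for e in events if _is_negative_arrival(e))
    return [f"{user} registered {n} negative arrivals on {day}"
            for (user, day), n in per_day.items() if n > MAX_NEGATIVE_ARRIVALS_PER_DAY]


def run_rules(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """All rules over one export, keyed by rule name."""
    return {
        "unauthorized_negative_arrival": rule_unauthorized_negative_arrival(events),
        "bank_change_then_payment": rule_bank_change_then_payment(events),
        "negative_arrival_volume": rule_negative_arrival_volume(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_rules(EVENTS).items():
        for alert in alerts:
            print(f"[{rule}] {alert}")
```

On the constructed data this raises three alerts: alice's negative quantity (she is not on the allow-list), carol changing vendor V-0077's bank account and paying it 25 minutes later, and bob, who is allowed to register negative arrivals, doing so three times in one day. Dave's bank account change is not flagged because the payment to that vendor came 41 hours later, outside the 24-hour window; tune the window and the daily threshold to your own volumes, and treat the window rule as a review queue rather than proof of fraud.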

Over-simplification

Far too often, organizations take an oversimplified approach to Dynamics 365 data security. Assigning roles and permissions correctly takes a lot of time and effort (all too often, implementation partners leave this to their customers). 

As a consequence, businesses tend to simply give employees access to different Dynamics 365 apps based on their job titles. 

If it were as simple as HR only having access to staff records and Sales only having access to the CRM, then this would be fine. But it is usually more complex than that.

Employees in certain roles normally need access to a variety of systems. For example, a warehouse manager might need access to Supply Chain Management and Business Central, but also some elements of D365 Finance and D365 Sales. 

Mapping all this out and making sure the right permissions are given to the right people is complex and time consuming. And so most businesses either give everyone blanket access to entire apps, or restrict access in ways that stop people from doing their jobs as easily.

Security is also a continually evolving project – it’s not just “one and done”. Organizations should ideally have employees dedicated to secure design and testing. But in too many organizations, security is viewed as a cost to minimise.

Under-compliant

Through Dynamics 365 audit logs and other features, Microsoft gives companies the tools they need to comply with most major regulations (like SOX or GDPR).

However, just having access to these tools doesn’t mean companies are using them correctly or effectively. You still need to configure settings, make sure personal data is anonymized, limit employee access to HR records, and so on.

Again, it goes back to that shared responsibility model. Businesses are sometimes complacent because they assume Microsoft makes them automatically compliant – but that’s not really true. Compliance is not only about the ERP; it is a package of behaviours, applications and cross-organizational processes that build transparency and close vulnerabilities.

You need to spend time setting up your Dynamics 365 environment in a way that ensures it meets national and regional regulations. Failing to do so will put you at risk of penalties.

A better way to manage Dynamics 365 security

In my work, I have seen so many companies with serious Dynamics 365 data security and compliance problems. The fact is, the basic, out-of-the-box tools Microsoft provides do work, but they require a lot of time, effort and expertise to set up correctly.

Unfortunately, most organizations don’t know how to configure permissions correctly or monitor system usage patterns. And that leaves them at a high risk of internal fraud and non-compliance.

User Security Governance by XPLUS gives you a better way to manage Dynamics 365 security. It gives you powerful tools to support full auditability. It monitors Dynamics 365 and alerts you to suspicious usage patterns. And it helps you tailor access rights to your changing needs.
