Blog |

The shared responsibility of information security for Companial’s Self-Provisioning Platform hosting on Azure

Friday, December 4, 2020
Reading time: 7 minutes

In our previous blog post, we introduced the information security management system (ISMS) for self-provisioning for Dynamics NAV/Dynamics 365 Business Central on Azure. We explored and explained Companial’s path and approach to ensuring the security of the service and the safeguarding of customer data to our Dynamics Partners. Nevertheless, it is important to understand that the nature of cloud services means that the responsibility of information security is shared between all the parties providing the service, as well as the end customer.

The parties & responsibilities involved in the self-provisioning for Dynamics NAV/Dynamics 365 Business Central on Azure Service

Every now and then Companial receives a security questionnaire from a Dynamics partner when their customer is undergoing an information security audit. From the get-go, this gives us a count of three parties involved so far: Companial, a Dynamics Partner, and the end customer. But let’s not forget the biggest link in the chain – Microsoft! Without Microsoft Azure, our service wouldn’t exist at all. So, there are four parties involved in the service in total:

  1. Microsoft
  2. Companial
  3. Dynamics Partner
  4. End customer

Each one of these four parties has a part to play and is responsible for some aspects of information security. We will group all the security controls into eight bigger groups (as detailed in the diagram below):

As you can see in the above diagram, some of the responsibilities belong to only one or another party, and some of them are shared across multiple parties.
There are three responsibilities with very clear control ownership. As the data center provider, Microsoft is responsible for ensuring the physical security and the security of the host infrastructure on which the virtual machines run. The end-customer is responsible for the security of their devices (laptops, workstations and mobile devices), through which they’re accessing the Dynamics NAV/Dynamics 365 Business Central application.
The remaining five areas of responsibility are shared between the four parties. For every area of responsibility that needs to be covered, several organizational and/or technical controls must be implemented. How those controls are shared between different parties is dependent upon each particular cloud service.

In Companial self-provisioning service for Dynamics NAV/Dynamics 365 Business Central, for example, operating system and network controls are shared between Microsoft, Companial, and the Dynamics Partner. For the network controls, Microsoft provides the technical infrastructure to run the network services and protects it physically. Companial ensures that the network is configured securely. The Dynamics Partner also has the opportunity to manage some network controls through the self-provisioning portal and this privilege imparts some of responsibilities as well.

Security responsibilities of Dynamics Partners and how these are shared

Operating system

Most of the operating system responsibilities fall on Microsoft which must provide the proper operating system image and constantly provide the necessary updates and patches. Companial has to implement and configure the operating system and timely manage the patches and updates. Dynamics Partners’ responsibilities for the operating system arise due to their administrative privileges on the server – granted full permissions, Dynamics Partners have the privilege to change any configuration they wish. As a result, all operating system configuration changes should be managed and controlled by the Dynamics Partner with the right precautions, since these changes could impact the security of the server.

Network controls

As previously mentioned, Dynamics Partners can configure some network controls – managing internet-facing ports/services and IP whitelisting (for different ports/services) in particular. Given this, the responsibility for the port/service being open to the internet falls on the Dynamics Partner, Companial and Microsoft are responsible for the rest of the network controls.

Application-level controls

Companial provides the server with the implemented Dynamics NAV/Dynamics 365 Business Central application, monitors the resources, and provides the necessary measures to ensure secure communication between the application server and clients. The Dynamics Partners manage the application server, so they have most of the control over the Dynamics NAV/ Dynamics 365 Business Central application as well. Dynamics Partners must ensure that:

Identity & access management

There are two ways of authenticating the Dynamics NAV/Dynamics Business Central application – (1) classic, which is provided by Companial, or (2) Office 365 authentication when the customer is using his/her own Office 365 service. For the latter – all the identity and access management responsibilities fall on the customer and the Dynamics Partner. With the first authentication option, Companial provides the identity management platform where all the user accounts are stored. For this platform, Companial takes care of the service availability and security monitoring. Companial also sets the default password policy for the Dynamics NAV/ Dynamics Business Central application which can be adjusted by the Dynamics Partner if a customer has any specific requirements. The Dynamics Partner has to control their own user accounts and permissions as well as those of all of their customer accounts.

Data Protection

In common cloud service scenarios, the responsibility for data protection usually falls on the end customer. Companial Self-Provisioning service is a bit different. Companial manages the data backup process. The Dynamics Partner has access to the data backups on the portal which is also included in the backup process. Finally, the end customer has the most impact on the protection of their own data so they take on a lot of this responsibility. The end customer is responsible for managing controls like data classification and retention, data leak prevention, and data masking.
This is just an overview of the responsibilities across those eight groups of controls to provide an overall general understanding. A more detailed list of Dynamics Partner responsibilities and recommendations regarding the necessary controls will be produced and uploaded to the portal.

Streamlining the information security process in Companial’s self-provisioning for Dynamics NAV / Dynamics 365 Busines Central service

All of this might seem a bit tricky when there are four parties involved and all of them are connected in a different way. As a result, it is important to communicate to each party clearly to ensure that every party understands their role and takes full responsibility as required. It is not a question of any of these parties wanting to shirk their responsibilities and pass them on to someone else, but rather it is the only practical way to fully cover the information security risks in cloud services.

From our experience, Dynamics Partners don’t always realize that they also have some responsibilities when it comes to security or perhaps do not understand where their responsibilities begin and end. There are examples in the real world where parties involved in similar service arrangements begin to clarify everyone’s roles and responsibilities only after an incident has occurred. It is really the worst-case scenario, and we want to avoid such situations. That’s why Companial takes all the necessary steps to eliminate any possible misunderstandings in advance and strives to provide a clear, upfront picture of information security in the self-provisioning for Dynamics NAV/Dynamics 365 Business Central on Azure service.

So next time, when you get a security questionnaire from your customer and send it to Companial to fill in, don’t forget that we will answer how we are securing our infrastructure on the service being provided, but it is important that you, as the Dynamics Partner answer the questions which fall under your responsibility as well.

About Companial Self-Provisioning for NAV/Business Central on Azure Service

With Companial Self-Provisioning for Dynamics NAV/Business Central on Azure service, Microsoft Dynamics Partners can easily deploy Dynamics NAV/Business Central solutions on Microsoft Azure through our platform in 1 hour or less. It’s self-service and available 24/7 on a highly secure and readily supported environment.
Find out more about the Companial Self-Provisioning for NAV/Business Central on Azure service or contact us at service@companial.com about this topic if you are a Microsoft Dynamics Partner.

Marius Cibulskis

En savoir plus sur Business Central