

How to safeguard Microsoft Dynamics CRM security

Microsoft Dynamics CRM security can be onerous if you try to lock things down too much. Here is a rundown of features that can help you make Dynamics CRM 'usably secure.'

What do eBay, the U.S. Voter Database, LinkedIn and Home Depot have in common? Over the past 24 months, all have suffered from significant data breaches of more than 500 million user records. And, sadly, they are not alone.

Thousands of organizations have fallen victim to the ever-increasing threat of data breaches, with billions of lines of personal information being exposed. Understandably, the public is worried and angry.

To be clear, we can safely assume that most of the organizations listed took customer information security seriously. Someone, somewhere would have been paid a significant amount to ensure that the companies' data was securely behind enterprise-level firewalls with a host of other technological security measures in place behind them. So are they to blame for leaks of customer data? Not always.

Data security breaches aren't just from hackers

I say, "Data breach," and you may assume the breach has been perpetrated by hackers. But the reality is often very different.

While nefarious individuals are responsible for many of these data breaches, there are other, more troubling, reasons they can occur.

The loss of 191 million records from the U.S. Voter Database late in 2015 was the result of a simple configuration error in its software. In 2014, Facebook exposed 6 million customer profiles by accident. In 2005, a former AOL employee stole 92 million email addresses and screen names, selling them to spammers who sent out an estimated 7 billion email messages using the data. In the cases of just those three organizations, 289 million records were exposed because of the human element. In modern data security, one of the greatest threats is the role of those tasked with using the data.

Preventing lockdown; promoting Dynamics CRM security

So what's the answer? This is where it gets tricky. With hacking breaches, advances in modern technology can help; however, with the "human threat," it's not so easy.

In response, some organizations have exerted tight control over data and business systems. Multifactor authentication, biosecurity devices and data access policies that allow access to only the most basic of information are all employed with gusto. However, if access to systems and data is so tightly controlled, the business systems you rely upon can become almost unusable.

Accessing customer information can be a slow and arduous process. Entering the details of a potential sale can take so long that employees may not bother. User engagement with systems will drop dramatically as people revert to using their own systems to record the customer information they need to access quickly, which can create various security issues. Senior executives will sleep soundly knowing that customer data is secure in a system no one can use.


So what's the solution? Make your system "usably secure": that is, secure enough to protect your data while maintaining the functionality that prompted you to implement it in the first place. This is not always easy, but striking the balance between data security and access to the productivity-enhancing functionality of your business system is essential. To this end, selecting the correct business system is crucial.

Microsoft Dynamics 365 is one example of a CRM system that has tools that can help to make your data secure, but, at the same time, ensure your staff members have access to the functionality they need. Some of those tools include the following.

Business units. A business unit is a group of users within Dynamics 365. Business units allow you to build your business structure within the system. In many businesses, data belonging to different organizations within the group needs to be kept separate while still allowing collaboration between teams. Business units give you the ability to do this.

Role-based security. Dynamics 365 security enables companies to capture clusters of roles within an organization and set access permissions accordingly. These can be as generic or detailed as you wish, from a single role for all users, to rules for each individual user. This can give you ultimate control over what each user can and cannot do or access.

You may be satisfied, for example, to allow front-line sales reps to access data that relates to leads; however, you may not wish them to have access to the existing customer data. Or you may want staff to access only the data that relates to their customers. Security roles enable you to do this. Each Dynamics 365 user must have a security role of some kind to access the system.

In addition, security roles are cumulative. This means that, if a user fulfills more than one role within your company, you can assign multiple roles to them to give them combined access to all the privileges they need.

Teams. Teams are an effective way of grouping users together. You may have users in an IT department grouped into development and support teams. But what if you have a project that requires collaboration between individuals from different areas of the business who all have access to different data and privileges based on their security roles? That's where teams become really useful.

Teams contain combinations of users from any business unit, making it easy to group employees together. Not only that, but privilege and access levels are shared between members of teams. So Bob in accounts, who is working on a customer finance project with Helen from sales, will have access to the same data Helen does while they are both on a team together.

Record-based security. Record-based security takes information protection and sharing to an even more granular level. Record-based security allows you to share privileges you have individually with users who lack those privileges.

Consider a scenario where you want to grant access to two teams: front-line sales and platinum account management. Dave, in front-line sales, has no access to the records owned by the platinum account management team. But when Dave is instrumental in winning business that relates to a platinum account customer, Sam from the platinum account management team can share an individual customer's record with him. This means that Dave can have access (read or write, as appropriate) to see the outcome of their hard work without having access to all platinum account customers.

This individual record-level security can be invaluable, especially in environments where access to information must be tightly controlled.

Hierarchy security. Hierarchy security is a new feature that came to the fore in Dynamics CRM security in 2015, and it can be crucial in organizations where the hierarchical structure is constantly changing. How so?

Imagine an employee structure within a business. You have directors, area managers, store managers and employees. Directors may oversee different area managers on a changeable basis. This is where hierarchical security comes in.

By configuring Dynamics 365 for hierarchical security, any time a director is assigned an area manager as a subordinate, that director has immediate access to all the information that the area manager and his subordinates do. In addition, if an area manager covers for a colleague in overseeing a store manager who is not in his area, by simply assigning the store manager as his subordinate, the area manager will have access to all the information he needs.

This may sound complex, but it provides a simple, quick and flexible approach to managing access to the right data at the right time.

Field-level security. The final level of security is the ultimate in granular control: field-level security. In short, this does exactly what it says on the box: it allows read or write access to individual fields to be tightly controlled. For example, you may be okay with all employees being able to access the customer account records, but only users in the finance department should be able to see the fields containing the customers' bank details. This is where field-level security comes in.
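How these layers combine into a single access decision can be seen in the following added example, which is a simplified model written for this article and not Dynamics 365 code or its API. The role names, users and record are constructed, and two assumptions are built in: a role grants access only to records the user owns, and a manager must hold the relevant role privilege to reach a subordinate's records.

```python
from dataclasses import dataclass, field
# Simplified model of the layers above, not the Dynamics 365 API; role names,
# users and the record are constructed. Record scope is owner-only (assumption).
ROLES = {"Salesperson": {("lead", "read"), ("lead", "write")},
         "Account Manager": {("account", "read"), ("account", "write")},
         "Finance": {("account", "read")}}
SECURED_FIELDS = {("account", "bank_details"): {"Finance"}}  # field-level

@dataclass
class User:
    name: str
    roles: set
    manager: "User | None" = None

@dataclass
class Record:
    entity: str
    owner: User
    shared: dict = field(default_factory=dict)  # user name -> shared rights

def privileges(user):
    """Security roles are cumulative: union of every assigned role."""
    return set().union(*(ROLES[r] for r in user.roles))

def manages(boss, user):
    """Hierarchy security: is boss anywhere above user in the chain?"""
    while user.manager is not None:
        if user.manager is boss:
            return True
        user = user.manager
    return False

def can_access(user, record, right):
    if right in record.shared.get(user.name, set()):    # record-based sharing
        return True
    if (record.entity, right) not in privileges(user):  # role-based security
        return False
    return record.owner is user or manages(user, record.owner)

def can_read_field(user, record, field_name):
    allowed = SECURED_FIELDS.get((record.entity, field_name))
    if allowed is not None and not (allowed & user.roles):
        return False                                    # secured field
    return can_access(user, record, "read")

dana = User("Dana", {"Account Manager"})                # director (constructed)
sam = User("Sam", {"Account Manager"}, manager=dana)
dave = User("Dave", {"Salesperson"})
platinum = Record("account", owner=sam)
```

Setting `platinum.shared["Dave"] = {"read"}` models Sam sharing the one record: Dave can then read it, but `can_read_field(dave, platinum, "bank_details")` still returns `False` because sharing a record does not lift field-level security.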

There is an array of tools available within Dynamics 365 to ensure that data and the privileges associated with it are kept secure. Not only that, but by applying a blend of the above and working with an experienced CRM security consultant, you can make sure that data is not only secure, but is also available to those who need it, when they need it.
