By Julie Strauss, Partner Pm, Power Platform
As the pace of digital transformation continues to accelerate, the demand for more applications and automation is at the center of that change. Increasingly, more organizations are adopting low-code tooling to enable anyone to build solutions tailored to meet their business needs. However, along with the benefit of building solutions faster, the risk of accidental oversharing or misuse of business-critical information increases. Top of mind for organizations embracing this change is how to best strike the balance between increasing business productivity and exercising governance controls.
We, on the Microsoft Power Platform team, believe that trust is key to driving digital transformation at scale. Trust is not just about securing each individual service, but rather about delivering trust offering integrated security, governance, monitoring, and compliance in a unified approach across the entire platform. By merging these foundational principles of trust, organizations can confidently promote solutions using Microsoft Power Platform to transform the business while ensuring secure and compliant usage everywhere.
With that in mind, we have greatly intensified our investments across three key areas of capabilities related to security, management, and monitoring while harnessing the substantial investments Microsoft has made in the area of trust. We aim to deliver these capabilities with unmatched value as part of our customers’ existing product licenses.
I’d like to use the rest of this post to share more details about our strategy for each of the investment areas while also making some exciting announcements that will further enable you to deploy a trusted low code platform for your organization. Let’s jump in.
Microsoft Power Platform offers multiple layers of security and spans tenant, environment, and data level capabilities, taking advantage of the deep expertise Microsoft has accumulated in the area of Compliance, Identity Management, and Data Access Security to keep data safe. The goal is to lay the foundation with solid tenant and environment strategy, enabling you to define fine-grain access controls across Microsoft Power Platform with data stored in Microsoft Dataverse, as well as the unprecedented degree of controls for access to the more than 400 external data sources available for platform.
As such, security ranges from advanced encryption, tenant-level access controls where everything is identity-based with deep integration with Azure Active Directory.
The common data model offers a rich, built-in security model with concepts such as Role-Based Access Control, which allows for you to easily define access permissions and govern data access in a scalable manner. Using a variety of customizable security roles your permissions can be granted on a database, table, or even specific record level. To allow administrators to streamline the way they work with these powerful security configurations across Microsoft Power Platform, today we are announcing a new, modern user security configuration experience in the Microsoft Power Platform admin center, generally available on July 30. This update provides administrators with a centralized place to perform all user management, driving administrative efficiencies, and allowing them to scale the security management of their application users, security roles, and teams as part of the environment settings.
Not only does Microsoft Dataverse offer very powerful fine-grained security controls as outline above but it also like other Azure services, uses encryption to help organizations safeguard. Built from the ground up on the Microsoft cloud, Microsoft Power Platform uses SQL Server Transparent Data Encryption (TDE) to perform real-time encryption of data at rest, rendering the data unreadable to unauthorized individuals. This is an area where you will see continued investments in the future to extend even more control to you when needed.
When it comes to external data sources, we have invested deeply in extending our Data Loss Prevention (DLP) policies. This is an important aspect of enabling digital transformation as part of a greater app modernization effort, where you may have a substantial amount of data living in legacy systems.
First off, we completely redesigned the user interface last year but have also granted admins the ability to fully block third-party connectors as needed for various environments to allow for further control. Additionally, we are introducing several enhancements, opening up for preview in July, that will represent a level of granularity that is unmatched in the industry.
- Connector action control enables admins to safely enable business use cases using Microsoft Power Platform with the ability to control not only which connectors are allowed for usage in each environment but also which specific actions for particular connectors that can be used by the app makers. For example, an organization may have a policy that says users cannot post tweets to Twitter but reading or extracting tweets is allowed. Typically, that organization would simply block the Twitter connector. Now, however, with connector action controls, you can still choose to completely block the usage of the Twitter connector in one department, but allow for usage of that same connector in another like the marketing department, where tracking product sentiment provides is an important sales signal. You can simply choose to disable the write or post actions, but allow for read actions, safely enabling the connector as well as supporting scalable digital transformation.
Take advantage of unmatched Granular Controls
- We are adding enhanced Data Loss Prevention policies to support a more scalable approach to the governance of custom connectors. Until recently, custom connectors could only be added to environment level Data Loss Prevention policies through PowerShell. However, we are now extending the UI as well as adding support for tenant-level policies for custom connectors. While custom connectors themselves are environment-scoped resources, admin security and governance policies should apply to URL endpoints as a singular risk profile versus every single custom connector created with the same underlying URL across different environments.
- Endpoint filtering, also being added to the platform, helps to govern which specific instances of data sources users can access (such as, a specific SQL server). Endpoint filtering allows for definition of which specific instances will be allowed versus blocked for tenant or environment level policies. It supports key connectors such as HTTP, SQL, CDS, SMTP, Azure Blob Storage, and more.
Finally, coming soon, Microsoft Information Protection sensitivity labels will provide a simple way for your users to classify critical content in Microsoft Power Platform without compromising productivity or the ability to collaborate.
In the area of environment and deployment management, the team is focused on building out unique capabilities for unified administration, API automation, and DevOps experiences as well as developing best practices on governing the growth of low-code deployments.
Today, organizations can utilize a single, consistent admin experience to manage all aspects of a Microsoft Power Platform deployment. From provisioning and managing environments, solutions, users, licenses, and database capacity admins can perform all administrative operations from a single portal experience. Additionally, administrative operations are fully automatable, providing the option to either call the API, that operates the Microsoft Power Platform admin center or use the available PowerShell cmdlets, which enable admins to complete admin tasks using script commands.
Global manufacturing leader, Unilever, maker of iconic brands such as Dove, Vaseline, and Ben & Jerry’s, has fostered a more data-driven culture while securing data and users. “We’ve been excited to see how the Power Platform can automate manual processes, help us to manage COVID-19, but it’s not just about building the apps,” said Julie Mercer, Collaboration Services Director. “The new Power Platform governance features enable us to build them with a strong foundation of governance, security, and stability.”
Microsoft Power Platform also offers deep integration with Azure DevOps as well as GitHub Actions allowing both administrators and pro developers to fully automate common build and deployment tasks. Not only will this allow for hands-off deployment processes but will also allow you to seamlessly plug your low code CI/CD pipelines into your existing enterprise-wide Software Development Lifecycle processes, which in turn allows for better scale of your team and your operations.
When it comes to developing best practices, the team is committed to helping organizations be successful by regularly sharing experiences, strategies, and tools like the Microsoft Power Platform Center of Excellence Starter Kit. This enables organizations to scale up their use of Microsoft Power Platform using tools and proven strategies from our experience working with a network of customers and partners worldwide.
In the area of monitoring and analytics, the team is focusing on delivering an extended range of capabilities that will allow administrators to continuously monitor the resource creation, the resource usage, and utilization as well as the maker activities.
The out-of-the-box analytics gives organizations access to popular insights such as usage and creation of apps and automations, active users, license usage, Dataverse consumption, and much more. To date, our analytics have been available for each environment, providing the ideal level of granularity for environment admins. This level of detail, however, can be a time-consuming challenge for organizations with accelerated adoption, requiring admins to monitor hundreds or even thousands of environments. This is where our new tenant-wide analytics, which released to preview on June 25, 2021, will make monitoring a breeze. These out-of-the-box analytical views will provide visibility into the full inventory as well as all maker activities across all of your environments in a single view.
You may already be aware that the Microsoft Power Platform Center of Excellence Starter Kit provides templates to set up in Power BI backed by Dataverse.
Additionally, audit logging is available, enabling activities and actions taken by users to be recorded for audits and inspections. Moreover, organizations using Microsoft Cloud App Security today administrators can monitor Power BI reports for suspicious access patterns and alerts to take timely actions.
Building on that, we are introducing the ability to export usage telemetry to Azure Data Lake. Now in preview, organizations can build custom inventory reports and analytics using data hosted in their own instance of Azure Data Lake. Organizations can leverage Power BI to building custom reports and dashboards over the data hosted in Azure Data Lake. Having the data in their own lake also means that organizations can store data for durations supporting historic trend analysis supporting uniquely defined archiving strategies as required by your organization’s data retention policies.
We are also introducing performance and diagnostics monitoring using Azure Application Insights. Available in preview on June 25, 2021, organizations using Microsoft Dataverse and model-driven apps will have the ability to directly interact with Microsoft Power Platform telemetry data for monitoring user activity, diagnosing performance issues, and potentially troubleshoot errors that may occur. Application Insights offers modern tooling to create custom reports as well as alerts enabling an organization to respond quickly to any potential issues that may occur.
Application Insights will allow users to seamlessly track usage across apps and environments, and automatically detect patterns and anomalies in the telemetry data. This, in turn, can help developers improve the user experience through better monitoring and resolution of production issues that are out-of-the-box. Custom views are supported to gain deeper insights into errors and performance issues.
In a world where accidental and unlawful data breaches are on the rise, we are committed to maintaining customer trust by protecting their data and taking considerable measures to prevent data protection incidents from occurring. As the requirements for protecting data increase, it is essential for organizations to choose a cloud service provider that makes every effort to protect customer data.
Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Microsoft Power Platform, built on top of Microsoft Azure, inherits the compliance investments we are making in Azure. Trusted around the world across jurisdictions and industries, Microsoft ensures we’re meeting all security and compliance advancements and requirements through regular audits and submits self-assessments to third-party auditors. These capabilities, combined with a comprehensive portfolio of compliance certifications in both public and private sectors, enable Chief Information Security Officers to protect the entire Microsoft Power Platform deployment at scale, even as more people build apps, automation, and analytics across the organization.
Microsoft’s centralized governance, risk, and compliance tool support the implementation of a quarterly scorecard to communicate compliance, capability, and risk posture to drive readiness and minimize adverse impacts to Microsoft and our customers.
A sample of compliance and regulatory coverage:
As Pierre Maroye, Strategic Project Manager of Groupe Mutuel, explains, “Thanks to Microsoft Cloud’s local data storage in Switzerland, we are now able to use cloud technology that is modern and future-proof but also fully complies with our strict data protection, security, and privacy requirements. Security and privacy protection are among our ironclad principles, where we will not compromise.”