Security in Microsoft Cloud for Financial Services
Microsoft’s approach to securing our customers' information involves a security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs. Additionally, we provide a set of customer-managed tools that adapt to the organization and its security needs.
Microsoft cloud services are built and operated according to the practices set out in the Microsoft Security Development Lifecycle (SDL) and Microsoft Operational Security Assurance (OSA). Microsoft developers are required to validate that source code, documentation, configuration, and dependencies do not introduce unintended side effects. For more information, see Security development and operations overview.
The Security & Compliance Center tracks user and administrator activity, malware threats, data loss incidents, and more. Its Reports dashboard provides up-to-date reports on the security and compliance features in use in the organization.
Microsoft Azure Active Directory (Azure AD) reports can be used to stay informed on unusual or suspicious sign-in activities.
The data security section in Data Protection Addendum describes the security practices and policies adopted by Microsoft online services.
Logging and Microsoft Cloud for Financial Services
Microsoft provides an extensive set of logging and audit capabilities, surfaced through the Office 365 Security & Compliance Center and Azure Security Center. Logging and monitoring can be enabled for each service capability:
- Power Apps Activity logging
- Power Automate Activity logging
- Data loss prevention activity logging
- Dynamics 365 entity auditing (audit data for user activity)
- Microsoft Dataverse and model-driven apps activity logging
- Microsoft Teams logging
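The capabilities listed above all land in the Microsoft 365 unified audit log, so one PowerShell session can pull them together. The following is an added example, not code from the original page or from Microsoft: it checks that unified audit log ingestion is on, then retrieves the last 24 hours of Power Apps, Power Automate, DLP, Dataverse/Dynamics 365 and Teams events. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account (a placeholder here) holds the View-Only Audit Logs or Audit Logs role, and that the RecordType names are the ones the audit log schema uses for these workloads; confirm them in your tenant before relying on them. Dataverse and Dynamics 365 entity auditing must also be switched on in the environment itself, or those record types come back empty.

```powershell
# Added example (not from the original page): confirm unified audit logging is on, then pull
# the last 24 hours of Power Apps, Power Automate, DLP, Dataverse/Dynamics 365 and Teams
# activity from the Microsoft 365 unified audit log.
# Assumes: ExchangeOnlineManagement module installed; signed-in account holds the
# View-Only Audit Logs (or Audit Logs) role. The account name below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'auditor@contoso.onmicrosoft.com'   # assumed account

# Nothing below returns data unless unified audit log ingestion is enabled for the tenant.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit logging is disabled; enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

$end   = Get-Date
$start = $end.AddHours(-24)

# RecordType values for each capability in the list above. These are the names I expect
# from the audit log schema (assumption); verify with a query that omits -RecordType.
$recordTypes = [ordered]@{
    'Power Apps'                = 'PowerAppsApp'
    'Power Automate'            = 'MicrosoftFlow'
    'DLP (SharePoint/OneDrive)' = 'ComplianceDLPSharePoint'
    'DLP (Exchange)'            = 'ComplianceDLPExchange'
    'Dataverse / Dynamics 365'  = 'CRM'
    'Microsoft Teams'           = 'MicrosoftTeams'
}

$events = foreach ($entry in $recordTypes.GetEnumerator()) {
    # A SessionId plus ReturnLargeSet pages through results 5,000 at a time until the
    # cmdlet returns nothing; a single call without it is capped at 5,000 records.
    $sessionId = "fsi-$($entry.Value)-$($start.ToString('yyyyMMddHHmm'))"
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType $entry.Value -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($rec in $page) {
            # AuditData is a JSON string; expand it so the useful fields are queryable.
            $data = $rec.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                Time       = $rec.CreationDate
                Capability = $entry.Key
                Operation  = $rec.Operations
                User       = $rec.UserIds
                ClientIP   = $data.ClientIP
                ObjectId   = $data.ObjectId
                Result     = $data.ResultStatus   # not every record type populates this
            }
        }
    } while ($page -and $page.Count -gt 0)
}

# Quick triage: most common operations per capability, and anything that did not succeed.
$events | Group-Object Capability, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$events | Where-Object { $_.Result -and $_.Result -ne 'Success' } | Format-Table -AutoSize

# Keep the full export for the SIEM or the investigation file.
$events | Sort-Object Time | ConvertTo-Json -Depth 5 |
    Set-Content -Path ".\fsi-audit-$($start.ToString('yyyyMMdd')).json"
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a host you trust with audit data; the export contains user identities and client IP addresses and should be handled like any other security log.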
Additionally, Microsoft offers Azure Sentinel, an enterprise-grade, scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Azure Sentinel delivers security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Encryption and Microsoft Cloud for Financial Services
Microsoft uses encryption to protect customer data at rest in Microsoft databases and in transit between user devices and Microsoft datacenters. Connections between customers and Microsoft datacenters are encrypted, and all public endpoints are secured with industry-standard Transport Layer Security (TLS), which provides confidentiality and integrity for the connection between the client (browser or desktop application) and the datacenter. After data encryption is activated, it cannot be turned off. For more information about encryption, see:
- Microsoft 365: Encryption for Office 365
- Azure: Encryption overview
- Power Platform Compliance and data privacy: Data Protection
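"Secured with TLS" is only as good as the protocol versions an endpoint will actually negotiate, and that is something you can check from your own network. The following is an added example, not code from the original page or from Microsoft: a small PowerShell function that opens a TLS session to a host with the protocol versions you allow and reports what was negotiated, then confirms that TLS 1.0 is refused. The host name used is an assumption; point it at the endpoints your tenant uses. It needs network access and uses only the .NET SslStream class, so it runs without extra modules.

```powershell
# Added example (not from the original page): report what a public endpoint negotiates and
# confirm deprecated TLS 1.0 is refused. The endpoint name is an assumption.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Protocols the client offers; the server must pick one of these or the handshake fails.
        # Drop Tls13 on .NET Framework older than 4.8, where that enum member does not exist.
        [System.Security.Authentication.SslProtocols] $Protocols =
            ([System.Security.Authentication.SslProtocols]::Tls12 -bor
             [System.Security.Authentication.SslProtocols]::Tls13)
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Certificate validation is left at the .NET default, so an untrusted or
        # mismatched certificate makes AuthenticateAsClient throw (and the test fail).
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)   # $true = check revocation
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Host        = $HostName
            Negotiated  = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm
            CipherBits  = $ssl.CipherStrength
            CipherSuite = $ssl.NegotiatedCipherSuite   # .NET Core 3.0+ only; $null on Windows PowerShell 5.1
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            Succeeded   = $true
            Error       = $null
        }
    } catch {
        [pscustomobject]@{
            Host = $HostName; Negotiated = $null; Cipher = $null; CipherBits = $null; CipherSuite = $null
            Subject = $null; NotAfter = $null; Succeeded = $false; Error = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$endpoint = 'login.microsoftonline.com'   # assumed: substitute the endpoints your tenant uses

# 1. Modern client: expect TLS 1.2 or 1.3 and a certificate that is valid for the host.
$modern = Test-TlsEndpoint -HostName $endpoint
$modern | Format-List
if (-not $modern.Succeeded -or $modern.Negotiated -notin 'Tls12', 'Tls13') {
    Write-Warning "$endpoint did not negotiate TLS 1.2 or 1.3"
}

# 2. Legacy client offering only TLS 1.0: this should FAIL. If it succeeds, the endpoint still
#    accepts a deprecated protocol. Where the OS has TLS 1.0 disabled client-side the failure is
#    local rather than the server's doing, so repeat from a host that can still speak it if it matters.
$legacy = Test-TlsEndpoint -HostName $endpoint -Protocols ([System.Security.Authentication.SslProtocols]::Tls)
if ($legacy.Succeeded) { Write-Warning "$endpoint accepted TLS 1.0" }
else { "TLS 1.0 refused by $endpoint : $($legacy.Error)" }
```

The same function works for any HTTPS endpoint your integrations call (email services behind the Email Router, webhooks from Power Automate), which is where weak settings tend to hide.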
Dynamics 365 uses standard Microsoft SQL Server cell-level encryption for a set of default entity attributes that contain sensitive information, such as user names and email passwords. This feature can help organizations meet compliance requirements associated with FIPS 140-2. Field-level encryption matters most in scenarios that use the Microsoft Dynamics CRM Email Router, which must store mailbox user names and passwords to integrate a Dynamics 365 instance with an email service.
User access and security in Microsoft Cloud for Financial Services
The solutions in Microsoft Cloud for Financial Services use a role-based security model for user access: privileges are granted through security roles, which are assigned to users and teams, rather than to individual users directly. For more information, see About user security in the Microsoft Power Platform.
Multifactor authentication for users of Microsoft Cloud for Financial Services
Microsoft supports multifactor authentication (MFA) as a core capability of Azure Active Directory (Azure AD). Any Azure AD tenant can use security defaults to quickly require Microsoft Authenticator registration for all users. Individual users and groups can be enabled for Azure AD Multi-Factor Authentication so that they are prompted for additional verification at sign-in. Additionally, Microsoft supports signing in without a username or password by using an external USB, near-field communication (NFC), or other external security key that supports the FIDO2 standard in place of a password.
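Enabling MFA is one thing; knowing which accounts are still password-only is another. The following is an added example, not code from the original page or from Microsoft: a Microsoft Graph PowerShell script that reads the security defaults switch, lists users who have not registered an MFA method, flags administrators without a passwordless (FIDO2 or Authenticator) method, and shows what a conditional access policy requiring MFA for everyone looks like, created in report-only mode. It assumes the Microsoft.Graph module is installed and that the permission scopes named are the ones these calls need; adjust if consent is refused.

```powershell
# Added example (not from the original page): audit the tenant's MFA posture with Microsoft
# Graph PowerShell and stage a 'require MFA for all users' conditional access policy.
# Assumes Microsoft.Graph is installed; scopes below are the ones I expect (assumption).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Security defaults: the tenant-wide switch that makes every user register Microsoft Authenticator.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# 2. Per-user registration state. IsMfaRegistered = $false means the account is still password-only,
#    whatever policy says; IsPasswordlessCapable means a FIDO2 key or phone sign-in is registered.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered        = @($reg | Where-Object { -not $_.IsMfaRegistered })
$adminsNoPasswordless = @($reg | Where-Object { $_.IsAdmin -and -not $_.IsPasswordlessCapable })

"Users without an MFA method registered: $($notRegistered.Count) of $($reg.Count)"
$notRegistered | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize
"Admins without a passwordless method: $($adminsNoPasswordless.Count)"
$adminsNoPasswordless | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize

# 3. Conditional access equivalent of 'require MFA for all users', in report-only mode so the
#    sign-in log shows what it would block before it is enforced. Security defaults and conditional
#    access are mutually exclusive: turn defaults off before switching this policy to 'enabled'.
#    Add the object IDs of your emergency-access accounts to ExcludeUsers before enforcing it.
$policy = @{
    DisplayName   = 'FSI - Require MFA for all users (report-only)'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
        Applications = @{ IncludeApplications = @('All') }
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
if (-not $defaults.IsEnabled) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State
} else {
    'Security defaults are on; conditional access policies cannot be used until they are disabled.'
}
Disconnect-MgGraph
```

Run the first two sections on a schedule: the registration report is the quickest way to catch service and guest accounts that were created after MFA was rolled out and never registered a second factor.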