Low-code, high security: Implementing robust security in Microsoft Power Platform

In the digital age, security is a major concern for all organisations. According to a recent government survey, half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months.  

While the concerns of security apply universally, the Public Sector faces a unique set of challenges. Budget constraints, limited Power Platform expertise, and recruitment difficulties do not need to compromise your Power Platform security strategy. This article discusses: 

  • Power Platform security 
  • Practical advice for testing your current security strategy 
  • Practical advice on how to implement a security strategy with limited resources. 

Is Power Platform Secure? 

Power Platform’s infrastructure is built upon Microsoft Azure’s infrastructure, sharing the same robust security as other Microsoft services, as well as taking advantage of Azure security and compliance services such as Entra ID. These are already trusted on a global scale by governments and enterprises alike. Power Platform adds additional layers of security by adhering to a zero-trust security approach, ensuring data security through a wide range of tailorable security features including, but not limited to: role-based access control, data loss prevention policies, security roles, conditional access, managed environments and multi-factor authentication. 

Thanks to its stringent security framework and architecture, Power Platform is compliant with global standards such as GDPR, HIPAA and ISO 27001, underlining its suitability for handling sensitive data in regulated industries. More information on Power Platform’s adherence to these standards can be found in Microsoft’s Compliance and data privacy documentation and Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act documentation. 

Practical Tips to Test your Security Strategy 

Before implementing a security model, it’s important to understand your organisation’s existing security strategy. Here are some of our practical tips on how to assess your current, and future, security strategies. 

Conduct an Environment Audit 

Review all your existing Power Platform environments to ensure they adhere to your organisation’s current security policies. You should identify and remove any unused or outdated environments that may pose a security risk. We recommend using the Microsoft Purview Compliance Portal, a Microsoft service that provides access to the data and tools required for assessing and managing compliance within your organisation. Purview enables you to run assessments on your Power Platform environments, checking for compliance with internal and external regulations. 
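Purview gives you the compliance view; the inventory itself is quickest to build with the Power Platform admin cmdlets. The script below is an added example (not code from the original article or from Microsoft) that lists every environment with its app and flow counts and flags the ones that are empty or have not changed in a while, so the audit starts from a concrete review list rather than the admin centre UI. It assumes the Microsoft.PowerApps.Administration.PowerShell module, a sign-in holding a Power Platform administrator role, and that the environment, app and flow objects expose the DisplayName, EnvironmentName, EnvironmentType and LastModifiedTime properties used here; the 90-day threshold and the CSV path are arbitrary defaults to tune to your own policy.

```powershell
# Added example, not code from the original article or from Microsoft.
# Lists Power Platform environments with app/flow counts and flags empty or
# long-idle ones as candidates for the environment audit.
# Assumptions: Microsoft.PowerApps.Administration.PowerShell is installed, the
# caller is a Power Platform administrator, and the objects returned expose
# DisplayName, EnvironmentName, EnvironmentType and LastModifiedTime.

#Requires -Modules Microsoft.PowerApps.Administration.PowerShell

param(
    [int]$StaleDays = 90,                               # assumed threshold; tune to your policy
    [string]$ReportPath = '.\environment-review.csv'    # assumed output location
)

Add-PowerAppsAccount   # interactive sign-in

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($environment in Get-AdminPowerAppEnvironment) {
    $apps  = @(Get-AdminPowerApp -EnvironmentName $environment.EnvironmentName)
    $flows = @(Get-AdminFlow     -EnvironmentName $environment.EnvironmentName)

    # Most recent modification across the environment itself, its apps and its flows.
    $timestamps = @($environment.LastModifiedTime) + @($apps.LastModifiedTime) + @($flows.LastModifiedTime)
    $lastActivity = $timestamps |
        Where-Object { $_ } |                 # drop nulls from empty app/flow lists
        ForEach-Object { [datetime]$_ } |
        Sort-Object -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Environment  = $environment.DisplayName
        Type         = $environment.EnvironmentType
        Apps         = $apps.Count
        Flows        = $flows.Count
        LastActivity = $lastActivity
        # Empty or long-idle environments are candidates for review, not for automatic deletion.
        ReviewFlag   = ($apps.Count -eq 0 -and $flows.Count -eq 0) -or ($lastActivity -lt $cutoff)
    }
}

$report | Sort-Object LastActivity | Format-Table -AutoSize
$report | Where-Object ReviewFlag | Export-Csv -Path $ReportPath -NoTypeInformation
"$(@($report | Where-Object ReviewFlag).Count) of $(@($report).Count) environments flagged; details in $ReportPath"
```

The flag is deliberately advisory: an environment with no apps and no flows may still hold Dataverse data or be reserved for a planned project, so the CSV is the input to a review conversation, not a deletion list.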

Review Security Groups 

To ensure that only authorised personnel have access to relevant environments, roles and apps, organisations should audit security groups and role assignments. During the auditing process, keep in mind the zero-trust principles of least privilege and assume breach, and only give users access to the groups and roles that they require. 

Test Data Loss Prevention (DLP) Policies 

Evaluate your current DLP policies to ensure they effectively prevent the sharing of sensitive data across connectors. It’s a good idea to simulate data transfer scenarios to check if the DLP policies trigger appropriately. Power Automate is a good tool to test these scenarios. 
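Simulated transfers in Power Automate show whether a policy fires; the complementary check is to read the policies themselves and compare the connector classifications against what your policy document says they should be, so that a test that unexpectedly passes can be traced to the group a connector ended up in. The script below is an added example (not code from the original article or from Microsoft). It assumes the Microsoft.PowerApps.Administration.PowerShell module, a Power Platform administrator sign-in, and the object shape returned by Get-DlpPolicy (displayName, environmentType, and connectorGroups with a classification and a list of connectors carrying an id); the $expected table is a constructed baseline for illustration only.

```powershell
# Added example, not code from the original article or from Microsoft.
# Compares each DLP policy's connector classification with an expected baseline
# and confirms a tenant-wide policy exists.
# Assumptions: Microsoft.PowerApps.Administration.PowerShell, a Power Platform
# administrator sign-in, and the Get-DlpPolicy object shape described in the
# lead-in. Group names as reported by the cmdlet: Confidential (Business),
# General (Non-Business), Blocked.

#Requires -Modules Microsoft.PowerApps.Administration.PowerShell

Add-PowerAppsAccount

# Connector API name -> classification your policy requires (constructed baseline).
$expected = @{
    'shared_sharepointonline' = 'Confidential'   # business data: must stay in the Business group
    'shared_office365users'   = 'Confidential'
    'shared_dropbox'          = 'Blocked'        # consumer storage: blocked by this hypothetical policy
    'shared_twitter'          = 'Blocked'
}

$policies = Get-DlpPolicy
if ($policies.PSObject.Properties['value']) { $policies = $policies.value }   # unwrap a list response if present

$findings = foreach ($policy in $policies) {
    # One entry per connector: api name -> classification actually configured.
    $actual = @{}
    foreach ($group in $policy.connectorGroups) {
        foreach ($connector in $group.connectors) {
            $apiName = ($connector.id -split '/')[-1]   # id ends in ".../apis/shared_sharepointonline"
            $actual[$apiName] = $group.classification
        }
    }

    foreach ($apiName in $expected.Keys) {
        # A connector listed in no group falls into the policy's default group.
        $got = if ($actual.ContainsKey($apiName)) { $actual[$apiName] } else { 'default group' }
        if ($got -ne $expected[$apiName]) {
            [pscustomobject]@{
                Policy    = $policy.displayName
                Scope     = $policy.environmentType   # AllEnvironments / OnlyEnvironments / ExceptEnvironments
                Connector = $apiName
                Expected  = $expected[$apiName]
                Actual    = $got
            }
        }
    }
}

# Without a tenant-wide policy, a newly created environment starts with no DLP protection.
if (-not ($policies | Where-Object environmentType -eq 'AllEnvironments')) {
    Write-Warning 'No AllEnvironments DLP policy found: new environments are unprotected until one is assigned.'
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'All checked connectors match the expected classification in every policy.' }
```

Run it before the simulated transfers and again after any policy change: a connector that drifted from Blocked into the Business group will show up here even if nobody has yet built the flow that would exploit the gap.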

Monitor User Activity 

Utilise Power Platform’s range of activity logging features to review user activities. Some examples of these logs are Power Apps activity logs, Power Platform connector activity logs and Power Automate audit logs. Analyse these logs for any unusual or unauthorised actions that may indicate security issues. 
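The Power Apps and Power Automate activity logs surface in the unified audit log, which can be queried from PowerShell rather than exported by hand. The script below is an added example (not code from the original article or from Microsoft) that pulls a week of Power Apps and Power Automate records and applies three simple detections: destructive or sharing-related operations, activity outside working hours, and unusually high per-user volume. It assumes the ExchangeOnlineManagement module and an account with audit log read rights; the record type names, the operation pattern, the 07:00-19:00 window and the volume threshold are assumptions to adjust for your own tenant.

```powershell
# Added example, not code from the original article or from Microsoft.
# Pulls Power Apps / Power Automate audit records and flags activity worth review.
# Assumptions: ExchangeOnlineManagement module, audit log read permission, and the
# record type names, operation pattern and thresholds below (tune to your tenant).

#Requires -Modules ExchangeOnlineManagement

param(
    [int]$Days = 7,
    [int]$MaxOpsPerUserPerDay = 200    # assumed burst threshold
)

Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# The unified audit log keeps one record type per product; query each in turn.
$records = foreach ($type in 'PowerAppsApp', 'MicrosoftFlow') {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $type -ResultSize 5000
}

# AuditData is a JSON string; parse it once into a flat event object.
$events = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        Type      = $r.RecordType
        ClientIP  = $data.ClientIP      # may be empty for some record types
        Object    = $data.ObjectId
    }
}

# 1. Destructive or sharing-related operations: who, what, from where.
$sensitive = $events | Where-Object Operation -match 'Delete|Share|Permission|Publish'

# 2. Activity outside 07:00-19:00 local time or at weekends.
$offHours = $events | Where-Object {
    $_.Time.Hour -lt 7 -or $_.Time.Hour -ge 19 -or $_.Time.DayOfWeek -in 'Saturday', 'Sunday'
}

# 3. Unusually high volume for one user on one day: a script or a compromised
#    account behaves differently from a person clicking through an app.
$bursts = $events |
    Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.User, $_.Time } |
    Where-Object Count -gt $MaxOpsPerUserPerDay |
    Select-Object Name, Count

"Sensitive operations: $($sensitive.Count)"
$sensitive | Sort-Object Time | Format-Table Time, User, Operation, Object, ClientIP -AutoSize
"Off-hours events: $($offHours.Count)"
$offHours | Group-Object User | Sort-Object Count -Descending | Format-Table Name, Count
"High-volume user-days: $($bursts.Count)"
$bursts | Format-Table -AutoSize
```

None of the three detections is proof of misuse on its own; their value is in narrowing a week of log lines down to the handful of user-days a human should read in full.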

Run Conditional Access Policy Checks 

Verify that Entra ID conditional access policies are correctly configured to restrict access based on user roles, device compliance, and location. You can test these policies by attempting to access resources from various conditions to ensure they work as intended. 

Validate Multi-Factor Authentication (MFA) 

Ensure that MFA is enforced for all users accessing Power Platform resources. We’d recommend testing the MFA process to confirm that it effectively prevents unauthorised access. 
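Testing access from different conditions proves a policy behaves as intended for the cases you try; reading the policy set answers the broader question behind both of the checks above, namely whether any enforced Conditional Access policy requires MFA for all users on the applications that front Power Platform, and where the exclusions are. The script below is an added example (not code from the original article or from Microsoft). It assumes the Microsoft.Graph PowerShell SDK and an account permitted to read Conditional Access policies; the Power Platform application IDs are not reproduced here, so pass the ones from your own tenant via the assumed -PowerPlatformAppIds parameter.

```powershell
# Added example, not code from the original article or from Microsoft.
# Summarises Entra ID Conditional Access policies and reports whether an enforced
# policy requires MFA for all users on Power Platform, plus the exclusions to question.
# Assumptions: Microsoft.Graph PowerShell SDK, Policy.Read.All consent, and the
# Power Platform application IDs supplied by the caller.

#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    # Application IDs you treat as "Power Platform" (assumed input; look them up in your tenant).
    [string[]]$PowerPlatformAppIds = @()
)

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$review = foreach ($p in $policies) {
    $controls = @($p.GrantControls.BuiltInControls)
    $apps     = @($p.Conditions.Applications.IncludeApplications)
    $users    = @($p.Conditions.Users.IncludeUsers)

    $coversPowerPlatform = ($apps -contains 'All') -or
        (@($apps | Where-Object { $_ -in $PowerPlatformAppIds }).Count -gt 0)

    [pscustomobject]@{
        Policy              = $p.DisplayName
        State               = $p.State                  # enabled / disabled / enabledForReportingButNotEnforced
        RequiresMfa         = $controls -contains 'mfa'
        # 'AND' means every listed control is required; 'OR' lets another control
        # (for example a compliant device) satisfy the policy instead of MFA.
        Operator            = $p.GrantControls.Operator
        AllUsers            = $users -contains 'All'
        ExcludedUsers       = @($p.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups      = @($p.Conditions.Users.ExcludeGroups).Count
        ExcludedLocations   = @($p.Conditions.Locations.ExcludeLocations).Count
        CoversPowerPlatform = $coversPowerPlatform
    }
}

$review | Format-Table -AutoSize

# The MFA check reduces to: is there at least one *enabled* policy that requires MFA
# for all users on every app (or on the Power Platform apps specifically)?
$enforcing = $review | Where-Object {
    $_.State -eq 'enabled' -and $_.RequiresMfa -and $_.AllUsers -and $_.CoversPowerPlatform
}

if (-not $enforcing) {
    Write-Warning 'No enabled Conditional Access policy requires MFA for all users on Power Platform; check security defaults or per-user MFA before concluding MFA is enforced.'
} else {
    "MFA enforced by: $($enforcing.Policy -join ', ')"
    $enforcing | Where-Object { ($_.ExcludedUsers + $_.ExcludedGroups + $_.ExcludedLocations) -gt 0 } |
        ForEach-Object { Write-Warning "$($_.Policy) has exclusions; confirm each one is justified and time-bound." }
}
```

A policy in report-only state or with an 'OR' operator will look like MFA enforcement in the portal summary but is not; the table makes both visible in one column each, which is the point of reading the policies rather than only testing sign-ins.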

Implementing Security Strategy with Limited Resources 

Leveraging Existing Knowledge 

Organisations can benefit from looking to internal skill pools before looking outward. Because Power Platform’s security model is built upon Microsoft’s existing infrastructure and services, you likely already have IT professionals within your team with the skills needed to begin building out your security strategy.

Upskilling your Workforce 

A crucial yet cost-effective approach can be to upskill your existing workforce. Microsoft offers a wide variety of security learning paths enabling organisations to enhance their internal capabilities, without significant financial outlay.  

Use Built-in Security Features 

Power Platform builds upon the existing Microsoft security framework with a range of out-of-the-box features that your organisation can leverage. Notable security features include: 

Centre of Excellence (CoE) 

Establishing a CoE to provide a centralised governance framework and oversight within your Power Platform is essential and advised by Microsoft. A CoE helps to enforce policies and robust security measures across an organisation. Microsoft provides a CoE Starter Kit, which includes tools such as the CoE Power BI Dashboard, intended to help organisations start their own Centres of Excellence with out-of-the-box tooling. It is important to note that the CoE Starter Kit is not, in itself, a Centre of Excellence; rather, it is a set of tools designed to help organisations begin their CoE journey. We would recommend using these tools alongside an experienced partner to set up a high-quality CoE that can work and scale with your organisation. 

Ensuring Security in low-code Solutions 

Security is a fundamental aspect of Power Platform’s design, integrated throughout its infrastructure from the outset, designed around administration, creators, and users. There are a variety of ways to extend your security strategy and integrate with both Microsoft and external services. By leveraging existing knowledge, upskilling your workforce and taking advantage of out-of-the-box security features, Public Sector organisations can effectively plan, implement, test and improve a comprehensive security strategy. 

Where Marra Comes In

At Marra, security is considered early on in any development discussion. It has a prominent role throughout the planning, design, build and delivery of any solution. Our human-centred approach means that security aligns with the needs of the users. We ensure data is secure by understanding a client’s existing architecture, working with stakeholders to outline and digest their requirements, then adhering to zero-trust principles throughout the delivery. 

Establishing a Centre of Excellence (CoE) is an effective approach to creating a more robust security framework. Our experienced team can help you identify the most sustainable and cost-effective solutions for your business by leveraging available resources and tools. We can also assist in the development of the necessary culture and processes. By integrating business culture, processes, and technology, these efforts will result in a CoE tailored to your organisation’s unique needs. 

If you’re interested in knowing more about Marra and our services, book a meeting with one of our team here. 

Written by Harvey Hamilton, Consultant App Maker
