Sign Iowa Permission Slip Easy

Document type sign permission slip iowa easy

there we go that looks better frank i never looked good but yeah okay we're recording hey guess what we can go ahead and start the meeting that's exciting welcome to january's uh mix it up thrilled as always to see all of you on here it is kind of funny how some of these things go it just seemed toward the end of the year a lot of questions and a lot of discussions were bubbling up around permissions and security in bc if you've fiddled with them at all you know it's just a never-ending joy trying to understand uh the architecture and your options with it they continue to make a lot of improvements with uh the the tools and the setup and we thought hey since it's coming up quite a bit let's just go ahead and share some of those tips and see what folks know and um i think we even have some uh tips outside of conventional business central dealing with office and so forth and just security in general today so it should be a very interesting discussion um quite a few presenters lined up let's go ahead and let me start cranking through the slides so we can get to our tips and uh a reminder that of course we do this on monthly basis we are recording it we post it out on the mix it up youtube channel so you can share it with friends and family and in february we're going to have a panel on and i'm going to be asking questions to them about how they prepare for audits because well that's kind of what's happening right now right so uh let's let's share some experiences with that and maybe some of the the pain and successes uh out of going through going through audits and helping everybody prepare better for that so go ahead and sign up for that if you're a member of the meetup group you get notifications automatically for that makes it a lot easier then in march if you haven't seen this yet dynamics con is a free event three days now uh covering all the dynamics products they have 450 sessions submitted for consideration and the schedule is open and available to vote on we all get to pick what sessions are going to be on the schedule which is a great approach that voting ends on friday so hop out there and submit your votes uh quickly for that if uh well since i'm talking i'm gonna go ahead and take advantage and say we've got uh from new view strategies me and my team have quite a few sessions out there if you'd like to vote for us if you get our newsletter uh it just went out today earlier today and it's got links for all our sessions out there uh you can go look for us as well we've been doing quite a bit social around that and since we're also talking about permissions and security i want to let you know there is a class in it four-hour class tomorrow uh that new view strategies is working with the focus on you still have an opportunity to register for that class if you're interested in more in-depth training as well so all right now again try to share your video camera if you'd like uh just to help with the audio and the interference you know keep yourself on mute but please take yourself on mute jump in with comments and questions and other tips as we're moving through this and uh another reminder always interested in improving i'll put a survey link in the chat towards the end of the call take the survey and the person that provides the best tip today gets one of these nifty tie-dye shirts so it's pretty important that you fill that out now we were gonna have a guest bartender uh today making uh one of my more favorite drinks when i'm in new orleans is a hurricane but uh there was a bit of an emergency and i didn't get many more details than that just came in about 10 minutes ago so steve uh hopefully he's doing okay or his family's doing okay but um we're steve's not available to make the drink for us today now uh i believe our regular bartender kim ko is scrambled and prepared something for us with a moment's notice which is incredibly impressive and i'm really interested to see what she's got going on so kim what are you making for us all right well you know since it's in honor of dry january i thought i would do a non-alcoholic tequila so you just take non-alcoholic tequila you open the bottle smells like it has alcohol in i'm not sure how that happened and you just pour it in your glass and then just enjoy it i mean it's kind of like a hurricane after you drink the whole bottle but it's hard uh no no salt just just uh just just non-alcoholic tequila she she drinks the good stuff you don't you don't need it but yeah is that my concern that she's got a bottle from fairly within arm's reach at a moment's notice i mean i can move it over here if you're concerned but i mean appropriate alcohol [Laughter] that is an impressive bit of scrambling thank you hey anytime what what brand in particular is that okay well this is one of my favorites so uh this is there's three bottles there's a one two and three or uno docent trace it's an organic tequila um this is a repesado so it's aged um i think anywhere between six months and a year so it's very good wow a little smoky it goes down really smooth you know so yeah very nice i'll put it over here it's a little bit out of form's reach then i think that is considerably less complicated to make than a hurricane so appreciate that kim yeah i didn't have half that stuff yeah i'm not even sure where to get passion fruit juice we'll find out all right fantastic okay let's go ahead and uh jump in um like i said we got a whole panel today um from from many different angles we've got partners uh traditionally in bc partners not bc uh end users and so forth here so really have an assortment and i'm looking forward to this discussion quite a bit um cynthia i chose you first because i knew you'd be ready to go and uh what do you got to share with us well you knew wrong but i can still share with you first so let me um share my screen so when it comes to security and permissions i just thought i would talk about some of the basics because what i'm finding is a lot of people are very worried about about the technology and what's in business central that i can use and how can i use it and they get so wrapped up in that they don't actually lay the groundwork to have a successful permissions rollout so let me share my screen and i want to show you everybody can you see my screen yep okay i don't know if i'm dating myself or not oh i should be in slideshow mode here but [Laughter] now i'm on the wrong screen let's see here i love it when technology doesn't work the way i want see i wasn't prepared mark how about that wow well hey first time i was on with a customer doing testing for a go live so give me a break here all right let me do it this way that's what happens when you have back to back to back to back i know i know i know and that's what i'm dealing with all right we'll do it this way okay we'll try this again now how's that super yay all right so again i'm dating myself but it's kind of like and you get super user and you get super everyone gets super user uh how many of us are either in that situation or have been trying to help a customer who's in that situation and who is that what that's oprah and that's she does these me or used to do these major giveaways and everyone in the audience got the gifts right so everyone in the company becomes super user well this is why that's really really really scary so this is from cpa practice advisor and if you are responsible for security and permissions in your organization and you're having a hard time getting someone to agree to a project that it's going to take some time and energy and they say well you know what that's just too much work we don't need to do that well guess what the numbers are pretty scary because anybody can end up being an employee who's tempted and does something that they wouldn't normally do so putting them in a situation where they have access to information could create a bad person out of a good person and interestingly enough what they find is that individuals who are caught doing fraudulent activities it's not just the first time they got caught but it was the first time they did it because they're probably not really good at it but they're also they were tempted right so remove the temptation and 18 is the average number of months it takes to find that fraud so you can imagine if someone is doing something repetitively what that could mean and what that can mean in this case they've found that on average it's a hundred and forty thousand dollars i was actually involved in a project where we were trying to uncover how much was stolen by a very trusted employee and it was about two hundred thousand and interestingly enough they found it after about 18 months so it was right on the average so if you need some ammunition to convince somebody that putting permissions into your system is important this might just be the ammunition that you need the other thing that i find is really difficult is where do i even start so you look at it and you get overwhelmed so one of the things that you can do is create a spreadsheet right or a workbook and take what we call a security matrix and sit down with individuals in the enterprise it's not just an it function and say all right here in this column a here are the types of roles within my organization i have an ap manager and i have ap staff ar manager and ar staff you may not you might just have an accountant right or you have all of these positions and then what you do is you look at each functional area and you say okay if it's an atp manager of course there's going to be a lot of things in the ap functional area that they have access to but what do they need to have access to in inventory what do they need to have access to if anything in general accounting or finance so you actually need to look at each one of these roles and just plan from a user perspective don't worry as much about what's in business central and the business central permissions because that's not important at this point you're trying to figure out what your organization needs to make things work and one of the things that has really come out of this if you take this approach sometimes it's not just a matter of what permissions you're giving to someone but it could be a matter of what functionality you're having them use if you're the type of organization that you do everything from your sales orders for example you ship and somebody creates the order somebody ships and somebody invoices and everybody's working out of the sales order and you need to set up some sort of permissions where well when the person's shipping they shouldn't be able to change xyz on the sales order well we don't have field by field security out of the box in business central but what we could do is use sales order shipping so if you're managing your shipping invoice process all from the sales order maybe it's that you need to disallow the people who are doing shipping to access the sales order page and they will use sales order shipping we also have sales order invoicing so sometimes it's not just a matter of what permissions you are giving someone but it's how you're using the system so this permission project can actually help you find efficiencies or other ways to more effectively use the system and then when it's all said and done when you've got this all figured out there are tools that you can use in business central to make the process of using what you determined by filling out that matrix using what you've determined by deciding you're going to use sales order shipping and sales or invoicing and define your own permission sets to assign to your people don't try to make one of the 74 permission sets that microsoft provides us work because most of the time you can't even if you copy and you try to pare them down or add to them you're going to spend probably more time than necessary if you don't use some of the other tools that are available and if someone else doesn't bring up one of the other tools i'll add it at the end so that's what i had to share it was a little bit more about the planning and why you should go about permissions and security in business central would be interesting to know how many customers have actually taken the time to to go through it or just kind of throw up their hands up front and have never really revisited be interesting to do that kind of survey we maybe should do that yeah hey does anybody have uh tag on thoughts or questions related to all that i guess not my hand i guess um let me put my camera one of the things we did was we identified those um areas that were problematic we'll put it that way and we added columns to our user cell and we turned on and off access to things whether it be the gl approvals um any number of things right down to who can edit a sales order on the description um was we found problems that's the way we handled it um is it the right way probably not but uh it gives us such flexibility because you can just you know go in there and make changes really quickly and on the fly in on a user by user basis it's an unusual solution but it works well for us so interestingly enough i had seen that previously and i know when uh easy security came out that helped to address some of those situations but that still could be overwhelming and then with business central we kind of lost easy security because they did not move their solution to that to that world or to that platform so to address what you've addressed greg there is a product out there called advanced security by efocus and i have had the privilege of working with that a couple of times and that does allow you to do some of those things that you're describing um with an app that you can you know subscribe to um i'm just really in the infancy of those projects but i'm liking what i'm seeing so it eliminates that need to do a customization especially if you're a business central user and you're worried about your extensions and too many other things that bump up against it but greg i've seen that before and i do think it works very effectively so kudos to you for doing it that way but that uh advanced security is another way to look at that yeah we've been on on bc since 2009 and her actually start with nav in 2009 so this has been well refined and works really well for us yes we have quite a few columns there i want to say about uh two dozen columns and it's really really nice like when somebody goes on vacation and you want to switch a role for somebody um so say permission to approve the sales quota i uncheck one guy and check another guy about a bing bad boom it's all working you know um sounds like if that app had been around at the time maybe but um now we've got it i don't think we've done anything new in there for a long long time but uh we did bring it over when we went to bc and it works just worked now hey cynthia i don't know if you saw david gerstin's note in the chat he said he'd like to hear about the tools you already brought up the focus tools and then uh he also said hey he's heard that merge tool isn't um migrating over to bc can you want to comment on that yeah so again they are from what i understand they are not migrating over to bc and the timothy focus um basically um i don't know if anybody is on this call from them but my understanding is they they kind of reached out to peer and said hey you know if you're not going to do this we have an idea and that's where they came up with their advanced security and so in uh i have one customer i'm working with right now where i really want them to get it but it's not time for them and then i have another what's really great about it is you can actually filter data available so with their tool you can say that an individual only can see a group of gl accounts so when they go to use gl accounts on a line so maybe it's expense accounts or certain accounts so you can actually filter not just uh results but also what they're able to see on a fast tab um or access on a fast tab as well as actions up in the navigation bar in the navigation menu so again i'm in the emphasis of working with it but i'm really liking what i'm seeing and maybe i'll do a little bit of a review later on if you know in another bc uh mix it up if anyone wants to know after we've worked with it for a little while the oth r thing is easy security had that recording tool and of course uh that was a huge thing and of course microsoft said that's a great idea so we actually have a recording tool built into the system now and it's interesting how many organizations say you know what i don't want to spend the time asking people to do recordings so that they can only get to what they're supposed to do i'd rather just try to make my own permission sets i find that in my experience they spend more way more time trying to make their own permission sets than any recordings would ever take and you have way less frustration of the results with the recorder than you do if you try to manage it with permission since you're building yourself yep exactly all right i i guess no other questions comments let's move on then i had one comment about the recorder i i use it for troubleshooting but i don't use the results i don't use them as permission sets because in my opinion you just end up with something that's totally unmanageable because you've suddenly got 30 permission sets all we invite duplicate permissions in them and the way we build ours we have a permission set called basic which is what every user should have and then on top of that we have you know role specific ones and some people might have multiple roles but with permission set you know you'll end up with you know you have to be able to look up the company information in every single permission saying i think it's just it's just making a mess to manage long term troubleshoot right no and i i get that but um without going into too much detail we actually by using that matrix we actually come up with an approach where yes you do have a lot of permission sets but because you have a lot it actually becomes easier to manage because they're actually more targeted to a task and then those permission sets get assigned to the user groups but again every organization is different and we know what tools we have available and it sounds like a lot of people have different approaches and that's what's the beauty of this system right we can all look at it i kind of joke one of the things i like to say is i hope that i help customers come up with the writer way to do things because there's more than one right way to do things in business central and we all know that but it's what's the right or way for your organization and you know the other big problem we have with permission sets and i've done if it's something in bc 2020 is indirect just doesn't seem to work yeah i am permissions i have to give you know i have to give basic users like you know read write access or worse write access and insert a modified stuff they should never have access to because indirect just doesn't work yeah i've noticed that too not across the board but frequently the the balance between efficiencies to administer security and the traditional controls you need to have about who's requesting access who's the proven access and the paper trail behind it and sometimes as we build out more permission sets and we find tools make it easier to assign security we lose sight of the back end paperwork and then when you actually find a permission set that grants too much security because it was so easy to grant you have to unwind things and it becomes quite a burden task in your risk or fraud exposure speaking as an auditor is greater so it's a balancing act how easily can we maintain security with the tool at the same time capture some of the history behind it so it's not willy-nilly good to know they have what they need well who who requested it who approved it because ultimately each piece of data has to be owned by someone and they should be assigning approving access to that data so each company is different but it's a balancing act which is challenging especially for smaller companies with small rit departments that they probably weren't hired to be the security admin to begin with they want to get back their day job and security is more of a headache than anything else well said well it's all along my opinion that because the tables interact so much with each other going down the path of making all the security around tables has just been a nightmare um i wish microsoft had or that the business envisioned people had focused more on making page security because if you can't see it you can't go in there and mess with it that's my philosophy but unfortunately they chose the path and that it's just proven to and that that's kind of one of the reasons why we went with all the check boxes so my philosophy again if they can't see it they can't break it so am i am i missing something because you do yeah we hate security we have paid security so uh that may be a version thing oh we have paid security don't get me wrong what i'm saying is that the if you look at all the the out of the box security okay you look at the role centers and the permissions that come out of the box they're all work basically set up around tables they're not set up around pages generally speaking they all have give give them all the pages and then control the tables and i'm saying it should be the other way around give them all the tables and control the pages i mean i say those 74 permission sets that they provide us are basically not very helpful at all right and it's not only that they're not very helpful because they're very dangerous like there's one called sales doc edit and that gives you um right access to the general ledger setup it's like why does somebody who needs to create sales orders need access to the general religious setup and write access to it they're terrible i was going to say general ledger setups in a lot of them right so for read for read it has to be because you have to read a bunch of stuff like periods but like the the sales doc edit has um i think edit at least edit if not insert and delete in the generator set up and it's crazy they're they're terrible those sets and there's so much duplication in them as well but so i just start from scratch in the end yeah that brings up a nursing point too and i know this is being recorded mark but and this is the case across the dynamics line we see this all the time at fastpack don't assume microsoft did everything perfectly when it came to designing security inside the application business central ethanol whatever it might be the permission sets you're talking about are great examples uh if you ran stuff from a cigarette duties perspective natively permission sets in bc in roles in ethno littered with segregation duty conflicts uh so uh you have to get a baseline what your company needs but make sure that the customers and users understand it's trust and verify it's verifying you don't just trust trust trust determine what you need do your own analysis to make sure you're not actually provisioning things that have holes that you weren't aware of because you assume microsoft everything correctly there are those gaps there uh it's great for us isps you can fill that gap but more importantly the trust has to be in what you set up and not what the software manufacturer has provided to work with you're sort of baking a cake there's different ingredients but you got to put them together and get comfortable with it a really good point it begs the question how did microsoft even come up with that right that would be uh it'd be interesting to talk to the r d team about hey i want to make sure we have enough time for uh everybody that's ready to uh to share that has prepared for this so we're gonna go ahead and move on i love this discussion and uh that's what we're here for so appreciate that so let me um go ahead and get back to my uh slide here and we have uh david wheat with silvos brands david hey everybody uh unlike the uh well-prepared cynthia i don't have slides i feel a bit naked um and so mark do you mind now that we've seen everyone's picture if we just go back to video and i can just talk through a couple things awesome um you know uh gonna you guys have had some great discussion so i'm gonna chime in on a little bit i'll tell you really quickly our environment we're on bc 14 on-prem so we still have and we have easy security and we still have it so really interested to hear you know that there is now something popping up out there that's going to replace easy security um and just like cynthia said when i got to what was the nusa yogurt so sobos brands is a food brands company they own uh four delicious brands uh of food which i won't go into right now in the interest of time but um i started off at nusa yogurt here in colorado and when i got there they'd been live for about two months on nav 2015 and 100 of their live users had super user you know the the oprah winfrey giveaway yes so so here here's my here's my first here's my first piece of advice you have to bake security into your implementation project and when you do uat which you should you're also testing permissions now your uat is going to go bonk the first few days while you work through that but let me tell you why if you spend if you have one month to your implementation project to get security right as we all know once you go live nobody cares or has an appetite to fix permissions it will be one to two years before unless you're just a rocking much better team than ours which is probably fine but you're not going to get anyone's attention after it goes live so i i i'm a fan of even when you do an upgrade you know when you're doing your testing before you you know migrate that it ought to be permissions testing too or what did you really test so trust me i get that that people you know everyone's trying to do the schedule as fast as they can but i think as leaders we need to advocate for the right way so that's that's a lesson i had so it took us forever to dial back all those super users and painful anyone anyone understand what the analysis view table is and why everybody needs indirect to the analysis view i don't but it comes up all the time you know has nothing to do with accounts payable but uh so um we had to grind through that um the other thing i would tell you on your journey from super to like super dialed in high precision permissions it's better to go deep than wide so if a lot of people have to have permissions to every field on item card that's better than them being able to post a journal when they have no business posting a journal so if you're going to go from awful which is where we were you know just at least start dialing in in big chunks you know and then you know the the the uh the un popular truth is you just have to iterate through that you know and and then you keep refining and refining it and then um you know if any of your companies have thought about going public or going public you know then you're going to have to go you know matt's eyelash and really get segregation of duties done and things like that um so uh let me see what else um someone i think i can't remember who it was i think it might have been frank you know he kind of dropped the p word you've got to have processes that support security you know who can request a security change um there's a there's a there's a thing i call and i don't think i made this up self nomination hey i'd like access to whatever yeah sure you look like a nice guy you know um so you you know we can't think of securities just i t grinding through easy security or nav permissions you know what like getting a manager approval and then if you have a controller who might have an eye towards segregation of duties issues you know what's your approval process do you do it in a ticketing system so that you always have a record of it in case someone says how did this happen and and those don't have to be awful and bureaucratic they really protect the company uh you know cynthia alluded to that in her slide on fraud they protect you as as a functional rit leader that you know what you're doing [Music] what makes that hard we've learned also is permissions are sticky so you know bob changes a role from accounting to not accounting uh nobody tells us you know we give it per permissions but he's still got accounting and then they say things like this right you know like well they're going to overlap for two months so it's got to have everything you know so anyway just those are kind of things that again fall into the process bucket you know what is your process for when people request or need to change permissions um uh i i will say um you know not not not to uh not to offend our fast path friends here but you know we did write our own segregation of duties report because we have the luxury of a report developer you know with ssrs and all those permissions are in tables um but another process you need to have public or not is access review you know can you spit out your permissions in a format that regular business folks your plant your cost accountants your controllers your accounts payable supervisor can look down the list and see you know names and see if they've got the right permissions um uh but and then and then final thing i know i'm all over but we the grind that we went through we insisted so easy security gives you things called permission groups where you roll up permission sets and does does out of the box bc have that same concept i apologize for not knowing we have user groups a user group's just a way to roll up permission sets into a thing yeah and it's different from what they see on their screen when they log in it's not their profile right it's their security nope it's different yeah we we we finally just insisted on having those be job titles you know which sounds even as it comes out on my lips stunningly simple and like i might be like telling everyone in the room that's done that 10 years ago but um we used to have 18 permission groups you know which was the role of and we couldn't you know it didn't mean anything but we we try now to roll up to one permission group that says accounts payable clerk one or accounts payable supervisor or corporate controller or whatever and that gets dicey in a small company as frank alluded to because job titles are squishy but um before that we were we were trying to do the pile of permission sets our permission groups were too many and and now we you know we've kind of standardized that if you will um and all that's you know everything i've just told you has taken us you know three or four years to mature it's a maturing process from all super to kind of reusable uh job title based uh permission groups um uh sorry i should have done slides anyway that's that's my journey uh and by the way we're we're a company that's you know considering going public so we're doing a lot of prep work and you know it's it's either pay me now or pay me later everybody you know um so what kind of things are you doing to prepare to go public just curious as far as bc goes yeah it's a great question um so we're just it's i'd say we've just added a lens to look at our security more more finely you know so so now that we know someone's going to come in and say here you know an audit essentially we're asking ourselves harder questions um uh you know we've got 12 people who can make an inventory adjustment um you know is is that right you know so like literally it's like internal like reflection on roles and who's doing what and then people say no that's not right only these roles should be able to do you know a a a an an item journal entry and then we just iteratively go through that those kinds of things very much obviously belinda segregation of duties you know uh we weren't too squishy about who could make a creative vendor and make a payment before i mean it was kind of the same group but now we're saying you know so there's a lot of role redefinition only the supervisor can approve payments and only another disconnected from that group can make vendors we're centralizing master data a lot a lot of that's going to come to where i t you thought a form an it does the creation after some approval instead of having so many people have create capability especially things like vendor that would be a really dicey one if you could create a vendor in a payment so just it's it's kind of everything you guys have all done all the time but with just extra um just knowing someone's gonna udit you really changes your focus for sure one more question and this is non-vc related what are you um where what tool are you using to document all of these things i mean word or what what are you using yeah uh microsoft word we're writing so so i should have answered starting by this way like a lot of medium-sized companies we had pretty good processes poorly documented we were doing right-ish things every day but couldn't point to a thing and say we're doing it like that so we've had to convert a lot in the writing and we're just you know we're just using word and vizio and swim lane diagrams and things like that it's not rocket science to get that stuff down on paper great questions a great story as always david thank you anything else before we move on to the next suite the great point about very good security planning in your implementation because you won't get the time to go back and do it later you know it gets pushed back in to begin with and you get crunched and doesn't get tested right and you're always swimming upstream or you're down 20 000 wings at the bottom trying to get back up yeah and i appreciate that frank let me say one more thing we have a strategy when we do roll out a new kind of revision to our permissions first of all we don't do the whole company at once we do them kind of in in functional groups and then you know don't be afraid to give someone back super for the day while you're trouble you did i know i just violated everything i said but like like we can we can enable super for for the day and we've got our change log turned on for things like you know and we don't tell them this but then we fix it but like we've got a limit of like one business day on that because you have to you know if the shipping department can't shift give them super don't forget you gave them super uh that's the tricky part but i mean that's kind of a shortcut um but you have to sometimes to keep operational because you're not going to get it perfect even in uat yeah right yeah you're not getting the security perfect unless you have unlimited resources and even if you do that's not taking the risk-based approach that from that not the right use of those resources and that limiting super and tracking the assignment of it temporarily david that's a good example of things from a sox perspective when you go public you're gonna have to show controls you have around that yeah so exactly that that'll that'll be a documented decision great point frank so with that i certainly want to introduce nate belcher and frank vukovitz security and segregation of duties might be their favoritest topics in the world and i i bet they're excited to share with us today is that is that true state frank well i think and from a work perspective i think nate would tell you iowa hawkeye's athletics might be his favorite topic in the world but uh yes yeah yeah so let me uh pull up my deck here and share it out real quick if you have the slides in the oh you're getting better well let me know all right roll with it brother yeah so uh i think everyone knows who fast pack is if you don't there's we provide solutions to do a lot of things we've already been talking about today for bc uh you see our url there but i i think cynthia and david i think you covered a lot of the topics i wanted to talk about on the next slide if you roll with that mark a lot of what we see out there working with clients and again fast path isv around security uh we we're not a var we don't implement all we do is sell really good software we see a lot of these trends with our customers from a bc nav perspective and quite honestly for other dynamics products as well and it's an approach and a lot of this has been talked about already but i heard cynthia start with the word planning when she talked about it and talked about our matrix you got to plan security out david talked about getting into the project plan companies make the mistake whether you're moving to business central let's say it's an upgrade project or maybe you're implementing business central for the first time you got a plan correctly and i can tell you too many companies just repeat what they did in the old system whether it's saying oh you know what jane doe had this access the old system she needs to have this access new system and you don't take any regard planning wise to what she will be doing in the new system what functionality is there it might not be an apples-to-apple situation so you gotta plan out your security and put things in place time-wise resource-wise education-wise if you don't you're gonna run into these these roadblocks it's going to get squishy uh and you're ultimately end up something that's a little bit of a mismatch so don't just duplicate the security behind the pass people think about moving to bc in the cloud can we just run a migration tool yeah you can run migration tools all you want but if you don't look at the output and make business decisions and tweak that before you actually use that in production including security you're running a risk there that you're probably creating gaps or holes that ultimately could lead to problems from your perspective so that would be the first thing we would share the second when it comes to security again this is tougher in a smaller shop try to have some concepts and methodologies behind how you design security there's concepts like like least privileged access uh latest one microsoft's talking about is zero trust and that's more on the network infrastructure side but try to build some of these security framework guidelines that are out there that are industry accepted at least at least tax lease privilege access is going to say only give someone the access i need at the smallest level no one ever complains if they have too much security provision to them the only complaint they don't have enough to do their job so if you start small give them what you think is the bare minimum and the right permissions that's not like and then you move up and maybe you can add to it but if you give them everything up front or give a bunch of people elevated privileges up front it's very difficult to take that away so so try to design with some of those security concepts around least privileged access and the like i think that'll that'll be helpful in what you're doing and then uh test test tests that's already been talked about but again when you're talking about conf room pilot third things way too often and this is a business application problem across any software you might be talking about sap oracle dynamics what have you people don't test security enough it gets crunched in the project plan and ultimately you suffer because of that so uh test test test build in your project plan like david said you can never test it enough you're gonna test your comfort zone pilots the new system the upgraded system how the user experience is security is part of that because when you go live how they're sitting down and where they're clicking they need to have the right security to do their job function if you haven't tested that with the users during your conference and pilot unit test system test whatever terms you use you're probably going to run into problems after you go live and then this last one david just touched up on this one as well security is such much more than a technical exercise i've spoken about this a lot at user conferences over the years a lot of executives even think of security is just an i.t problem i would argue good strong security can be a strategic enabler for your company and actually not a problem but an asset but it involves a communication buy-in from the top down from your executives understanding why it's important to mitigate the external threats on the outside and the internal thruster inside we talk about fraud segregation duties user access reviews things you need to do internally mitigate those risks a lot of those things are business process changes you might have a technical tool that helps you with that but it's not all about securities being a technical exercise both in the people you engage into provision security correctly which includes uh the business process owners executives who own the data and defining who should be signed off in their groups to give access to the data to the technical tools you use yes it's it's much broader than a technical exercise the way i i talked about drawing analogy when you implemented bc hopefully that was not just an i.t project i was executive steering committee functional owners you had accounting you had finance you had sales marketing warehouse whoever involved the project same holds true when you implement security successfully it's more than exercise you get that involvement from all these other groups as well to ultimately give you the best chance for success across the board so there's a couple of approaches we've seen that seem to work doesn't mean it's easy uh and and securities like implementing software it's like eating an elephant in an elephant one bite at a time genie ingles told me 20 years ago when i was implementing an adapter for the first time so security you got to crawl walk run eat that elephant one bite at a time put some of these approaches in place do them slowly at first i think you're gonna set yourself up long term to be a better place uh when it comes to managing security and maintaining it because as david said once you implement it's very difficult to go backwards the toothpaste is out of the tube so to speak nate would you have anything to add on any of those no i don't think so frank i think you touched on it and i think a lot of the discussion that's already been had today so far really touches on a lot of the stuff we talk about on a day-to-day basis um with our customers so um no i think you're good what would world be like if we uh if we didn't have the opportunity to talk about uh implementation shortcutting testing and training huh where would we be if we didn't have that gosh yeah and it's more secure you could drop anywhere in front of there yes yes reporting yeah it's it's unfortunate nature of the beast i'm speaking yeah okay excellent excellent thanks very much guys yes indeed um and i i'll just put a quick plug i've known frank for a long time boy if you want to if you want to get serious about uh security in general segregation and duties and so forth um talk to fast path go watch a frank presentation these guys know what they're talking about they've been doing it for a long time it's very very impressive um i i did one or two internal audit projects back uh before when i was consulting before and um god bless anybody that can do that because it's people all right and jason sent home from groupo another longtime user group member a pretty decent sized company uh out iowa way as well we got a little iowa theme going and jason i've got your slides loaded in here as well if you're ready okay sounds good yeah yeah so um quick topics to cover i know so far the conversation has been once we get in bc and and how to audit bc and actually within the application so my my my turn is to take a step back and say before you can even get into the application what are some security things can apply so office 365 the main benefit of tool obviously is that the high availability and accessing it from everywhere but it's also much more easier now a bad guy doesn't need to get in from the outside or vpn they can just reach out once they have your credentials so a couple things that i wanted to briefly talk about was multi-factor authentication for um for office 365. how you can potentially limit or restrict access to office 365 even for the users who are legitimate but you still want to put some type of restrictions in place um there's some basic security alerts that can be configured that most people might not know to do immediately or out of the box and just a couple uh exchange tips in case you're using exchange online so you hit this next slide actually sorry i think i was looking at the okay sorry i had my slide deck up and it wasn't going anywhere no problem all right um so yeah i always want to throw out there because it can get people's heads multi-factor is a huge very very important tool and a lot of you probably have applications already or your organization has some form of multi-factor and for sure that's 100 going forward it's a really nice standard but mfa can still be gotten around it can be there can just be out and out exploits or or maybe the mfa imitation isn't working quite like what you want you know i know some mfa limitations that it really is just mfa for an rdp access but you can still connect to the server through other means so just x you know just a disclaimer it's not the the uh the golden key there so um but mfa for office 365 is is just the the free mfa that they offer um now that's kind of referred to legacy mfa i find it's tricky i don't know if anybody else has seen this but officer 65 changes so frequently and and so drastically i just realized they changed that name as i'm i was gathering information for this slide deck so that's how often it seems to happen so um personally i've had hit or miss um experiences with the legacy mfa and generally if the organizations have it or could afford it i think using conditional access rules are the way to go which is the next way you can enforce mfa in the organization so that does require an additional license of azure ad premium for each user um which gives you some additional benefits as well but i won't go into um but uh you know that's that's even how um today i i have our organization kind of set up through conditional access rules and it really does work very well and we'll talk more about conditional access rules in the next slide deck um uh some other things you can do too so whenever i implement mfa i i'm a very user-conscious security guy i like to say so i get that people don't want to use mfa if they don't have to and a lot of the times too you can just disable that based on your company so if your company has a corporate location or a warehouse location and it's got a public ip that never changes you know if you're in that building do you need to mfa is that one less thing that now your your end users can do and they need to authenticate uh and i'd argue yeah i'd argue that if you're at a warehouse building that is owned and you basically have a key code to get into it you know everyone in there is employee they probably don't need to provide mfa so i would throw that out there as you know however you can make it easier for the users while still being relatively safe and protecting your your accounts out there so another real quick tip is at the moment anyway you can still use legacy authentication so even if you did today right now your security your organization turns on officer 65 mfa or legacy nfa if you don't disallow legacy authentication that can just be bypassed and and that's going away later this year it was supposed to have gone away last month but um but i'll throw that out there that there are a couple ways you can disable legacy authentication and if you don't do it mfa and officer 65 you know can be bypassed um this is right this is to me what a really cool slide deck mfa is is good and fine but once you kind of get mfa set up you kind of wipe your hands it's done and it's set up but restricting access to officer 65 there's so many different scenarios and and conditions and and policies you can apply so again if we're we're talking about using this with conditional access and that p1 licensing and honestly if you've got like an e3 license or whatever you well not e3 alone i think there's a bundle but you may even already have people in licensing um but it's but it's it is it's really interesting especially if you've got warehouse workers that they only access bc from within your location so maybe they should never be accessing bc from home you know but but maybe your managers your directors or it can and you can throw them in a security group and say that you deny access to bc or office 365 while they're not coming from a trusted location um that that's a that's a really cool thing that that people are doing and especially that's an hr thing i know more than anything they don't want e en the ability for people to work from home that shouldn't be working from home so that's kind of a neat one you can take it a step further if your company actually hands out if it's got an on-prem ad solution or even an azure id solution with your own laptops you can even require that the device authenticating to office 365 is a hybrid join machine which it's that's azure's way of just saying that it's it's it's a company machine um and it's joined from ad so if you if you want to say that only people on only laptops that have you know that we set it up and it meets our standards we've got av on it um especially if you use something like intune you can basically say that you know these are the requirements to access um office 365 and if you don't meet it you know again you can deny it or you could even just apply something like require multi-factor or or something along those lines really just a lot of different scenarios honestly based on what your your um your kind of user the case is that you're trying to to accomplish so um i will say is one kind of disheartening note that i would really have liked and it's something i looked at and i just assumed it would come with it but there's no time based restrictions because i thought you know from a security perspective perfect like 99 of our employees aren't going to be working after a certain period of time like they're definitely not going to be logging in at 2am we should definitely just disable their accounts you know but but as far as i can tell at this moment in time you can't do that so that's unfortunate um yeah we can real real quick talk about this there there is a very very cheap license that can be purchased that just needs to be assigned to one person as far as i can ever tell um i've done this in a couple organizations so uh once you have the cloud up security license you can create some canned alerts that are i can't tell you how important they are if you don't have mfa on today this is something that that saved me quite a few times um that especially so if somebody does fall does fall victim to a phishing email and their account and their their password is out there for anybody to see you'll usually you'll get a lot of times they log in from nigeria norway all these other countries and so a lot of times it hits these alerts you know boom log in from the frequent country you go log in and you see that you got kim ko luggian from iowa and then you've got kimko logging in from you know botswana or something like that okay she was probably compromised at that point and not saying that ever happened to kimco but that's an example um it was it was france it was france and jason's like are you in france and i'm like yes i forgot to tell you um in fact in my organization you know and and i just have it where if it's the logins coming from a country that we don't operate in the the rules just set the block it right off the bat anyway um but before we did that before you know before we saw the light that login that alert helped us quite a bit there's also the the impossible travel so you log in from washington and then you log in from uh uh florida within 30 minutes it's gonna trigger as like there's no way you travel that far um that's a really good one to know and there's a couple other ones obviously you can see on the screen that would be really handy to know suspicious inbox forwarding is really good one if your account's been compromised and if they're just slowly trying to exfiltrate data they can just set up a forwarding rule that's kind of an old old trick so if you don't have this today honestly i don't think there's any reason why any company shouldn't get this today because the the cost for the license is so cheap and if you do nothing else you can get some really good alerts based off of some of the stuff i mean because i think the license is only like i don't know like seven bucks or something like that yeah jason we uh we bought the ems e5 that's the high it's the bundle so it's azure 80 pre it's azure 80 premium which includes conditional access also identity protection plus in tune so you get them all it's not i i'd say don't i'm with you like these slides are like hitting every note of projects we're working on currently i don't know if anyone else is but we have a similar thing but we do have travelers who vacation overseas so we just changed the um let me just say this real quickly nobody wants to get mfa prompt every day and you shouldn't because you'll go snowblind to mfa prompts um so so we actually try to we we have hybrid hybrid azure 80 join devices jason so that's our that's our 2fa via conditional access exactly most people don't realize that because i think it's all about phones it's like having the equipment and knowing the password is two things that's good enough yep so anyway just uh i'm just jiving on this so hard and i'll let everyone else ask you questions we do things like if it's a foreign country if it's not north america we just prompt you for mfa every day you just you're just gonna if you're in the bahamas vacationing your punishment is mfa every day um but but also we do the same thing we have plant workers they come to the plant that their role does not need to work outside of the physical building declared a trusted location with the ip addresses as you alluded and we set a block to if they try to access outside of that physical location because their job isn't a sales rep who travels it's a plant worker who turns a wrench so anyway and and i can't believe you mentioned always on vpn because that's the one that most people don't think about um but anyway uh and then you can add other apps in so that you know jason i don't mean to steal your thunder but there are other apps that are that are supported that are cloud apps um like we use afs exedra for trade promotion management when you go look in the enterprise app store in azure there it is you can say conditional access only allow this from hybrid azure ad join devices so jason and i will stop geeking out now that's amazing so with 85 you yes and frank is right you get all the toys with e5 i think you even get defender um was it defender atp yeah and we use identity protection like you said we get identity protection alerts to our help desk and that's when someone got phished and we jump right on it so anyway good stuff um yeah the always-on uh vpn is a good solution and just by the fact that it will allow you to apply conditional and in tune conditional rules and in tune so yeah that that's a really good one yeah but yeah if you take away nothing um you know if you if you don't have the ribose set up that david certainly has it sounds like they're using all the features um if just to be aware more than anything that's what i've been trained anyway is that um prevention is awesome if you can do it but detection is is king so you can skip to the next slide oh sorry i had to flip over for one second there you go uh last slide deck um talks just a little bit about exchange because in my world anyway uh it's it's the gateway drug of viruses and fishing and stuff like that so um uh what you can do if you want to be proactive you can actually restrict inbound and outbound at the people who really need it especially if your organization deals with some people that deal with sensitive information and you you need to place some type of restriction on them let's say for example you have a call center and none of those people should ever email outbound why not have a rule that they can't do that then um or even on an inbound email if it contains a zip and and not to say that zip should be blocked but if you if you're really it's like no these people they'll never get a zip file they don't receive large files then you'll never have to get a zip file you know that says here's the password open me and then have a you know something malicious installed i've had that happen when any user they get an email they do as they're told they'll you know they open the compressed file and ask for a passcode they enter it and they double click and they install virus so lots lots of cool things you can do some of the stuff too you learn the hard way like i learned that i should do that the hard way after it already happened um which is why i just mentioned now and here uh there's also some some capabilities office 365 for dlp so the social security stuff i can already tell you right off the bat um it's a false positive magnet um but if you if you deal with it and you have to and you have to you know uh meet the the audit requirements um for the pci auto requirement not pci sorry for the whatever the audit is that you're doing i'm not a big audit person but i'm in a lot of them but anyway we we do have to show that we've got um tight restrictions on on social security numbers so um really good to get those alerts credit cards that's much easier for office 365 to detect and block if you are in a pci environment so i was going with that one last couple things um you know as far as emails go most emails that are malicious have links in them nowadays they don't bother attaching a malicious file because it's so easy for those things to be blocked and detected so they just get you to click on a link um to try to get you to to go to michigan malicious website um office 365 does have url scanning and rewriting so even if at the at the very beginning of it if it doesn't recognize it's a malicious url but enough people report on it and it's detected later on then as that email is sitting in your inbox that url will no longer work when you click on it there are other solutions that can do this proof point is also a really good one i mentioned proof point because i don't think anybody here is in the pockets of microsoft and you know when i've tested them proof point it is not a foolproof solution but but did seem to work better so i felt like i had to throw it out there and lastly if if somebody did click on a malicious email or or somebody um you know i i get that whole time hey i clicked on this link and the link uh is to a very effective phishing campaign or contains a virus i want to find out all the people who got that email and so you can do a really quick mail flow search to see you know who who always the people who got this email from so and so and you can do some investigations on that instead of emailing the whole company because again i can email the whole company but like you said they just get numb it's another security thing i'm not gonna pay attention it's probably not to me anyway so that's the end of my slide deck sorry i ran a bit long but there's there's so much i couldn't figure out what to cut so let me add that jason that's all great great stuff uh let me add one thing which we i try to wrap all this together look at security like a donut yeah i know there's square donuts out there now and there's donuts let's talk about a regular yeast doughnut that has a hole in the middle that donut all the stuff jason has talked about is on the outside external threats external threats external threats extremely important you got to handle that your cios your cisos require that where those same folks maybe struggle but is inside the donut the middle where there's a hole in your business applications like business central like now what are you doing to have the right security technologies business processes procedures deployed to fill that doughnut hole and make sure your security then is all encompassing with mitigating the threats from the outside and they're stretching the inside a lot of the stuff we talked about today the first couple of us was about the inside jason's covering the outside you want to you don't want to eat the security donut you want to plug that hole in the middle and if you're struggling with business central getting executives other to buy into the need of improving your security ask them what they're doing on the outside and they'll probably go through this list of what jason's talking about and then explain to them well 70 percent of the threats are still from a fraud perspective start internally what about that hole we have in the middle and we found a lot of success when people look at it that way oh my gosh yeah we need to do it holistically not just outside in but inside out as well of course it gets you hungry we talk about donuts makes everybody happy he's talking about donuts jason bottom line uh all these emails over the years from the nigerian prince they that that's all been that's all been garbage so the one we didn't say that yeah those are valid now is that correct that's my retirement plan you never said that yeah you've not been shipping them you know a percentage of your paycheck every month and i think that's through you contact now mark to get the covid vaccine right yeah sure all right hey you know i'm an optimist i they range they they range so much the the ones that i found are the most fun there that the phishing emails are actually called sexploitation and that's where they they email you saying that they hacked your camera and they saw all the things you've done and it's completely bogus but it's just it was entertaining to read i i get that one a lot and i my response to that is i know it's not true because i don't watch porn on machines with cameras that's right a is smarter than that yeah [Laughter] fantastic wow uh folks that was absolutely tremendous he way above and beyond the call on that one thank you to all our presenters uh it was cynthia david nate frank and jason [Music] i posted the survey link in the chat here if you're running off of course we've got this recording we'll post it out there because i know you're going to want to go back and and capture uh some of these tools and the thoughts that were shared there that was very very impressive so folks thank you um ran a little long well worth it we've got the february event just join meet up and then you won't have to worry about tracking these going forward and i think we got it thank you very much everybody for joining and uh sticking through it today and thanks again for putting this together stay safe everybody take care you