FPS Security Overview

This document provides an overview of the high-level security components of Microsoft® Cloud and Financial Performance Suite (FPS).

Microsoft® Cloud

Microsoft® Cloud offers the industry's highest level of security and certification, going beyond what any internal data center would offer. All Microsoft® Cloud's organization certifications are listed here by their logos. More information can be found at the site referenced after the logos. You are encouraged to examine this information and compare the offering with what an internal data center or private cloud would have to offer.


Microsoft Cloud's Organization Certifications.

https://www.microsoft.com/en-us/trustcenter/Compliance

Inside Microsoft® Cloud

A complement of layered defense and security in-depth strategies is architected into the overall FPS solution to ensure that your data is secure inside the data center. FPS uses the Microsoft® Cloud Geo Region boundaries to ensure that your sensitive data only resides on U.S. data centers. At each tier of the solution (Network, Database, and Application), multiple security measures are deployed to harden security. Monitoring and Alerting are integrated into the security solution.

Traffic Isolation

The Microsoft® Cloud creates a virtual network around the FPS application. The isolation boundary prevents virtual machines used by the FPS application from communicating with virtual machines in any other virtual network. This isolation allows us to ensure that communication remains private within the application.

Security Groups

FPS uses security groups within our application to list the servers that are allowed to talk to other servers and the ports that they are allowed to use. This security practice means that the web server inside the data center is only able to talk to the database over a single port and is not allowed to communicate with any other machine.

SSL

All communication within the data center is done over SSL, meaning your data is always encrypted during transport. There are no exceptions to this rule.

IP Address Filtering

Microsoft® Cloud enables allowlisting of IP addresses at two levels, and FPS adds a third:

  1. Microsoft® Cloud enables allowlisting IP addresses that can connect to the website. If the IP address is not identified, then it is unable to connect. This IP address listing acts as a firewall, preventing any traffic that arrives from an unknown IP address from proceeding.
  2. Microsoft® Cloud allows us to allowlist IP addresses that can potentially connect to a database. By default, there is no access to any database servers even if you are the administrator and have a valid user name and password.
  3. FPS provides the ability to restrict IP addresses based on a specific customer. By restricting IP addresses, FPS can limit which ones a user is allowed to connect to your site from. Microsoft® Cloud allows us to prevent IP addresses that can connect to the site as a whole. This IP address restriction adds another layer of protection for your data.

Database Security

FPS uses Transparent Data Encryption to encrypt the entire database at rest. The keys for this encryption are rotated every 90 days. FPS uses auditing and altering features to log every action that is performed on the database. This data is mined to look for anomalous actions.

Application Security

FPS has undergone both internal and external security audit testing focusing on a wide array of potential vulnerabilities. This testing is part of the standard secure software development lifecycle for FPS. The FPS application explicitly protects against these vulnerabilities:

  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

Monitoring and Alerting

FPS does extension auditing of SQL operations, which allows for the examination of events such as:

  • Login
  • Data Access
  • Data Changes

FPS also can provide alerts on this auditing information by sending emails to administrators when certain events are triggered.

User Monitoring

FPS uses Microsoft® Cloud's B2C offering. This offering allows us to report on various aspects of users in the system. The reports are segmented into several distinct categories:

  • Anomaly reports - Contains sign-in events that are found to be anomalous. The goal is to make you aware of such activity and enable you to decide whether an event is suspicious.
  • Integrated Application reports - Provides insights into how cloud applications are being used in your organization. Azure Active Directory® offers integration with thousands of cloud applications.
  • Error reports - Indicates errors that may occur when provisioning accounts to external applications.
  • User-specific reports - Provides device/sign-in activity data for a specific user.
  • Activity logs - Contains a record of all audited events within the last 24 hours, last seven days, or last 30 days, as well as group activity changes, and password reset and registration activity.

More Questions?

Security focus is at the forefront of the architectural design, application development, systems management, and implementation of this product. You are encouraged to contact your sales representative with any follow-up questions or concerns that you have with Microsoft® Cloud or FPS relating to the security of your data.

Parent topic: Financial Performance Suite