Power Pages Security: A Deep Dive into Defense-in-Depth Techniques

The objective of defense-in-depth is to protect information and prevent unauthorized access or theft. This strategy employs a series of mechanisms to slow down an attack aimed at acquiring unauthorized data access. Power Pages leverages Microsoft’s and Power Platform’s security stack to offer multi-layered protection against various security threats. This comprehensive security stack enhances the overall security of Power Pages applications by reducing the likelihood of breaches. The Power Pages platform provides makers and administrators with the necessary controls to strengthen security and governance for their sites and data.

 Physical Security:

•    Hosted on Azure App Service with rigorous security and compliance standards.
•    Managed physical security with restricted access to data centers.

 Identity and Access:

•    Allows both anonymous and authenticated access to business data.
•    Uses secure Authentication mechanisms and Authorization (RBAC).
•    Supports multiple identity providers like Microsoft, LinkedIn, Google, and enterprise providers like Azure AD, Okta.
•    Configurable Web Roles, Table Permissions, and Page Permissions for access control.

 Perimeter Security:

•   Leverages Azure's DDoS basic protection and optional standard tier for enhanced protection.
•  Web Application Firewall (WAF) integration for protection against common exploits and vulnerabilities.

 Network Security:

•    Configurable WAF for centralized protection and control access based on geography, VPN, or specific networks.
•    IP Address Restriction to filter network traffic and limit access.

 Compute Security:

•    Native protection from Azure App Service.
•    Microsoft Defender for Cloud monitors threats and ensures compliance.

 Application Security:

•    Authentication and Authorization controls for secure access.
•    HTTPS enforced with digital certificates.
•    Managed Application Identity for secure integration.
•    Configurable HTTP Security headers for advanced protection.
•    Cookie Security with Secure and Http-Only attributes.
•    Cross-Site Request Forgery (XSRF/CSRF) protection using anti-forgery tokens.

 Data Security:

•    Data stored in Microsoft Dataverse, encrypted at-rest and in transit.

These components collectively provide a robust defense in depth strategy for securing Power Pages applications.