Power Pages Security: A Deep Dive into Defense-in-Depth Techniques
The objective of defense-in-depth is to protect information and prevent unauthorized access or theft. This strategy employs a series of mechanisms to slow down an attack aimed at acquiring unauthorized data access. Power Pages leverages Microsoft’s and Power Platform’s security stack to offer multi-layered protection against various security threats. This comprehensive security stack enhances the overall security of Power Pages applications by reducing the likelihood of breaches. The Power Pages platform provides makers and administrators with the necessary controls to strengthen security and governance for their sites and data.
Physical Security:
- Hosted on Azure App Service with rigorous security and compliance standards.
- Managed physical security with restricted access to data centers.
Identity and Access:
- Allows both anonymous and authenticated access to business data.
- Uses secure Authentication mechanisms and Authorization (RBAC).
- Supports multiple identity providers like Microsoft, LinkedIn, Google, and enterprise providers like Azure AD, Okta.
- Configurable Web Roles, Table Permissions, and Page Permissions for access control.
Perimeter Security:
- Leverages Azure's DDoS basic protection and optional standard tier for enhanced protection.
- Web Application Firewall (WAF) integration for protection against common exploits and vulnerabilities.
Network Security:
- Configurable WAF for centralized protection and control access based on geography, VPN, or specific networks.
- IP Address Restriction to filter network traffic and limit access.
Compute Security:
- Native protection from Azure App Service.
- Microsoft Defender for Cloud monitors threats and ensures compliance.
Application Security:
- Authentication and Authorization controls for secure access.
- HTTPS enforced with digital certificates.
- Managed Application Identity for secure integration.
- Configurable HTTP Security headers for advanced protection.
- Cookie Security with Secure and Http-Only attributes.
- Cross-Site Request Forgery (XSRF/CSRF) protection using anti-forgery tokens.
Data Security:
- Data stored in Microsoft Dataverse, encrypted at-rest and in transit.
These components collectively provide a robust defense in depth strategy for securing Power Pages applications.
Published on:
Learn moreRelated posts
Power Pages | Strange issue with HTML controls
In my previous article, I explained how to trigger a cloud flow from a Power Page, using a ‘Contact Us’ form as an example. Below ...
Power Pages | Integrate Cloud flow with a Power Pages site
In this post, we’ll walk through the step-by-step process of integrating a Cloud flow with a Power Pages site. We’ll use a ‘...
Power Pages: Auto-Populate ‘Contact’ Lookup with Logged-In Portal User
In this beginner’s guide to Power Pages, let’s learn how to automatically populate a Contact lookup field with the currently logge...
Power Pages | Data workspace | How to set Solution
Did you know that you can select a Dataverse solution from the Data workspace ? The tables, columns, and forms you create will be added to the...
No-Code Payments for Power Pages Portal with Stripe Integration
Using the design studio’s Setup workspace, you can quickly add payment options to your Power Pages site. This tool lets you add a paymen...
How to Optimize Microsoft Power Pages for SEO
Introduction Do you want to enhance the SEO performance of your Power Pages Portal to improve search engine results? Effective… The post...