Archive for August, 2018

GDPR-Relevant Certifications for Dynamics 365 for Finance and Operations

August 29th, 2018

ISO 27001 (Secure) – ISO 27001 certification confirms that the service complies with the controls and specifications outlined in the information security management system (ISMS).
Achieving ISO 27001 helps to ensure that this is a secure service on which to run your business. This further helps to support efforts to certify your own business, by reassuring your auditors that you are running your business on an ISO 27001 certified service.

ISO 27018 (Protects personal data) – When you use the service to manage your business, your personal and sensitive data is safe and protected in the cloud. Additionally, to gain your own ISO 27018 certification for your business, your auditors will appreciate that the Finance and Operations business system already has ISO 27018 certification.

SOC-1/Type-2 and SOC-2/Type-2 – The service organization controls (SOC) report helps to confirm that a cloud service has appropriate controls in place to ensure that financial data is secure and protected.

Dynamics AX 2012 help has now moved to docs.microsoft.com

August 16th, 2018

The Microsoft Dynamics AX 2012 content that was previously hosted on TechNet and MSDN has now moved to docs.microsoft.com:
• Application User/IT Pro content: https://docs.microsoft.com/en-us/dynamicsax-2012/appuser-itpro/
• Developer content: https://docs.microsoft.com/en-us/dynamicsax-2012/developer/
Existing links to the content are being redirected. The content is open for comments and edits, with the exception of the reference content.

GDPR misses the mark

August 16th, 2018

GDPR took effect in May of this year, at least with regards to enforcement. A few days after the May 25 date, a German court ruled against ICANN, the company that registers domain names on the Internet and manages the global WHOIS database. The case revolves around the information collected when you register a domain. ICANN wants multiple contacts, which they’ve required for decades. However, a company in Germany that is a partner argued that the additional technical and administrative contacts were not required for fulfilling the business that both ICANN and EPAG (the German registrar) are engaged in.
ICANN is appealing the ruling, citing the need for clarification of what this means with regard to the law.

There is an interesting argument here to be made about what data is needed for a business purpose. I could see this being argued successfully either way, and not just in court. As a domain holder, does the registrar really need multiple different sets of personal information from me? Arguably, this is a convenience for them, that is based on tradition. However, one could argue the other way. It is a little scary that a court, with no expertise in some industry (Internet domain registration, in this case), will decide whether there is an actual business need. Can a lawyer or judge really understand what data a business needs in their daily activities?

Is it unreasonable to find technical people collecting data, not maliciously, but to anticipate what might be asked of a system, or to avoid rework? Is it wrong to collect everything that might be relevant or useful to save time on future queries?

So now we have the ridiculous situation where more and more transactions can only sensibly be done online, but only if you agree to provide personal data as part of the terms and conditions. How does that protect anyone? I can understand that large IT companies with heavy investment in cloud data centres are happy to see legislation that makes it impossible for small companies to compete – encryption, additional training and audit costs, huge infrastructure and software protection costs to deal with hypothetical risks to data that is largely in the public domain on Facebook and LinkedIn and telephone directories. Governments have new reasons to fine companies. Auditors and lawyers have another source of income. This all drives up costs, so how does that benefit the individual?

Why there is not more loud protest and outright rejection of this ridiculous legislation I don’t understand. I doubt even 20% of companies affected comply.

That does not mean that you should not take data protection seriously. The problem with GDPR is that it is being applied as a sledgehammer. Companies are trying to enforce complex systems for protection of data to which there is no identified risk, or indeed where there may not even be any data stored.

If an organisation has no central documented overview of the data it holds and processes, it is highly vulnerable to fail in its stewardship of data. This will result in severe damage to that organisation. To protect anything, you have to know where it is, and who needs to use it. With data, you have to know at least its relative importance in terms of its confidentiality, integrity and accessibility. You also need to know why it is retained and how it is used within the organisation and by which role. With this information, you will then have a much clearer idea of the requirements for that data, sufficient to appropriately strengthen the organizational workflows and applications to minimize the risks to that data.

If your organisation is ever caught up in a data breach or other incident that might affect its reputation or even result in legal action, then the exercise of at least having taken information security seriously will provide mitigation for the organisation. Any organisation that takes its stewardship of data seriously and responsibly will take the next step and ensure that all data is held in an appropriate regime that will protect it from malice, disaster, conflict and human failings. They might even save on resources by reorganizing organizational data according to risk rather than by department or activity.

In a recent case not considered under GDPR the potential problems surfaced. In claimants v WM Morrisons Supermarket the High Court found that Morrisons was vicariously liable for deliberate and criminal disclosure by a rogue employee of personal data belonging to his co-workers.

The employee was an internal auditor for Morrisons. In that role he had access to personal data about other employees. However, he felt he had been unfairly disciplined over a conduct issue and as a result became disaffected. A couple of months later Morrisons’ external auditor asked for payroll data for audit purposes and the employee was asked to handle the request. The data, at Morrisons’ request, was downloaded onto the employee’s work computer. He passed the data to the external auditor but he didn’t delete it from his computer. Some weeks later he uploaded the data onto the internet, under the name of another employee. The individuals whose personal data was wrongly disclosed then sued Morrisons, arguing that Morrisons was the data controller and so was responsible for the breach. Alternatively, they argued that if it was not the data controller, it was vicariously liable for the wrongful actions of the rogue employee.

The High Court accepted that Morrisons was not the data controller at the point at which the individual was loading the data onto the website. Similarly, although the Court accepted that Morrisons should have been more proactive in ensuring that the data on the employee’s computer was deleted as soon as it was no longer needed, this did not actually cause the damage. The Court’s view was that the employee would have sought to circumvent any precaution put in place, given that this was a deliberate breach designed to cause problems for Morrisons.

That left the claim for vicarious liability. Whether an employer is vicariously liable depends on there being a sufficiently close connection between what the employee was employed to do and their wrongful actions. Here, the Court accepted there was a sufficient connection and so Morrisons was vicariously liable. The employee was given access to the data through his work and was deliberately entrusted with the confidential information. Even though he had acted improperly and also used another employee’s name to post the information on the Web, his motive was irrelevant in deciding whether there was vicarious liability.

Given that around 100,000 employees were affected by this data breach, compensation could be significant. Importantly, it is not necessary for the affected employees to show that they have suffered financial loss. Individuals can claim for distress merely from the disclosure of their data. This case has worrying implications for employers. Here the employee’s actions were entirely deliberate, and even though none of the employer’s actions led to the data breach it was still held liable.

Given the employee’s actions were designed to cause problems for Morrisons, by passing liability to the supermarket, the Court’s ruling has in many ways furthered the employee’s wrongful aims.

Unsurprisingly, Morrisons intends to appeal so all employers will be watching carefully to see what happens next.

While not decided under the principles of the GDPR, this case is representative of a new data privacy environment in the workplace, with greater accountability for employers and increased employee rights. More data breach claims may follow, particularly given that it is not necessary for an individual to show loss to claim compensation.

What is clear from the case is that employers will be responsible for the employee data they hold and must apply the strictest possible controls to try to mitigate the risks presented by rogue individuals. Such controls could include: limiting the number of people who have access to personal data for work purposes, ensuring individuals who have such access only have it for a limited period, and that data security measures are in place to flag misuse of the data. Further, the personal consequences of data breaches should be outlined to those who need to have access to colleagues’ personal data for their job.

This is becoming farcical – how should a company reply to, for example, a request for a reference, or a credit check?
If one employee volunteers another’s phone number, is that really something for which an employer should have liability to pay compensation?
As with other misguided legislation, this will accelerate adoption of AI and elimination of human workers.

If ever you want proof of the law of unintended consequences this legislation is going to be high on the list.

SQL updates August 2018

August 16th, 2018

Microsoft has released a series of updates to SQL Server 2016 and 2017 to fix CVE-2018-8273:

– Executing a specially crafted query involving calculating the difference between values of different date types and aggregation of the results could lead to stack corruption if the query runs in batch mode. Depending on the particular values processed by such a query, this could lead to terminating the SQL Server process, or a possibility of remote code execution.

– A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account…. The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles objects in memory.

The updates include:
• 2017 CU9 GDR – 14.0.3035.2 – install this if you’re on the latest 2017, CU9
• 2017 RTM GDR – 14.0.2000.63 – install this if you’re still on RTM
• 2017 on Linux – 14.0.3035.2-1 and 14.0.2002.14 depending on your branch
• 2016 SP2 CU2 GDR – 13.0.5161.0 – install this if you’re on the latest 2016, SP2 CU2
• 2016 SP2 GDR – 13.0.5081.1 – install this if you’re still on SP2
• 2016 SP1 CU10 GDR – 13.0.4522.0 – install this if you’re still on SP1 CU10
• 2016 SP1 GDR – 13.0.4223.10 – install this if you’re still on SP1 with no CUs

Microsoft Ignite agenda insights to the future road map

August 14th, 2018

Microsoft recently published the session list for its annual Ignite IT Pro conference happening at the end of September. A look at the topics gives a clue to its roadmap. There are sessions on the next version of SQL Server, Surface Hub 2 and Surface Go with LTE, Intune and Windows Autopilot, Windows Server 2019, and new Remote Desktop services.

Last year, Microsoft used Ignite to highlight AI, intelligent edge and its futuristic quantum-computing technologies, but overall the listed sessions look more down to earth. There are two mixed-reality sessions, including “Visio Immersive.” Almost 100 listed sessions touch on AI. At Inspire, Microsoft told partners the “AI Accelerate Kit” would be coming in October and include AI use cases, best practices and “Ethical AI” guidance, so that seems likely to be included.

At Ignite, Microsoft will again focus on Microsoft 365, the bundle of Windows 10, Office 365 and Intune security/management technologies.

Expect a lot of Dynamics 365 CRM and ERP content, because October is when the next feature update will arrive for the suite of Dynamics products.

There seems to be more developer content: ASP.NET, Visual Studio Code and Visual Studio 2017, Node.js, and sessions on Linux and Docker containers, Progressive Web Apps and MSIX, the new Windows 10 application-packaging technology Microsoft is rolling out.

There are 115 sessions listed for SQL Server/Azure SQL. Maybe we will get an insight into the successor to SQL Server 2017, codenamed “Aris,” which is currently in private Community Technology Preview testing.

Microsoft will also show the new Surface Hub 2 and Surface Go.

Expect Windows Server 2019, Microsoft’s next major release of Windows Server, to be a hot topic; it’s due to start rolling out before year end.

https://www.microsoft.com/en-us/ignite

https://www.microsoft.com/en-us/ignite/faq

September 24–28, 2018 | Orlando, Florida

Dynamics 365 October 2018 release – many new features

August 4th, 2018

What to expect from the Dynamics 365 October 2018 release is set out in a 250 plus page document. The coming October update includes more than a hundred incremental updates to: the core Dynamics, Sales, Marketing, Customer Service, Portals, Omni-channel Engagement Hub, Field Service, Project Service, Social Engagement, Finance and Operations, Talent, Retail, and Business Central products and services.

The new Dynamics 365 AI for Sales app will help sales teams to use technologies, such as call sentiment analysis and warnings about deals being at risk, to take proactive actions. This app will be in public preview as of October 2018.

Expect to see a more tightly integrated Dynamics 365 with Microsoft Teams, SharePoint, LinkedIn, Microsoft Stream video platform, Azure, Azure IoT Central, Outlook together with relationship analytics and predictive lead scoring also in public preview as of October.

Finance and Operations (Dynamics AX, ERP): each feature listed below will be released with general availability.

Financial
• Dual currency
• View settlement transactions
• Global number sequences
• Vendor and customer approvals for specific fields
• Data entry dimension values
• Consistent validation actions
• IBAN number validation
• Change cash discounts
• Automatic ledger settlements
• Reverse journal posting
• On-hand inventory report performance
• Simplification through configurable templates
• Enterprise credit management
• Revenue recognition

Operations
• Master planning performance improvements
• Consolidation of planned orders during parallel firming
• Sealed bidding
• Unit of measure
• Public sector enhancements

Globalization
• Russian localization
• Globalization – enhanced configurability
• Regulatory Services, Configuration service

Platform Updates
• Usability and productivity updates
• Personalization improvements
• Additional demo data
• Data resident subscriptions
• Supportability rules
• Test automation support
• Troubleshooting for the document routing agent
• Upgrade automation
• On-premises deployment
• Manage batch jobs

Integration
• Integration with Field Service: Inventory and Projects
• Extend analytical workspaces by mashing up external data with Power BI

Analytics
• BYOD (Public Preview)
• Edit analytical workspaces
• Pin Power BI dashboards to workspaces
• Real-time embedded Power BI Reports

Lifecycle Services
• Dynamics Translation Services API (Public Preview)

Microsoft continues to emphasize the applicability of its HoloLens augmented reality goggles with the company’s business applications. The October 2018 update will feature integration with Remote Assist, Microsoft’s new hands-free video calling, and Microsoft Layout, which allows space planners to design their spaces.

The Common Data Service, which is part of its “Power Platform,” will also be updated with the October 2018 release.