Power CAT Tools - Risk Assessment
Introducing another tool found in the Power CAT Tools Toolkit - The Risk Assessment Tool! Let's talk about what it is and why you should care.
The Risk Assessment Tool allows administrators to create risk profiles that can be used to assess existing security roles in order to determine levels of risk and compliance. These assessments allow administrators to be proactive rather than reactive when it comes to security roles within the platform and how they fit the organization's appetite for security.
The tool allows us to:
- Scan security roles on-demand
- Automate scanning of security roles - continuous scanning of security roles to receive insights
- Identify risk of scanned security roles based on an organization's policy
- Create risk profiles to better fit an organization's security policies
Maybe your organization has a desire to establish good security practices on an already existing Power Platform instance. Maybe your organization wants to evaluate new security roles being developed as part of an enhancement. This tool will help the organization wrap their arms around those efforts. Let's take a look at how.
We can open up the Risk Assessment Tool by clicking the Risk Assessment tile or selecting the "Assess Risk" menu item on the left-hand menu.

If this is the first time an organization is leveraging this tool, they will need to establish their risk profile if it differs from the Default Risk Profile. We can do that by selecting the Settings tab.

A couple items to note here:
- Set up your assessment settings - allows the Administrator to review the default risk profile settings
- Allows the Administrator to view all existing risk profiles as well as create new risk profiles
- Allows the Administrator to select which assessment profile is used in the event that continuous scanning is enabled
Just to get familiar with how things are set up, here is what the default risk profile looks like:

What we can see here is what type of access is granted to each privilege and how our organization views that in terms of risk. As an example, any security role that grants Organization level access for the Create privilege is considered a Critical risk. We can see that the risk drops as the access level is decreased. Keep in mind, this is just the default risk profile that is installed with the Power CAT toolkit. Your organization may view risk differently and this tool allows administrators to configure the settings according to their respective security policies.
So let's assume I have set up a risk profile for my organization and have chosen to scan one of my custom security roles. Let's take a look at the output. We can do this by viewing the Dashboard or by selecting the Assessments tab.

My custom role used for this example is an exact copy of the Sales Manager role. The output of the scan is shown below:

We can view all of the privileges granted to the security role, how severe the risk is based on our risk profile settings, what the current access level is, and what the recommended access level is.
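To make the mechanics of a risk profile concrete, here is an added example (my own code, not part of Power CAT Tools) that models what the profile and the scan output described above are doing: each privilege's access level is looked up in a profile table to get a risk rating, the widest access level that still fits the organization's tolerance becomes the recommended level, and the role's overall severity is the worst rating found. The only profile value taken from the article is that Organization-level Create is Critical; the other privileges, the descending ladder of ratings, the tolerance of Medium, and the sample role are all constructed assumptions, not the real default profile or the real Sales Manager role. It also includes the "apply the recommendations and re-scan" step that the tool performs when a role is edited and scanned again.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Access(IntEnum):
    """Dataverse-style access levels, ordered from narrowest to widest."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3   # parent: child business units
    ORGANIZATION = 4


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def _ladder(top: Risk) -> dict:
    """Descending ladder: `top` for Organization access, one step lower per narrower level."""
    levels = [Access.ORGANIZATION, Access.PARENT_CHILD, Access.BUSINESS_UNIT, Access.USER]
    return {lvl: Risk(max(Risk.LOW, top - i)) for i, lvl in enumerate(levels)}


# Constructed risk profile: privilege -> {access level: risk}.
# "Organization-level Create is Critical" is from the article; every other cell is an assumption.
RISK_PROFILE = {
    "Create": _ladder(Risk.CRITICAL),
    "Delete": _ladder(Risk.CRITICAL),
    "Write": _ladder(Risk.HIGH),
    "Assign": _ladder(Risk.HIGH),
    "Read": _ladder(Risk.MEDIUM),
}


@dataclass
class Finding:
    privilege: str
    access: Access
    risk: Optional[Risk]        # None when the privilege is not granted at all
    recommended: Access


def risk_of(privilege: str, access: Access, profile=RISK_PROFILE) -> Optional[Risk]:
    """Rating the profile assigns to this privilege at this access level."""
    if access == Access.NONE:
        return None
    return profile[privilege][access]


def recommended_access(privilege: str, current: Access, tolerance: Risk, profile=RISK_PROFILE) -> Access:
    """Widest level not above `current` whose risk is within tolerance (never widens access)."""
    for level in sorted(Access, reverse=True):
        if level > current:
            continue
        rating = risk_of(privilege, level, profile)
        if rating is None or rating <= tolerance:
            return level
    return Access.NONE


def assess_role(role: dict, tolerance: Risk, profile=RISK_PROFILE) -> list:
    """Scan a role (privilege -> access) and return one Finding per privilege."""
    return [Finding(p, a, risk_of(p, a, profile), recommended_access(p, a, tolerance, profile))
            for p, a in role.items()]


def role_severity(findings) -> Optional[Risk]:
    """Overall severity grade: the worst rating across all granted privileges."""
    risks = [f.risk for f in findings if f.risk is not None]
    return max(risks) if risks else None


def needs_review(findings, tolerance: Risk) -> bool:
    """True when any privilege is rated above the organization's tolerance."""
    return any(f.risk is not None and f.risk > tolerance for f in findings)


def apply_recommendations(findings) -> dict:
    """Build the edited role that results from accepting every recommended level."""
    return {f.privilege: f.recommended for f in findings}


# Constructed sample role; not the real Sales Manager definition.
SAMPLE_ROLE = {
    "Create": Access.ORGANIZATION,
    "Read": Access.ORGANIZATION,
    "Write": Access.BUSINESS_UNIT,
    "Delete": Access.USER,
    "Assign": Access.NONE,
}

if __name__ == "__main__":
    tolerance = Risk.MEDIUM
    findings = assess_role(SAMPLE_ROLE, tolerance)
    for f in findings:
        rating = f.risk.name if f.risk else "-"
        print(f"{f.privilege:<8} {f.access.name:<14} risk={rating:<9} recommended={f.recommended.name}")
    print("Severity:", role_severity(findings).name, "| needs review:", needs_review(findings, tolerance))
    # Edit the role as recommended and re-scan, as the Scan Role button would.
    rescan = assess_role(apply_recommendations(findings), tolerance)
    print("After re-scan:", role_severity(rescan).name, "| needs review:", needs_review(rescan, tolerance))
```

Two design choices matter here. The recommendation never widens access, so a privilege already narrower than the tolerance allows is left alone; and "needs review" is driven by the tolerance rather than by the severity grade, which is why a role can carry a Medium grade and still be compliant under a Medium tolerance.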
If a row is selected, a form is shown to allow us to modify the particular privilege level right from this screen.

Once changes are made, we can choose to manually re-scan this particular role once more by clicking the Scan Role button.

This will kick off the scanning process once more. We can see from the Assessments tab that we now have an In Progress scan.

Once the scan is completed, we can see it still has a Severity grade of Critical and the Status shows that this particular assessment needs to be reviewed and addressed.

This is a pretty slick tool to help Administrators understand where their security roles stand within their organization's risk profile. With the continuous effort of scanning and reviewing we can pare down our security roles to better align with our organization's risk management policies.
How does your organization view security within Power Platform solutions? Are you being proactive or reactive? Does your organization leverage other tools to assess risk? Drop a comment and let me know!