Managing Power Platform Risk with an Environment Strategy by Frank Shink, Senior Power Platform Design Engineer at Ameriprise Financial


Frank Shink, a seasoned professional, delves into the risks associated with Power Platform, from development risks to cost risks, and offers insights on tools and strategies to combat these risks effectively. He emphasizes the importance of environments, DLP policies, and licensing strategies in mitigating risks while providing a comprehensive overview of different environment types and their purposes.





Uploaded on Mar 27, 2024 | 1 Views


Presentation Transcript


  1. MANAGING POWER PLATFORM RISK WITH AN ENVIRONMENT STRATEGY - FRANK SHINK, SENIOR POWER PLATFORM DESIGN ENGINEER, AMERIPRISE

  2. ABOUT ME
     - Career
       - Software Developer: 1992-2003 (Alto Consulting, Born Consulting, Magenic Technologies)
       - SharePoint Guy: 2003-2019/2020 (Magenic Technologies, MoneyGram, Ameriprise Financial)
       - Power Platform Guy: 2019/2020-Today (Ameriprise Financial)
     - Personal Stuff
       - Family: Wife, 3 kids
       - Boating
       - Coach: football, basketball, hockey
       - Fitness: I love to work out
     - Getting ahold of me
       - LinkedIn: Frank Shink
       - Twitter: @fshink
       - Email: Frank.X.Shink@ampf.com

  3. AGENDA
     - Type of Risks
     - Tools Available to Combat Risks
     - Using the Tools

  4. WHAT RISKS ARE ASSOCIATED WITH POWER PLATFORM
     - Development Risks
       - Citizen Developers/Makers - No formal training
       - ALM
       - CI/CD: Continuous Integration/Continuous Deployment
       - Testing
       - Making changes to production apps in real time: is that okay?
     - External Risks
       - Compliance, Laws, Jurisdictions (e.g. GDPR)
       - Scope of audience: a few people, a project team, a department, enterprise
     - Cost Risks
       - Standard Functionality: included in E3/E5
       - Premium Functionality
         - Power Apps Per User - $20/User/Month (assume 25,000 users at rack rate: $6,000,000)
         - Power Automate Per User - $15/User/Month (assume 25,000 users at rack rate: $4,500,000)
         - Dataverse - $40/GB/Month: you can run up some organizational costs
     - Data Exfiltration
       - Power Automate, bigger picture: collaborative service bus
       - Disparate systems can now exchange data: is that okay?

  5. TOOLS IN THE POWER PLATFORM ADMIN'S TOOLBELT
     - Environments
     - DLP Policies
     - Licensing Strategy

  6. ENVIRONMENTS OVERVIEW
     - What are environments?
       - Containers for resources: Power Apps, Power Automate Flows, Dataverse, AI Builder Models
     - Purpose
       - Access Control: limiting who can create Power Platform stuff
       - ALM: development process of Dev, Test, Prod and that continuous cycle
       - Compliance: ability to isolate data or solutions in a way that works for your enterprise
       - Connector Risk Reduction (via DLP Policy): more to come later, but you get to define what connectors get to interact with each other
     - Types of Environments
       - Default: EVERYONE is a maker, this can be problematic
       - Trial Environments
         - Enterprise Controlled
         - Non-Enterprise Controlled: be careful of intellectual property issues
       - Developer: does not take up capacity
       - Sandbox
       - Production

  7. DLP POLICIES OVERVIEW
     - What are DLP Policies?
       - Guardrails or definitions of what connectors can be used together
     - Classifications
       - Business
       - Non-Business
       - Blocked
     - Handling new connectors: setting the Default Group
     - Applying to Environments
       - All Environments
       - Multiple Environments
       - Exclude Environments
       - Warning: this can get complicated and confusing real fast

  8. LICENSING STRATEGY OVERVIEW
     - License Types for Premium
       - Power Apps
         - Per App - $5/User/Month for each individual app and are stackable
         - Per User - $20/User/Month for unlimited premium apps
         - Pay As You Go - $10 per month for only those months you use the app
         - No good reporting on how many Per Apps or Pay As You Go, so it's hard to tell what an individual user is using
       - Power Automate
         - Per Flow - $100/Month (minimum of 5): you license your flow, everyone can use it
         - Per User - $15/month for unlimited Premium Flows

  9. AN ENVIRONMENT STRATEGY TO MITIGATE RISK
     - Zones: new concept (not an official Microsoft concept)
       - An Environment or Groups of Environments segregated by DLP Policies to manage the aforementioned risk
     - 3 Zones
       - Personal Productivity
         - For personal stuff
         - No Shared Apps*
       - Shared
         - Space for low-risk development
         - Typically for SharePoint-backed team and department level Apps and Flows
         - Most commonly Citizen Developers as Makers
       - Secure
         - Space for higher risk development
         - Typically high-end department level and enterprise apps
         - Most commonly Power Users and Pro-Devs as makers
     - DLP Policies are used to define the boundaries between Zones (more to come on that)
     - What do the zones look like?

  10. OVERALL ENVIRONMENT STRATEGY

  11. PERSONAL PRODUCTIVITY ZONE

  12. AN ENVIRONMENT STRATEGY TO MITIGATE RISK - PERSONAL PRODUCTIVITY
      - What is it for?
        - Low risk personal process management (SharePoint, OneDrive, Email, etc.)
      - Environment Type: Default
        - Every tenant has one
        - Everyone is a maker
      - Who Are Makers? Everyone
      - Deployments: None
      - Managing Risk
        - DLP Policy Strategy: few and limited connectors, only the tenant services
        - Governance: No Shared Apps or Flows*
          - 2 approaches to govern
            - Proactive - Managed Environments: requires premium licensing for everyone
            - Reactive - Power Platform CoE Starter Kit: does not require premium licensing for everyone

  13. SHARED ZONE

  14. AN ENVIRONMENT STRATEGY TO MITIGATE RISK - SHARED
      - What is it for?
        - Low risk to medium risk
        - Team development with standard preapproved connectors
      - 2 Flavors
        - Direct Prod
        - ALM Support Shared: Dev, QA, Prod
      - Environment Types
        - Dev: Trial, Developer, Sandbox
        - QA: Sandbox
        - Prod: Production
      - Who Are Makers?
        - Direct Prod: anyone, upon request
        - Dev Environments: AD Group of developers per project team
        - Test/Prod: Only Admins / Developers are just users
      - Deployments
        - Direct Prod: none, just build in prod
        - ALM Supported Shared: manual (by admins) or Azure DevOps CI/CD Pipelines for Power Platform
      - Managing Risk
        - DLP Policy Strategy
          - Personal Productivity Connectors + any other standard connectors that are approved for your organization
          - Single policy for the whole Zone

  15. SECURE ZONE

  16. AN ENVIRONMENT STRATEGY TO MITIGATE RISK - SECURE
      - What is it for?
        - Higher risk, premium solutions, enterprise scale
        - 5 Triggers
          - Premium Functionality
          - PII Data
          - Globally Unapproved Connectors
          - On Premise Data Through Data Gateways
          - Custom Connectors
      - Environment Types
        - Dev: Trial, Developer, Sandbox
        - QA: Sandbox
        - Prod: Production
      - Who Are Makers?
        - Dev Environments: AD Group of developers per project team
        - Test/Prod: Only Admins / Developers are just users
      - Deployments
        - ALM Supported Shared: Azure DevOps CI/CD Pipelines for Power Platform / Managed Environments Deployment Pipelines
      - Managing Risk
        - DLP Policy Strategy: each project (Dev, QA, Prod) triad gets its own DLP Policy

  17. AN ENVIRONMENT STRATEGY TO MITIGATE RISK - DO AND DON'T
      - Do
        - Keep track of environment owners
        - Automate the creation of Environments and DLP Policies: CoE Starter Kit or Power Automate
        - Use AD Groups to manage environment access
        - Involve stakeholders (Security/Privacy/Compliance) on DLP Policy approval
        - Make barrier to entry for makers as low as possible
      - Don't
        - Manage user access to environments as individual users
        - Create Environments and DLP Policies manually

  18. A DLP POLICY STRATEGY TO SUPPORT RISK MITIGATION
      - Hand in hand with Environment Strategy
      - Zones
        - Personal Productivity: few and limited, M365 services only
        - Shared: Personal Productivity Connectors + other globally approved connectors
        - Secure: case-by-case/project-by-project, each triad gets its own DLP Policy
      - New Connector Handling: set the default group, whatever that is for you, for new connectors

  19. A LICENSING STRATEGY TO SUPPORT RISK MITIGATION
      - Really only addresses 1 risk: cost
      - How does your finance department value expenses?
        - Unpredictability: Per User, Pay As You Go might save you money but it's unpredictable
        - Predictable: Per User gives predictability but costs more
      - Global v On-Demand Licensing
        - Global: everyone gets licensed, set and forget, could be expensive
        - On-Demand
          - Developers get licensed, no questions asked
          - End Users: before handing out licenses to end users, require ROI information; that conversation should happen early

  20. THANK YOU
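
The connector classification from slide 7 and the per-zone policies from slide 18, modelled as an added Python example (not part of the presentation and not Microsoft's API). The `DlpPolicy` class, `lowest_zone` and the connector lists are constructed for illustration; the rule modelled is that Blocked connectors cannot be used and Business and Non-Business connectors cannot be combined in one app or flow.

```python
from dataclasses import dataclass

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-Business", "Blocked"

@dataclass
class DlpPolicy:
    name: str
    groups: dict                  # connector name -> classification
    default_group: str = BLOCKED  # where new/unlisted connectors land

    def classify(self, connector):
        return self.groups.get(connector, self.default_group)

    def evaluate(self, connectors):
        """Return violations for one app/flow; an empty list means allowed."""
        by_group = {}
        for c in sorted(set(connectors)):
            by_group.setdefault(self.classify(c), []).append(c)
        violations = [f"{c} is Blocked" for c in by_group.get(BLOCKED, [])]
        if BUSINESS in by_group and NON_BUSINESS in by_group:
            violations.append(
                f"mixes Business {by_group[BUSINESS]} with "
                f"Non-Business {by_group[NON_BUSINESS]}")
        return violations

def business(*names):
    return {n: BUSINESS for n in names}

# Constructed connector lists (assumptions), one policy per zone;
# in the Secure zone each project triad would get its own policy.
PERSONAL = business("SharePoint", "OneDrive for Business", "Office 365 Outlook")
SHARED = {**PERSONAL, **business("Microsoft Teams", "Approvals")}
SECURE_X = {**SHARED, **business("SQL Server", "Project X Custom Connector")}

ZONES = [
    DlpPolicy("Personal Productivity", PERSONAL),
    DlpPolicy("Shared", SHARED),
    DlpPolicy("Secure (Project X)", SECURE_X),
]

def lowest_zone(connectors, zones=ZONES):
    """Name of the first (least privileged) zone whose policy allows the set."""
    for policy in zones:
        if not policy.evaluate(connectors):
            return policy.name
    return None

if __name__ == "__main__":
    for flow in (["SharePoint"], ["SharePoint", "Microsoft Teams"],
                 ["SharePoint", "SQL Server"], ["SharePoint", "Twitter"]):
        print(flow, "->", lowest_zone(flow))
```

Changing `default_group` to Non-Business shows the other side of new-connector handling: an unlisted connector then works on its own but is rejected as soon as it is combined with a Business connector.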
