"Power Pages – a Microsoft website design service"
Well there's your problem . . .
Private businesses and public-sector organizations are unwittingly exposing millions of people's sensitive information to the public internet because they misconfigure Microsoft's Power Pages website creation program. So says Aaron Costello, chief of SaaS security research at security-for-SaaS vendor AppOmni, who uncovered …
The Power platform is a whole data protection nightmare. Microsoft's default is to make configured Power components (including database connectors!) available to all users in a tenancy to use.
'Cause that's what's going to happen when someone leaks the entire HR database. (That's a "when", not an "if".)
Unfortunately, most of the complexity is in analysing the data, determining who should have access to what parts of it and then subsequently testing to see the access controls are correct.
Regardless of how the controls are implemented, it seems in these cases that none of the above was actually done. And that, ultimately, is the problem - giving the ability to publish potentially private data to people who haven't got the slightest clue about the possible consequences. If the default configuration was for all the data to be inaccessible to everyone, it wouldn't help - it would rapidly be altered to the simplest setting that appeared to "work", probably giving access to everything to everyone.
Sane parents don't let their babies play with bottles of crystallized picric acid (hint: it's shock-sensitive and explosive), but organisations give any Joe or Jill Fingerblotz -- people who know MS Word, Excel, PowerPoint, and maybe even Access -- control over sensitive personal information.
The executives doing this are clueless ("Anything I don't know how to do is easy.") and/or uncaring and/or unwilling to pay IT pros to manage their databases/websites.
The Reg article's link to security roles, "Security roles and privileges", https://learn.microsoft.com/en-us/power-platform/admin/security-roles-privileges, doesn't have any information on the Power Pages roles discussed, "anonymous users" and "authenticated users". That link is for Power Platform, and Power Platform is apparently not the same as Power Pages.
From The Reg article: `The problem is that many companies treat the "authenticated user" role as belonging to someone inside the organization and grant permissions accordingly – even for outsiders who register for their websites.`
I wonder where they got that idea? I found a link for Dynamics 365 "Secure your Power Pages", which does discuss those two roles, https://learn.microsoft.com/en-us/dynamics365/guidance/implementation-guide/security-strategy-product-portals , wherein we can read the next gem of a first paragraph. It doesn't explicitly state that authenticated users are internal, but mightily implies it.
From Microsoft: `Power Pages let internal and external users access Dataverse data through external-facing websites. You can expose your data to anyone—that is, to anonymous users—or only to authenticated users. For example, you can create a landing page or a home page that anyone can see, or a page that's only for users in your organization. To secure your Power Pages sites, you need to use authentication and authorization.`
Maybe that's not the link most low code users would find? I found a link for Power Pages, "Power Pages security", https://learn.microsoft.com/en-us/power-pages/security/power-pages-security.
From Microsoft: `Authenticated users **can be** (emphasis added) assigned web roles that provide specific access to information on the site. ... Web roles allow users to perform special actions or access protected content and data on the site. Web roles link to users, table permissions, and page permissions. Because users can be assigned multiple web roles, they can get cumulative access to site resources.`
In the unix www, "anonymous users" and "authenticated users" means roughly the same as how Microsoft intends it. "Authenticated users" doesn't mean all records, it means access is controlled by work **already done**, by a different admin, when the account was previously created. That's a missing step in Microsoft's implementation, and expecting low code users and managers to understand the implications of umask 000 is a bit much (pun intended), when their primary goal is simply to "make it work".
Anyhow, I didn't see any mention of Web roles in The Reg article? A quick scan of "Power Pages security" with the "what will my users think of this" cap on and I conclude: They will run away screaming! From bitter experience with SharePoint, business users and access controls don't mix. This is where I set up a meeting with my boss and they "decide" to let me set perms on the default Web role, assign the employees to a new team Web role, and create a process for my boss to switch people between the roles. Or would do, but wiser heads have prevailed and there are specially trained (thus oxymoronic) low code teams who implement all the details on behalf of the business teams.