Below are the main security features available in Dynamics 365 (CRM) Online.
Security concepts for Microsoft Dynamics 365
For further details visit: https://technet.microsoft.com/en-us/library/hh699698.aspx
Encryption keys
The feature to manage the encryption keys for your Dynamics 365 (online) instance has been launched.
The manage keys feature in the Dynamics 365 Administration Center gives administrators the ability to self-manage the database encryption keys that are associated with instances of Dynamics 365 (online).
Support: Dynamics 365 version 8.2 organizations only.
For further details visit: https://technet.microsoft.com/en-us/library/mt492471.aspx
Azure Secure Vault (HSM)
Dynamics 365 (online) currently uses a Microsoft-managed key to protect customer databases at rest, using SQL Transparent Data Encryption (TDE) to encrypt and decrypt data and log files in real time. A common ask from customers is the ability to have control over the encryption keys used. This capability enables you to roll over your key or revoke access on demand in a completely self-service manner. In this model, you can generate an encryption key and upload it to an Azure Key Vault controlled by Microsoft using the Dynamics 365 Admin Center.
Microsoft recommended securing the encryption keys on the Azure Secure Vault (HSM), which will be released in December 2017 (https://roadmap.dynamics.com/#application=614252f0-2992-e611-80dc-c4346bac0910).
The “Always Encrypted” feature is not available for Dynamics 365 (CRM).
For Always Encrypted details visit: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine
Multi-Factor Authentication (MFA) or Two-factor authentication (2FA)
2FA or MFA is an increasingly common and more secure method of protecting access to sensitive information or services by requiring an additional method of verifying your identity.
For further details visit: https://chamarairesh.blogspot.sg/2017/04/two-factor-authentication-2fa-for.html
By default CRM provides Basic; for that you would need Azure AD Premium (https://azure.microsoft.com/en-us/pricing/details/active-directory/), which requires top-up licenses.
Penetration test
Server-level penetration testing is done by Microsoft only.
For further details visit: https://security-forms.azure.com/penetration-testing/terms
For more information, please refer to the links below.
Microsoft Dynamics 365 security: https://www.microsoft.com/en-us/trustcenter/security/dynamics365-security#secure_apps_and_data
The security model of Microsoft Dynamics 365: https://msdn.microsoft.com/en-us/library/gg309524.aspx