A layered approach is critical to protect your PeopleSoft system against multiple threat vectors. Deploying a series of security barriers requires the bad guys to defeat all of them to breach the PeopleSoft system. A layered approached significantly reduces an organization’s daily risk, and their possible breach costs.
At minimum, a layered approach to protecting PeopleSoft should include:
The first tier of any secure system is the userid and password. When a user successfully passes a challenge on his/her credentials, the system provides access to functionality based on his/her identity.
Although adopting best practices in password management is critical, it is not sufficient to prevent breaches.
In today’s environment, trusting a simple userid and password will not keep your systems safe by themselves. Other security layers must be implemented.
Multi-factor authentication (sometimes called Two-factor authentication) is a secondary challenge that users must pass to confirm their identity. In most circumstances, the additional factor is something that the end-user must have in his/her possession so that compromised data such as a password or security question is insufficient to gain access to sensitive data and functions.
Although Multi-factor solutions are not impervious to attack (such as the process for provisioning the end-user), requiring a match of the identity of the userid/password and the second factor dramatically reduces the risk that a users’ session is compromised.
PeopleSoft contains extremely sensitive data and processes: social security numbers, bank accounts, addresses as well as confidential corporate data. Masking sensitive data by default provides an additional layer of security, protecting organizations from data loss (or data leakage).
When cybercriminals gain access to an account, their top priority is accessing private sensitive data and bank account information. Data masking puts additional control over how this information is disclosed or maintained. When utilized in combination with multi-factor authentication, an organization can still provide access to that data when needed by an end-user in a secure manner.
External threats, by definition, originate from outside the organization’s network. Many attack vectors like spear phishing or PS_TOKEN leverage Internet access to gain access to compromised systems. However, as organizations provide remote access to their PeopleSoft systems for applicants, integration with cloud products, working at home, and supplier self service, Internet access is increasingly required.
Should high privileged users really have the same access in untrusted locations as sitting in their office chair? Of course not! Restricting certain functions based on location requires the access to occur from a known location in combination with all other protections.
All the security layers or measures mean very little without knowing what actions users perform within your system. Incident response requires knowing who did what, when they did it and from where, and what data did they access. Malicious insiders, accidental errors and outside hacktivists require detailed logging of system access. Logging must be designed into the security solution from the beginning; there are no recreating events without this valuable data trail.
Layering security approaches provides essential protection from the attacks of today and tomorrow. A Layered approach including all of the steps above greatly increases your chances of thwarting cybercriminals. For your most sensitive processes, a cybercriminal would have to defeat all layers. For example:
Finally, the cybercriminal would not be able to prevent logging from occurring, which means that they would have a limited window in which to exploit the breach as an organization’s incident response processes kick in.
There is no magic “silver bullet” when it comes to cybersecurity, only well thought-out and implemented pro-active plans will set your organization up for success. Layered security measures are instrumental to your organizations future.
For additional information or to setup a private demo please visit www.greyheller.com or check out additional blog entries and past webinars on securing PeopleSoft access.