Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss. However, if they don’t focus on internal processes around their organization’s employees’ changing roles and responsibilities, organizations are missing a key area of risk.
Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency. Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.
New employee onboarding
If done manually, the security implications of hiring a new employee can be daunting and prone to error. The provisioning process starts: computer access, id and password, network access, and application access are all just the tip of the iceberg. HR processes have to be followed; FERPA or HIPAA tests need to be passed. Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.
To accomplish this, the hiring event starts the automated process of providing least privileged access. By providing this, new employees should only have access to the initial set of self service functions such as enrolling in benefits. This allows the account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks. Granting higher privileged access is covered in the next section.
Newly hired, promoted or transferred workers
When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.
To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities. That way the system naturally mitigates privilege creep through job migrations.
Administrative access requests
Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application. Therefore, tracking the systems is absolutely critical. These high privileged users have access to the institutions most prized data or intellectual property.Organizations should establish a change control process over administrative privileges that may be project related or on going. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.
Terminations – there goes the data!
Termination is a critical security event. When an employee is terminated (whether involuntarily or involuntarily) the clock is ticking on restricting their access. An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.
To address this concern, access must be removed from numerous systems precisely and efficiently especially for high privileged users. When an employee gives a two-week notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.
Automating this process involves tying the termination request to the modification of the users privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self service HR functions. This has to be done immediately upon the termination event and logging all access for these users is critical.
A layered approach is critical to protect your PeopleSoft system against multiple threat vectors. Deploying a series of security barriers requires the bad guys to defeat all of them to breach the PeopleSoft system. A layered approached significantly reduces an organization’s daily risk, and their possible breach costs.
At minimum, a layered approach to protecting PeopleSoft should include:
- Multi-factor authentication
- Data Masking
- Location Based Security
The first tier of any secure system is the userid and password. When a user successfully passes a challenge on his/her credentials, the system provides access to functionality based on his/her identity.
Although adopting best practices in password management is critical, it is not sufficient to prevent breaches.
- Social engineering in the form of spear-phishing and phishing campaigns can be utilized to gain access to your credentials.
- Encryption keys that protect credentials can be cracked, allowing access to password databases or generation of authentication tokens.
- Key loggers and other techniques can be utilized to capture traffic from the browser to the server
In today’s environment, trusting a simple userid and password will not keep your systems safe by themselves. Other security layers must be implemented.
Multi-factor authentication (sometimes called Two-factor authentication) is a secondary challenge that users must pass to confirm their identity. In most circumstances, the additional factor is something that the end-user must have in his/her possession so that compromised data such as a password or security question is insufficient to gain access to sensitive data and functions.
Although Multi-factor solutions are not impervious to attack (such as the process for provisioning the end-user), requiring a match of the identity of the userid/password and the second factor dramatically reduces the risk that a users’ session is compromised.
PeopleSoft contains extremely sensitive data and processes: social security numbers, bank accounts, addresses as well as confidential corporate data. Masking sensitive data by default provides an additional layer of security, protecting organizations from data loss (or data leakage).
When cybercriminals gain access to an account, their top priority is accessing private sensitive data and bank account information. Data masking puts additional control over how this information is disclosed or maintained. When utilized in combination with multi-factor authentication, an organization can still provide access to that data when needed by an end-user in a secure manner.
Location Based Security / Least Privileged Access
External threats, by definition, originate from outside the organization’s network. Many attack vectors like spear phishing or PS_TOKEN leverage Internet access to gain access to compromised systems. However, as organizations provide remote access to their PeopleSoft systems for applicants, integration with cloud products, working at home, and supplier self service, Internet access is increasingly required.
Should high privileged users really have the same access in untrusted locations as sitting in their office chair? Of course not! Restricting certain functions based on location requires the access to occur from a known location in combination with all other protections.
All the security layers or measures mean very little without knowing what actions users perform within your system. Incident response requires knowing who did what, when they did it and from where, and what data did they access. Malicious insiders, accidental errors and outside hacktivists require detailed logging of system access. Logging must be designed into the security solution from the beginning; there are no recreating events without this valuable data trail.
Layering security approaches provides essential protection from the attacks of today and tomorrow. A Layered approach including all of the steps above greatly increases your chances of thwarting cybercriminals. For your most sensitive processes, a cybercriminal would have to defeat all layers. For example:
- He/she would need to gain the end-user’s userid and password
- He/she would need to gain physical possession of the end-user’s multi-factor token
- He/she would need to unmask sensitive data
- He/she would need to connect from a trusted location
Finally, the cybercriminal would not be able to prevent logging from occurring, which means that they would have a limited window in which to exploit the breach as an organization’s incident response processes kick in.
There is no magic “silver bullet” when it comes to cybersecurity, only well thought-out and implemented pro-active plans will set your organization up for success. Layered security measures are instrumental to your organizations future.
- 9/30 UNC Chapel Hill Thwarts Cybercrime with ERP Firewall
- 10/13 Verizon Makes PeopleSoft HCM Responsive with PeopleMobile®
Check out the details below!
9/30 UNC Chapel Hill Thwarts Cybercrime with ERP Firewall Presenter: Sharron Bouquin, Auxiliary Applications Manager, Enterprise Applications 11am PST / 2pm EST
The University of North Carolina at Chapel Hill utilizes the GreyHeller Application Firewall to enhance application security and protect valuable data assets. The intelligence provided by the GreyHeller Application Firewall enabled an invaluable shift in mindset from being reactive to proactively planning security measures.
This webinar will focus on the steps the university took to:
- Stop administrative users from insecurely accessing sensitive data
- Protect against specific browser flaws like cross-site scripting and URL spoofing
- Protect high profile departments
- Increase actionable intelligence about end users behavior allowing knowledgeable business decisions
- Lower their risk profile by implementing critical data protection rules across all development and production systems
- Increase ROI by enabling increased end user satisfaction by securely delivering self-service and mobile access
MOBILE / USER EXPERIENCE
10/13 Verizon Makes PeopleSoft HCM Responsive with PeopleMobile® Presenter: David Kelly, Director Systems Architecture at Verizon 11am PST / 2pm EST
This session will discuss how Verizon was able to provide mobile / responsive self service access to its 170,000+ workforce within a 4 month implementation timeframe. This presentation will cover:
- Overview of Verizon’s highly customized environment
- Key Use Cases
- Types of mobile access
- UI standards and requirements
- Implementation methodology
- Lessons learned
For more information or to schedule a private demo, please contact us.
Want to sort cybercrime fact from fiction? Do you think you know the difference? Test your knowledge. In this OHUG sponsored webinar, GreyHeller will set the record straight about cybersecurity myths using data from its Annual Cybersecurity Survey, the Sans Survey and live audience polling.
This engaging and interactive webinar session will test your internal and external threat knowledge and give you the tools necessary to assess your organizations’ PeopleSoft security. All participants will be given a copy of GreyHeller’s Confidential Threat Assessment Matrix which identifies the internal, external and data threat vectors the bad guys have used to compromise HCM data.
The session will include information on:
- Data Masking
- Data Leakage
- Multi-Factor Authentication
- Location Based Security
- Self Service Use
- High Privilege Access
- Logging/Analysis & Forensic Investigation
We will conclude with real world case studies of how PeopleSoft customers are protecting their HCM data from cybercrime.