I was recently speaking with a customer who expressed a common concern. Because of COVID-19, their entire finance team was forced to work remotely and they were concerned about the risks of executing critical financial transactions. Purchasing, payroll, expenses, everything… all being done from unknown locations and on devices they couldn’t regulate.
From Convenient to Mandatory
It got me thinking: prior to COVID-19, the objectives for enabling remote access to PeopleSoft had mostly come out of a desire for productivity and convenience. For years, Appsian has been working with forward-thinking organizations who identified that remote access had significant value. Post COVID-19, organizations are in ‘survival mode’ and have no choice but to open access to their most sensitive financial transactions – and hope for the best. The potential for ‘adding insult to injury’ (i.e., financial losses) in a remote environment is enormous, and like any rapid pivot, it requires a strong strategy to be successful.
You Don’t Know What You Don’t Know
During our conversation, it became clear that their situation posed far more questions than answers. For instance: ‘Confidentiality around salary has never been more important’ (I assume they’ve required some employees to take salary reductions). ‘How can I know who viewed salary information, or perhaps downloaded queries?’ ‘How can I be sure unauthorized vendors are not being created?’ ‘How can I be sure payroll is being issued correctly?’ ‘How can I be sure sensitive information isn’t downloaded to someone’s home computer?’ It became clear they were flying blind – and starting to panic.
Traditional ERP Visibility Comes Up Short
None of the questions above could be answered in this customer’s current environment. It’s common knowledge that traditional ERP logging and analytics focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. If the task is to ensure that data is not being accessed maliciously or exfiltrated, and that business processes are not being exploited, ERP visibility comes up short.
This customer initially partnered with Appsian for Single Sign-On and Multi-Factor Authentication – both of which they were happy to have! However, their attention had turned from intrusion prevention to incident response and risk management. While they had the capability to ensure user authentication was strong, they lacked the ability to understand what activity was taking place – and, more importantly, whether trends in user behavior were indicative of malicious activity.
How ERP Analytics Prevent ‘Adding Insult to Injury’
This is where ERP Analytics becomes essential. When ERP access is both remote and ubiquitous, the ability to detect and respond to malicious activity is greatly reduced.
Using the Appsian Analytics platform, customers are fully enabled to understand exactly how their ERP data is being accessed – by whom, from where, on what and why. With this information in hand, organizations are fully enabled to detect unauthorized activity and formulate a rapid response before damages become catastrophic.
Analytics Provide Peace-of-Mind
Needless to say, it feels good to provide true value to a customer. It’s not every day that a customer comes to you concerned that their business is in trouble (from a market perspective) and also concerned that additional financial losses will follow (from a business process perspective). This is where having available data and granular oversight provides peace of mind. During unpredictable times, having as much information at your disposal as possible is critical. This is especially true when sensitive financial processes are taking place outside of your office – essentially outside your direct control and watchful eye.
The Next Step…
If a lack of visibility is a concern, we’d love to talk. In a brief 30-minute session, we can outline how deep our Analytics can go, the common use cases that are pre-configured in the platform, and how they can align to your unique business processes.
Stop me if you’ve heard this one…
“Do you want to get the most from your ERP? Then you must move to the cloud. Your bottom line will appreciate it, your users will appreciate it, and your IT security team will appreciate it.” Sounds like a pretty good deal, right?
In our upcoming blog series, we examine some of the most popular cloud adoption myths. By myths, we mean that there is a flipside to every story – and the cloud is no exception.
It’s important to note that we are not “anti-cloud.” Cloud HR functions serve an important purpose, and while there are undoubtedly benefits to moving some functions to the cloud – it’s important to not get too caught up in the hype. So, before you undergo a traumatic “rip and replace” of your core ERP and trade it in for that shiny cloud product – we invite you to stop and take a quick breath.
Hybrid as a Best Practice
From Gartner in their 2016 report, “…the extreme of having nothing cloud-based will largely disappear with Hybrid being the most common usage of the cloud.” As organizations determine specific business cases that are best served by a cloud solution, the corporate “no cloud” policy will become increasingly obsolete. This approach is fully supported by GreyHeller and we contend that using specific business cases to guide your cloud migration initiatives is a best practice. With that being said, the business case for a “rip and replace” of your core HR function is rare and can come with many negative implications. This blog series serves to examine just some of those implications and discuss the negative consequences that can occur.
Stay tuned as we release additional blogs in our upcoming “Adopting Cloud: Fact or Myth” blog series, where we address the truths behind:
- Cloud as a platform for Innovation
- Improving security via the cloud
- Offloading operational costs
- Market trends towards cloud adoption
Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss. However, if they don’t also focus on the internal processes around employees’ changing roles and responsibilities, their organizations are missing a key area of risk.
Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency. Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.
New employee onboarding
If done manually, the security implications of hiring a new employee can be daunting and prone to error. The provisioning process starts: computer access, ID and password, network access, and application access are all just the tip of the iceberg. HR processes have to be followed; FERPA or HIPAA tests need to be passed. Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.
To accomplish this, the hiring event starts the automated process of providing least-privilege access. Under this approach, new employees should only have access to the initial set of self-service functions, such as enrolling in benefits. This allows account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks. Granting higher-privileged access is covered in the next section.
Newly hired, promoted or transferred workers
When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.
To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities. That way the system naturally mitigates privilege creep through job migrations.
Administrative access requests
Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application. Therefore, tracking these assignments is absolutely critical: these high-privileged users have access to the institution’s most prized data or intellectual property. Organizations should establish a change control process over administrative privileges, whether they are project-related or ongoing. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.
Terminations – there goes the data!
Termination is a critical security event. When an employee is terminated (whether voluntarily or involuntarily), the clock is ticking on restricting their access. An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.
To address this concern, access must be removed from numerous systems precisely and efficiently, especially for high-privileged users. When an employee gives two weeks’ notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.
Automating this process involves tying the termination request to the modification of the user’s privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self-service HR functions. This has to be done immediately upon the termination event, and logging all access for these users is critical.
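The joiner/mover/leaver procedure described in the sections above, as an added example that is not part of the original post or any Appsian/GreyHeller product: a hire grants only base self-service roles, a promotion or transfer recomputes roles from the job-code mapping so stale roles are revoked (the privilege-creep case), a termination strips everything except base self-service, and every change is written to an audit log. The job codes, role names and audit sink are constructed for illustration; in PeopleSoft the role assignments would be applied through the security tables or an IDM connector.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the article): job codes mapped to the
# PeopleSoft roles they justify, plus the base self-service roles every
# active employee keeps. Admin roles are granted only via change control.
JOB_CODE_ROLES = {
    "FIN_AP_CLERK": {"AP Voucher Entry", "Vendor Inquiry"},
    "FIN_AP_MGR": {"AP Voucher Entry", "AP Voucher Approve", "Vendor Maintain"},
    "HR_PAYROLL": {"Payroll Process", "Salary Inquiry"},
}
BASE_SELF_SERVICE = {"Employee Self Service", "Benefits Enrollment"}
ADMIN_ROLES = {"Security Administrator", "Query Manager"}
AUDIT_LOG = []  # hypothetical sink; production would write to an audit table/SIEM

def target_roles(event, job_code, current_roles):
    """Least-privilege role set that should exist after a lifecycle event."""
    if event in ("hire", "terminate"):
        # New hires start with self-service only; leavers keep only self-service.
        return set(BASE_SELF_SERVICE)
    if event in ("promote", "transfer"):
        job_roles = JOB_CODE_ROLES.get(job_code, set())
        # Admin roles are not job-code derived: retain them but flag for review.
        return BASE_SELF_SERVICE | job_roles | (current_roles & ADMIN_ROLES)
    raise ValueError(f"unknown lifecycle event: {event}")

def reconcile(emplid, event, job_code, current_roles):
    """Compute (grants, revokes) for one event and record every change."""
    current_roles = set(current_roles)
    target = target_roles(event, job_code, current_roles)
    grants = sorted(target - current_roles)
    revokes = sorted(current_roles - target)   # stale roles = privilege creep
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for role in grants:
        AUDIT_LOG.append(f"{ts} {emplid} {event} GRANT {role}")
    for role in revokes:
        AUDIT_LOG.append(f"{ts} {emplid} {event} REVOKE {role}")
    for role in sorted(target & ADMIN_ROLES):
        AUDIT_LOG.append(f"{ts} {emplid} {event} REVIEW admin role retained: {role}")
    return grants, revokes

if __name__ == "__main__":
    roles = set()
    for ev, jc in [("hire", "FIN_AP_CLERK"), ("transfer", "FIN_AP_MGR"),
                   ("transfer", "HR_PAYROLL"), ("terminate", None)]:
        g, r = reconcile("E1001", ev, jc, roles)
        roles = (roles | set(g)) - set(r)
    print("\n".join(AUDIT_LOG))
```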
Over the past 24 hours, I’ve had lots of folks wanting to learn more about the HCM reporting examples in yesterday’s post. I decided to record a flash demo that shows how one would use the queries as well as the nVision reports (and drills).
In order to simplify the navigation in the demo, I did use the nVision Drilling Snap-on (which is separately licensable, but is not required to use the queries and nVision objects in the project). However, it does make it much easier to find and use them together.
Click here to watch the HCM Reporting in action…