Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape and new data regulations have paved the way for several necessary security enhancements. As the end of 2018 draws near, organizations must be aware, now more than ever, that attackers know “year-end” bonus season is coming and are preparing their tactics to redirect your employees’ hard-earned payroll and bonuses.
What is the weakest link in your ERP security chain?
Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. Most ERP breaches now originate from the unauthorized use of valid login credentials, stolen directly from the users themselves through phishing and social engineering attacks. This makes your users (and their passwords) by far the weakest link in your security chain.
Recommendations for mitigating the “human error” element
Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must utilize, detailing the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:
- Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
- Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
- Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
- Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
- Extending logging capabilities to be compliance-ready with 360-degree awareness of what is going on inside your PeopleSoft systems and user activity.
- Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics into your PeopleSoft security infrastructure.
Gartner recently released a report addressing the speculations around Oracle’s on-premise and cloud ERP applications. Focusing on Oracle ERP customers’ frequently asked questions, the report is aimed at helping CIOs make informed decisions on whether Cloud applications are a viable replacement for their on-premises suites. Here are the most important takeaways and highlights from the report:
On-premises ERP suites are not at the “end-of-life” stage.
From thousands of client interactions, Gartner concluded that Oracle’s ERP customers are unsure about Oracle’s commitment to its on-premises suite. To put their doubts to rest, Gartner highlighted several factors that reiterate Oracle’s continued investment in their on-premise applications:
Revenue from on-premise applications remains strong
“Oracle’s on-premises suites are not at the end-of-life stage” assures Gartner. “Oracle receives the majority of its software license revenue from customers paying for maintenance, and new sales of its on-premises products,” (68% and 65% in 2016 & 2017 respectively). According to Oracle’s co-founder Larry Ellison, “Oracle spends over $5 billion per year on research and development (R&D) and continues to invest in all its on-premises application products.”
Fluid symbolizes the future for (on-premise) PeopleSoft
Specific to PeopleSoft, the report mentions that the “…extended Support timeline for PeopleSoft is stated through at least 2027,” and with the launch of enhancement features such as Fluid UI for PeopleSoft, Oracle continues to demonstrate its investment in its existing on-premise ERP applications.
Best Practice: Map Your Business Requirements Against the Maturity of Oracle’s Cloud Applications
According to Gartner, Oracle’s cloud applications are the inevitable future of ERP functions, but having been released to different timetables, cloud applications have differing levels of maturity and may not (at this time) offer true parity to Oracle’s legacy, on-premise suite. As a best practice, Gartner recommends that decision-makers consider the development roadmap of the respective cloud applications and avoid confusing the desire to source a new technology with the objective of fulfilling a specific business requirement. In other words, Gartner states that “a full ‘rip and replace’ of your current applications may not be your best option.” Gartner goes on to urge customers to map business requirements carefully against the maturity of Oracle’s cloud applications and ensure that present-day business objectives can be met, so that costly and unexpected change management can be avoided. In addition, the report offers a detailed outline of various situations and subsequent appropriate actions for ERP customers using Oracle’s on-premise suites.
Best Practice: “Take the postmodern approach”
Gartner emphasizes that the decision to move to the cloud must be based solely on the value proposition cloud applications offer over existing on-premises applications. While talking about moving to Cloud applications “as part of a business transformation initiative” Gartner asks decision makers to be aware of “the risks and limitations of recent releases.” Instead of a complete “rip and replace” Gartner suggests a “postmodern approach,” where an organization could decide to replace only parts of their on-premises footprint. Gartner also advises Oracle customers to not “assume that the level of expertise that exists for application support and implementation services for on-premises suites also exists for cloud applications.”
As stated above, while the future appears to be headed towards the cloud, the fact remains that a “look before you leap” approach is recommended. A cloud migration project must begin with a thorough evaluation of your business objectives in order to ensure proper alignment between the cloud technology you are adopting and the expected results. Change management can add significant cost and disruption to a project, and while complete elimination of change management is impossible, the more evaluation you undergo prior to the start of a migration project, the more likely you are to avoid “budget busting” surprises.
So, consider the postmodern approach – what objectives do you need to achieve today vs. what do you need to achieve 5 years from now? Are there specific ERP functions that are working just fine today? If not, are there lightweight optimizations that can be done in the meantime to enhance current functionality? Gartner recommends a postmodern approach in order to avoid a scenario where you go “all in” on the cloud and are left to address an unexpected mess.
Stop me if you’ve heard this one…
“Do you want to get the most from your ERP? Then you must move to the cloud. Your bottom line will appreciate it, your users will appreciate it, and your IT security team will appreciate it.” Sounds like a pretty good deal, right?
In our upcoming blog series, we examine some of the most popular cloud adoption myths. By myths, we mean that there is a flipside to every story – and the cloud is no exception.
It’s important to note that we are not “anti-cloud.” Cloud HR functions serve an important purpose, and while there are undoubtedly benefits to moving some functions to the cloud – it’s important to not get too caught up in the hype. So, before you undergo a traumatic “rip and replace” of your core ERP and trade it in for that shiny cloud product – we invite you to stop and take a quick breath.
Hybrid as a Best Practice
From Gartner in their 2016 report, “…the extreme of having nothing cloud-based will largely disappear with Hybrid being the most common usage of the cloud.” As organizations determine specific business cases that are best served by a cloud solution, the corporate “no cloud” policy will become increasingly obsolete. This approach is fully supported by GreyHeller and we contend that using specific business cases to guide your cloud migration initiatives is a best practice. With that being said, the business case for a “rip and replace” of your core HR function is rare and can come with many negative implications. This blog series serves to examine just some of those implications and discuss the negative consequences that can occur.
Stay tuned as we release additional blogs in our upcoming “Adopting Cloud: Fact or Myth” blog series, where we address the truths behind:
- Cloud as a platform for Innovation
- Improving security via the cloud
- Offloading operational costs
- Market trends towards cloud adoption
In this two-part series, GreyHeller founders and former early PeopleSoft Technical Strategists Larry Grey and Chris Heller will discuss ERP trends and how they affect PeopleSoft customers. Part I will discuss Gartner’s recently published 2015 Strategic Road Map for Postmodern ERP and how the opportunities and challenges affect PeopleSoft customers. Part II will be a demo-intensive session showing how GreyHeller customers are meeting these challenges today.
July 15 • 11am PST
According to Gartner, monolithic ERP solutions are being deconstructed into postmodern ERP that will result in a more federated, loosely coupled ERP environment with much of the functionality sourced as cloud services or via business process outsourcers. This direction is driven by a need to support strategic, organization-wide functionality that is more flexible, secure, integrated, and modern.
Where does this leave you as a PeopleSoft customer? Do you need to replace PeopleSoft to achieve the architecture and benefits to drive your organization in the future, or do you have an option to leverage it along with other cloud-based solutions?
This session will answer these questions as well as describe how PeopleSoft can be part of a hybrid approach to utilizing PeopleSoft and the cloud:
- Where PeopleSoft fits
- Integration considerations, including data and security
- User experience modernization
- Lifecycle Management and compliance
- Control over functionality and infrastructure
July 29 • 11am PST
This session will discuss how GreyHeller customers are using our technology today to utilize PeopleSoft effectively in their postmodern ERP roadmap. This demo-intensive session will include customer case studies and product demonstrations that illustrate how to flexibly and safely retain your PeopleSoft investment by evolving its role from being a monolithic application to a key component of your hybrid ERP architecture.
Security: how to protect your most sensitive data and processes in an ever-evolving cybercrime landscape
Identity Management: how to leverage multiple identity providers for your different constituents — Candidates, Vendors, Employees using solutions such as Facebook, LinkedIn, Azure, and on-premise resources
User Experience: how to provide a seamless solution that is modern, looks consistent across cloud and on-premise components, and is easy to use
Flexibility: how to evolve the functionality you deploy rapidly
Lifecycle Management: how to keep up with new updates (driven by regulatory or business value requirements) while keeping a low TCO
Integration: how to control all of the integrations between each of the components
Larry just posted a YouTube video that describes how our ERP Firewall product’s 2-Factor Authentication feature can help prevent students from hacking into PeopleSoft Campus Solutions and changing grades. The video contains specifics on how 2-Factor Authentication works.
Larry created the YouTube video based on what was reported recently at Purdue University where students are facing felony charges for hacking into secure systems and changing grades (we don’t know whether the Purdue incident involved PeopleSoft).
Apparently, hacking to change grades is not uncommon:
David Pigman of SpearMC consulting presented Advanced PeopleSoft Security Audit.
Most of the presentation consisted of walking through slides of the PeopleTools security table structures, along with some discussions of things to watch out for. Some examples included key field names that are different between tables (which means Query won’t autojoin), decoding the ACTIONS field (which is a bitfield) into meaningful data, and understanding that PeopleTools like Data Mover, Application Designer, etc. actually get secured by menu names (e.g. DATA_MOVER) that don’t actually exist as menu definitions, but are hard-coded in the PeopleTools internal code.
The presentation was good (although I don’t think that I would call it advanced audit). A little more demo vs slides would be nice as well. A number of the queries that David did show (either in ppt or in an environment) are available with the presentation to be downloaded later.
They also have a product offering with additional queries that a security auditor might find useful. Towards the end of the presentation David showed a few of these in a live environment.
Labels: 2010, OpenWorld, Oracle