Accessibility, Security

Why Colleges and Universities are Rushing to Implement Single Sign-On for PeopleSoft

By Scott Lavery • August 4, 2020

It’s not uncommon for higher education institutions to approach us (with great haste) about our Single Sign-On (SSO) solution for PeopleSoft Campus Solutions. Lately, I’ve noticed an uptick in the urgency. Nobody’s hair is literally on fire, but after speaking with a handful of universities, it sure feels that urgent. Here’s what’s happening. 

The COVID-19 Pivot Strikes Again 

When COVID-19 first caused colleges and universities to shut down their campuses and rapidly switch to online learning, that was their primary focus. Pretty much all non-essential IT (and PeopleSoft) projects were immediately put on hold. After an intense focus on student, staff, and faculty safety and performing herculean feats to enable remote learning and remote access for thousands, IT departments are back to focusing on data security and access.  

This summer, many institutions around the country were cautiously optimistic they could reopen in the fall and were making plans to welcome back faculty and students into something they hope will resemble normal campus life. IT and security teams were also busy, reviewing priorities, projects, and budgets. They know that thousands of students, faculty, and staff depend on the institution’s applications to keep operations running smoothly.  

Unfortunately, all this planning and optimism might be for naught. Almost daily, universities that had released detailed plans for in-person classes in the fall have reversed themselves and said they will go almost entirely online. Because of these sudden changes, some IT departments are quickly pivoting to adapt their systems to handle remote access and surging self-service demand.

And that’s the urgency we’re experiencing: To improve productivity, enhance security, and improve the overall user experience, universities are (urgently) turning to a SAML SSO solution for PeopleSoft Campus Solutions. Why? Because the first step in addressing usability is ensuring authentication is secure, without causing user friction. 

Enable PeopleSoft SSO with SAML-Based IdPs 

The good news is that Appsian can help universities meet this urgent request in two weeks or less. We provide the only turnkey SAML integration solution for PeopleSoft without any custom development or additional hardware. You can allow thousands of users (students and faculty) to access multiple applications, not just PeopleSoft, using a single login on any device.  

Customers can also use multiple IdPs concurrently, including Okta, Ping, ADFS, Shibboleth, Azure AD, and more, ensuring that any patchwork of systems used across groups, buildings, and departments is accessible and secure.

The More Things Change, the More Changes You Have to Make 

COVID-19 has utterly wrecked the college experience for students, but requirements for accessing and securing applications for the upcoming school year haven’t changed for IT departments.  

What’s changed is the urgency to make sure that applications, data, transactions, and lectures are accessible and secure.  

At the end of the day, institutions must pivot their operations to ensure that applications can be seamlessly accessed, for no other reason than that friction causes abandonment, and when students are 100% virtual, abandonment is far more likely.

The quickest way to improve usability and security for PeopleSoft Campus Solutions is with SAML-based Single Sign-On (SSO).

Contact us today to learn how you can make this happen in 2 weeks! 

Stay Updated

Security

When it Comes to ERP Data Security, Context (of Access) Matters – Appsian360 Can Help!

By Michael Cunningham • July 28, 2020

Organizations using traditional, on-premise ERP applications like SAP ECC and Oracle PeopleSoft are facing a rapidly changing reality around the collection, storage, and usage of data. Aside from the growing number of compliance regulations they need to follow, such as GDPR, CCPA, and others, they face critical visibility gaps related specifically to understanding ERP data access and usage, especially at a fine-grained level.

This lack of visibility is exacerbated by organizations enabling remote and mobile access for their users, exposing them to a myriad of data security and compliance threats, from external attacks (phishing and credential theft) to fraud and theft by internal users, all of which result in losses of millions of dollars each year.

Fortunately, ERP applications that were once considered a “black box” can now be enhanced with the most sophisticated logging and analytics technology available on the market. Introducing Appsian360, the first and only data access and usage analytics platform for SAP and PeopleSoft.  

Why Context of User Access and Data Usage Matters  

Far too often, user behavior is a mystery, and the result is security incidents, fraud, theft, and business policy violations. Specifically, organizations lack detailed insight into how, when, and by whom transactions and data fields are being accessed.

As they exist today, legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions.   

“For years, organizations have been operating with limited visibility, and current threats to ERP data have made this status quo completely intolerable,” said Piyush Pandey, CEO of Appsian. “Appsian360 is about knowing who is doing what – at a very granular level.”   

With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.   

“The beauty of Appsian360 is it’s a comprehensive solution that provides actionable insights,” added Pandey. “We know that forensic investigations and time to mitigation costs organizations countless amounts of money – and we’re pleased that Appsian360 can alleviate much of this burden.”  

Appsian360 for SAP and PeopleSoft  

Appsian360 installs into your ERP web server and does not require any additional customizations. There are zero noticeable effects on application performance. Here’s a high-level look at what Appsian360 can do for you.  

Detect Security Threats in Real-Time: Appsian360 proactively alerts you to security threats like hacking, phishing, misuse of privileged accounts, and many more. You can quickly receive the information required to fully enable forensic investigations.  

Uncover Hidden Business Risks: Appsian360 helps you detect and respond to fraud, theft, and errors by employees and third parties (vendors, consultants, etc.). Companies can maintain a complete view of sensitive business transactions, and what (specific) users are doing.  

Monitor Employee Productivity: Appsian360 helps you maintain oversight as users process and execute business transactions. You can use these insights to ensure efficient staffing and identify potential bottlenecks in critical HR, payroll, and finance activities.  

Understand Data Access & Usage with More Clarity Than Ever Before  

Organizations can no longer rely on having a lot of data. They need to start triangulating and developing context around the data they’re getting and how it’s being used. Appsian360 provides real-time data access and usage visibility previously unavailable to SAP and Oracle ERP customers.  

To see how data security and compliance threats that were once considered “the price of doing business” are no match for the watchful eye of Appsian360, join us for a virtual demonstration on Thursday, August 13. You can register here: https://www.appsian.com/visibilty-using-appsian360/.  

Contact us today for a personalized demo and find out how Appsian360 can fill critical visibility gaps for your organization.   


Security

CCPA Enforcement Is on Track to Start July 1, 2020. Are Your Data Privacy Strategies Ready?

By Michael Cunningham • June 24, 2020

Time is almost up for companies scrambling to get their data privacy strategies in compliance with the California Consumer Privacy Act (CCPA). Beginning as early as July 1, 2020, the California Attorney General’s office can start enforcing the CCPA and handing out penalties of up to $2,500 per violation or up to $7,500 per intentional violation.

So, when exactly, will the CCPA regulations become enforceable? The CCPA itself took effect on January 1, 2020; what remained were the implementing regulations. On June 1, 2020, the California AG took the final step before those regulations become enforceable by submitting the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). The OAL has 30 working days, plus an additional 60 calendar days related to the COVID-19 pandemic, to review the submission and approve it. Doing the math, the regulations could be approved as early as July 1 or as late as September 1, 2020. Note, however, that the statute itself allows the AG to begin enforcement actions on July 1, 2020 regardless of when the regulations are finalized, so July 1 is the date to plan around.

Strategies for Improving ERP CCPA Compliance  

Companies using PeopleSoft, SAP ECC, S/4HANA and Oracle EBS are likely facing additional compliance challenges due to inherent limitations built into these legacy ERP systems. Let’s look at a couple of tactics for enhancing your ERP systems to improve compliance with CCPA and establishing the capabilities to prepare for the uncertainty around data privacy. 

1: Enhance Visibility into User Activity 

The CCPA requires organizations to implement reasonable security procedures around personal data and to satisfy data subject access requests (DSARs). That means businesses must know what personal data they store and what user activity is going on around it. However, traditional ERP systems do not provide the required level of granularity.

To achieve detailed visibility around data usage, organizations need to expand their native logging capabilities with a strategy that focuses on data access and usage, meaning they must capture contextual details for each access: date and time, UserID, IP address, device, location, actions performed, and so on.

This is information that is critical for compliance reporting and understanding how data is being used within your organization. 

2: High Privilege Access Should be the Highest Priority for Strengthening DLP 

When it comes to ERP systems, the static rules that govern access can be limiting because roles and privileges are user-centric, not data-centric. User-centric roles say a person (or group, in most cases) can view something under any circumstances, while data-centric means the nature of the data defines the access. This gets organizations in trouble time and time again from a DLP perspective, because high-privilege users can always see more data than they actually need to do their job, which makes CCPA non-compliance hard to avoid. Overexposure of data is your biggest enemy, and governing access by static rules (aka ‘all or nothing’ access rules) creates an enormous liability.

Implementing data-centric policies (typically through attribute-based access controls) ensures that a user can only access data deemed necessary and job-related. This is because the data itself is governing access, not a user role. For example, access to certain high-risk transactions can be restricted based on a user’s location, or access can be granted but with masked data fields. With every variation of context, attribute-based access controls can pivot and adjust accordingly. By reducing the attack surface, companies reduce the risk of data leakage and limit the damage from compromised credentials.

3: Use Real-Time Analytics and Data Visualization (SIEM) to Expedite Incident Response

Integrated, real-time analytics displayed on dashboards were always a “nice-to-have” feature for security teams; however, with breach detection and notification obligations in mind, data visualization has become a must-have. These dashboards give security professionals real-time snapshots of data usage, and drill-down capabilities allow for data discovery and exploration that expedite breach detection and response, helping organizations stay compliant with CCPA and other existing and upcoming regulations.

Ready or Not, CCPA Enforcement Has Arrived  

If you’re not wrapping up your CCPA compliance efforts by now, there’s no better time than the present to start (or continue down that road). Appsian can help you fast-track your compliance efforts by enhancing your visibility and applying a data-centric ERP compliance framework.

The last thing any company wants is to discover that they’re out of CCPA compliance only when there’s a breach of the regulation. 

Contact us to learn how Appsian can help you address your end-to-end security and compliance needs.


Security

Oracle Extends PeopleSoft Support to 2031. Now’s the Time to Invest in PeopleSoft Data Security Projects

By Michael Cunningham • May 6, 2020

On April 19, 2020, Oracle announced on its PeopleSoft Support blog that the company is extending support for the ERP application through 2031. As stated on the blog, Oracle remains “committed to a rolling ten years of support for PeopleSoft. We will review and plan to extend support again next year, and the year after that, so that you have a decade of committed support and can plan your enterprise software investments accordingly.”  

This news should give PeopleSoft customers the certainty they need to keep investing in the long-term success of their PeopleSoft applications. Thanks to COVID-19, organizations may be concerned about their short-term financial stability. Add in the newfound uncertainty of continuing large-scale IT projects in this climate (like a cloud ERP migration), and organizations now find themselves looking for ways to reap maximum benefit with the lowest overhead and shortest project completion time.

Three “Home Improvement” PeopleSoft Data Security Projects  

With large-scale projects on hold, it’s a good time to invest in smaller-scale projects that focus on what is truly mission-critical today (and for the near future): PeopleSoft data security. You’re already working hard to secure data while users access it remotely, and while band-aids may be in place right now, organizations must consider strategies that scale long-term.

Here are three smaller “home improvement” projects that strengthen your PeopleSoft data security posture: 

Integrate your SAML Identity Provider (IdP) for Single Sign-On (SSO)  

When you count the hours spent managing passwords (80% of help desk calls) or tackling SSO projects using customizations and home-grown solutions, you find that removing the complexity of PeopleSoft password management is an ROI positive project. Add in the lost productivity of users not being able to access business transactions (because they’re waiting for their password to be reset), then the ROI increases. The bottom line, a SAML-configured Single Sign-On for PeopleSoft will make everybody happy. A SAML SSO provides the combination of security and productivity that organizations are striving for. And, given the alarming uptick in phishing attacks – user credentials have become an obvious liability.

Strengthen IAM with Adaptive Multi-Factor Authentication (MFA)

When you’re buying new appliances for a remodeling project, you buy a washer and dryer in pairs. Yes, you can wash and dry your clothes using one or the other, but using both is a better option. Same with applying adaptive multi-factor authentication (MFA) with your SSO as an effective method for verifying identity. Adaptive MFA ensures that contextual attributes (e.g., device, network, location) are the determining factor for issuing MFA challenges. The context of access varies in mobile and work-from-home environments, and your level of control should do the same. This is essential if your users are accessing remotely, as managing authentication (especially for high-privilege users) can be challenging.

It is also recommended to expand the use of MFA and apply step-up challenges on transactions that may be considered ‘highly sensitive.’

Real-Time Visibility for User Activity Monitoring and Transaction Logging  

Just like a rug can tie a room together, real-time visibility via user activity monitoring and transaction logging can be the perfect complement to your PeopleSoft data security fixer upper. There are a lot of sensitive transactions being executed outside of the office these days, and monitoring user activity gives you a better sense of how your data is being accessed and used.  

Invest in Today and Plan for Tomorrow 

Now is a good time to take Oracle’s lead in their extension of PeopleSoft support – and alleviate a lot of the complexity around PeopleSoft data security, identity, and access management. Securing remote access with SSO and adaptive MFA today provides significant PeopleSoft ROI – along with applying a strong data security framework that can scale with a myriad of workforce and landscape changes.

Best of all, you can complete these projects in only two to four weeks, and we guarantee you won’t be cleaning up any sawdust when you’re done.

Request a demonstration of the Appsian Security Platform today.


Security

Why VPN is Not Enough – and why Investing in ERP Data Security is Critical

By Scott Lavery • April 22, 2020

With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of conventional security technology like a virtual private network (VPN) and data residing in traditional, on-premise ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination: it may leave you feeling secure while your data remains at risk.

A VPN is Not Data Security

Plain and simple, a VPN is a connection point. While it may shrink your attack surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so on…

Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:

Federating High Privilege Users

High-privilege users should face the most scrutiny. Ideally, a high-privilege user should authenticate through Active Directory or whatever identity provider an organization is using, and then receive federated privileges to PeopleSoft based on the contextual attributes of their access (e.g., are they accessing from a foreign country?). Federating high-privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft through a SAML identity provider (such as AD FS in front of Active Directory) can be challenging in itself (see this blog for more info).

If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with said access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer, on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate and sadly, they are usually correct.

Malicious Insiders Tend to be High Privilege Users

This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation, bad things can happen. This is the most compelling case for data security, because the highest stakes surround high-privilege users. A/P, A/R, Finance, Supply Chain, Payroll: all these functions deal with money. Having the ability to lock down and limit access to data and transactions has a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely, so the potential for damage is far greater than before.

Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!

Integrating dynamic, risk-aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove extremely beneficial, because many organizations would prefer not to hamstring their employees with restrictions; they would rather gain visibility and respond when an anomaly is detected.
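The “dynamic, risk-aware controls” above, the data-centric (attribute-based) access described in the CCPA post, and the adaptive MFA step-up from the “home improvement” post all come down to the same thing: a policy engine that evaluates the context of each access rather than only the user’s role. The following is an added example written for this page, not Appsian product code or PeopleSoft’s own security model. The roles, transaction names, home country, business hours and masking rule are assumptions chosen to mirror the three questions asked above (payroll exports to personal devices, wires outside business hours, vendor creation from abroad).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example, not Appsian or PeopleSoft code. A static role check answers
# "may this user ever touch this transaction?"; the context rules below then
# decide allow / deny / masked view / step-up MFA for this particular access.
# Roles, transaction names, home country, hours and masking are assumptions.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    transaction: str            # e.g. "payroll.query", "ap.wire", "vendor.create"
    action: str                 # "view", "execute" or "export"
    country: str                # assumed already derived from the source IP
    managed_device: bool        # corporate-managed endpoint?
    on_corporate_network: bool  # office network or VPN?
    hour: int                   # local hour of day, 0-23
    mfa_verified: bool          # has a step-up challenge already been passed?

@dataclass
class Decision:
    outcome: str                # "allow", "deny", "step_up" or "allow_masked"
    reason: str
    masked_fields: List[str] = field(default_factory=list)

HOME_COUNTRY = "US"
BUSINESS_HOURS = range(8, 18)
PRIVILEGED_ROLES = {"payroll_admin", "ap_manager", "sysadmin"}

# Static entitlements: the role-based baseline every ERP already has.
ENTITLEMENTS: Dict[str, set] = {
    "payroll.query": {"payroll_admin", "hr_analyst"},
    "ap.wire": {"ap_manager"},
    "vendor.create": {"ap_manager", "ap_clerk"},
    "hr.person": {"hr_analyst", "payroll_admin"},
}

# Fields shown only partially when the context is not fully trusted.
SENSITIVE_FIELDS: Dict[str, List[str]] = {
    "payroll.query": ["ssn", "bank_account", "salary"],
    "hr.person": ["ssn", "dob"],
}

def no_export_to_unmanaged_device(req: AccessRequest) -> Optional[Decision]:
    if req.action == "export" and not req.managed_device:
        return Decision("deny", "export of ERP data to an unmanaged device")
    return None

def no_vendor_creation_abroad(req: AccessRequest) -> Optional[Decision]:
    if req.transaction == "vendor.create" and req.country != HOME_COUNTRY:
        return Decision("deny", f"vendor creation from outside {HOME_COUNTRY} ({req.country})")
    return None

def step_up_for_off_hours_wires(req: AccessRequest) -> Optional[Decision]:
    if (req.transaction == "ap.wire" and req.action == "execute"
            and req.hour not in BUSINESS_HOURS and not req.mfa_verified):
        return Decision("step_up", "wire outside business hours needs a fresh MFA challenge")
    return None

def step_up_for_remote_privileged_users(req: AccessRequest) -> Optional[Decision]:
    # Adaptive MFA: the challenge is driven by context, not issued on every login.
    if req.roles & PRIVILEGED_ROLES and not req.on_corporate_network and not req.mfa_verified:
        return Decision("step_up", "privileged role used off-network needs MFA")
    return None

def mask_sensitive_fields_off_network(req: AccessRequest) -> Optional[Decision]:
    fields = SENSITIVE_FIELDS.get(req.transaction, [])
    if fields and req.action == "view" and not (req.on_corporate_network and req.managed_device):
        return Decision("allow_masked", "sensitive fields masked outside a trusted context", fields)
    return None

# First matching rule wins, so the order encodes priority: hard denies first.
RULES: List[Callable[[AccessRequest], Optional[Decision]]] = [
    no_export_to_unmanaged_device,
    no_vendor_creation_abroad,
    step_up_for_off_hours_wires,
    step_up_for_remote_privileged_users,
    mask_sensitive_fields_off_network,
]

def evaluate(req: AccessRequest) -> Decision:
    """Role baseline first, then the context rules; the default is allow."""
    if not (req.roles & ENTITLEMENTS.get(req.transaction, set())):
        return Decision("deny", f"no role entitles {req.user} to {req.transaction}")
    for rule in RULES:
        decision = rule(req)
        if decision is not None:
            return decision
    return Decision("allow", "role entitled and context trusted")

def mask_record(record: Dict[str, str], fields: List[str]) -> Dict[str, str]:
    """Copy of the record with the listed fields reduced to their last four characters."""
    out = dict(record)
    for name in fields:
        if name in out:
            value = str(out[name])
            out[name] = "*" * max(len(value) - 4, 0) + value[-4:]
    return out
```

Rule order matters: the hard denies sit above the step-up rules so that a payroll export to a personal laptop is refused outright rather than merely challenged, and the step-up rules fire only when `mfa_verified` is false, so a user who has just passed a challenge is not prompted again on the next request. In a real deployment the country and device attributes come from the IdP assertion or the web server’s request context, and the masking is applied when the page is rendered rather than to a dictionary.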

A VPN Can Be Costly, Unscalable, and Leave You in The Lurch

Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages, causing major disruption. In addition, with organizations moving toward 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk, your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.

And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.

How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications

Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organization’s ability to authenticate users is most effective when it is integrated with your existing identity management strategy and risk-aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.

Lastly, visibility is key. With sensitive transactions being executed outside of the office, having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility, allowing you to keep a watchful eye on your data at all times.

Summary

When approaching how you can enable secure remote access, it’s best to identify the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security, and not solely a VPN, is the answer.

At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes – as these being corrupted will result in losses that can make recovery significantly harder.

To learn more about how the Appsian Security Platform can protect your ERP data, please Schedule Your Demonstration


Security

User Behavior Analytics are Critical in Remote ERP Environments. Here’s Why…

By Scott Lavery • April 17, 2020

I was recently speaking with a customer who expressed a common concern. Because of COVID-19, their entire finance team was forced to work remotely and they were concerned about the risks of executing critical financial transactions. Purchasing, payroll, expenses, everything… all being done from unknown locations and on devices they couldn’t regulate.

From Convenient to Mandatory

It got me thinking: prior to COVID-19, the objectives for enabling remote access to PeopleSoft had mostly been productivity and convenience. For years, Appsian has been working with forward-thinking organizations who identified that remote access had significant value. Post COVID-19, organizations are in ‘survival mode’ and have no choice but to open access to their most sensitive financial transactions and hope for the best. The potential for ‘adding insult to injury’ (i.e., financial losses) in a remote environment is enormous, and like any rapid pivot, it requires a strong strategy to be successful.

You Don’t Know What You Don’t Know

During our conversation, it became clear that their situation posed far more questions than answers. For instance: ‘confidentiality around salary has never been more important’ (I assume they’ve required some employees to take salary reductions); ‘how can I know who viewed salary information, or perhaps downloaded queries?’; ‘how can I be sure unauthorized vendors are not being created?’; ‘how can I be sure payroll is being issued correctly?’; ‘how can I be sure sensitive information isn’t downloaded to someone’s home computer?’ It became clear they were flying blind – and starting to panic.

Traditional ERP Visibility Comes Up Short

None of the questions above could be answered in this customer’s current environment. It’s common knowledge that traditional ERP logging and analytics focus on troubleshooting errors and scanning for broad system vulnerabilities; they were not designed for understanding user behavior, data access, and usage. If the task is to ensure that data is not being accessed maliciously or exfiltrated, and that business processes are not being exploited, ERP visibility comes up short.

This customer initially partnered with Appsian for Single Sign-On and Multi-Factor Authentication, both of which they were happy to have! However, their attention had turned from intrusion prevention to incident response and risk management. While they had the capability to ensure user authentication was strong, they lacked the ability to understand what activity was taking place, and, more importantly, whether trends in user behavior were indicative of malicious activity.

How ERP Analytics Prevent ‘Adding Insult to Injury’

This is where ERP Analytics becomes essential. When ERP access is both remote and ubiquitous, the ability to detect and respond to malicious activity is greatly reduced.

Using the Appsian Analytics platform, customers are fully enabled to understand exactly how their ERP data is being accessed – by whom, from where, on what and why. With this information in hand, organizations are fully enabled to detect unauthorized activity and formulate a rapid response before damages become catastrophic.
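As an added example (not the Appsian Analytics platform or any Appsian code), here is detection logic of the kind the customer’s questions call for, run over constructed access-log lines that carry the contextual fields the CCPA post lists (time, user, source IP, country, device, page, action, row count). The log format, the users, the page names and the IP addresses (documentation ranges) are all invented, and the baseline cutoff and thresholds are assumptions; the rules answer the post’s questions directly: who viewed or exported salary data, whether a vendor was created from an unexpected place or time, and whether a user is reading far more records than their job needs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Added example, not the Appsian Analytics platform. Detection rules run over
# constructed ERP access-log lines carrying the contextual fields discussed
# above (time, user, source IP, country, device, page, action, row count).
# The log format, users, IPs (documentation ranges) and page names are invented.

LOG_LINES = """\
2020-04-13T09:05:11Z user=jdoe ip=10.20.30.41 country=US device=managed page=PAYROLL_QUERY action=VIEW rows=1
2020-04-13T09:40:27Z user=asmith ip=10.20.30.77 country=US device=managed page=VENDOR_MAINT action=CREATE rows=1
2020-04-13T11:12:40Z user=bnguyen ip=10.20.30.90 country=US device=managed page=JOB_DATA action=VIEW rows=2
2020-04-13T15:02:09Z user=jdoe ip=10.20.30.41 country=US device=managed page=PAYROLL_QUERY action=VIEW rows=3
2020-04-14T02:17:45Z user=asmith ip=203.0.113.5 country=RO device=unmanaged page=VENDOR_MAINT action=CREATE rows=1
2020-04-14T10:31:03Z user=jdoe ip=198.51.100.200 country=US device=unmanaged page=PAYROLL_QUERY action=EXPORT rows=1500
2020-04-14T11:00:00Z user=bnguyen ip=10.20.30.90 country=US device=managed page=JOB_DATA action=VIEW rows=250
2020-04-14T11:05:30Z user=bnguyen ip=10.20.30.90 country=US device=managed page=JOB_DATA action=VIEW rows=1
"""

# Activity before this instant is treated as the known-good baseline (assumption).
BASELINE_CUTOFF = datetime(2020, 4, 14, tzinfo=timezone.utc)
SENSITIVE_PAGES = {"PAYROLL_QUERY", "JOB_DATA"}   # salary, SSN and bank data live here
HOME_COUNTRY = "US"
BUSINESS_HOURS = range(8, 18)                     # log timestamps are UTC in this example
BULK_ROWS = 100                                   # more rows than any single task needs

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    device: str
    page: str
    action: str
    rows: int

@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    rule: str
    detail: str

def parse(lines: str) -> List[Event]:
    """Parse 'timestamp key=value ...' lines into Event records."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts_text, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, kv["user"], kv["ip"], kv["country"], kv["device"],
                            kv["page"], kv["action"], int(kv["rows"])))
    return events

def baseline_ips(events: List[Event], cutoff: datetime) -> Dict[str, Set[str]]:
    """Source IPs each user was seen from before the cutoff."""
    known: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            known[e.user].add(e.ip)
    return known

def detect(lines: str, cutoff: datetime = BASELINE_CUTOFF) -> List[Alert]:
    events = parse(lines)
    known = baseline_ips(events, cutoff)
    alerts: List[Alert] = []
    for e in events:
        if e.ts < cutoff:
            continue
        # Who is accessing from where: a source never seen for this user before.
        if e.ip not in known[e.user]:
            alerts.append(Alert(e.ts, e.user, "new-source",
                                f"{e.ip} ({e.country}, {e.device} device) not seen before for {e.user}"))
        # Salary / HR data leaving the system.
        if e.page in SENSITIVE_PAGES and e.action == "EXPORT":
            alerts.append(Alert(e.ts, e.user, "sensitive-export",
                                f"{e.rows} rows exported from {e.page} to a {e.device} device"))
        # Far more records viewed than a single task needs.
        if e.page in SENSITIVE_PAGES and e.action == "VIEW" and e.rows >= BULK_ROWS:
            alerts.append(Alert(e.ts, e.user, "bulk-access", f"{e.rows} rows viewed on {e.page}"))
        # Vendor master changes in a suspicious context: from abroad or off-hours.
        if e.page == "VENDOR_MAINT" and e.action == "CREATE" and (
                e.country != HOME_COUNTRY or e.ts.hour not in BUSINESS_HOURS):
            alerts.append(Alert(e.ts, e.user, "vendor-create-context",
                                f"vendor created from {e.country} at {e.ts:%H:%M} UTC"))
    return alerts

if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:8} {a.rule:22} {a.detail}")
```

The baseline here is the simplest possible model (IPs seen per user before a cutoff); a production system would learn it continuously and key on country, device and typical row counts as well. Even so, this run already answers the questions in the post: the asmith vendor creation at 02:17 from outside the home country and the jdoe payroll export to an unmanaged device each raise two alerts, and bnguyen’s 250-row view trips the volume rule while the routine single-row view after it does not.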

Analytics Provide Peace-of-Mind

Needless to say, it feels good to provide true value to a customer. It’s not every day that a customer comes to you concerned that their business is in trouble (from a market perspective) and also concerned that additional financial losses will follow (from a business process perspective). This is where having available data and granular oversight provides peace of mind. During unpredictable times, having as much information at your disposal as possible is critical. This is especially true when sensitive financial processes are taking place outside of your office, and therefore outside your direct control and watchful eye.

The Next Step…

If a lack of visibility is a concern, we’d love to talk. In a brief 30 minute session, we can outline how deep our Analytics can go, common use cases that are pre-configured in the platform, and how they can align to your unique business processes.

Request a Demonstration Today


Security

Looking for a PeopleSoft ‘Quick Win’? Integrate SAML for Single Sign-On (SSO)

By Scott Lavery • April 7, 2020

It’s no secret that managing PeopleSoft passwords can be challenging. This has been a hot topic for years, and with COVID-19 we’re seeing a resurgence from increased remote access. A remote workforce can quickly put a strain on IT help desk services, especially with resetting passwords. By the way, hackers know that passwords are being reset at a record pace, as demonstrated by the massive uptick in phishing attempts (+667% since February, according to Forbes).

With a myriad of IT projects and an ever-changing list of demands from the organization, setting priorities can be difficult. We’d suggest PeopleSoft customers prioritize single sign-on for four key reasons:

PeopleSoft Passwords are a Security Liability

I alluded to this above, but the statistics speak for themselves. According to the 2019 Verizon Data Breach Investigations Report, ‘91% of hacking attacks begin with phishing/spear phishing attacks.’ Organizations try to mitigate this by using a VPN. However, given the expense and the potential disruption in service once a large percentage of your workforce is accessing critical business transactions over a VPN, there is little ROI in this strategy.

Might I suggest requiring VPN access for ‘high privilege’ access only? Normal users accessing self-service can be secured by leveraging Single Sign-On (and possibly multi-factor authentication).

IT Resources Need to be More ‘Focused’ Than Ever

We don’t need to belabor this point but suffice to say that changing your business operations overnight (in the case of COVID-19) causes complexity. Ensuring network/server availability and using help desk services to troubleshoot strategic issues is better than one-off password resets.

The ROI of an SSO Project (over time) is Very High

When you count up the hours spent managing passwords (80% of help desk calls), you quickly find that removing the complexity of PeopleSoft password management is an ROI-positive project. Add in the lost productivity of users not being able to access business transactions (because they’re waiting for their password to be reset), and the ROI increases. Bottom line, an SSO project will delight users, IT teams, and your CFO alike!

This Project Can be Done Quickly (2-4 weeks.)

We’ve come to the (sort of) tricky part. Organizations have tackled SSO projects using customizations and home-grown solutions, all of which modify PeopleSoft code and create challenges down the line. Needless to say, if you’re looking for rapid deployment with minimum complexity (today and in the future), then a configurable approach is recommended.

This is where Appsian comes in, as we’ve developed a native SAML connector that can seamlessly integrate your Identity Provider (Okta, ADFS, Azure AD, Shibboleth, etc.) with PeopleSoft, creating a configurable Single Sign-On. Thus, it does not affect the underlying PeopleCode or have an impact on future application upgrades.
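Whichever connector performs the SAML integration, the service-provider side has to validate each assertion before trusting it; that is where SSO deployments most often go wrong, and it is the one part of the design a PeopleSoft team should be able to inspect. The following added example (not Appsian’s connector and not PeopleSoft code) shows those checks in Python against a constructed sample response: exactly one assertion in the response, a signature whose Reference points at that assertion’s ID, the expected issuer, the validity window with clock skew, the audience, bearer confirmation against the ACS URL and a pending request ID, and an assertion-ID replay cache. The entity IDs, ACS URL and skew are assumed values. Cryptographic verification of the XML signature is deliberately not performed here; it belongs to an XML-DSig library such as xmlsec or python3-saml, and these checks should run on the element that library has verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Set

# Added example, not Appsian's connector or PeopleSoft code: the checks a SAML
# service provider must make on an assertion before trusting it. Entity IDs,
# ACS URL and clock skew are assumed. The XML signature is NOT verified here;
# use an XML-DSig library (xmlsec / python3-saml) and run these checks after it.

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"   # assumed IdP entityID
SP_ENTITY_ID = "https://psoft.example.edu/sp"              # assumed SP entityID
ACS_URL = "https://psoft.example.edu/psp/ps/saml/acs"      # assumed ACS endpoint
CLOCK_SKEW = timedelta(minutes=3)

# Constructed sample response; the SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" Version="2.0" IssueInstant="2020-04-07T14:00:00Z" InResponseTo="_req42"
 Destination="https://psoft.example.edu/psp/ps/saml/acs">
 <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-07T14:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-04-07T14:05:00Z" InResponseTo="_req42"
     Recipient="https://psoft.example.edu/psp/ps/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2020-04-07T13:59:00Z" NotOnOrAfter="2020-04-07T14:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://psoft.example.edu/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

class SamlValidationError(Exception):
    pass

def parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text: str, now: datetime,
                      outstanding_requests: Set[str], seen_assertion_ids: Set[str]) -> str:
    """Return the authenticated NameID, or raise SamlValidationError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                             # signature-wrapping defence
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    assertion_id = a.get("ID")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion_id:
        raise SamlValidationError("signature missing or does not cover this assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("no Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_after is None or now - CLOCK_SKEW >= parse_utc(not_after) or (
            not_before is not None and now + CLOCK_SKEW < parse_utc(not_before)):
        raise SamlValidationError("assertion missing NotOnOrAfter or outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not intended for this SP")
    data = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            data = sc.find("saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != ACS_URL:
        raise SamlValidationError("bearer confirmation missing or wrong Recipient")
    if now - CLOCK_SKEW >= parse_utc(data.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    request_id = data.get("InResponseTo")
    if request_id not in outstanding_requests:           # unsolicited or already consumed
        raise SamlValidationError("InResponseTo does not match a pending AuthnRequest")
    if assertion_id in seen_assertion_ids:               # replay
        raise SamlValidationError("assertion already used")
    seen_assertion_ids.add(assertion_id)
    outstanding_requests.discard(request_id)
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("no NameID")
    return name_id

def rejects(xml_text: str, now: datetime, outstanding: Set[str], seen: Set[str]) -> bool:
    try:
        validate_response(xml_text, now, outstanding, seen)
        return False
    except SamlValidationError:
        return True
```

Two points a practitioner should note. First, ElementTree does not verify XML signatures, so the Reference-URI check only guards against a signature that covers some other element; feed this function the element your XML-DSig library has already verified, and parse untrusted XML with `defusedxml` rather than the stdlib parser. Second, `outstanding_requests` and `seen_assertion_ids` must live in shared storage on a clustered PeopleSoft web tier; a per-process set lets the same assertion be replayed against a different node.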

Bottom line, if you’re looking to quickly alleviate a lot of the complexity around PeopleSoft identity and access management – Appsian can help! We have worked with hundreds of PeopleSoft customers around the world, helping them remove costly customizations and implement a SAML-configured Single Sign-On for PeopleSoft.

Let us show you! We can get you up and running in a couple of weeks!


Security

December is Prime “ERP Data Breach” Season… Be Prepared!

By Scott Lavery • November 28, 2018

Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, PLUS new data regulations, have paved the way for several necessary security enhancements. As the end of 2018 draws near, organizations must be aware, now more than ever, that a myriad of threat actors know “year-end” bonus season is coming… and are preparing their tactics to redirect your employees’ hard-earned payroll/bonuses.

What is the weakest link in your ERP security chain?

Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches now originate from the unauthorized use of valid login credentials – stolen directly from the users themselves. This makes your users (and their passwords) by far the weakest link in your security chain.

Recommendations for mitigating the “human error” element

Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization should utilize, and have detailed the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:

  • Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
  • Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
  • Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
  • Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
  • Extending logging capabilities to be compliance-ready with 360-degree awareness of what is going on inside your PeopleSoft systems and of user activity.
  • Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics into your PeopleSoft security infrastructure.
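As an added illustration (not Appsian’s or PeopleSoft’s code), the following Python sketch combines several of the controls listed above into one access decision for a sensitive field: role-based least privilege, field-level step-up MFA, location-aware masking when the request comes from outside the corporate network, and an audit record for every decision. The network range, field names, and role names are constructed assumptions.

```python
"""Constructed example of a layered access decision for a sensitive ERP field.

Hypothetical policy only; the roles, field names and network range below are
assumptions made for the example, not PeopleSoft or Appsian configuration.
"""
from dataclasses import dataclass
import ipaddress

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # constructed range
SENSITIVE_FIELDS = {"NATIONAL_ID", "BANK_ACCT_NUM", "DIRECT_DEPOSIT"}  # constructed
PRIVILEGED_ROLE = "PAYROLL_ADMIN"                                 # constructed

AUDIT_LOG = []  # one record per decision, feeding the logging/analytics layer


@dataclass
class Request:
    user: str
    roles: set
    source_ip: str
    mfa_verified: bool   # has the user completed MFA in this session?
    field: str
    value: str


def is_on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def mask(value: str, visible: int = 4) -> str:
    """Reveal only the last `visible` characters of a sensitive value."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]


def decide(req: Request):
    """Return (decision, value_to_display).

    Decisions: 'deny' (no entitlement), 'step_up' (MFA required before the
    field is revealed), 'mask' (entitled, but off-network), 'allow'.
    """
    sensitive = req.field in SENSITIVE_FIELDS
    privileged = PRIVILEGED_ROLE in req.roles
    if not sensitive:
        decision, shown = "allow", req.value
    elif not privileged:
        decision, shown = "deny", None            # least privilege: no role, no data
    elif not req.mfa_verified:
        decision, shown = "step_up", mask(req.value)   # field-level MFA challenge
    elif not is_on_corporate_network(req.source_ip):
        decision, shown = "mask", mask(req.value)      # location-based masking
    else:
        decision, shown = "allow", req.value
    AUDIT_LOG.append({"user": req.user, "field": req.field,
                      "ip": req.source_ip, "decision": decision})
    return decision, shown
```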

Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.


On a time crunch? Request a quick session with our PeopleSoft security experts.

Tips and Techniques

Best Practices for Approaching Oracle Cloud Applications – March 29th Gartner Report

By Scott Lavery • May 8, 2018

Gartner recently released a report addressing the speculations around Oracle’s on-premise and cloud ERP applications. Focusing on Oracle ERP customers’ frequently asked questions, the report is aimed at helping CIOs make informed decisions on whether Cloud applications are a viable replacement for their on-premises suites. Here are the most important takeaways and highlights from the report:

On-premises ERP suites are not at the “end-of-life” stage.

From thousands of client interactions, Gartner concluded that Oracle’s ERP customers are unsure about Oracle’s commitment to its on-premises suite. To put their doubts to rest, Gartner highlighted several factors that reiterate Oracle’s continued investment in their on-premise applications:

Revenue from on-premise applications remains strong

“Oracle’s on-premises suites are not at the end-of-life stage” assures Gartner. “Oracle receives the majority of its software license revenue from customers paying for maintenance, and new sales of its on-premises products,” (68% and 65% in 2016 & 2017 respectively). According to Oracle’s co-founder Larry Ellison, “Oracle spends over $5 billion per year on research and development (R&D) and continues to invest in all its on-premises application products.”

Fluid symbolizes the future for (on-premise) PeopleSoft 

Specific to PeopleSoft, the report mentions that the “…extended Support timeline for PeopleSoft is stated through at least 2027,” and with the launch of enhancement features such as Fluid UI for PeopleSoft, Oracle continues to demonstrate its continued investment in their existing on-premise ERP applications.

Best Practice: Map Your Business Requirements Against the Maturity of Oracle’s Cloud Applications

According to Gartner, Oracle’s cloud applications are the inevitable future of ERP functions, but having been released on different timetables, the cloud applications have differing levels of maturity and may not (at this time) offer true parity with Oracle’s legacy, on-premises suite. As a best practice, Gartner recommends that decision-makers consider the development roadmap of the respective cloud applications and avoid confusing the desire to source a new technology with the objective of fulfilling a specific business requirement. In other words, “a full ‘rip and replace’ of your current applications may not be your best option.” Gartner goes on to urge customers to map business requirements carefully against the maturity of Oracle’s cloud applications and ensure that present-day business objectives can be met, so that costly and unexpected change management can be avoided. In addition, the report offers a detailed outline of various situations and the appropriate actions for ERP customers using Oracle’s on-premises suites.

Best Practice: “Take the postmodern approach”

Gartner emphasizes that the decision to move to the cloud must be based solely on the value proposition cloud applications offer over existing on-premises applications. While discussing a move to cloud applications “as part of a business transformation initiative,” Gartner asks decision makers to be aware of “the risks and limitations of recent releases.” Instead of a complete “rip and replace,” Gartner suggests a “postmodern approach,” where an organization could decide to replace only parts of its on-premises footprint. Gartner also advises Oracle customers not to “assume that the level of expertise that exists for application support and implementation services for on-premises suites also exists for cloud applications.”

Summary

As stated above, while the future appears to be headed towards the cloud, the fact remains that a “look before you leap” approach is recommended. A cloud migration project must begin with a thorough evaluation of your business objectives in order to ensure proper alignment between the cloud technology you are adopting and the expected results. Change management can add significant cost and disruption to a project, and while completely eliminating change management is impossible, the more evaluation you undergo before a migration project starts, the more likely you are to avoid “budget busting” surprises.

So, consider the postmodern approach – what objectives do you need to achieve today vs. what do you need to achieve 5 years from now? Are there specific ERP functions that are working just fine today? If not, are there lightweight optimizations that can be done in the meantime to enhance current functionality? Gartner recommends a postmodern approach in order to avoid a scenario where you go “all in” on the cloud and are left to address an unexpected mess.

Appsian is here to help you make PeopleSoft exceptional. Email us at info@appsian.com and let us know how PeopleSoft can be working better for you today!
