As work-from-home continues into 2021 indefinitely and the reality of this increased risk becomes clearer, organizations should heavily prioritize the modernization of their existing business applications – especially legacy ERP applications like PeopleSoft – mainly because their native user authentication, governance, data privacy, and visibility features can leave an organization open to a myriad of risks. This has opened the door to organizations scoping a defense-in-depth strategy.
When you hear the term defense in depth, you typically think about traditional information security measures like network security controls, antivirus protection, database monitoring, and more. IT and security teams realized that multiple layers of security are necessary across the enterprise because cybercriminals will find vulnerabilities somewhere. Sadly, some of the most costly vulnerabilities for organizations using PeopleSoft ERP applications have proven to be the users themselves (employees, 3rd party vendors, students, etc.). It’s no secret that making these applications available on the open internet has introduced risk, so we frequently get the question, “how can I apply defense in depth to my PeopleSoft users?”
Step 1: Integrate your Identity & Access Management
This means integrating your single sign-on and multi-factor authentication natively with PeopleSoft and your identity provider. Using proxy servers or customizing PeopleSoft poses its own risks and complexity, which is why using a native SAML handler (like Appsian) is a best practice. This minimizes the possibility of corruption, and a configurable solution will scale much more effectively.
Integration of multi-factor authentication also enables stepped-up authentication, so users can be forced to re-authenticate once they have already passed the login screen. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or running a report containing employee PII.
Step 2: Apply Dynamic Authorization in Accordance with the Principle of Least Privilege
Controlling data access for high privilege PeopleSoft users can be challenging because native authorization is basically “all or nothing.” Limiting access to superfluous data, or limiting access based on location, device, and so on, is simply not an option, which leaves the door open to enormous risk. We have discussed time and time again that the context of access often defines risk, and this is never more true than when users can access the system remotely.
Using a dynamic rules engine, Appsian can take the contextual variables of a user’s access and define privileges in real-time, thus mitigating risk. Don’t think a user needs access to compensation data from an unmanaged device or a certain location? Want to limit the access granted to users or 3rd party vendors at certain hours of the day? Then dynamic authorization is the solution for managing that risk.
Step 3: Mask Sensitive Data Fields (Partial, Full, or Click-to-View)
This is data privacy 101, and as regulations like GDPR and CCPA become the norm (with wider federal guidelines likely coming soon), masking sensitive data is table stakes. After all, with PeopleSoft systems housing a wide range of PII, much of which belongs to past or prospective users (not just current employees), there is a treasure trove of personal data that comes with a far greater holding cost than you might realize. Masking data at the UI level at least ensures that those accessing the applications either in an authorized or unauthorized manner do not have needless access to valuable data through various pages, reports, or queries.
Step 4: Monitor Data Access & Usage
Monitoring the data users are accessing is not possible in PeopleSoft without enhancing logging and analytics capabilities. The value of greater visibility cannot be overstated, and having a direct view of how data is accessed is one of the most valuable pieces of defense in depth. After all, in a sea of everyday, authorized activity – how likely are you to detect the subtle hints of unauthorized activity? Phishing and privilege misuse are the main enemies of any data loss prevention strategy. The best way to detect and respond to unauthorized activity is through an analytics platform specifically designed for ERP applications, like Appsian360.
Step 5: Contact Appsian
To learn more about how you can apply Defense in Depth to PeopleSoft, contact us at email@example.com.
Figure 1: Prevent external and internal threats with defense in depth from Appsian.
When business stakeholders come to you looking for answers, having visibility and context around ERP data access and usage gives you the actionable insight necessary to provide value.
As a leader of Enterprise Applications, customizing legacy ERP applications like PeopleSoft, SAP ECC, Oracle EBS, etc., to meet your business’ exact process specifications can leave you between a rock and a hard place. The more customized your ERP applications get, the more your business stakeholders love it, but the complexity around application support and maintenance also increases. That being said, accepting more complexity is just part of the job, because after all, your most important role (in the eyes of others) is providing timely and accurate resolution to inquiries or incidents from your business stakeholders.
You know the drill: members from various business units come to you requesting help for a particular incident or an anomaly they spotted. It’s up to your team to provide a resolution in a timely manner. And that’s where the trouble begins. Many incidents require hours, weeks, and even months to research and resolve. It’s hard to provide excellent customer service to the lines of business when your team is facing major obstacles to resolving incidents in a timely manner.
What if I told you there’s a way to enable your team to spend less time researching an issue (or no time at all) and produce faster results while providing better value for the various business leaders and their teams?
Three Major Obstacles to Timely ERP Incident Resolution
You’re the last person who wants to hear or say, “well, that’s just [insert ERP app name here].” But that’s one way you can sum up the limitations and obstacles your team will immediately encounter.
Here’s a simplified view of that process from the perspective of PeopleSoft. Somebody from a line of business will contact a member of your Sys Admin team and say, “Hey, this user’s account was updated (i.e., maybe they didn’t get their paycheck), or there was some sort of anomaly in the execution of a typical business transaction (i.e., vendor didn’t get paid, etc.). We don’t know what it is, and the functional user(s) say it wasn’t them. We’re not sure what happened. Can you guys look into this? That would be great.”
This incident kicks off your process flow to find a resolution. Then come the obstacles:
Obstacle 1: Legacy ERP Logs Can’t Tell You About Data Access
Experience says that most people who use an ERP application like PeopleSoft don’t know who’s doing what (specifically), who’s accessing what information, or most importantly – why. You probably first need to work out whether this is something the user did themselves or whether a hacker was able to gain access to the system – and also whether this is an inside job or an external attack.
And while the logs can point you in the right direction, the legacy ERP logs are not designed to provide detailed information on who accessed what or even, in most cases, viewed something sensitive. This leads to major obstacle number two…
Obstacle 2: ERP Logs are Disparate and Not Correlated
ERP logs were designed for troubleshooting, not granular activity logging, which contributes to organizations and business units not knowing what their employees are doing inside the applications. When it’s time to go under the application hood and examine the native logs, another metaphor comes to mind: looking for a needle in the haystack. Here’s an example of all the native logs you might find in your instance of PeopleSoft:
- App Server
- PIA (Web Server)
- Process Scheduler
- Load Balancer
- Identity Provider (SAML, LDAP, ADFS)
- Host O/S Logs
Your organization likely has more than one of these servers where these logs reside. You might have four application servers, eight web servers, and so on. Now you’re looking at finding a needle in multiple haystacks. And that data is not correlated, so there is little relative context that can enable your investigation.
Here’s a nerdy example using the App Server and Web Server logs. On the Web Server, you cannot identify the person who logged in because you don’t know the OPRID. All you have are an IP address and a timestamp. You need to go to the App Server and review the OPRID, timestamp, and IP address on login or logout and attempt to correlate that information with similar information on the Web Server.
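The correlation just described, worked through as an added example (this is not Appsian’s or Oracle’s code): app-server LOGIN/LOGOUT lines give each OPRID an IP and a time window, and each web-server request is matched to the window that contains it. The two log formats, the session timeout and the business-hours window are constructed assumptions, not real PIA or app-server formats; the example also flags the two cases that make IP-only attribution unreliable (a shared IP and a request with no matching session).

```python
"""Correlate web-server and app-server log lines to put an OPRID behind each request.

Example code added here, not Appsian's or Oracle's. The two log formats are
constructed for illustration and are not real PIA or app-server formats; the
session timeout and the business-hours window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed web-server (PIA) access lines: IP, timestamp, method, path. No OPRID.
WEB_LOG = """\
10.1.4.22 2020-08-03T08:02:11 GET /psp/HR/EMPLOYEE/HRMS/c/SELF_SERVICE.DIRECT_DEPOSIT.GBL
10.1.4.22 2020-08-03T08:03:40 POST /psp/HR/EMPLOYEE/HRMS/c/SELF_SERVICE.DIRECT_DEPOSIT.GBL
203.0.113.9 2020-08-03T23:14:05 GET /psp/HR/EMPLOYEE/HRMS/c/SELF_SERVICE.DIRECT_DEPOSIT.GBL
203.0.113.9 2020-08-03T23:15:30 POST /psp/HR/EMPLOYEE/HRMS/c/SELF_SERVICE.DIRECT_DEPOSIT.GBL
10.1.4.22 2020-08-03T12:00:00 GET /psp/HR/EMPLOYEE/HRMS/c/SELF_SERVICE.HOME_ADDRESS.GBL
198.51.100.7 2020-08-03T09:00:00 GET /psp/HR/EMPLOYEE/HRMS/c/SELF_SERVICE.HOME_ADDRESS.GBL
"""

# Constructed app-server lines: timestamp, event, OPRID, IP.
APP_LOG = """\
2020-08-03T08:01:55 LOGIN JSMITH 10.1.4.22
2020-08-03T08:10:02 LOGOUT JSMITH 10.1.4.22
2020-08-03T11:58:00 LOGIN ADOE 10.1.4.22
2020-08-03T11:59:00 LOGIN BLEE 10.1.4.22
2020-08-03T12:30:00 LOGOUT ADOE 10.1.4.22
2020-08-03T12:31:00 LOGOUT BLEE 10.1.4.22
2020-08-03T23:13:50 LOGIN JSMITH 203.0.113.9
"""

SESSION_TIMEOUT = timedelta(minutes=20)   # assumed: a LOGIN with no LOGOUT expires after this
BUSINESS_HOURS = range(7, 19)             # assumed: 07:00-18:59 is "normal" activity


def parse_app_sessions(text):
    """Pair LOGIN/LOGOUT per (OPRID, IP) into (oprid, ip, start, end) windows."""
    open_logins, sessions = {}, []
    for line in text.splitlines():
        ts, event, oprid, ip = line.split()
        when = datetime.fromisoformat(ts)
        if event == "LOGIN":
            open_logins[(oprid, ip)] = when
        elif event == "LOGOUT":
            start = open_logins.pop((oprid, ip), None)
            if start is not None:
                sessions.append((oprid, ip, start, when))
    # A login without a logout still bounds a window, up to the assumed timeout.
    for (oprid, ip), start in open_logins.items():
        sessions.append((oprid, ip, start, start + SESSION_TIMEOUT))
    return sessions


def attribute_requests(web_text, sessions):
    """Attach an OPRID to each web request by matching IP and time window."""
    rows = []
    for line in web_text.splitlines():
        ip, ts, method, path = line.split()
        when = datetime.fromisoformat(ts)
        owners = sorted({o for o, sip, start, end in sessions
                         if sip == ip and start <= when <= end})
        if not owners:
            who = "UNATTRIBUTED"   # no session from that IP: log gap, or request never reached the app tier
        elif len(owners) > 1:
            who = "AMBIGUOUS(" + ",".join(owners) + ")"   # shared IP (NAT/VPN): IP alone is not identity
        else:
            who = owners[0]
        rows.append({"time": ts, "ip": ip, "oprid": who, "method": method,
                     "path": path, "after_hours": when.hour not in BUSINESS_HOURS})
    return rows


if __name__ == "__main__":
    for row in attribute_requests(WEB_LOG, parse_app_sessions(APP_LOG)):
        print(row)
```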
Obstacle 3: Log Data is Not Enriched with Any Context That Makes It Actionable
Once your team has collected data from the logs and assembled material from other sources, the final step is to interpret everything and make a best guess so an action item can be established. How actionable is a collection of raw data such as IP addresses, user IDs, device locations, completed transactions, etc., if you’re not able to place that data into a human context?
Let’s take the example of “Jim” and the incident involving him not receiving a paycheck. The raw ERP data shows that Jim’s credentials accessed pages containing personal information and bank account information several times over a period of time. Jim, the human, denies that he made any changes to the data on those pages, so the paycheck should have been routed to his usual bank account. Maybe you change Jim’s username and password and cut him another check. Was Jim trying to defraud the company and get an extra check, or was Jim’s account compromised in some way? Could a hacker have accessed Jim’s payroll data, changed the account number, received the funds, then changed the number back – getting away without a trace? Absolutely! It happens every day. If you cut Jim a new check, you fix Jim’s immediate problem, but do you understand what’s happening in your system?
Why Appsian360 Immediately Makes You a Hero to Your Organization
You’ve been waiting in suspense to know when IT becomes the hero – well, here it is. When the business comes to you looking for answers related to a specific incident, Appsian360 provides the quick, actionable insight necessary to provide the company with the understanding of what happened with their ERP data.
How? Appsian360 logs granular user access to data, correlates existing ERP logs, enriches the data with contextual attributes (who, when, where, what device, etc.), and visualizes the ERP data’s access and usage on dashboards. Now your team can easily look at data access by IP addresses, user IDs, location of devices, pages accessed, etc., and very quickly understand the facts behind an incident.
Let’s go back to Jim’s situation. With just a handful of clicks in Appsian360, you confirm that “Jim’s credentials” did indeed access and edit his personal information. Additionally, you discover that “Jim” was logging in after-hours using a foreign IP address based in another country. With a few more clicks, it’s clear that the IP address is responsible for other compromised user accounts. You didn’t just discover Jim’s breach, you now have a clear picture and a direction to fix the actual security issue – one that was growing in urgency by the day!
Without context, you lack insight. Context around data access and usage creates actionable insights. Actionable insights support the company and provide value to key stakeholders.
Understanding user activity and data usage is precisely what the business needs – and without Appsian360, ERP logs lack insight. You can buck that trend with Appsian360.
Contact us to learn how Appsian360 can provide you with the most powerful, real-time view into ERP data access & usage.
Don’t Risk the Security of your Data by Customizing an SSO Integration for PeopleSoft
I was on a discovery call recently, and the Senior Software Engineer shared how they’re “ripping out” a custom-built single sign-on (SSO) solution for PeopleSoft. After acquiring an enterprise SSO, they attempted to build a custom integration with PeopleSoft that presented far more challenges than benefits – especially when users attempted to access with a deep link. Now they’re looking to remove the solution along with the additional infrastructure that was required.
And here’s the sad part: they’re not the first organization I’ve encountered this month that is experiencing the same challenge. Across all verticals, including healthcare, higher education, government, retail and more – PeopleSoft customers are rethinking their decision to enable their enterprise SSO solutions with custom coding, external gateway agents, and reverse proxies, and are instead implementing solutions that feature native SAML authentication handlers.
Your Custom Single Sign-On Integration Was Not Designed with ERP Data Security in Mind
These projects often start with the IT department recognizing that it can solve a business requirement by building the solution itself or by using a generic gateway with copy-and-paste code off an internet forum. The main motivation? They possibly save the company some money, bypass the need for approvals or budget, and check a project off their list. Easy-peasy, right? As highlighted in the example above, it’s not always that straightforward.
Often, these projects lack a thoughtful mindset and instead leverage code that is many years old, unsupported, and public to developers and hackers alike. Herein lies one of the biggest problems with customizing PeopleSoft for SSO authentication. Getting the integration to work “well enough” is often the goal, and since developers are not information security professionals – they may not have considered the ramifications of using code that hackers can reverse engineer, potentially exploiting loopholes to gain unauthorized access. As a former PSAdmin who personally retrofitted a custom PeopleSoft SSO solution in my past life, I can tell you that security implications are not at the forefront. Between IT wanting to be a good partner to the business and drowning in long-haul projects, “good enough” was often the goal.
The “Typical” Custom Single Sign-On Approach
There are a few ways to approach building a custom SSO solution. You could try linking SAML open-source code libraries, using reverse proxies, or having an external agent handle it. These solutions seem relatively simple at the outset, but the introduced vulnerabilities are often not obvious or ignored. The end result is that the SSO “works” but is plagued by technical, functional, and security issues once in production.
Linking SAML Open Source Code Libraries
A custom coding project typically begins with a review of PeopleBooks and a Google search to find a relatively quick way to write the code. PeopleCode allows you to link external open-source Java libraries inside PeopleSoft. This is code that you’re literally pulling from an old blog and that has not been reviewed since the author first published it. Imagine using code from 2007 to secure your custom single sign-on project. It would never pass a security review!
Secondly, developing a solution yourself is tricky. It isn’t easy to write software that deals with passwords, identity, and authentication. Reputable IdPs spend tens of thousands of man-hours designing, coding, and testing, then supporting their solutions. The lone developer who built your custom solution is now responsible for supporting, maintaining, and upgrading the code. That’s excellent job security for him but a security liability for you.
Reverse Proxies, Gateways, and External Authentication Agents
This one is probably a favorite with system administrators who want to support a multitude of non-SAML apps with a one-size-fits-all solution. I’ve also implemented SSO like this in the past, so I can speak from experience about how this works and its risks.
The short version of how this works is that authentication is offloaded to a reverse proxy, an agent, or a gateway that sits outside PeopleSoft. Only once the authentication process is successfully completed is a connection made to PeopleSoft, with the authenticated user-ID passed in an HTTP header. That request then has to be trusted by custom Sign-on PeopleCode.
Aside from the risky firewall configuration, another issue here is that it needs to be scaled carefully for bandwidth because all of the requests will now go through a new server and several new applications to complete the process. Now you have additional hardware, software, and customizations to maintain and patch in addition to your regular PeopleSoft duties.
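The trust decision the previous two paragraphs describe, shown as an added example that is not Appsian’s, Oracle’s or any project’s code: a plain Python function stands in for the Sign-on PeopleCode that receives the proxy’s user-ID header. The naive version trusts the header from any source; the hardened version accepts it only from the proxy’s address and only with a fresh HMAC signature. The header names, the proxy address and the signing scheme are assumptions for illustration; the control the post itself names is the firewall configuration that keeps direct traffic away from the app tier.

```python
"""The trust decision behind a header-based SSO hand-off: naive vs. hardened.

Example code added here; it is not Appsian's, Oracle's or any project's code.
A plain Python function stands in for Sign-on PeopleCode; the header names,
proxy address and HMAC signing scheme are assumptions for illustration.
"""
import hashlib
import hmac

TRUSTED_PROXY_IPS = {"10.0.0.5"}             # assumed address of the reverse proxy / gateway
SHARED_SECRET = b"constructed-demo-secret"   # assumed: known only to proxy and app tier
MAX_AGE_SECONDS = 60                         # assumed freshness window for the assertion


def naive_signon(headers, peer_ip):
    """'Works well enough': trust whatever user-ID the header carries, from anyone."""
    return headers.get("X-Remote-User")


def sign_assertion(user, issued_at, secret=SHARED_SECRET):
    """What the proxy computes after it has authenticated the user (assumed scheme)."""
    msg = f"{user}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def proxy_headers(user, issued_at):
    """Headers the proxy would add once it has authenticated 'user'."""
    return {"X-Remote-User": user,
            "X-Remote-User-Issued": str(issued_at),
            "X-Remote-User-Sig": sign_assertion(user, issued_at)}


def hardened_signon(headers, peer_ip, now):
    """Accept the user-ID only from the proxy, only with a fresh, valid signature."""
    if peer_ip not in TRUSTED_PROXY_IPS:
        return None                          # request did not come through the proxy
    user = headers.get("X-Remote-User")
    issued = headers.get("X-Remote-User-Issued")
    sig = headers.get("X-Remote-User-Sig")
    if not (user and issued and sig):
        return None                          # incomplete assertion
    try:
        issued_at = int(issued)
    except ValueError:
        return None
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return None                          # stale or future-dated assertion
    if not hmac.compare_digest(sig, sign_assertion(user, issued_at)):
        return None                          # header altered after the proxy signed it
    return user


if __name__ == "__main__":
    now = 1_596_456_000                      # constructed epoch timestamp
    hdrs = proxy_headers("JSMITH", now - 5)
    print("from proxy:", hardened_signon(hdrs, "10.0.0.5", now))
    print("bypassing proxy:", hardened_signon(hdrs, "192.0.2.44", now))
```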
Why a Native SAML Handler is Best Practice
SSO is critical to help you increase your security posture within your organization while keeping your customers happy, so I don’t want to sound negative, and I’m not trying to put you off on installing an SSO solution in your environment. Instead, I want to make sure you do it correctly and aligned to security best practices.
My advice is to use a solution that natively supports a SAML authentication handler and seamlessly and securely passes the token to PeopleSoft built-in authentication without customizations. The term “native” is extremely important here! The lack of native support is a critical issue that plagues custom solutions, creating more hoops to jump through to complete the project.
Fortunately, Appsian delivers the SAML integration layer required to connect PeopleSoft, an IdP, and your enterprise Single Sign-On. This solution is natively installed right into the PeopleSoft Internet Architecture (PIA) and does not require the use of proxy servers, agents, or gateways. Furthermore, there are zero customizations, configuration is simple with extensive support for SAML attributes and user-mapping, and the support and maintenance is offloaded from your team.
There is Beauty in Customization but Comfort in ERP Data Security
Part of PeopleSoft’s beauty and power is that you can customize the system to improve your business processes. However, one thing you shouldn’t take into your own hands is authentication, and indirectly, security. Your IT team, system admins, and developers should spend their time supporting and customizing your system to provide outstanding service to the business units and keep the system running smoothly. Why add more hardware, software, applications, and customization than necessary?
Contact us today to learn how Appsian solves the SAML integration challenge by providing the only configurable SSO for PeopleSoft.
It’s not uncommon for higher education institutions to approach us (with great haste) about our Single Sign-On (SSO) solution for PeopleSoft Campus Solutions. Lately, I’ve noticed an uptick in the urgency. Nobody’s hair is literally on fire, but after speaking with a handful of universities, it sure feels that urgent. Here’s what’s happening.
The COVID-19 Pivot Strikes Again
When COVID-19 first caused colleges and universities to shut down their campuses and rapidly switch to online learning, that was their primary focus. Pretty much all non-essential IT (and PeopleSoft) projects were immediately put on hold. After an intense focus on student, staff, and faculty safety and performing herculean feats to enable remote learning and remote access for thousands, IT departments are back to focusing on data security and access.
This summer, many institutions around the country were cautiously optimistic they could reopen in the fall and were making plans to welcome back faculty and students into something they hope will resemble normal campus life. IT and security teams were also busy, reviewing priorities, projects, and budgets. They know that thousands of students, faculty, and staff depend on the institution’s applications to keep operations running smoothly.
Unfortunately, all this planning and optimism might be for naught. Almost daily, universities that had released detailed plans for in-person classes in the Fall have reversed themselves and said they will go almost entirely online. Because of these sudden changes, some IT departments are quickly pivoting to adapt their systems to better handle remote access and excessive self-service demands.
And that’s the urgency we’re experiencing: To improve productivity, enhance security, and improve the overall user experience, universities are (urgently) turning to a SAML SSO solution for PeopleSoft Campus Solutions. Why? Because the first step in addressing usability is ensuring authentication is secure, without causing user friction.
Enable PeopleSoft SSO with SAML-Based IdPs
The good news is that Appsian can help universities meet this urgent request in two weeks or less. We provide the only turnkey SAML integration solution for PeopleSoft without any custom development or additional hardware. You can allow thousands of users (students and faculty) to access multiple applications, not just PeopleSoft, using a single login on any device.
Customers can also use multiple IdPs concurrently, including Okta, Ping, ADFS, Shibboleth, Azure, and more, ensuring that any patchwork of systems used across groups, buildings, and departments are accessible and secure.
The More Things Change, the More Changes You Have to Make
COVID-19 has utterly wrecked the college experience for students, but requirements for accessing and securing applications for the upcoming school year haven’t changed for IT departments.
What’s changed is the urgency to make sure that applications, data, transactions, and lectures are accessible and secure.
At the end of the day, institutions must pivot their operations to ensure that applications can be seamlessly accessed, for no other reason than that friction causes abandonment – and when students are 100% virtual, abandonment is far more likely.
The quickest way to improve usability and security for PeopleSoft Campus Solutions is with SAML-based Single Sign-On (SSO).
Contact us today to learn how you can make this happen in 2 weeks!
Organizations using traditional, on-premise ERP applications like SAP ECC and Oracle PeopleSoft are facing a rapidly changing reality around the collection, storage, and usage of data. Aside from the growing number of compliance regulations they need to follow, such as GDPR, CCPA, and others, they face critical visibility gaps related (explicitly) to understanding ERP data access & usage, especially at a fine-grained level.
This lack of visibility is exacerbated by organizations enabling remote and mobile access for their users, exposing them to a myriad of data security and compliance threats like hacking (phishing), along with fraud and theft by internal users, all of which result in the loss of millions of dollars each year.
Fortunately, ERP applications that were once considered a “black box” can now be enhanced with the most sophisticated logging and analytics technology available on the market. Introducing Appsian360, the first and only data access and usage analytics platform for SAP and PeopleSoft.
Why Context of User Access and Data Usage Matters
Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, organizations lack detailed insights regarding how, when, and by whom transactions and data fields are being accessed.
As they exist today, legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions.
“For years, organizations have been operating with limited visibility, and current threats to ERP data have made this status quo completely intolerable,” said Piyush Pandey, CEO of Appsian. “Appsian360 is about knowing who is doing what – at a very granular level.”
With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.
“The beauty of Appsian360 is it’s a comprehensive solution that provides actionable insights,” added Pandey. “We know that forensic investigations and time to mitigation costs organizations countless amounts of money – and we’re pleased that Appsian360 can alleviate much of this burden.”
Appsian360 for SAP and PeopleSoft
Appsian360 installs into your ERP web server and does not require any additional customizations. There are zero noticeable effects on application performance. Here’s a high-level look at what Appsian360 can do for you.
Detect Security Threats in Real-Time: Appsian360 proactively alerts you to security threats like hacking, phishing, misuse of privileged accounts, and many more. You can quickly receive the information required to fully enable forensic investigations.
Uncover Hidden Business Risks: Appsian360 helps you detect and respond to fraud, theft, and errors by employees and third parties (vendors, consultants, etc.). Companies can maintain a complete view of sensitive business transactions, and what (specific) users are doing.
Monitor Employee Productivity: Appsian360 helps you maintain oversight as users process and execute business transactions. You can use these insights to ensure efficient staffing and identify potential bottlenecks in critical HR, payroll, and finance activities.
Understand Data Access & Usage with More Clarity Than Ever Before
Organizations can no longer rely on having a lot of data. They need to start triangulating and developing context around the data they’re getting and how it’s being used. Appsian360 provides real-time data access and usage visibility previously unavailable to SAP and Oracle ERP customers.
To see how data security and compliance threats that were once considered “the price of doing business” are no match for the watchful eye of Appsian360, join us for a virtual demonstration on Thursday, August 13. You can register here: https://www.appsian.com/visibilty-using-appsian360/.
Contact us today for a personalized demo and find out how Appsian360 can fill critical visibility gaps for your organization.
Time is almost up for companies scrambling to get their data privacy strategies in compliance with the California Consumer Protection Act (CCPA). Beginning as early as July 1, 2020, the California Attorney General’s office can start enforcing the CCPA and handing out penalties of up to $2,500 per violation or up to $7,500 per intentional violation.
So, when exactly, will the CCPA become law? On June 1, 2020, the California AG took the final step before the regulations become enforceable by submitting the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). The OAL has 30 working days – plus an additional 60 calendar days related to the COVID-19 pandemic – to review the submission and approve it to become an enforceable law. Doing the math, the California AG can begin enforcing violations as early as July 1 or as late as September 1, 2020.
Strategies for Improving ERP CCPA Compliance
Companies using PeopleSoft, SAP ECC, S/4HANA and Oracle EBS are likely facing additional compliance challenges due to inherent limitations built into these legacy ERP systems. Let’s look at a couple of tactics for enhancing your ERP systems to improve compliance with CCPA and establishing the capabilities to prepare for the uncertainty around data privacy.
1: Enhance Visibility into User Activity
The CCPA requires organizations to implement appropriate security measures around personal data and satisfy data subject access requests (DSARs). That means businesses must know what personal data they store and the user activity going on around it. However, traditional ERP systems do not provide the required level of granularity.
To achieve detailed visibility around data usage, organizations need to expand their native logging capabilities by adopting a strategy that focuses on data access and usage. This means organizations must capture contextual details like date of access, UserID, IP address, device, location of access, actions performed, etc.
This is information that is critical for compliance reporting and understanding how data is being used within your organization.
2: High Privilege Access Should be the Highest Priority for Strengthening DLP
When it comes to ERP systems, the static rules that govern access can be limiting because roles and privileges are user-centric, not data-centric. User-centric roles say a person (or group, in most cases) can view something under any circumstances, while data-centric means the nature of the data defines the access. This gets organizations in trouble time and time again from a DLP perspective because high privilege users always have the ability to see more data than they actually need (to do their job). This makes non-compliance with CCPA almost inevitable. Overexposure of data is your biggest enemy, and governing access by static rules (aka ‘all or nothing access rules’) creates an enormous liability.
Implementing data-centric policies (typically through attribute-based access controls) ensures that a user can only access data deemed necessary and job-related. This is because the data itself is governing access – not a user role. For example, access to certain high-risk transactions can be restricted based on a user’s location – or access can be granted, but with masked data fields. With every variation of context, attribute-based access controls can pivot and adjust accordingly. By reducing the threat surface, companies can reduce the risk of data leakage and mitigate compromised access damages.
3: Use Real-Time Analytics and Data Visualization (SIEM) to Expedite Incident Response Time
Integrated and real-time analytics displayed on dashboards were always a “nice-to-have” feature for security teams; however, keeping CCPA deadlines of breach identification and reporting in mind, data visualization has become a must-have feature. These advanced dashboards equip security professionals with real-time snapshots of data usage. The drill-down capabilities allow for enhanced data discovery and exploration to expedite breach detection and response, helping organizations stay compliant with CCPA and other existing and upcoming regulations.
Ready or Not, CCPA Enforcement Has Arrived
If you’re not wrapping up your CCPA compliance efforts by now, there’s no better time than the present to start (or continue down that road). Appsian can help you fast track your compliance efforts by enhancing your visibility and applying a data-centric ERP compliance framework.
The last thing any company wants is to discover that they’re out of CCPA compliance only when there’s a breach of the regulation.
Contact us to learn how Appsian can help you address your end-to-end security and compliance needs.
On April 19, 2020, Oracle announced on its PeopleSoft Support blog that the company is extending support for the ERP application through 2031. As stated on the blog, Oracle remains “committed to a rolling ten years of support for PeopleSoft. We will review and plan to extend support again next year, and the year after that, so that you have a decade of committed support and can plan your enterprise software investments accordingly.”
This news should give PeopleSoft customers a sense of certainty that investing in the long-term success of their PeopleSoft applications is mission-critical. Thanks to COVID-19, organizations may be concerned about their short-term financial stability. Add in the newfound uncertainty of continuing large-scale IT projects in this climate (like a cloud ERP migration) – and organizations have now found themselves looking for ways to reap maximum benefits with the lowest degree of overhead and project completion time.
Three “Home Improvement” PeopleSoft Data Security Projects
With large-scale projects on hold, it’s a good time to invest in smaller-scale projects that focus on what is truly mission-critical today (and for the near future): PeopleSoft data security. You’re already working hard to secure data while users are accessing it remotely, and while band-aids may be in place right now, organizations must consider strategies that scale long-term.
Here are three smaller “home improvement” projects that strengthen your PeopleSoft data security posture:
Integrate your SAML Identity Provider (IdP) for Single Sign-On (SSO)
When you count the hours spent managing passwords (80% of help desk calls) or tackling SSO projects using customizations and home-grown solutions, you find that removing the complexity of PeopleSoft password management is an ROI-positive project. Add in the lost productivity of users not being able to access business transactions (because they’re waiting for their password to be reset), and the ROI increases further. The bottom line: a SAML-configured Single Sign-On for PeopleSoft will make everybody happy. A SAML SSO provides the combination of security and productivity that organizations are striving for. And, given the alarming uptick in phishing attacks, user credentials have become an obvious liability.
Strengthen IAM with Adaptive Multi-Factor Authentication (MFA)
When you’re buying new appliances for a remodeling project, you buy a washer and dryer as a pair. Yes, you can wash and dry your clothes using one or the other, but using both is a better option. The same goes for pairing adaptive multi-factor authentication (MFA) with your SSO as an effective method for verifying identity. Adaptive MFA ensures that contextual attributes (e.g., device, network, location) are the determining factor for deploying MFA challenges. The context of access varies in mobile and work-from-home environments, and your level of control should do the same. This is essential if your users are accessing remotely, as managing authentication (especially for high-privilege users) can be challenging.
It is also recommended to expand the use of MFA and apply step-up challenges on transactions that may be considered ‘highly sensitive.’
Real-Time Visibility for User Activity Monitoring and Transaction Logging
Just like a rug can tie a room together, real-time visibility via user activity monitoring and transaction logging can be the perfect complement to your PeopleSoft data security fixer-upper. There are a lot of sensitive transactions being executed outside of the office these days, and monitoring user activity gives you a better sense of how your data is being accessed and used.
Invest in Today and Plan for Tomorrow
Now is a good time to take Oracle’s lead in their extension of PeopleSoft support – and alleviate a lot of the complexity around PeopleSoft data security, identity, and access management. Securing remote access with SSO and adaptive MFA today provides significant PeopleSoft ROI – along with applying a strong data security framework that can scale with a myriad of workforce and landscape changes.
Best yet, you can complete these projects in only two to four weeks, and we guarantee you won’t be cleaning up any sawdust when you’re done.
Request a demonstration of the Appsian Security Platform today.
With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of using conventional security technology like a virtual private network (VPN) to secure data residing in traditional, on-premises ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination: it may leave you feeling secure, but your data remains at risk.
A VPN is Not Data Security
Plain and simple – a VPN is a connection point. While it may shrink your threat surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so on…
Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:
Federating High Privilege Users
High-privilege users should face the most scrutiny. Ideally, a high-privilege user should authenticate through Active Directory or whatever identity provider an organization is using. They should then receive federated privileges to PeopleSoft based on the contextual attributes of their access (e.g., are they accessing from a foreign country?). Federating high-privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft using a SAML identity provider (like Active Directory) can be challenging in itself (see this blog for more info).
If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with said access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer, on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate and sadly, they are usually correct.
Malicious Insiders Tend to be High Privilege Users
This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation – bad things can happen. This is the most compelling case for data security because the highest stakes surround high privilege users. A/P, A/R, Finance, Supply Chain, Payroll – all these functions deal with money. Having the ability to lock down and limit access to data and transactions will have a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely. The potential for damage is exponentially greater than before.
Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!
Integrating dynamic, risk-aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove extremely beneficial, because many organizations would prefer not to hamstring their employees with restrictions but would rather gain better visibility so that an anomaly can be detected.
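The contextual rules discussed above (adaptive MFA driven by device, network and location, step-up challenges on highly sensitive transactions, and the payroll-export, after-hours-wire and foreign-vendor cases) as one small policy function. This is an added example, not Appsian's code: the transaction labels, the AccessContext fields, the home country and the business-hours window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Labels for the transactions the text calls "highly sensitive". These are
# constructed names for illustration, not PeopleSoft component names.
SENSITIVE = {"edit_direct_deposit", "view_compensation",
             "export_payroll_query", "send_wire", "create_vendor"}

@dataclass
class AccessContext:
    user: str
    transaction: str
    managed_device: bool      # corporate-managed device vs personal device
    corporate_network: bool   # office network vs home or unknown network
    country: str              # country code derived from the source address
    when: datetime            # local time of the request

def evaluate(ctx: AccessContext, home_country: str = "US",
             business_hours: tuple = (8, 18)) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'.

    The three hard rules mirror the cases raised in the text. Any other
    sensitive transaction gets a step-up MFA challenge regardless of context,
    and ordinary transactions are challenged only from an unfamiliar context.
    """
    in_hours = business_hours[0] <= ctx.when.hour < business_hours[1]
    if ctx.transaction == "export_payroll_query" and not ctx.managed_device:
        return "deny", "payroll export blocked on an unmanaged device"
    if ctx.transaction == "send_wire" and not in_hours:
        return "deny", "wire transfer blocked outside business hours"
    if ctx.transaction == "create_vendor" and ctx.country != home_country:
        return "deny", f"vendor creation blocked from {ctx.country}"
    if ctx.transaction in SENSITIVE:
        return "step_up", "sensitive transaction: re-authenticate with MFA"
    if ctx.managed_device and ctx.corporate_network and ctx.country == home_country:
        return "allow", "familiar context: SSO session is sufficient"
    return "step_up", "unfamiliar device, network or location"

def request(transaction, managed=True, corporate=True, country="US", hour=10):
    """Build a constructed request for a fixed user and date (helper)."""
    return AccessContext("alice", transaction, managed, corporate, country,
                         datetime(2020, 4, 20, hour, 0))

if __name__ == "__main__":
    for ctx in (request("view_paystub", managed=False, corporate=False),
                request("send_wire", hour=2),
                request("create_vendor", country="CA")):
        print(ctx.transaction, *evaluate(ctx))
```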
A VPN Can Be Costly, Unscalable, and Leave You in The Lurch
Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages, causing major disruption. In addition, with organizations moving toward 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk, your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.
And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.
How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications
Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organization’s ability to authenticate users is most effective when it is integrated with your existing identity management strategy and is risk-aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and a vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.
Lastly, visibility is key. With sensitive transactions being executed outside of the office, having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility, allowing you to keep a watchful eye on your data at all times.
When approaching how you can enable secure remote access, it’s best to identify the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security, and not solely a VPN, is the answer.
At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes – as these being corrupted will result in losses that can make recovery significantly harder.
I was recently speaking with a customer who expressed a common concern. Because of COVID-19, their entire finance team was forced to work remotely and they were concerned about the risks of executing critical financial transactions. Purchasing, payroll, expenses, everything… all being done from unknown locations and on devices they couldn’t regulate.
From Convenient to Mandatory
It got me thinking: prior to COVID-19, the objectives for enabling remote access to PeopleSoft had mostly been driven by a desire for productivity and convenience. For years, Appsian has been working with forward-thinking organizations that identified remote access as having significant value. Post COVID-19, organizations are in ‘survival mode’ and have no choice but to open access to their most sensitive financial transactions – and hope for the best. The potential for ‘adding insult to injury’ (i.e., financial losses) in a remote environment is enormous, and like any rapid pivot, it requires a strong strategy to be successful.
You Don’t Know What You Don’t Know
During our conversation, it became clear that their situation posed far more questions than answers. For instance: ‘confidentiality around salary has never been more important’ (I assume they’ve required some employees to take salary reductions); ‘how can I know who viewed salary information, or perhaps downloaded queries?’; ‘how can I be sure unauthorized vendors are not being created?’; ‘how can I be sure payroll is being issued correctly?’; ‘how can I be sure sensitive information isn’t downloaded to someone’s home computer?’ It became clear they were flying blind – and starting to panic.
Traditional ERP Visibility Comes Up Short
None of the questions above could be answered in this customer’s current environment. It’s common knowledge that traditional ERP logging and analytics focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. If the task is to ensure that data is not being accessed maliciously or exfiltrated, and that business processes are not being exploited, ERP visibility comes up short.
This customer initially partnered with Appsian for Single Sign-On and Multi-Factor Authentication – both of which they were happy to have! However, their attention had turned from intrusion prevention to incident response and risk management. While they had the capability to ensure user authentication was strong, they lacked the ability to understand what activity was taking place and, more importantly, whether trends in user behavior were indicative of malicious activity.
How ERP Analytics Prevent ‘Adding Insult to Injury’
This is where ERP Analytics becomes essential. When ERP access is both remote and ubiquitous, the ability to detect and respond to malicious activity is greatly reduced.
Using the Appsian Analytics platform, customers are fully enabled to understand exactly how their ERP data is being accessed – by whom, from where, on what and why. With this information in hand, organizations are fully enabled to detect unauthorized activity and formulate a rapid response before damages become catastrophic.
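A worked illustration of the kind of analytics described above and of the questions the customer raised earlier (who pulled salary data to a home computer, and whose salary-page activity looks abnormal): detection logic run over a constructed transaction log. This is an added example, not Appsian's platform or its schema; the log columns, users, dates and the 3x baseline threshold are assumptions.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO
from statistics import mean

# Constructed transaction log (three days, two users). The column names are
# assumptions for this example, not the schema of any real logging product.
LOG = """ts,user,action,object,device,country,rows
2020-04-20T09:12:00,alice,view,salary_page,managed,US,1
2020-04-20T10:05:00,bob,view,salary_page,managed,US,1
2020-04-21T09:15:00,alice,view,salary_page,managed,US,1
2020-04-21T14:02:00,alice,view,salary_page,managed,US,1
2020-04-21T15:30:00,bob,view,salary_page,managed,US,1
2020-04-22T08:55:00,alice,view,salary_page,managed,US,1
2020-04-22T22:10:00,bob,view,salary_page,personal,CA,1
2020-04-22T22:12:00,bob,view,salary_page,personal,CA,1
2020-04-22T22:14:00,bob,view,salary_page,personal,CA,1
2020-04-22T22:16:00,bob,view,salary_page,personal,CA,1
2020-04-22T22:20:00,bob,export,payroll_query,personal,CA,350
"""

def parse(log_text: str) -> list:
    return list(csv.DictReader(StringIO(log_text)))

def analyze(rows: list, ratio: float = 3.0) -> list:
    """Return alert strings for two conditions: salary data exported to a
    device that is not corporate-managed, and a user whose salary_page views
    on the latest day exceed `ratio` times their own average on earlier days."""
    alerts = []
    daily = defaultdict(Counter)   # day -> user -> salary_page views
    for r in rows:
        day = r["ts"][:10]
        if r["action"] == "export" and r["device"] != "managed":
            alerts.append(f"{r['ts']} {r['user']} exported {r['object']} "
                          f"({r['rows']} rows) to a personal device from {r['country']}")
        if r["action"] == "view" and r["object"] == "salary_page":
            daily[day][r["user"]] += 1
    days = sorted(daily)
    if len(days) < 2:               # no earlier days to form a baseline
        return alerts
    last = days[-1]
    for user, n in daily[last].items():
        baseline = mean(daily[d][user] for d in days[:-1])  # missing day -> 0
        if n > ratio * baseline:
            alerts.append(f"{last} {user} viewed salary_page {n} times "
                          f"vs a baseline of {baseline:.1f}/day")
    return alerts

if __name__ == "__main__":
    print("\n".join(analyze(parse(LOG))))
```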
Analytics Provide Peace-of-Mind
Needless to say, it feels good to provide true value to a customer. It’s not every day that a customer comes to you concerned that their business is in trouble (from a market perspective) and also concerned that additional financial losses will follow (from a business process perspective). This is where having available data and granular oversight provides peace of mind. During unpredictable times, having as much information at your disposal as possible is critical. This is especially true when sensitive financial processes are taking place outside of your office, and essentially outside of your direct control and watchful eye.
The Next Step…
If a lack of visibility is a concern, we’d love to talk. In a brief 30-minute session, we can outline how deep our Analytics can go, common use cases that are pre-configured in the platform, and how they can align to your unique business processes.