California State University, the largest four-year public university system in the country, made headlines when it announced Tuesday that it intends to continue with remote teaching in the fall term at all 23 CSU campuses, affecting most of its 482,000 students. This was a bold move, but I applaud the CSU system, or any college or university, as the rapid shift to online instruction amidst COVID-19 has been an undertaking of historic proportions.
Lost in the headlines is the amount of work that IT teams must do to enable remote access for nearly the entire university staff and faculty. For Cal State University (an Appsian customer – 17 campuses), that’s more than 53,000 faculty and staff who need access to key information and systems. Along with student users, in total, that’s 535,000 (mostly remote) users accessing the university’s ERP systems from all over the world.
The implications of this decision are wide-reaching. Beyond answering questions like, how will you be able to keep students engaged or how will you be able to provide parity to classroom learning, there are a myriad of implications placed squarely on the enterprise systems that support these institutions (ex. PeopleSoft and SAP ECC.) With millions of students, faculty and staff depending on these applications to keep operations running smoothly, how will campuses look to adapt these systems to their new normal? How can they ensure these systems can meet these new demands?
Universities Must Focus on (2) Key Areas: User Experience and Data Security
Remote and distance learning means operations will be extremely dependent on self-service. Universities using PeopleSoft Campus Solutions face a double-whammy. Maintaining strict authentication and data security policies create challenges on their own. In addition, many campuses require additional UX/UI solutions that enable a unified mobile user experience. Without additional UX solutions in place, PeopleSoft’s mobile user experience can be challenging for students to navigate – especially as they’re trying to access self service via mobile devices. Several colleges and universities use the full suite of Appsian’s technology to address these issues.
For Students, User Experience is EVERYTHING
Today, student’s primary method for communication is through their mobile devices. A common problem for universities is that PeopleSoft Campus Solutions’ primary interface is PeopleSoft Classic. This UI is not mobile responsive and has a look and feel that doesn’t necessarily align with Millennial and Gen Z. expectations. As tens of thousands of students register for classes in the fall, this user experience could prove to be problematic, as students are so used to intuitive experiences. Without UX/UI enhancements, campuses run the risk of flooding their support desks or having students abandon self-service transactions – not meeting key enrollment deadlines.
PeopleUX by Appsian turns the Classic interface of PeopleSoft Campus Solution into a visually engaging user experience. Students can easily navigate through transactions like add/drop/swap courses, view grades, class schedules, search for classes, access advisor information, and financial aid details from their mobile device. Giving students the proper tools to execute the majority of their tasks through self-service will alleviate your staff’s workload. It will also provide one less hurdle students (especially new students) will have to get over before class begins in the Fall.
For EVERYONE, Data Security is EVERYTHING
Colleges and universities face the same challenges as businesses that had to transition entire workforces from office-based to work-from-home. Remote access is now a requirement, and IT departments should have the ability to dynamically control access to sensitive transactions and maintain granular visibility into user behavior – something ERP systems like PeopleSoft and SAP ECC inherently lack.
Campuses are turning to VPN to ensure secure authentication, but VPNs have plenty of vulnerabilities. In many cases, adding Multi-Factor Authentication via Duo Security® has been a top choice – one that Appsian couldn’t recommend more. However, integrating an MFA like Duo with PeopleSoft or SAP ECC presents significant challenges. Integration is necessary, especially if you’re looking to apply step-up MFA at the transaction level. This is recommended because application-layer authentication is good, but transaction level authentication is ultimately the best way to ensure data isn’t unnecessarily exposed.
Integration also allows you to leverage adaptive MFA. This can enable you to deploy MFA challenges (at the application layer) based on the context of access, such as business hours, location of the device accessing the system, and type of device. This flexibility can reduce the disruption of MFA challenges on the user and ultimately provides significantly better data security.
Additionally, campuses must consider how they can maintain visibility over the data in their transactions. After all, when you consider the sheer volume of sensitive data in a student information system like student records, student financial information, parent financial information, etc. it becomes clear that the implications of a breach could be catastrophic. This is not lost on hackers who are now aware that large university systems are moving to 100% remote learning. These are data security implications that are not simple to solve, but the focus must be on visibility, control, oversight, and accountability. How detailed is your view of data access and usage? If there was a potential security threat, how long would it take you to detect and remediate it?
It’s too early to tell how many colleges and universities will follow Cal State University’s lead and announce remote learning plans for the Fall semester. Regardless, now is the time to prepare for a school year that still has many variables and unknown factors that can influence a decision.
Request a demonstration so you can get to know the many ways that Appsian can help your university and college tighten your PeopleSoft data security and deliver a mobile-responsive and visually compelling user experience to students.
Analytics have always been necessary for informing ERP data security policies. This has never been more relevant than today, in this everybody-works-from-home environment where function leaders are scrambling to attain oversight and accountability. With whole departments spending 8 hours a day in business applications like PeopleSoft and SAP, establishing strong ERP user activity monitoring strategies is mission-critical. We also touched on this topic a few weeks ago, but now that organizations are adopting visibility solutions, the question becomes – what are the most important details to capture?
Always Capture the Who, Where, When, What, and How
Remember the good old days of February 2020 when articles touted the growing trend of working from home and that remote access to your ERP system and making transactions available on the internet will one day become the “new normal?” Ah, good times.
Then COVID-19 happened, and remote work went from growing trend to hard-core reality in a matter of days. System administrators scrambled to collaborate with managers to create new or updated work-from-home polices that determine who, what, where, when, and how workers can access ERP data – and what transactions they’re allowed to perform. Good times, indeed.
Let’s break down these different details…
1. Who – Details of the User Accessing the Data
Even if your user authentication strategies are strong (ex. leveraging multi-factor authentication), you’re still going to have security concerns – especially with high privileged user accounts. Narrowing your visibility efforts on high privilege user activity allows you to focus on the accounts that can cause the most damage (if corrupted or misused.) For example, your organization may be global (with ERP access coming from multiple countries) but your high privilege users may primarily reside near your domestic HQ. High privilege access coming from outside this IP range may be an early sign of unauthorized activity.
2. What – Details of the Data Being Accessed
What are those Tier 1, highly sensitive data fields you want to closely watch? I’m talking about C-suite salary information, social security numbers, bank account information, etc. Application level logging falls short in showing exactly what a user accessed. However, these details are ultimately the most important. If you do not have visibility into exactly what a user accessed, then you are missing a significant part of the data security puzzle. In many instances, field level logging can show you how much “over access” users may have. After all, least privilege is a best practice – especially in remote environments.
3. Where – Location Where the User is Accessing the Data
As mentioned above, location can be a leading indicator of unauthorized activity. This strategy can be expanded, especially if you’re operating in a vertical that typically doesn’t require global access (ex. higher education, healthcare, state & local government, etc.) Whether it is a sudden influx of authentication requests from China or one-off access from a European country, having location data is an essential component of ERP user activity monitoring.
4. When –Time of Day When User is Accessing Data
Thanks to stay-at-home orders, normal 8 to 5 work hours don’t apply when users must (potentially) deal with kids or other distractions. Simply enacting policies that restrict certain transactions from being executed outside of business hours is a quick way organizations can enhance oversight – but how can you really enforce it at scale? Either way, monitoring after hours activity, while not an obvious indicator of a problem, is a solid baseline. Especially if most ERP processing activities are being executed by hourly employees.
5. How – Type of Device Accessing Data
One of the difficult aspects of rapidly deploying remote ERP access is getting an inventory of all the devices they’ll use. Corporate-managed vs personal devices have a large impact on how you want sensitive business data accessed. Even if every employee has a company-issued device, you’re bound to see unauthorized devices (mobile phone, tablet, personal workstation or laptop, etc.) accessing your system. Knowing exactly what these devices are accessing (or possibly downloading) is extremely important for data loss prevention.
Real-Time User Activity Monitoring Leads to More Informed ERP Data Security Decisions
Using the Appsian Analytics Console, you get a 360-degree view of what is happening around your ERP data. From there, you can map out a targeted incident response before damages become catastrophic and influence your ERP data security policies.
Some additional examples of ERP data security measures you can deploy include:
- Enabling adaptive authentication policies that deploy additional authentication challenges based on the context of access
- Restricting the availability of specific transactions (partial or full) when access is coming from unwanted geographic locations
- Masking any data field (partial or full)
Appsian enables organizations to enhance their level of control and visibility over business data. To ease the anxiety of allowing remote ERP access, Appsian can help you make the rapid changes (avg. go-live in 2 weeks) necessary to manage and mitigate risk.
Request a demonstration of the Appsian Analytics Console today.