With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of using conventional security technology like a virtual private network (VPN) to secure data residing in traditional, on-premise ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination that may leave you feeling secure, but it should be noted that your data remains at risk.
A VPN is Not Data Security
Plain and simple – a VPN is a connection point. While it may shrink your threat surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so one…
Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:
Federating High Privilege Users
High privilege users should face the most scrutiny. Ideally, a high privilege user should authenticate through Active Directory or whatever identity provider an organization is using. They should then receive federated privileges to PeopleSoft based on the contextual attributes of their access (ex. are they accessing from a foreign country?) Federating high privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft using a SAML identity provider (like Active Directory) can be challenging unto itself (see this blog for more info.)
If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with said access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer, on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate and sadly, they are usually correct.
Malicious Insiders Tend to be High Privilege Users
This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation – bad things can happen. This is the most compelling case for data security because the highest stakes surround high privilege users. A/P, A/R, Finance, Supply Chain, Payroll – all these functions deal with money. Having the ability to lock down and limit access to data and transactions will have a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely. The potential for damage is exponentially greater than before.
Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!
Integrating dynamic, risk aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove to be extremely beneficial, as many organizations would prefer not to hamstring their employees with restrictions. However, they would prefer to gain better visibility in case an anomaly is detected.
A VPN Can Be Costly, Unscalable, and Leave You in The Lurch
Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages – causing major disruption. In addition, with organizations moving toward a 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk – your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.
And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.
How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications
Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organizations ability to authenticate users is most effective when its: integrated with your existing identity management strategy and risk aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and a vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.
Lastly, visibility is key. With sensitive transactions being executed outside of the office having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility. Thus, allowing you to keep a watchful eye on your data at all times.
When approaching how you can enable secure, remote access – its best to identify what are the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security – and not solely a VPN are the answer.
At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes – as these being corrupted will result in losses that can make recovery significantly harder.
I was recently speaking with a customer who expressed a common concern. Because of COVID-19, their entire finance team was forced to work remotely and they were concerned about the risks of executing critical financial transactions. Purchasing, payroll, expenses, everything… all being done from unknown locations and on devices they couldn’t regulate.
From Convenient to Mandatory
It got me thinking, prior to COVID-19 the objectives for enabling remote access to PeopleSoft had mostly been out of a desire for productivity and convenience. For years, Appsian has been working with forward-thinking organizations who identified remote access had significant value. Post COVID-19, organizations are in ‘survival mode’ and have no choice but to open access to their most sensitive financial transactions – and hope for the best. The potential for ‘adding insult to injury’ (ie financial losses) in a remote environment is enormous, and like any rapid pivot, requires a strong strategy to be successful.
You Don’t Know What You Don’t Know
During our conversation, it became clear that their situation posed far more questions than answers. For instance, ‘confidentiality around salary has never been more important’ (I assume they’ve required some employees to take salary reductions) ‘how can I know who viewed salary information, or perhaps downloaded queries?’ ‘how can I be sure unauthorized vendors are not being created?’ ‘how can I be sure payroll is being issued correctly?’ ‘how can I be sure sensitive information isn’t downloaded to someone’s home computer?’ It became clear they were flying blind – and starting to panic.
Traditional ERP Visibility Come Up Short
None of the questions above were able to be answered in this customer’s current environment. It’s common knowledge that traditional ERP logging and analytics focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. If the task is to ensure that data is not being accessed maliciously, exfiltrated, or business processes are not being exploited – ERP visibility comes up short.
This customer initially partnered with Appsian for Single Sign-On and Multi-Factor Authentication – both of which, they were happy to have! However, their attention had turned from intrusion prevention to incident response and risk management. While they had the capability to ensure user authentication was strong, they lacked the ability to understand what activity was taking place. And more importantly, if trends in user behavior were indicative of malicious activity.
How ERP Analytics Prevent ‘Adding Insult to Injury’
This is where ERP Analytics becomes essential. When ERP access is both remote and ubiquitous, the ability to detect and respond to malicious activity is greatly reduced.
Using the Appsian Analytics platform, customers are fully enabled to understand exactly how their ERP data is being accessed – by whom, from where, on what and why. With this information in hand, organizations are fully enabled to detect unauthorized activity and formulate a rapid response before damages become catastrophic.
Analytics Provide Peace-of-Mind
Needless to say, it feels good to provide true value to a customer. It’s not everyday that a customer comes to you, concerned that their business is in trouble (from a market perspective) and they are also concerned additional financial losses will follow (from a business process perspective.) This is where having available data and granular oversight will provide peace-of-mind. During unpredictable times, having as much information at your disposal is critical. This is especially true when sensitive financial processes are taking place outside of your office – essentially your direct control and watchful eye.
The Next Step…
If a lack of visibility is a concern, we’d love to talk. In a brief 30 minute session, we can outline how deep our Analytics can go, common use cases that are pre-configured in the platform, and how they can align to your unique business processes.
It’s no secret that managing PeopleSoft passwords can be challenging. This has been a hot topic for years – and with COVID-19, we’re seeing a resurgence from increased remote access. A remote workforce can quickly put a strain on IT help desk services – especially with resetting passwords. Btw, hackers know that passwords are being reset at a record pace, as demonstrated by the massive uptick in phishing attempts (+667% since Feb. according to Forbes.)
With a myriad of IT projects and an ever-changing list of demands from the organization, setting priorities can be difficult. We’d suggest PeopleSoft customers prioritize a single sign-on for (4) key reasons:
PeopleSoft Passwords are a Security Liability
I eluded to this above, but the statistics speak for themselves. According the 2019 Verizon Data Breach Investigation Report, ‘91% of hacking attacks begin with phishing/spear phishing attacks.’ Organizations try to mitigate this by using a VPN. However, after the expense and potential disruption in service after a large percentage of your workforce is accessing critical business transactions using a VPN – there is little ROI in this strategy.
Might I suggest, requiring VPN access for ‘high privilege’ access only? Normal users that are accessing self-service can be secured by leveraging a Single Sign-On (and possible multi-factor authentication.)
IT Resources Need to be More ‘Focused’ Than Ever
We don’t need to belabor this point but suffice to say that changing your business operations overnight (in the case of COVID-19) causes complexity. Ensuring network/server availability and using help desk services to troubleshoot strategic issues is better than one-off password resets.
The ROI of an SSO Project (over time) is Very High
When you count up the hours spent managing passwords (80% of help desk calls), you quickly find that removing the complexity of PeopleSoft password management, is an ROI positive project. Add in the lost productivity of users not being able to access business transactions (because they’re waiting for their password to be reset), then the ROI increases. Bottom line, an SSO project will delight both users, IT teams, and your CFO alike!
This Project Can be Done Quickly (2-4 weeks.)
We’ve come to the (sort of) tricky part. Organizations have tackled SSO projects using customizations and home-grown solutions – all of which modify PeopleSoft code and create challenges down the line. Needless to say, if you’re looking for rapid deployment, with minimum complexity (today and in the future) – than a configurable approach is recommended.
This is where Appsian comes in, as we’ve developed the native SAML connector that can seamlessly integrate your Identity Provider (OKTA, ADFS, Azure, Shibb, etc.) with PeopleSoft – creating a configurable Single Sign-On. Thus, not effecting underlying PeopleCode or having an impact on future application upgrades.
Bottom line, if you’re looking to quickly alleviate a lot of the complexity around PeopleSoft identity and access management – Appsian can help! We have worked with hundreds of PeopleSoft customers around the world, helping them remove costly customizations and implement a SAML-configured Single Sign-On for PeopleSoft.
Let us show you! We can get you up in running in a couple of weeks!
Single Sign-On (SSO) solutions have emerged as the gold standard in identity management. While poor password practices continue to prevail, the effectiveness of the ‘username and password’ as the main authentication model has deteriorated.
Password management can be a nightmare for IT, as it reduces department productivity and increases service costs. However, SSO solutions allow administrators to centralize identity management, as end-users utilize a single set of credentials to access every enterprise application.
Establishing an SSO for PeopleSoft
PeopleSoft applications are a vital part of an organization’s enterprise architecture, and unfortunately, integrating PeopleSoft into an enterprise Single Sign On can present challenges. This has lead administrators to look to the market for help – and as you evaluate an SSO solution for PeopleSoft, you should ALWAYS ask these 6 questions – the answer will be the difference between project success and failure:
How Does Your Product Interact with PeopleSoft?
To successfully implement an SSO solution, organizations first need to integrate all applications with a centralized ID provider. Most popular ID providers such as Microsoft Azure Active Directory, OKTA, etc., use SAML – the open federation standard that allows identity providers (IdP) to communicate with enterprise applications.
Many off-the-shelf SSO vendors claim to support PeopleSoft. However, they ignore the fact that PeopleSoft applications do not natively support SAML. With a conventional SSO solution, PeopleSoft applications are likely to stay alienated from the rest of the organization’s business applications. Organizations must ensure that their SSO provider addresses the SAML problem upfront. Or it can lead to a ripple of problems with the implementation (ex. inflated budget, time lines, complexity, etc.)
Is There a Need for Customizations?
Exclusive to PeopleSoft, most SSO providers are required to build an extensive framework of customizations. Customizations demand extra resources and prolong the implementation timeline – thus, increasing the project liability. Even after that, custom SSO solutions can be insecure, fragile, lack functionality for some transactions, and be prone to problems that are difficult to troubleshoot. Moreover, building and maintaining a customized framework requires both coding and PeopleTools expertise – which is a rare skill combination. Alternatively, PeopleSoft customers can seek a configurable SSO based on logic workflows built outside of the PeopleCode.
Are there Additional Hardware/Server Requirements?
In most cases, organizations will be required to purchase additional hardware to support the customizations designed to simulate communication between PeopleSoft and their respective Identity Provider. The procurement of new infrastructure (reverse proxy servers) is not ideal and can result in unexpected project budget overruns.
Does the Solution Support Deep Embedded Links?
One of the primary benefits of an SSO solution is allowing users to bypass login with the use of deep links or embedded links. These links, when sent to a user, can take them to a specific transaction using the previously authenticated SSO session. Thus, saving time and increasing user satisfaction and productivity. However, most off-the-shelf SSO providers don’t support this functionality. With increasing remote access on mobile devices, deep-link navigation can be important to usability and engagement. For instance, a user can go straight to an intended transaction by following a link (sent via email, text, etc.) even if they are required to authenticate an SSO session on a device they don’t use frequently.
How Does the Solution Impact PeopleTools Lifecycle Management?
PeopleSoft’s native functionality is continuously evolving with every single image released via the PeopleSoft Update Manager (PUM). These updates include frequent changes in the authentication model, which means that a customized solution would demand excessive upgrade and alteration with each update. The constant need for upkeep can adversely affect the adequate use of customer resources and time, making room for an increased scope of errors and subsequent troubleshooting.
What if We Decide to Switch an SSO Identity Provider?
One of the most important decisions organizations need to make while choosing an SSO solution is the flexibility of adaptation if and when they decide to switch SSO identity providers. Ideally, organizations must look for a configurable SSO instead of a coded (customized) one. The reason being, when an organization plans to switch to a new SSO identity provider, a custom solution would require building a whole integration framework. Therefore, a custom SSO can prove tedious and time-consuming, unlike a configurable SSO that can allow a seamless switch.
Appsian’s PeopleSoft SSO Connector
Designed to create a simple, extensible, and easy-to-maintain approach to the implementation of modern authentication, Appsian’s PeopleSoft SSO Connector is the only turnkey solution for native SAML-compatibility in PeopleSoft – enabling customers to:
- Leverage existing investment in SSO solutions with PSFT
- Authenticate PSFT sessions via SAML-based Identity Providers
- Access PeopleSoft via deep link navigation
- Support multiple IdPs concurrently
- Deploy SSO for PeopleSoft in as quick at 7 days
- Implemented without additional hardware or custom coding
Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, PLUS new data regulations have paved the way for several necessary security enhancements. As the end of 2018 draws near, now more than ever, organizations must be aware of the myriad of threats that are well-aware that “year-end” bonus season is coming… and are preparing their tactics to redirect your employees hard-earned payroll/bonuses.
What is the weakest link in your ERP security chain?
Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches are now originating from the unauthorized use of valid login credentials – stolen directly from the user themselves. Thus, making your users (and their passwords) by far, the weakest link in your security chain.
Recommendations for mitigating the “human error” element
Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must utilize, and details the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:
- Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
- Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
- Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
- Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
- Extending logging capabilities to be compliance-ready with 360-degree awareness of what going on inside your PeopleSoft systems and user activity.
- Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics to your PeopleSoft security infrastructure.
Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.
On a time-crunch? Request a quick session with our PeopleSoft security experts.
In a previous blog ‘Time is Money’ we discussed what lacking a PeopleSoft-integrated SSO is costing your organization.
By now, we all should fully understand what the recurring password recovery cycle is costing organizations in terms of lost end-user productivity and excessive calls to the IT help desk. Organizations can use a single sign-on (SSO), to establish a centralized authentication system that allows IT to manage support costs and efficiently perform password database provisioning. An SSO also greatly reduces user downtime associated with password reset and recovery.
Off-the-shelf SSO solutions DO NOT work with PeopleSoft
There are numerous vendors who promise that the same SSO that you implement across all of your enterprise applications will also work seamlessly in your PeopleSoft environment. Unfortunately, when it comes to implementing that off-the-shelf SSO in PeopleSoft (specifically) those projects are destined for failure. The reason being that off-the-shelf SSO solutions rely on SAML based technology as an identity federation standard – and there’s no native SAML support in PeopleSoft. Unaware of this fact, SSO vendors will assume that PeopleSoft supports SAML (similar to your other applications) and eventually hit a roadblock during implementation/testing. This complication typically results in the recommendation of added customizations and web server(s) in order to save your PeopleSoft environment from being alienated from the rest of your enterprise applications.
The downsides of fitting a square peg in a round hole
Off-the-shelf SSO solutions need to go through extensive customizations in order to have any communication with PeopleSoft. Firstly, organizations need to build extensive frameworks to integrate SAML based identity providers (ADFS, Shibboleth, etc.) with PeopleSoft using a reverse proxy configuration. These custom developments require procuring and setting up additional infrastructure (hardware, web server(s), etc.) – resulting in prolonged project timelines and budget overruns. Secondly, these customizations (once implemented) are fragile, difficult to troubleshoot and require constant intervention – especially during PeopleSoft updates.
PeopleSoft Single Sign-On – a square peg for a square hole
Organizations can save both time and money by opting for an integrated SSO, exclusively designed for PeopleSoft. For years, the demand for a native SSO utilizing SAML identity providers was a hot topic in the Oracle community – fortunately, this solution is now a reality. Being the only native SSO solution for PeopleSoft, PeopleSoft Single Sign-On by GreyHeller allows organizations to support SAML-based authentication technology without any customizations or additional infrastructure. PeopleSoft Single Sign-On eliminates the need for end-users to utilize multiple (weak and easy to remember, but easy to crack) passwords and empowers them to seamlessly transition between PeopleSoft applications using a single, strong login credential. It also empowers IT teams to centralize authentication management and makes it easy for them to provision password databases as employees come and go in the organization.
Once implemented, PeopleSoft Single Sign-On enables your employees to:
- Authenticate PeopleSoft sessions via the leading identity providers such as: ADFS/Office 365, Shibboleth, or OKTA
- Access PeopleSoft via deep link navigation (sent by email or other enterprise communication channels)
- Utilize PeopleSoft links from a 3rd party portal
When it comes to your enterprise applications, opt for the peg that fits rather than hammering the one that doesn’t into a shape that partially fits! To learn more – request a live demo of PeopleSoft Single Sign-On with an Appsian Solutions Expert email us at firstname.lastname@example.org.
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.com] [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.compsfthr] “http”=dword:00000001 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.compsftfin] “http”=dword:00000001 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.compsftcrm] “http”=dword:00000001Not too bad. How about if we just want to flag the entire mycompany.com domain as the Intranet?
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.com] “*”=dword:00000001Before making changes like this, you’ll want to check that you don’t already have any custom settings for your standard workstations. If so, then you’ll need to merge these changes in with however those settings get deployed in your organization. If not, then you can save your own versions of these files with a .reg extension, and they’ll be ready for importing. You can use the /quiet flag for regedit to add this as part of your user’s Windows login scripts. Labels: Microsoft Windows Browser