Top U.S. bank improves security visibility in peoplesoft

CHALLENGE

As a U.S. bank, the client faced multiple compliance requirements from banking regulators across all enterprise applications – including PeopleSoft. Due to limited out-of-the-box logging capabilities, the client’s PeopleSoft applications had continued to create flare ups during security audits for its lack of direct visibility. With public facing PeopleSoft applications, the client also sought a way to improve remote access security and control the exposure of sensitive information, as well as generate activity logs for all PeopleSoft activity.

SOLUTION

Using Appsian’s Application Security Platform (ASP), the client was able to enhance PeopleSoft’s logging capabilities to eliminate blind spots and gain visibility into all activity around sensitive information. Logging was implemented to gather user activity for all data access except for low-risk self-service transactions. To improve visibility on privileged accounts, all actions were logged for high-risk roles such as PS_ADMIN. Data masking with click-to-view functionality was also implemented, allowing the client to simultaneously reduce data exposure and explicitly track when sensitive data was accessed and by whom. Combining 2FA and location-based security, the client secured remote access by implementing 2FA challenges at login and restricting PeopleSoft access outside their trusted network to self-service transactions only. To further protect their employees, multi-factor authentication challenges were implemented inside PeopleSoft at the field-level – requiring identity reconfirmation for any changes made to direct deposit information, phone numbers, and other fields containing sensitive PII.

RESULTS

Upon implementing ASP, enhanced logging provided the client with direct visibility into PeopleSoft activity and generated access logs with actionable context tied to activity. Using field-level masking and location-based security, the client significantly reduced their risk profile while minimizing negative impacts to user experience. Click-to-view masking prevented unintentional exposure but at the time allowed easy access and simultaneously generated tagged logs for improved auditing and threat management. Location-based access controls limited remote access to self-service functionality only, further protecting the client from data leakage. Combined, ASP allowed the client to improve their security posture and fully align to compliance requirements within PeopleSoft.