Can your organization maintain strict data security policies when access to PeopleSoft is available outside your corporate network?

A strategic step towards upgrading the PeopleSoft user experience is by making transactions mobile-friendly. Companies are prioritizing remote access to self-service modules like benefits enrollment, time entry, approvals, and student self-service so that users can complete tasks on their own time and often on their own devices. Despite the benefits of mobilizing and opening applications for PeopleSoft remote access, security ramifications are a major concern. Expansion of access to sensitive data beyond a secure network perimeter increases the risk of threats and more successful breaches. Also, the proliferation of user-centric threats adds to the risk, as hackers increasingly target individual users and devices – leveraging the human-error factor to their advantage.

Key Challenges

PeopleSoft applications lack native SAML support. As a result, PeopleSoft applications cannot connect with SAML supporting ID providers and are likely to be alienated from other enterprise applications. Most off-the-shelf SSO providers are unaware of this limitation and suggest custom development, which is costly, time-consuming, and often requires the purchase of additional hardware.

PeopleSoft allows organizations to implement role-based access controls (RBAC) based on static rules. With increased remote access from outside a secure network, organizations need more flexibility to control what users can access based on contextual information. RBAC cannot use dynamic information such as project ID, company code, IP address, location, device type, and more to authorize access.

PeopleSoft’s primary security model of username & password authentication is limited to an application’s login – a limitation that still exists with third party MFA add-ons. After a user passes login, you have no way of protecting the data across your PeopleSoft applications. This gap in security control means that a malicious insider with access to high privileged credentials could pass login and then have access to your PeopleSoft systems and data.

Out-of-the-box, PeopleSoft offers high-level logging designed primarily for debugging and troubleshooting. These logs do not provide information on what data was accessed or any details on the context of access, such as who obtained it, when, or from where. Additionally, PeopleSoft lacks the capability to monitor, track, and record user activity on a granular level, along with the context of activity.

PeopleSoft’s existing data masking functionality is limited and depends on static, role-based rules. That means users who have the privilege to access sensitive data can view it all, no matter where they are accessing the application. As a result, sensitive data fields are vulnerable to exposure if privilege user credentials are stolen or when privileged users download data on personal/home computers using queries.