Security, Tips and Techniques

Happy World Password Day! Celebrate By Adopting Passwordless Authentication (for PeopleSoft)

By Scott Lavery • May 7, 2020

Every first Thursday in May, cybersecurity professionals collectively roll their eyes at the idea that there is, in fact, a World Password Day. Why? Because PeopleSoft passwords are the undisputed King of Liability in most enterprise organizations.

User credentials are stolen at an alarming rate – and the tactics are becoming more sophisticated. Throw in the fact that users are now working from their living rooms, home offices, and in many cases… mobile phones – hackers see their opportunity and they’re taking it.

This is precisely why Gartner predicts that by 2022, 60 percent of large and global enterprises, and 90 percent of mid-size enterprises will implement passwordless authentication methods.

Why Organizations are Adopting Passwordless

Risk of Weak/Stolen Passwords

Like I mentioned, phishing and spear phishing attacks are on the rise. Hackers are able to crack user credentials easily, as evidenced by the 2017 Verizon Data Breach Report, which stated that 81% of hacking-related breaches used either weak or stolen passwords. This is a clear sign that an organization should limit its use of passwords wherever possible.

Passwords Can be Expensive to Maintain

Managing passwords can be an expensive affair. According to Forrester Research, the average helpdesk labor cost for a single password reset is $70. The more complex your identity and access management is, the more expensive it will be.

Passwords Hinder Productivity

Imagine an employee taking ten minutes out of their schedule to recover a forgotten password. Now imagine hundreds of users facing the same issue. Doing away with passwords can help organizations save time and increase productivity.

Why PeopleSoft Passwords are a Challenge

PeopleSoft throws an extra wrench into the authentication/password equation, since PeopleSoft passwords tend to be very weak and users require different credentials for each application. Some organizations use a portal to simulate single sign-on, but the challenge of weak passwords remains for portal authentication.

Organizations are fully aware of the challenges with PeopleSoft passwords and tend to build customized solutions that are complex, frequently break, and generally add more complexity than they’re worth – this topic is well trodden.

The Fastest Path toward Adopting Passwordless for PeopleSoft

Establish an SSO through your existing SAML Identity Provider (IdP)

Your IdP is your central means of authenticating users – so use it for critical business applications like PeopleSoft. This is especially important for enabling remote access for high privilege users, because your IdP is the most reliable way to authenticate. Having to provision identity outside of your IdP just adds complexity. Establishing a SAML Single Sign-On for PeopleSoft is the best way to enable secure, seamless access without adding the complexity of a customized solution.

Implement Adaptive Multi-Factor Authentication (MFA) at App & Transaction levels

Adopting multi-factor authentication (MFA) can be one of the fastest paths to a passwordless system. MFA secures authentication with two or more factors: something the user is (biometrics), something the user knows (a password), and something the user has (an OTP or a security token).

Adaptive MFA adds authentication steps in line with the level of risk a session poses. Combined with SSO, MFA can challenge a user whenever the session shows an element of risk (unfamiliar location or device, access outside business hours, etc.). Using a combination of factors not only eliminates PeopleSoft passwords – it drastically decreases the likelihood of a successful data breach. And, as a bonus, it provides a better user experience.

Appsian Supports Passwordless with Data-Centric Security

Appsian enables your security posture to be data-centric, not user-centric. Users have passwords and users lose passwords. Appsian enables your security policies to be aligned with the data a user is attempting to access. Thus, you are not relying on a password to prevent unauthorized access – you’re able to rely on the true identity of the user.

Data-centric security, in conjunction with SSO and MFA solutions that let you use your central authentication mechanisms (AzureAD, ADFS, OKTA, etc.), eliminates the need for users to have PeopleSoft passwords and the liability that comes with them. The result is better security, productivity, and user experience.

Conclusion

As you “celebrate” World Password Day, we should all be reminded that the landscape has changed forever. Remote access, blended access, etc., will be the new way of life, and relying on passwords is no longer the most reliable way to maintain security.

The stakes are too high, and while it may feel like there is a never-ending list of priorities, adopting a passwordless security model should be at the top of the list.

Contact us to learn how we can enable your rapid adoption of a passwordless PeopleSoft authentication strategy.


Security, Tips and Techniques

How to Streamline the SAP Segregation of Duties Exception Process Using Attribute-Based Access Controls

By Ryan Quinonez • April 29, 2020

Secure, compliant, and efficient business processes are critical to enterprise operations. In SAP, Segregation of Duties (SoD) is a key principle in making this possible.

What happens when an SoD exception is necessary?

Oftentimes a user will need to be granted roles and privileges that pose a conflict of interest. It could be that an employee is part of a small department, or that a security clearance precludes others from involvement. Whatever the reason, this user needs the ability to handle multiple steps in a business process – and an exception is made.

Here’s where things can get tricky. Once an SoD exception is made, your standard preventive controls are no longer effective. This is one of the major shortfalls of SAP’s static, role-based access controls.

Shifting from a preventive approach to a detective approach…

… you must now gather access logs, filter out false-positives, and finally, send to the appropriate control owner to review and sign-off. Besides the additional overhead of manual reviews and approvals, detective controls create room for human error and increase the dwell time before red flags are caught.

So why are current SAP SoD Controls limited?

Without the logic to distinguish potential violations from actual violations, preventive controls are a non-starter. Your (preventive) SAP access controls determine authorizations based on two things: 1.) a user’s role and 2.) the role’s associated permissions (think transactions). While this works in the vast majority of cases, enforcing SoD requires controls with more granularity.

Let’s take a look at what an actual SoD violation entails

The whole objective of SoD is to avoid conflicts of interest in your business processes. However, conflicting transactions do not necessarily pose a conflict of interest unless the subject is the same.

For example, a user performs the transactions to create and approve multiple purchase orders. Looking at the transactions themselves, this activity has the potential for violations. Looking deeper into the PO details, you may see that the user never created and approved the same PO – therefore no violation was made.

SAP can show you 1.) the user and role, and 2.) the transactions performed, but is missing the third component: the field-level values in the PO itself. This lack of visibility into attributes beyond roles and permissions is what makes preventive controls a non-starter and clutters SoD audit logs with false positives when exceptions have been made.

The Solution? Enforcing SoD Policy with Attribute-Based Access Controls

Attribute-Based Access Controls (ABAC) enable the use of “attributes” in authorization decisions. These attributes can be anything from user details such as role, department, nationality, or even a user’s security clearance level. Additionally, access context such as IP address, location, time, device and transaction history can be considered. And most importantly for SoD, data attributes can now be used in authorization logic. This means that field-level values within SAP can be used to determine whether to block or allow a transaction, and these details can further be used in reporting activities.

In the Purchase Order example above, data attributes can be used to identify whether a user performed the first transaction and make the correlation that performing the second transaction would result in a violation. 
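The purchase-order case above, worked as an added example (not Appsian's or SAP's code): the same constructed activity log is evaluated once at the transaction level, the way static role reporting sees it, and once correlated on the PO number, which is the data attribute that separates a potential conflict from an actual violation; a runtime check then shows the preventive form. Transaction names and log lines are placeholders.

```python
"""Correlating SAP-style activity on the subject attribute (the PO number) so
that a create+approve conflict is flagged only when the same user touched the
same PO. Added illustration; transaction names and the log are constructed."""
from collections import defaultdict

# Conflicting transaction pair for the purchase-order process. A real SAP
# deployment would map these to transaction codes; the names are placeholders.
SOD_RULES = {("CREATE_PO", "APPROVE_PO")}

# Constructed activity log: (user, transaction, purchase order number).
ACTIVITY_LOG = [
    ("alice", "CREATE_PO", "PO-1001"),
    ("alice", "CREATE_PO", "PO-1002"),
    ("bob", "APPROVE_PO", "PO-1001"),    # different user: no conflict
    ("alice", "APPROVE_PO", "PO-1002"),  # same user, same PO: actual violation
    ("alice", "APPROVE_PO", "PO-1003"),  # alice never created PO-1003: potential only
]


def potential_conflicts(log):
    """Transaction-level view (what role/permission reporting sees): users who
    executed both halves of a conflicting pair, ignoring the subject."""
    by_user = defaultdict(set)
    for user, txn, _ in log:
        by_user[user].add(txn)
    return sorted(u for u, txns in by_user.items()
                  if any(a in txns and b in txns for a, b in SOD_RULES))


def actual_violations(log):
    """Detective control with the data attribute: same user, both halves of a
    conflicting pair, on the same PO. Returns sorted (user, po, pair) tuples."""
    seen = defaultdict(set)  # (user, po) -> transactions executed on that PO
    for user, txn, po in log:
        seen[(user, po)].add(txn)
    found = []
    for (user, po), txns in seen.items():
        for a, b in SOD_RULES:
            if a in txns and b in txns:
                found.append((user, po, (a, b)))
    return sorted(found)


def preventive_check(history, user, txn, po):
    """Runtime (preventive) check evaluated before a transaction executes: block
    when this user already performed the other half of a conflicting pair on
    this PO. Returns (allowed, reason)."""
    prior = {t for u, t, p in history if u == user and p == po}
    for a, b in SOD_RULES:
        if txn == b and a in prior:
            return False, f"{user} already ran {a} on {po}; {b} would violate SoD"
        if txn == a and b in prior:
            return False, f"{user} already ran {b} on {po}; {a} would violate SoD"
    return True, "no conflicting prior activity on this subject"


if __name__ == "__main__":
    print("potential (transaction-level):", potential_conflicts(ACTIVITY_LOG))
    print("actual (subject-correlated):", actual_violations(ACTIVITY_LOG))
    print(preventive_check(ACTIVITY_LOG, "alice", "APPROVE_PO", "PO-1001"))
```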

Combining SAP’s role-based access controls (RBAC) with an attribute-based access control (ABAC) solution enables granular control and visibility that delivers a wide range of business benefits.

Newfound Flexibility in SoD Exception Scenarios

(Figure: RBAC + ABAC Hybrid Approach)

The RBAC + ABAC hybrid approach opens the possibility to apply preventive controls in SoD exception scenarios. By doing so, you can offer users the flexibility an exception provides while still preventing any actual violations from happening.

Together, this hybrid approach (RBAC + ABAC) enables a dynamic SoD model that prevents violations while still allowing the flexibility of conflicting roles to be assigned (when necessary) and reinforces role-based policy to mitigate over-provisioning.

RBAC + ABAC Hybrid Approach Using Appsian

Appsian adds an additional authorization layer to SAP GRC Access Control that correlates user, data and transaction attributes, along with identified SoD conflicts, to block conflicting transactions at runtime.

Contact Us to learn more about how a hybrid access control approach can strengthen Segregation of Duties (SoD) at your organization.


Tips and Techniques

Five Tips to Make You a Work-From-Home Pro

By Joseph Barringhaus • March 20, 2020

The streets are empty, offices are closed, and your favorite bar around the corner is shut down until… well, we don’t know when. COVID-19 has taken us all by surprise and companies are implementing work-from-home policies at a rapid pace. 

Working from home can, at times, feel like a prison. If you’re one of the lucky ones, you have video conferencing and it isn’t overloaded (just yet.) Some of us are used to working from home or were already remote before the pandemic – others are working from home for the first time and have never experienced this lack of social interaction before. 

Here are a few work-from-home tips to consider: 

1) Stick to your schedule. 

It’s tempting when you first start working from home to sleep-in late. Don’t! Stick to your normal routine. If you normally go into the office from 9 am to 5 pm, be at your computer/iPad/phone/whatever from 9 am to 5 pm. Your body gets used to these habits and it’s important to still have some boundaries between your work life and home life.

2) Create a workspace. 

It feels like I’ve heard every sort of work-from-home space idea there is. Working from the bathtub has to be the most interesting, and equally the most concerning. The same way that our minds get used to a work schedule, we get used to a workspace. If we do work in our bed, our minds may struggle to leave work at “work” when we’re trying to sleep. If we do work on our couch, distractions to turn the tv on for a minute or rest your eyes can become consistent habits. Clear space on your kitchen table or make a standing desk out of your counter, anything to create a secondary location that you can use just for work. 

3) Communicate with your team (well). 

If you’ve never worked from home, you likely had the ability to walk down the hall or simply turn your head to ask a question. I saw the message “I wonder how many meetings become emails now” all over social media last week. Utilize all of your tools, not just email. If your company has Microsoft Teams/Slack for messaging, use it to stay in touch and send your updates. If you have video conferencing, have your meeting with the cameras on just to have that in-person feeling. 

For those that work from home, it’s important to communicate not only with your coworkers, but your boss as well. Let them know what you’re working on and how you’re utilizing your time. If your boss has never worked from home either, they may be concerned that your work could suffer. Keep them informed with how your progress is and what you need from them, just like you should be doing in your office. 

4) Take care of your appearance. 

Growing up I played hockey and every gameday we would dress up and say “look good, feel good, play good.” We didn’t always win, but there’s something about feeling your best that puts you in the right frame of mind. I don’t mean to say you should dress in a suit to work from your home office, but at least come presentable to your “office.” If you’re doing a video call, opening your email, or just sitting at your desk you want to set yourself up for success. Prepare for your day just like you would any other day. 

5) Take breaks. 

When you work in an office, breaks are built into your day whether we know it or not. My good/bad habit when working from home is that when I sit down at my desk, I don’t get up for hours at a time. I’m glued to my screen with no distractions. At work, you get up to grab a drink and have a conversation with your deskmate on the way. Maybe you’re in a “cool office” and your office plays a game of ping pong once a day. Whatever your “break” is in the office, you need one when working from your home office too.

Try walking to get your mail, go outside for five minutes and just breathe in the fresh air, or do really anything else that gets you up from your chair (or, if you’re lucky, away from your standing desk). It doesn’t (and shouldn’t) have to be long, but make sure you are still moving some.

Hopefully these 5 tips help you become a work-from-home pro during this COVID-19 pandemic. Stay safe and be sure to keep checking the CDC’s guidelines, found here.

Interested in what we do at Appsian? Click here


Security, Tips and Techniques

2020’s Top ERP Security Challenges: It’s All About the Data!

By Scott Lavery • December 19, 2019

As we enter the new year, the criticality of securing sensitive data will continue to mold and transform the structure of security strategies across enterprises, resulting in a heightened focus on access controls, visibility solutions, and (generally) data-centric ERP investments. With numerous data privacy regulations on the horizon, the cost of data breaches will be more catastrophic for businesses. In 2020, enterprises must invest in proactive strategies that combat the dynamic threats targeting an organization’s most sensitive data.

Enterprises can expect the trend of increased data breaches in ERP systems to continue to rise in 2020

Since ERP was first designed as an application product, ERP systems have been incapable of evolving alongside an organization’s maturing IT environment – and are unable to integrate with advanced security initiatives. It is, and will remain, very challenging to keep ERP systems up to date, and due to the business criticality of these applications, enterprises are wary of switching them out entirely.

In order to secure ERP systems in 2020, business owners must realize the criticality of their businesses’ usability of ERP apps. It is the business owner who is more familiar with the users, and as Gartner concluded, ‘it is the user – not the provider – who fails to manage the controls used to protect an organization’s data.’ With the growing number of connected applications running across the company, such as payment and HR apps, business owners need to evolve their ERP systems and go beyond firewalls.

In 2020, there will be a CIO responsibility shift from “systems technology experts” to “data experts”, as security increasingly becomes more of a data-level function

As enterprises become more and more aware that the security of sensitive ERP data is a high priority, especially with the rise in data privacy regulations such as CCPA, there will be a rise in Chief Data Officer roles as well as a shift in the role of CIOs from a focus on systems to a focus on data. This shift will cause many challenges, though, as the majority of CIOs do not specialize in the systems aspect of ERP. Yet the rise in data-centric compliance initiatives, as well as the deployment of fundamental security tools such as multi-factor authentication and SSO across the enterprise, will ease the transition from a systems-centric CIO to a data-centric CIO.

Additionally, from an organizational perspective, we can expect more CIOs and CISOs at the board level as organizations continue to mature, invest further in security, and understand the varying operational budgets.

In the coming year, we can expect more enterprises adopting privileged access management (PAM) as a key IT security project, as well as effective access controls, due to heightened third-party risk

PAM is the first, fundamental level of data protection, privacy and compliance where logging and auditing are concerned, and with more and more data privacy regulations on the horizon, PAM will become a key IT security project in the coming year. Additionally, given that the majority (83%) of organizations engaging third parties to provide business services identified risks, organizations must hold all third parties to greater liability in 2020 and bind them contractually to data-protection protocols in the event of a breach.

Users will increasingly demand ERP access beyond their corporate networks; core transactions will need to face the open internet

As organizations continue to make (and demand) employees be more productive, employees will (in turn) insist that their ERP transactions are available from any location, at any time. In order to maintain high levels of security, ERP transactions have traditionally been available (only) behind corporate firewalls. However, this model immediately causes user push-back, especially as more organizations rely on mobile workforces to scale and keep business running in the coming years. When enterprises insist that employees only execute their ERP transactions when they have access to a corporate network, users will inevitably avoid it which will cause increased strain on an organization across functions.

Therefore, in 2020, we can expect more organizations to invest in solutions that focus on enhancing access controls and logging. More and more organizations will begin to understand the importance of expanding access as a table stakes initiative as productivity requirements shift, demanding users to be as mobile as possible.

What are your ERP security and compliance goals for 2020?

The security experts at Appsian would love to help ease the journey toward a fully secure and compliant ERP system. Email us at info@appsian.com to learn how we do it!


Security, Tips and Techniques

Why Adaptive Multi-Factor Authentication (MFA) is the Key to Strict ERP Security – Without Causing User Friction

By Scott Lavery • November 14, 2019

Cats & dogs, oil & water…

Apparently, these groups don’t get along. You can definitely add Security Admins & Business Users to that list. The reasons are (sort of) obvious, but only if you point them out. Simply put, one group restricts access and the other group demands access. I understand this is an over-simplification. At the end of the day, if user or corporate data is compromised, everyone gets upset. However, from a tactical standpoint, these two groups are trying to accomplish goals simultaneously and inevitably get in each other’s way.

The friction between business users and security policies typically occurs during the authentication process. For example, when a user is asked to enter login credentials or go through an MFA challenge. While this may seem innocuous, it should be noted that friction (over time) builds and builds – and if a user does not see the benefits in the extra authentication step(s), they are likely to abandon whatever business transaction they’re trying to access. And, abandonment certainly does not promote productivity!

…and herein lies the true conflict between security and productivity

Securing data that resides in ERP applications has all the makings of a classic conflict between security and business user productivity. All the security focus is on login screen authentication – and traditional, on-premises ERP applications (SAP, PeopleSoft, Oracle EBS) are filled with sensitive data with limited ways to implement fine-grained controls. The result is that Security Admins have no choice but to be overly strict with their security policies (ex. requiring MFA at each login) – causing users to push back and possibly abandon critical business transactions.

This is where Appsian comes in… enabling adaptive multi-factor authentication (MFA)

Appsian enables organizations to implement adaptive, data-centric ERP security policies. Meaning, if fine-grained control is what you’re looking to accomplish – then, Appsian gives you the ability to align specific security policies to specific data elements/transactions. Being specific mitigates user friction, and here is why…

Not all sessions/transactions are risky

Question: Should you have to pass an MFA challenge if you’re working on your company-issued computer and logged on to your corporate network? What is the likelihood the context of that access is fraudulent?

Users appreciate when risk level aligns with security measures

Users don’t like their data compromised either, and when they are executing transactions that are deemed ‘high risk’ (ex. change direct deposit, update benefits, update W-4) a user should expect stepped-up security challenges.
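The adaptive step-up logic described in this post and in the passwordless PeopleSoft post above (challenge on unfamiliar device or location, access outside business hours, and on high-risk transactions such as direct deposit, benefits or W-4 changes), as an added example that is not Appsian's policy engine or any product's code. Corporate network ranges, weights, the threshold and the transaction names are assumptions; the returned reasons are meant to be written to the session log so a challenge can be explained later.

```python
"""Adaptive step-up decision: challenge only when session context or the
transaction carries risk. Added illustration; networks, weights, threshold and
transaction names are assumptions, not any vendor's policy."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time, assumption
# Transactions the post calls high risk: direct deposit, benefits, W-4.
HIGH_RISK_TRANSACTIONS = {"CHANGE_DIRECT_DEPOSIT", "UPDATE_BENEFITS", "UPDATE_W4"}
STEP_UP_THRESHOLD = 3


@dataclass(frozen=True)
class Session:
    user: str
    src_ip: str
    device_id: str
    known_devices: frozenset  # devices this user has previously enrolled
    country: str
    home_country: str
    started_at: datetime


def risk_signals(s: Session, transaction: str) -> list[tuple[str, int]]:
    """Return (reason, weight) pairs; the reasons double as audit-log context."""
    signals = []
    if not any(ip_address(s.src_ip) in net for net in CORP_NETWORKS):
        signals.append(("off-corporate-network", 2))
    if s.device_id not in s.known_devices:
        signals.append(("unfamiliar-device", 2))
    if s.country != s.home_country:
        signals.append(("unfamiliar-location", 3))
    if s.started_at.hour not in BUSINESS_HOURS:
        signals.append(("outside-business-hours", 1))
    if transaction in HIGH_RISK_TRANSACTIONS:
        # Weighted at the threshold so a sensitive transaction always steps up,
        # even from a trusted device on the corporate network.
        signals.append(("high-risk-transaction", STEP_UP_THRESHOLD))
    return signals


def requires_step_up(s: Session, transaction: str) -> tuple[bool, int, list[str]]:
    """Decide whether to issue an MFA challenge. Returns (challenge, score, reasons)."""
    signals = risk_signals(s, transaction)
    score = sum(weight for _, weight in signals)
    return score >= STEP_UP_THRESHOLD, score, [reason for reason, _ in signals]


if __name__ == "__main__":
    office = Session("u1", "10.1.2.3", "laptop-1", frozenset({"laptop-1"}),
                     "US", "US", datetime(2020, 5, 7, 10, 0))
    print(requires_step_up(office, "VIEW_PAYSLIP"))           # no challenge
    print(requires_step_up(office, "CHANGE_DIRECT_DEPOSIT"))  # challenge
```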

When security aligns to the context of access – security and business policies live in harmony!

It’s corny, but it’s true. By aligning security to specific data elements and transactions, business processes and security policies become aligned and everyone gets what they want. Users are only challenged when necessary, and Security Admins can feel their policies are properly focused.

Users can be fully productive and feel confident their data is safe and secure. True love!

Want to learn more about implementing adaptive MFA for ERP systems? Then Let’s Talk!


Tips and Techniques

California Consumer Protection Act (CCPA) – Do You Have an Action Plan for your ERP?

By Scott Lavery • October 24, 2019

CCPA – A Quick Review

CCPA takes effect on January 1, 2020. The spirit of CCPA revolves around consumers taking back control of their personal information – pushing data privacy to the forefront. According to the regulation, California citizens will have the right to know what personal data (PII) has been collected by a business. Consumers also have the right to say ‘No’ to the sale of their information and to delete all data that an organization owns (related to them). Once CCPA comes into effect, consumers can file lawsuits against companies for breaches.

After being implemented (on Jan 1, 2020), CCPA will also have a Look Back period – organizations will need to disclose how they have been collecting, using, storing, and sharing data over the past year. 

Consequences of Non-Compliance

In the case of non-compliance, organizations run the risk of facing hefty fines. CCPA imposes up to $2,500 per unintentional violation and $7,500 per each intentional violation. 

Preparing your ERP for CCPA in (2) Steps

To ensure compliance and avoid high penalties, organizations need to have additional mechanisms in place. Here are a couple tactical strategies organizations should consider to prepare their ERP systems for the 1/1/2020 deadline:

1. Enhance Visibility into User Activity

CCPA requires organizations to have complete visibility into how their data is obtained, used, stored, and shared with third parties. Note the term: used. To achieve detailed visibility around data usage, organizations need to adopt a robust, real-time logging strategy. Logging user information (such as date of access, UserID, IP address, device, location of access, etc.) is crucial for understanding how data is being used within your organization.

Traditional ERP systems like PeopleSoft, SAP ECC and Oracle EBS do not provide this level of granularity. It is recommended that logging enhancement tools be scoped, as actionable insights that highlight who viewed what data field(s) are currently a blind spot inside these systems.

Logging data can be leveraged inside a SIEM to provide trends and analytics – making audit practices more efficient.

2. Prevent Unnecessary Data Exposure for High Privilege Users

Today, CIOs all over the country are leading efforts to define what constitutes PII, identifying where it resides and furiously writing policies to restrict access. When it comes to ERP systems, the static rules that govern access and data exposure can be limiting – this is especially true when it comes to the ability to mask or redact data fields.

User-centric vs. data-centric

Use Case: Should PII, like a user’s social security number, be visible even to high-privilege users? Is there a ‘business process’ reason for that (or any personal info: marital status, home address, health insurance info, etc.) to be accessible by anyone except the individual who owns that PII?

These scenarios are difficult to manage in ERP systems because roles and privileges are user-centric, not data-centric. The distinction: a user-centric role says a person (or, in most cases, a group) can view something under any circumstances, whereas data-centric means the nature of the data defines the access. People (and roles) may come and go, but the data remains the centerpiece of the policy.

Having the ability to mask any data field (via a data-centric policy) is the best way to ensure that access to PII is limited to only the strictest of circumstances. After all, the principle of least privilege dictates that a user should only access what’s truly necessary. Having your data exposure defined by static user roles (and not the data itself) will inevitably lead to compliance problems.
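The two steps above, worked together as an added example (not Appsian's code and not how PeopleSoft, SAP or EBS expose fields): a field's classification, not the reader's role, decides whether a value is shown or masked, and each read is logged with the context fields step 1 lists (date, UserID, IP, device, location) so the log can be rolled up the way the dashboard below does. Field classifications, user IDs and values are constructed.

```python
"""Data-centric field masking with per-read audit logging. Added illustration;
field classifications, users, IPs and values are constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Data attribute: classification per field. Unknown fields are treated as PII
# so that a newly added field fails closed until it is classified.
FIELD_CLASS = {
    "SSN": "PII", "HOME_ADDRESS": "PII", "MARITAL_STATUS": "PII", "HEALTH_PLAN": "PII",
    "JOB_TITLE": "INTERNAL", "DEPT_ID": "INTERNAL",
}


@dataclass(frozen=True)
class ReadContext:
    user_id: str      # who is reading
    emplid: str       # whose record is being read (the data subject)
    ip: str
    device: str
    location: str
    roles: frozenset  # recorded for the log; it does not unlock PII


def mask(value: str, keep: int = 4) -> str:
    """Redact all but the last `keep` characters."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def read_field(ctx: ReadContext, field: str, value: str, audit: list[dict]) -> str:
    """Apply the data-centric policy and append an audit record. PII is shown in
    full only to the data subject; everyone else, admins included, gets the mask."""
    classification = FIELD_CLASS.get(field, "PII")
    if classification == "PII" and ctx.user_id != ctx.emplid:
        decision, shown = "MASKED", mask(value)
    else:
        decision, shown = "ALLOW", value
    audit.append({
        "date": datetime.now(timezone.utc).isoformat(),
        "user_id": ctx.user_id, "ip": ctx.ip, "device": ctx.device,
        "location": ctx.location, "subject": ctx.emplid, "field": field,
        "class": classification, "decision": decision,
    })
    return shown


def pii_access_by_user(audit: list[dict]) -> Counter:
    """Dashboard roll-up: PII read attempts (masked or not) per user ID."""
    return Counter(r["user_id"] for r in audit if r["class"] == "PII")


def sensitive_access_by_ip(audit: list[dict]) -> Counter:
    """Dashboard roll-up: PII read attempts per source IP."""
    return Counter(r["ip"] for r in audit if r["class"] == "PII")


if __name__ == "__main__":
    log: list[dict] = []
    admin = ReadContext("admin1", "00001", "198.51.100.7", "wks-7", "Dallas", frozenset({"HR_ADMIN"}))
    print(read_field(admin, "SSN", "123456789", log))   # masked despite the admin role
    print(pii_access_by_user(log))
```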

Conclusion

Once an organization goes through the process of locating and defining their PII – the true compliance efforts begin! The (2) steps above provide helpful framing around how an organization should approach tactical ERP data compliance strategies. And Appsian can help!

CCPA and GDPR are the beginning of a series of compliance mandates expected to follow. Several states in the U.S. are drawing up their own mandates for data privacy. It’s a given that visibility into ERP data access is no longer an option but a necessity. Contact us to learn how you can fast track your preparation for compliance by enhancing your visibility and applying a data-centric ERP compliance framework.

Example CCPA Analytics Dashboard (powered by Appsian)
Use Cases Highlighted: PII access volume (by User ID) and Sensitive data access volume (by IP)


Tips and Techniques

Evaluating a PeopleSoft Single Sign-On (SSO) Solution: 6 Questions to Ask your Vendor

By Scott Lavery • September 6, 2019

Single Sign-On (SSO) solutions have emerged as the gold standard in identity management. While poor password practices continue to prevail, the effectiveness of the ‘username and password’ as the main authentication model has deteriorated.

Password management can be a nightmare for IT, as it reduces department productivity and increases service costs. However, SSO solutions allow administrators to centralize identity management, as end-users utilize a single set of credentials to access every enterprise application.  

Establishing an SSO for PeopleSoft 

PeopleSoft applications are a vital part of an organization’s enterprise architecture, and unfortunately, integrating PeopleSoft into an enterprise SSO can present challenges. This has led administrators to look to the market for help – and as you evaluate an SSO solution for PeopleSoft, you should ALWAYS ask these 6 questions. The answers will be the difference between project success and failure:

How does your product interact with PeopleSoft?   

To successfully implement an SSO solution, organizations first need to integrate all applications with a centralized identity provider. Most popular identity providers (Microsoft Azure Active Directory, OKTA, etc.) use SAML – the open federation standard that allows identity providers (IdPs) to communicate with enterprise applications.

Many off-the-shelf SSO vendors claim to support PeopleSoft. However, they ignore the fact that PeopleSoft applications do not natively support SAML. With a conventional SSO solution, PeopleSoft applications are likely to stay alienated from the rest of the organization’s business applications. Organizations must ensure that their SSO provider addresses the SAML problem upfront, or it can lead to a ripple of problems with the implementation (ex. inflated budget, timelines, complexity, etc.).

Is there a need for customizations?   

Uniquely for PeopleSoft, most SSO providers are required to build an extensive framework of customizations. Customizations demand extra resources and prolong the implementation timeline – thus increasing the project liability. Even then, custom SSO solutions can be insecure, fragile, lack functionality for some transactions and be prone to problems that are difficult to troubleshoot. Moreover, building and maintaining a customized framework requires both coding and PeopleTools expertise – a rare skill combination. Alternatively, PeopleSoft customers can seek a configurable SSO based on logic workflows built outside of PeopleCode.

Are there additional hardware/server requirements?   

In most cases, organizations will be required to purchase additional hardware to support the customizations designed to simulate communication between PeopleSoft and their respective Identity Provider. The procurement of new infrastructure (reverse proxy servers) is not ideal and can result in unexpected project budget overruns. 

Does the solution support deep embedded links? 

One of the primary benefits of an SSO solution is allowing users to bypass login with the use of deep links or embedded links. These links, when sent to a user, can take them to a specific transaction using the previously authenticated SSO session. Thus, saving time and increasing user satisfaction and productivity. However, most off-the-shelf SSO providers don’t support this functionality. With increasing remote access on mobile devices, deep-link navigation can be important to usability and engagement. For instance, a user can go straight to an intended transaction by following a link (sent via email, text, etc.) even if they are required to authenticate an SSO session on a device they don’t use frequently.  

How does the solution impact PeopleTools Lifecycle Management? 

PeopleSoft’s native functionality is continuously evolving with every single image released via the PeopleSoft Update Manager (PUM). These updates include frequent changes in the authentication model, which means that a customized solution would demand excessive upgrade and alteration with each update. The constant need for upkeep can adversely affect the adequate use of customer resources and time, making room for an increased scope of errors and subsequent troubleshooting. 

What if we decide to switch an ID provider? 

One of the most important decisions organizations need to make while choosing an SSO solution is how easily it adapts if and when they decide to switch IdPs. Ideally, organizations should look for a configurable SSO instead of a coded (customized) one. The reason: when an organization plans to switch to a new identity provider, a custom solution would require building a whole new integration framework. A custom SSO can therefore prove tedious and time-consuming, unlike a configurable SSO that allows a seamless switch.

Appsian’s PeopleSoft SSO Connector  

Designed to create a simple, extensible, and easy-to-maintain approach to the implementation of modern authentication, Appsian’s PeopleSoft SSO Connector is the only turnkey solution for native SAML-compatibility in PeopleSoft – enabling customers to:

  • Leverage existing investment in SSO solutions with PSFT 
  • Authenticate PSFT sessions via SAML-based Identity Providers 
  • Access PeopleSoft via deep link navigation  
  • Support multiple IdPs concurrently 
  • Deploy SSO for PeopleSoft in as few as 7 days 
  • Implement without additional hardware or custom coding 

To learn more, Request a Demo with a PeopleSoft security expert or write to us at info@appsian.com 


Tips and Techniques

How to Make ERP Compliance Audits Cheaper and Faster

By Scott Lavery • August 20, 2019

Organizations are facing growing challenges in meeting the data privacy compliance requirements associated with mandates like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which takes effect in 2020. Apart from these, several U.S. state-specific regulations are expected to go into effect in the coming months.

The impact of these regulations is significant. Organizations must now keep track of where and how they obtain personally identifiable information (PII), from the moment they obtain it through the end of its retention period. They are also required to maintain records of data processing, consent forms and many other documents. All of these factors are naturally increasing the time needed to successfully complete an audit, while new mandates are simultaneously reducing the time allotted to complete it. This new regulatory environment is putting pressure on organizations to find new strategies for managing and reporting on PII access and usage. Needless to say, PII that was once gathered with precision and coveted as a valuable asset has now become a liability with a distinct holding cost.

Are companies truly equipped to handle Data Privacy Compliance requirements?

The answer is no. Recently, many companies have come under fire for data breaches.

Marriott is facing a hefty fine of $123 million for a data breach in 2018. British Airways also faces a $230 million fine under GDPR for weak data security policies that resulted in a breach. While this amounts to 1.5% of British Airways’ annual revenue, regulatory fines can go up to 4% of an organization’s annual revenue.

How to Manage ERP Audits when the Deck is Stacked Against You  

Traditional, on-premise ERP systems were not built with logging capabilities that aligned to understanding PII usage. Logs were meant to troubleshoot, find system errors and ensure applications were running properly. The PII inside the system was not a factor and understanding access and usage was irrelevant.

Now that organizations are forced to perform audits more frequently and more precisely, using ERP systems that require the triangulation of multiple reports (exponentially increasing audit times) just to get a basic understanding of usage, the overall cost of an audit has skyrocketed.

ERP Compliance Audits Can Actually be Cheaper and Faster than Once Believed

With this new data regulatory landscape in mind, organizations must enhance their audit capabilities by turning their attention to logging strategies dedicated to data usage, not just system performance.

Appsian’s Security Platform for PeopleSoft and SAP takes data access into account by adding granular logging capabilities that track user behavior and data access, then aggregates trends into easy-to-consume analytics dashboards. It is designed to provide the same snapshot of usage that once took weeks to aggregate manually with traditional logging capabilities, but with Appsian takes a matter of minutes.
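To make the difference between performance logging and data-usage logging concrete, the example below takes a handful of data-access events and produces the per-user view an auditor actually asks for (who read which sensitive fields, how many rows, and which reads were bulk). This is an added illustration, not Appsian's code; the event format, the field names, the log lines and the bulk threshold are all constructed for the example.

```python
"""
Summarising PII access events for an audit.

Added illustration, not Appsian's code. It assumes a generic data-access
event record (timestamp, user, PeopleSoft component, sensitive field, rows
returned); real products log different fields. The sample lines are
constructed. The point is the shape of the report: who touched which
sensitive fields, how many rows, and which accesses were bulk reads that an
auditor should look at first.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample log: timestamp|user|component|pii_field|rows_returned
SAMPLE_LOG = """\
2019-08-19T09:02:11|hr_clerk1|PERSONAL_DATA|NATIONAL_ID|1
2019-08-19T09:04:40|hr_clerk1|PERSONAL_DATA|BIRTHDATE|1
2019-08-19T09:15:03|payroll_adm|PAYCHECK_DTL|BANK_ACCT_NUM|1
2019-08-19T13:45:59|report_user|QUERY_VIEWER|NATIONAL_ID|4800
2019-08-19T13:46:30|report_user|QUERY_VIEWER|BIRTHDATE|4800
2019-08-19T14:01:12|hr_clerk1|PERSONAL_DATA|NATIONAL_ID|1
"""

# Rows returned in one access above which the event is flagged as a bulk read
# (assumed threshold; tune it to the population size of the system).
BULK_THRESHOLD = 1000


def parse_events(text: str) -> List[dict]:
    """Parse pipe-delimited event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, component, field, rows = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "component": component,
            "field": field,
            "rows": int(rows),
        })
    return events


def summarize_by_user(events: List[dict]) -> Dict[str, dict]:
    """Per-user view: accesses, rows, distinct fields/components, bulk count,
    and the time window of activity."""
    summary: Dict[str, dict] = {}
    for e in events:
        s = summary.setdefault(e["user"], {
            "accesses": 0, "rows": 0, "bulk_accesses": 0,
            "fields": set(), "components": set(),
            "first": e["ts"], "last": e["ts"],
        })
        s["accesses"] += 1
        s["rows"] += e["rows"]
        s["fields"].add(e["field"])
        s["components"].add(e["component"])
        if e["rows"] >= BULK_THRESHOLD:
            s["bulk_accesses"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    # Sorted lists are easier to put in a report (and to compare) than sets.
    for s in summary.values():
        s["fields"] = sorted(s["fields"])
        s["components"] = sorted(s["components"])
    return summary


def bulk_access_findings(events: List[dict]) -> List[dict]:
    """The events an auditor should review first: single accesses that
    returned at least BULK_THRESHOLD rows, oldest first."""
    flagged = [e for e in events if e["rows"] >= BULK_THRESHOLD]
    return sorted(flagged, key=lambda e: e["ts"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, s in summarize_by_user(evs).items():
        print(f"{user:12} accesses={s['accesses']:3} rows={s['rows']:6} "
              f"bulk={s['bulk_accesses']} fields={','.join(s['fields'])}")
    for f in bulk_access_findings(evs):
        print(f"BULK {f['ts'].isoformat()} {f['user']} {f['component']} "
              f"{f['field']} rows={f['rows']}")
```

Note what a system-performance log could not answer here: the two QUERY_VIEWER reads by report_user are unremarkable as transactions (two successful queries), but as data-usage events they are 9,600 rows of national IDs and birth dates and belong at the top of the audit review list.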

With Appsian, your ERP audit strategies can now scale to match the time and resource allocation demanded by new and upcoming data privacy mandates. And because these strategies can be integrated into traditional ERP systems that may at one time have been viewed as an audit liability, the life of your legacy ERP system can be extended, maximizing your ROI and avoiding an expensive and resource-draining rip-and-replace project.

To learn more about Appsian and how our Security Platform can help your organization prepare for data compliance audits, Contact Us.


Tips and Techniques

PeopleSoft RECONNECT 19 Recap: Fluid Remains the HOTTEST Topic

By Scott Lavery • August 2, 2019

As the premier deep-dive PeopleSoft-focused event of the year, PeopleSoft Reconnect (presented by Quest Oracle User Group) has always touted itself as “created for PeopleSoft users… by PeopleSoft users.” This year’s conference (held in Rosemont, Illinois) did not disappoint.

Appsian was proud to be a conference sponsor and to provide content, as our PeopleSoft User Experience experts presented sessions on improving PeopleSoft Security and Creating a Modern User Experience Across all PeopleSoft versions. The sessions were hugely successful, with an estimated 75% of conference attendance. During the sessions, many of the questions pertained to security concerns and meeting user experience expectations, as organizations continue to upgrade to PeopleSoft 9.2 and adopt Fluid UI, all in service of staying on Oracle support and maximizing their current ERP investment.

According to Scott Hirni, Director of User Experience Strategy and Solutions at Appsian (who has previously worked with PeopleSoft for 18+ years), “Fluid adoption and on-going enablement was among the top concerns for attendees.” While Fluid adoption is a top project in the PeopleSoft community, it was clear that not all PeopleSoft customers are able to leverage Fluid to its full potential.

Here are a few observations:

  • 75% of organizations we spoke to at RECONNECT haven’t attempted to roll out Fluid – despite being on version 9.2
  • 25% have started, but have required ongoing guidance
  • Most attendees expressed that they were in the process of identifying the key business drivers for implementing Fluid
  • Many questions arose about what to do with existing customizations while implementing Fluid

Inspired by Scott’s presentation at RECONNECT 19, here’s a quick look at the roadmap for customers looking to roll out Fluid.

  • Identify business drivers, i.e., key functional areas that need optimization and would benefit from a Fluid implementation project
  • Review the list of already delivered Fluid screens and Classic retirement dates to prioritize rollout accordingly
  • Assess the version prerequisites for handling your existing PeopleSoft customizations
  • Prepare for UX changes and user adoption challenges that come with the new UI

The bottom line is, Appsian absolutely recommends upgrading to 9.2 and adopting Fluid as the best way to fully leverage your PeopleSoft investment. Staying current with Oracle maintenance and embracing the many advantages that come with a 9.2/Fluid adoption are critical, but we certainly understand that large-scale projects come with uncertainty and questions. With that in mind, Appsian has developed a strategic UX transformation plan that helps PeopleSoft customers analyze their business needs and assess how Fluid UI can help achieve their efficiency goals.

Not sure where to start? Leverage Appsian’s FREE PeopleSoft Fluid Assessment that includes:

  • Complimentary Onsite Workshop
  • Strategic Analysis/Transaction/Use Case Mapping
  • Fluid Rollout Plan
  • Business/Institutional Alignment

To claim your FREE Fluid assessment, you can also write to us at info@appsian.com
