Workday versus PeopleSoft: Which One to Choose?

The HR and Finance software market is witnessing tough competition among players big and small. PeopleSoft and Workday, both leaders in the segment, compete hard for the future market: each fights to win market share and to raise its features to the highest possible standard.

Both are good choices, each with its dedicated client base, and each brings a lot of efficiency and effectiveness into the system when adopted. Both deliver robust, end-to-end HR and Finance solutions. Both PeopleSoft and Workday are designed to standardize business processes and to improve organizational competitiveness.

Both PeopleSoft and Workday have established themselves in creating next-generation, cloud-based, enterprise-grade technology. Implementing PeopleSoft ERP or Workday can remove the upfront cost and ongoing maintenance costs inherent in conventional software implementations.

Workday and PeopleSoft: The Similarities

Both are major players in the market for HR and Finance software. PeopleSoft ERP is software from Oracle, a global market leader in enterprise technology; Oracle's emphasis on integrated systems has helped it become one of the most innovative and comprehensive business software providers worldwide. Workday, too, is known as a thought leader in the industry. The two are always competing for a bigger market share.

Workday and PeopleSoft: The Differences

Let’s explore how distinct they are from each other.

Updates & Deployment

One of the main differences between the Workday and PeopleSoft applications is the deployment options. Workday is designed primarily for the cloud, so every customer runs the latest version of the application because software updates are completed automatically. Another great advantage of Workday is that it has invested in technology partnerships to extend its native integration offerings, which can connect its services to Slack, Salesforce, and many other business resources.

PeopleSoft also offers deployment in the cloud, but on-site and private cloud implementations must be purchased. While PeopleSoft releases updates regularly, users select the updates they want to run; updates are not applied automatically. This selective model helps users monitor their updates and manage them effectively.

The Differences in CRM

The PeopleSoft CRM is built on Oracle technology and is tightly intertwined with the other PeopleSoft management applications. It can be tailored to customers’ requirements to fit the manufacturing, marketing, or service sectors. The CRM also includes business process management tools that let users set up orders and workflows easily and automate processes.

Workday has an agreement with cloud computing pioneer Salesforce to provide native integrations through the Salesforce Service Cloud.

Analytics and Reporting

PeopleSoft has integrated analytics into all its applications, delivering analytical data to users, but PeopleSoft’s analytics are limited to internal data. Workday’s analytics tool, on the other hand, offers access to external data sources and creates analytical reports inside Workday. This is one of the software’s salient features.

User Interface

User interface is an aspect where Workday’s intuitive design is at its best. It is built on a modern architecture and fitted with an excellent web user interface. Workday has worked hard to give its users a seamless experience across smartphone, tablet, and desktop views. The user interface is designed to incorporate the latest designs without getting in the way of the core features.

PeopleSoft has implemented the Fluid User Interface. Moving from a desktop application to a responsive, mobile-ready environment is challenging, but PeopleSoft managed it by educating users on the new UI. This move was inevitable, and it helped make PeopleSoft a market leader in the cloud-based computing niche.

Conclusion

Both PeopleSoft and Workday deliver the best available software applications to their customers. The choice depends on the customer’s requirements and the vertical (HR or Finance) for which the application is to be installed.

Securing ERP Data From Application Vulnerabilities: A Multi-Layered Security Approach

Securing your SAP and Oracle ERP data has become extremely important. Cybercriminals have been exposing many vulnerabilities through application misconfigurations, and this has become more common as criminals find ways to covertly penetrate applications and gain access to thousands of employee records.

In December 2019, this situation happened to Microsoft. It was a human error. But these kinds of misconfigurations and human errors are one of the ways hackers can gain a foothold in your SAP or PeopleSoft ERP framework. The question now is, how can you secure your data after your perimeter protections have been side-stepped by an attacker?

Misconfigurations: Fastest Growing Security Risk

Misconfiguration errors (failure to enforce all security controls) are up 4.9 percent from last year’s report, according to the 2020 Verizon Data Breach Investigations Report, and reflect the fastest-growing risk to web applications. It is easy to apply this form of risk to legacy ERP systems because SAP and PeopleSoft ERP environments often consist of millions of custom-coded lines and custom-built components that interact with each other and with external systems via various APIs and time-bound interfaces.

In addition, you are dealing with a multitude of changes to roles, access controls, configurations, and compliance policies to accommodate new business processes and changing data privacy rules. If organizations do not evaluate and track the underlying security consequences of all these shifts and movements, they are sure to face similar situations.

Lastly, many companies don’t keep up with system updates and security patches. According to the Data Breach Investigations Study, just half of vulnerabilities are patched within three months of detection, leaving businesses exposed to attacks using established exploits.

Adopting A Multi-Layered ERP Data Security Approach

The rising complexity of environments such as SAP and PeopleSoft makes securing ERP data a significant challenge. To avoid inadvertent exposure through misconfiguration, businesses should follow a multi-layered security strategy with dynamic security tools that track user access in real time and offer clarity about what data is accessed and by whom.

This multi-layered approach involves masking sensitive data, verifying identity through multi-factor authentication (MFA), and enhanced logging and analytics. Data security solutions exist that integrate these protection layers into your ERP system, so that when an intruder strolls past your perimeter defenses because of a misconfiguration, your data is still secured.

Dynamic Data Masking: This sets out contextual masking policies that respond to the access context. If someone tries to access sensitive data fields but does not match essential attributes such as user ID, privilege, device, location, or IP address, the field is subject to absolute masking, partial masking, click-to-view masking, or complete redaction.

Adaptive MFA: This makes contextual attributes (e.g., system, network, location) the deciding factors for issuing MFA challenges. For example, an organization may require an MFA challenge when a user account accesses the system from a remote IP address or after business hours.

Enhanced Logging and Analytics: This feature lets you monitor the network for suspicious behavior and provides comprehensive insight into how, when, and by whom data fields and transactions are accessed. This visibility is especially critical for recognizing high-privilege users who are accessing pages they should not. Improved logging tracks every page a user accessed during a session, helping to detect a possible intrusion. SAP and PeopleSoft ERP customers did not have this sort of real-time visibility into data access and usage before.
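The contextual masking and adaptive MFA layers described above, as an added worked example (not Appsian’s product code or any PeopleSoft/SAP API); the corporate network range, business hours, managed device list, home country and sensitive field names are constructed assumptions. The same attribute-based decision also underlies the context-based controls and adaptive MFA discussed in the later sections on ERP data security measures and mobile access.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline for a hypothetical organization (assumption, not from the page):
# what a request is compared against to decide how much of a sensitive field to show.
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 local time
MANAGED_DEVICES = {"WS-1001", "WS-1002"}
HOME_COUNTRY = "US"
SENSITIVE_FIELDS = {"ssn", "bank_account", "salary"}


@dataclass
class AccessContext:
    user_id: str
    privilege: str      # "standard" or "high"
    device_id: str
    country: str
    source_ip: str
    when: datetime


def mask(value: str, level: str) -> str:
    """Apply one of the masking levels named in the text."""
    if level == "none":
        return value
    if level == "partial":            # keep only the last four characters
        return "*" * max(len(value) - 4, 0) + value[-4:]
    if level == "click_to_view":      # hidden until the user explicitly requests it
        return "[click to view]"
    if level == "redact":             # field removed from the response entirely
        return "[REDACTED]"
    raise ValueError(f"unknown masking level: {level}")


def matched_attributes(ctx: AccessContext) -> int:
    """How many of the expected attributes the request matches (0-4)."""
    checks = (
        ipaddress.ip_address(ctx.source_ip) in CORPORATE_NET,
        ctx.device_id in MANAGED_DEVICES,
        ctx.country == HOME_COUNTRY,
        ctx.when.hour in BUSINESS_HOURS,
    )
    return sum(checks)


def masking_level(field_name: str, ctx: AccessContext) -> str:
    """The more attributes that do not match, the stronger the masking."""
    if field_name not in SENSITIVE_FIELDS:
        return "none"
    return {4: "none", 3: "partial", 2: "click_to_view"}.get(matched_attributes(ctx), "redact")


def requires_mfa(ctx: AccessContext) -> bool:
    """Adaptive MFA: step up for a remote IP, after-hours access, or a
    high-privilege account on an unmanaged device."""
    remote = ipaddress.ip_address(ctx.source_ip) not in CORPORATE_NET
    after_hours = ctx.when.hour not in BUSINESS_HOURS
    risky_admin = ctx.privilege == "high" and ctx.device_id not in MANAGED_DEVICES
    return remote or after_hours or risky_admin


def render_record(record: dict, ctx: AccessContext) -> dict:
    """Return the record as this requester is allowed to see it."""
    return {f: mask(v, masking_level(f, ctx)) for f, v in record.items()}


# Constructed sample contexts and employee record used to exercise the policy.
TRUSTED = AccessContext("jdoe", "standard", "WS-1001", "US", "10.20.5.7", datetime(2020, 6, 1, 10, 0))
AFTER_HOURS = AccessContext("jdoe", "standard", "WS-1001", "US", "10.20.5.7", datetime(2020, 6, 1, 22, 0))
REMOTE = AccessContext("jdoe", "high", "BYOD-77", "DE", "203.0.113.9", datetime(2020, 6, 1, 23, 0))
EMPLOYEE = {"name": "Jane Doe", "ssn": "123456789", "salary": "85000"}
```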

Microsoft’s recent data breach due to misconfiguration highlights the value of a security policy that continually checks for misconfigurations and compliance breaches. Enterprises should deploy a multi-layered security strategy that prevents unauthorized access to data and gives organizations the ability to detect access patterns that may indicate incorrect access controls.

Misconfigurations are a common mistake and should be handled by security professionals with the same urgency and commitment as their perimeter network. Not all attacks are external, after all.

Tips to Protect ERP Data When Moving to the Cloud

Aptly known as a company’s ‘crown jewels’, ERP data holds the most valuable information about a company, storing and transacting data related to inventory, customers, budgets, sales, payroll, and so on.

ERP systems have many vulnerabilities that make them prone to cyberattacks. This is precisely why there is so much discussion these days about data privacy and ERP data security, particularly for companies migrating from on-premises to cloud-based ERP systems.

ERP Data Security: Important Issues

Companies are migrating their ERP systems to hyperscalers (AWS, for example), vendor-specific clouds, or hosting providers. But security departments are concerned with ERP security questions such as who has access to their data once the systems have migrated. When ERP moves to the cloud, most development instances are a complete copy of production, including all of its sensitive data. Many organizations are trying to change this.

Shifting to the Cloud: Concern Areas

In most instances, the cloud vendor runs all the hardware and software and administers all the applications, so it has access to all of its clients’ data. This is a precarious situation for data privacy and data security.

Some organizations are very apprehensive about switching to the cloud because of specific worries about ERP data security. They don’t want all private, confidential data in an environment they do not fully control. So we’re witnessing a shift to data controls, whether multi-factor authentication (MFA) or data masking, particularly for accounts based on who can access what kind of data or whether it is private personal data. Layering many of those controls, particularly into the development stack, is observed to give better control over ERP security.

Sometimes ERP systems are mission-critical, and you have to think about disaster recovery and what happens if the network gets disconnected or destroyed. If you are on-site, you always have access to those devices; if it is in the cloud, you can’t get there. This implies a significant data security risk.

ERP systems pose significant challenges because it is generally not easy to define them and determine who has access to what information. Many ERPs are now metadata-driven applications, and you need to understand the metadata to truly understand what a user accesses. Because of the complex nature of ERPs, whether PeopleSoft or SAP, it is harder to grasp what people are doing.

Measures to Ensure ERP Data Security

Within the ERP framework, security needs to be context-based. Depending on how you use the software or how you access it, data must either be masked or multi-factor authentication must be stepped up. You can also monitor access to a specific transaction depending on where the user is located. These are precise, contextual, attribute-based controls integrated into the application, and they give control back to the organization. Most internet-enabled ERP applications are authenticated with only user IDs and passwords, so they are highly vulnerable if an attacker has those credentials. That is why phishing attacks succeed: the attacker gains access to the system and to all the roles and transactions the user can reach. This is where least-privilege access should be enforced when users come from an untrusted location: additional defense layers decide, through specific attributes, what someone will really be able to do, see, or edit.

How Does PeopleSoft Single Sign-On Work?

Single sign-on (SSO) is an Identity and Access Management (IAM) capability that allows users to authenticate securely with various websites and applications by signing in only once, with a single set of credentials (username and password). With a single sign-on solution, the app or website the user is trying to access relies on a trusted third party to ascertain that users actually are who they say they are.

Without Single Sign-On, how does authentication work?

Without a single sign-on solution, each website has its own user database and credentials. When you attempt to log in to an app or website, this is what happens:

1. First, the website checks to see if you are already authenticated. If you are, it grants you access to the site.

2. If you haven’t, it prompts you to log in and checks your username and password against the user database information.

3. After you log in, the site passes authentication verification data along as you move through the website, so that each time you visit a new page it can verify that you are already authenticated.

How does Single Sign-On function?

SSO authentication (e.g., PeopleSoft SSO) is based on a relationship of trust between domains (websites). When you attempt to log in to an app or website with single sign-on:

1. First, the website checks whether the SSO solution has already authenticated you, in which case it gives you access.

2. If you haven’t already logged in, it sends you to the SSO solution.

3. You enter the username and password you use for enterprise access.

4. The SSO solution requests authentication from your company’s Identity Provider or authentication system, which checks your identity and informs the SSO solution.

5. The SSO solution passes authentication data to the website and returns you to that domain.

6. After you log in, the site keeps passing authentication verification data as you move through it, verifying that you are authenticated every time you go to a new page.

The SSO solution verifies users’ identity with an identity provider, such as Active Directory.

Every new website checks with the SSO solution when the user tries to access it. Since the user has already been authenticated, the SSO solution confirms the user’s identity to the new site without requiring another login.

What constitutes a true SSO system?

It is essential to understand the difference between single sign-on and password vaulting, which is sometimes also called SSO. With password vaulting you may have the same username and password everywhere, but you must still enter them every time you move to another application or website. PeopleSoft single sign-on is a case in point.

With PeopleSoft single sign-on, for example, once you have logged in via the SSO solution you can access all company-approved applications and websites without logging in again. This includes both cloud and on-premises applications, which are frequently reached through a PeopleSoft single sign-on portal (also called a login portal). To provide such federated SSO, single sign-on solutions use a concept called federation.

Federated SSO: What does it mean?

SSO solutions using federation allow true single sign-on by taking advantage of the company’s identity provider (IdP), such as Microsoft Active Directory (AD) or Azure Active Directory (Azure AD). Usually, the identity provider acts as the authentication server and stores the user’s identity and information such as username, password, the domains the user has access to, and even the activities the user is permitted to perform on each site or within each app. Verifying the activities a user is allowed to execute is known as authorization.

For true SSO, either the SSO solution is integrated into the identity provider, or it uses one or more identity providers to authenticate the user.

Requests for authentication and information are passed using standard, secure protocols such as OAuth or SAML.
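The six-step SSO flow above, simulated end to end as an added example that is not PeopleSoft’s or any vendor’s code: a site with no local session hands the browser to the SSO solution, the SSO solution checks credentials against an identity provider once, and every site that trusts it then accepts a signed assertion without prompting again. The HMAC-signed assertion, the shared key, user names and passwords are constructed stand-ins for the SAML or OAuth exchange a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret between the SSO solution and the sites that trust it
# (assumption: a toy HMAC assertion standing in for SAML/OAuth).
SSO_KEY = b"constructed-demo-key"
ASSERTION_TTL = 300   # seconds an assertion stays valid


def make_user_db(plain: dict) -> dict:
    """Constructed directory contents: username -> sha256 hex of the password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in plain.items()}


class IdentityProvider:
    """Stands in for the company directory (e.g. Active Directory) that checks credentials."""
    def __init__(self, users: dict):
        self.users = users

    def verify(self, user: str, password: str) -> bool:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self.users.get(user, ""), digest)


class SSOService:
    """The SSO solution: one browser session, an assertion per site."""
    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.sessions = {}      # browser id -> username
        self.logins = 0         # how many times the user had to type credentials

    def authenticate(self, browser: str, user: str, password: str) -> bool:
        # Steps 3-4: the user enters enterprise credentials; the IdP checks them.
        if not self.idp.verify(user, password):
            return False
        self.sessions[browser] = user
        self.logins += 1
        return True

    def assertion(self, browser: str, audience: str) -> Optional[str]:
        # Step 5: a signed statement for one site, or None if the browser must log in first.
        user = self.sessions.get(browser)
        if user is None:
            return None
        claims = {"sub": user, "aud": audience, "exp": int(time.time()) + ASSERTION_TTL}
        body = json.dumps(claims).encode()
        sig = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


class Site:
    """A website that trusts the SSO solution instead of keeping its own password database."""
    def __init__(self, name: str, sso: SSOService):
        self.name, self.sso, self.sessions = name, sso, {}

    def verify_assertion(self, token: str) -> Optional[str]:
        b64body, b64sig = token.split(".")
        body = base64.urlsafe_b64decode(b64body)
        expected = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(b64sig), expected):
            return None                                   # forged or altered
        claims = json.loads(body)
        if claims["aud"] != self.name or claims["exp"] < time.time():
            return None                                   # meant for another site, or stale
        return claims["sub"]

    def access(self, browser: str) -> Optional[str]:
        if browser in self.sessions:                      # step 1: already authenticated here
            return self.sessions[browser]
        token = self.sso.assertion(browser, self.name)    # step 2: hand off to the SSO solution
        if token is None:
            return None                                   # the user must log in at the SSO solution
        user = self.verify_assertion(token)
        if user is not None:
            self.sessions[browser] = user                 # step 6: local session for later pages
        return user
```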

ERP App Behavior Monitoring: The Five Most Relevant Pieces of Information to Capture

Analytics has always been necessary to inform ERP data security policies. In this everybody-works-from-home scenario, with function leaders scrambling to achieve oversight and accountability, it has become more relevant than ever before. Businesses across the globe use applications such as PeopleSoft and SAP; therefore, strong ERP app management techniques are essential. With organizations embracing visibility solutions, what is the most relevant information to capture?

Capture Who, Where?

Flashback to the good old days of February 2020, when articles predicted that the trend of working from home, remote access to your ERP program, and transactions accessible over the internet would one day become the ‘new normal’. Ah, excellent times!

Then COVID-19 happened, and in a matter of days, remote work went from a growing trend to a hard reality. System administrators collaborated with managers to develop new or modified work-from-home policies that decide the who, what, when, where, and how of staff’s access to ERP data. Indeed, good times.

Let’s break down this information.

1. Who – Details of Users Accessing Data

Even if your user authentication methods are powerful (e.g., leveraging multi-factor authentication), you will still have security issues, particularly with high-privilege user accounts. Focusing your visibility efforts on high-privilege user activity lets you concentrate on the accounts that can cause severe damage when compromised or misused. For example, your organization may be global (with multi-country ERP access), but your high-privilege users may primarily reside near your home base. High-privilege access from outside this IP range may be an early sign of unauthorized activity.

2. What – Details of Data Accessed

What are the highly sensitive data fields you want to watch closely? Application-level logging fails to show exactly what a user has accessed. Ultimately, however, these details are the most important. If you don’t have visibility into precisely what a user has accessed, a significant part of the data security puzzle is missing.

3. Where – Location Where a User Accesses Data

Location can often be a leading indicator of unauthorized activity. This strategy can be expanded, especially if you operate in a vertical that typically does not require global access (e.g., higher education, healthcare, state and local government). Whether it is a sudden influx of authentication requests from China or a one-off access from a European country, location data is essential to ERP user monitoring.

4. When – Day and Time of Data Access

Due to stay-at-home orders, regular 9-to-5 working hours no longer apply when users (potentially) deal with kids or distractions. Introducing rules that limit transactions executed outside business hours is an agile way for organizations to improve oversight, but how can they enforce it at scale? Monitoring the hour of access, while not by itself an indicator of a problem, is a solid baseline, especially if hourly employees perform most ERP processing activities.

5. How – Devices Used to Access Data

One of the hardest obstacles in the fast deployment of remote ERP access is taking an inventory of all the devices employees will use. Even if everyone has a company-issued device, you are bound to see unauthorized devices accessing your system (mobile phones, tablets, personal workstations, laptops, etc.). Knowing exactly what these devices access (or possibly download) is extremely important to prevent data loss.
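Detection logic for the five dimensions above, run over constructed access-log lines, as an added example (not the Appsian Analytics Console or any real PeopleSoft/SAP log format): each event is compared with a baseline for who, what, where, when and how, and the reasons it deviates are collected per user. The JSON-lines format, the home-base network, allowed countries, business hours, device inventory and sensitive field names are all constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample access log (assumption: one JSON object per line; field names are invented).
SAMPLE_LOG = """
{"ts": "2020-06-01T10:15:00", "user": "hr_admin", "privilege": "high", "ip": "10.20.3.4", "country": "US", "device": "WS-1001", "page": "JOB_DATA", "fields": ["name", "salary"]}
{"ts": "2020-06-01T02:40:00", "user": "hr_admin", "privilege": "high", "ip": "198.51.100.23", "country": "RU", "device": "UNKNOWN-9f", "page": "PERSONAL_DATA", "fields": ["ssn", "bank_account"]}
{"ts": "2020-06-01T14:05:00", "user": "clerk1", "privilege": "standard", "ip": "10.20.7.9", "country": "US", "device": "LAPTOP-22", "page": "TIMESHEET", "fields": ["hours"]}
{"ts": "2020-06-01T19:30:00", "user": "clerk1", "privilege": "standard", "ip": "10.20.7.9", "country": "US", "device": "LAPTOP-22", "page": "TIMESHEET", "fields": ["hours"]}
"""

# Constructed baseline for the organization (assumption).
HOME_NETS = [ipaddress.ip_network("10.20.0.0/16")]     # where high-privilege users normally sit
ALLOWED_COUNTRIES = {"US"}                              # vertical that needs no global access
BUSINESS_HOURS = range(8, 18)                           # 08:00-17:59 local time
DEVICE_INVENTORY = {"WS-1001", "LAPTOP-22"}             # company-issued devices
SENSITIVE_FIELDS = {"ssn", "bank_account", "salary"}    # fields to watch closely


def parse_log(text: str) -> list:
    """Turn the JSON-lines log into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]


def analyze(event: dict) -> list:
    """Return the reasons one event deviates from the baseline, one per dimension."""
    reasons = []
    ip = ipaddress.ip_address(event["ip"])
    hour = datetime.fromisoformat(event["ts"]).hour
    # Who: high-privilege access from outside the home-base IP range.
    if event["privilege"] == "high" and not any(ip in net for net in HOME_NETS):
        reasons.append("who: high-privilege access from outside home-base IP range")
    # What: which sensitive fields the page actually exposed.
    touched = SENSITIVE_FIELDS & set(event["fields"])
    if touched:
        reasons.append("what: sensitive fields accessed " + ",".join(sorted(touched)))
    # Where: country not expected for this vertical.
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append("where: access from " + event["country"])
    # When: outside business hours.
    if hour not in BUSINESS_HOURS:
        reasons.append("when: access outside business hours")
    # How: device not in the inventory.
    if event["device"] not in DEVICE_INVENTORY:
        reasons.append("how: device not in inventory")
    return reasons


def alerts(text: str) -> dict:
    """Group deviating events by user: user -> [(timestamp, reasons), ...]."""
    out = {}
    for event in parse_log(text):
        reasons = analyze(event)
        if reasons:
            out.setdefault(event["user"], []).append((event["ts"], reasons))
    return out


def highest_risk(text: str) -> tuple:
    """The single event with the most deviations, as (user, timestamp, reason count)."""
    best = (None, None, 0)
    for user, events in alerts(text).items():
        for ts, reasons in events:
            if len(reasons) > best[2]:
                best = (user, ts, len(reasons))
    return best
```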

Real-time User Activity Monitoring Helps ERP Data Security Decisions

The Appsian Analytics Console gives you a 360-degree view of what is happening around your ERP data. From there, you can map a tailored incident response before harm becomes catastrophic, informed by your ERP data protection policy.

Some additional examples of ERP data protection initiatives are:

• Enabling adaptive authentication policies that deploy additional access-based authentication challenges
• Restricting specific (partial or full) transactions from unwanted locations
• Masking any field (partial or full)

Appsian enables organizations to increase control and visibility over business data. Easing the anxiety of allowing remote access to ERP, Appsian can help you make the rapid changes (average go-live in 2 weeks) needed to manage and mitigate risk.

Request a demo of the Appsian Analytics Console today!

Five Tips for Easy Access to PeopleSoft

Enabling mobile access is a primary goal for many organizations. Naturally, security concerns arise when transactions are made available online. Here are five best practices to consider:

1) Identity and access management

A username/password security model is insufficient to effectively restrict unauthorized access. PeopleSoft passwords are inherently weak and simple to crack, and users may have several of them.

2) Align Authentication with Your Identity Provider (IdP)

This is achieved with an IdP-integrated enterprise single sign-on. For PeopleSoft, your IdP is the best authentication database because your corporate password mandates are enforced centrally there.

3) Use multi-factor authentication

Multi-factor authentication (MFA) is an effective identity-checking method. While this functionality should be a standard part of a security posture at login, an adaptive MFA is recommended.

Adaptive MFA makes contextual attributes (e.g., device, network, location) the determinant of MFA challenges. This helps align risk levels with access policies. The access context differs in a mobile environment, and your level of control should differ with it.

4) Prevent unauthorized data-exfiltration

Data leakage is the #1 breach source. When access is remote, data exfiltration becomes riskier, mostly because devices are no longer controlled. Limiting reporting and queries when access is remote helps ensure data is not exfiltrated to an unauthorized device.

Additionally, enforcing data masking on sensitive fields can help reduce sensitive data exposure.

5) Improve Data Access Visibility

Simply put, if you don’t log data access and use, you’re at risk. Visibility into user activity is important for identifying and addressing a security threat.

Also, routine audits are critical to understanding what’s happening inside your applications, and if further steps are needed.

Request a Demo Today

How to streamline the SAP exemption process using attribute-based access controls

Secure, compliant, and effective business processes are critical for business. In SAP, segregation of duties (SOD) is key to this.

What happens when an SAP SOD exception is needed?

Often, a user will hold positions and rights that present a conflict of interest. It may be that the employee is part of a small team, or that a security clearance prohibits others from participating. Whatever the reason, this user needs the ability to handle multiple steps in a business process — as an exception.

Things then get tricky. Once an exception is granted, the healthy preventive controls no longer function—one of the most significant weaknesses of SAP’s static, role-based access control.

Moving from preventive to detective approach

… You now need to collect access logs, filter out false positives, and finally send them to the appropriate owner for review and sign-off. Besides the additional overhead of manual checks and approvals, detective controls create room for human error and increase dwell time before red flags are spotted.

So why are SAP SOD controls limited?

Without the ability to distinguish possible violations from real ones, proactive checks are a non-starter. The (preventive) SAP access controls assess authorizations based on two things: 1) user role and 2) task-dependent permissions (think transactions). Although this works in the vast majority of situations, implementing SAP SOD requires more granular controls.

Consider what an actual SAP SOD violation entails.

SAP SOD’s main aim is to eliminate conflicts of interest in business processes. Conflicting transactions are not necessarily a conflict of interest unless the subject is the same.

For example, a user creates and approves multiple purchase orders. Looking only at transactions, this appears to be a violation. Looking deeper into the PO details, the user may never have created and approved the same PO, in which case there was no violation.

SAP can show you 1) user and role, and 2) transactions, but the third component is missing: field-level values in the PO itself. This lack of visibility into attributes beyond functions and permissions makes preventive controls a non-starter and clutters SAP SOD audit logs with false positives when exceptions are granted.

The solution to this problem? Enforcing SAP SOD with attribute-based access controls

Attribute-based access control (ABAC) uses “attributes” in authorization decisions. These attributes can come from user information such as role, department, nationality, or even a user’s security clearance level. Access context such as IP address, location, time, device, and the transaction itself can also be considered. For SAP SOD, data attributes can now be included in the authorization logic. This means that SAP field-level values can be used to decide whether to block or allow a transaction, and these details can also be used in reporting.

In the example above, data attributes can be used to determine when a user performed the first transaction and to infer that the second transaction would result in a violation.

Combining SAP’s role-based access controls (RBAC) with an attribute-based access control (ABAC) solution enables granular control and visibility that provide wide-ranging business benefits.

Flexibility in SAP SOD Exception situations – RBAC + ABAC hybrid

The RBAC+ABAC hybrid solution opens up the possibility of implementing preventive controls in exceptional SAP SOD scenarios. By doing so, you can offer users excellent flexibility while preventing any actual violations.

Together, this hybrid approach (RBAC+ABAC) enables a dynamic SAP SOD model that avoids violations while allowing the flexibility of assigning contradictory roles (if necessary), and it strengthens role-based policy to prevent over-provisioning.
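The purchase-order example above, worked through as an added RBAC+ABAC hybrid check (not SAP GRC or Appsian code): a static RBAC view sees only user, role and transaction and so flags the exception user as conflicted, while the runtime ABAC decision adds the PO’s own created_by attribute and denies only an approval of a PO the same user created. The role model, transaction names and PO records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed SOD rule set (assumption): transaction pairs that conflict when
# the same user performs both on the same business object.
CONFLICTS = {frozenset({"CREATE_PO", "APPROVE_PO"})}

# Constructed role model (assumption): what each SAP-style role may execute.
ROLE_TRANSACTIONS = {
    "PO_CREATOR": {"CREATE_PO"},
    "PO_APPROVER": {"APPROVE_PO"},
}


@dataclass
class User:
    user_id: str
    roles: set


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    created_by: Optional[str] = None    # the field-level value SAP's role view lacks
    approved_by: Optional[str] = None


def transactions_for(user: User) -> set:
    """All transactions the user's roles grant."""
    return set().union(*(ROLE_TRANSACTIONS.get(r, set()) for r in user.roles))


def rbac_conflicts(user: User) -> list:
    """Static RBAC view: conflicting pairs granted together. This is all that
    user, role and transaction can tell you, so an exception user shows up here."""
    granted = transactions_for(user)
    return [pair for pair in CONFLICTS if pair <= granted]


def abac_decision(user: User, transaction: str, po: PurchaseOrder) -> str:
    """Runtime decision that adds the third component: the PO's own attributes."""
    if transaction not in transactions_for(user):
        return "deny: role lacks transaction"
    if transaction == "APPROVE_PO" and po.created_by == user.user_id:
        return f"deny: SOD violation, {user.user_id} created and approves {po.po_id}"
    return "allow"


def execute(user: User, transaction: str, po: PurchaseOrder, audit: list) -> str:
    """Apply the decision, update the PO, and record the outcome for audit."""
    decision = abac_decision(user, transaction, po)
    audit.append((user.user_id, transaction, po.po_id, decision))
    if decision == "allow":
        if transaction == "CREATE_PO":
            po.created_by = user.user_id
        elif transaction == "APPROVE_PO":
            po.approved_by = user.user_id
    return decision


def violations(audit: list) -> list:
    """Only real SOD violations reach the reviewer; a role conflict alone is not logged as one."""
    return [entry for entry in audit if entry[3].startswith("deny: SOD violation")]
```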

RBAC+ABAC Hybrid Using Appsian

Appsian adds to SAP GRC Access Control an additional authorization layer that correlates user, data, and transaction attributes with identified SAP SOD conflicts to block conflicting transactions at runtime.

Contact Us to learn more about how a hybrid access control approach can strengthen your organization.
