Happy World Password Day! Celebrate By Adopting Passwordless Authentication (for PeopleSoft)

By Scott Lavery • May 7, 2020

Every first Thursday in May, cybersecurity professionals collectively roll their eyes at the idea that there is, in fact, a World Password Day. Why? Because PeopleSoft passwords are the undisputed King of Liability in most enterprise organizations.

User credentials are stolen at an alarming rate – and the tactics are becoming more sophisticated. Throw in the fact that users are now working from their living rooms, home offices, and in many cases… mobile phones – hackers see their opportunity and they’re taking it.

This is precisely why Gartner predicts that by 2022, 60 percent of large and global enterprises, and 90 percent of mid-size enterprises will implement passwordless authentication methods.

Why Organizations are Adopting Passwordless

Risk of Weak/Stolen Passwords

As I mentioned, phishing and spear phishing attacks are on the rise. Hackers are able to crack user credentials easily, as evidenced by the 2017 Verizon Data Breach Report, which stated that 81% of hacking-related breaches used either weak or stolen passwords. This is a clear sign that an organization should limit its use of passwords wherever possible.

Passwords Can be Expensive to Maintain

Managing passwords can be an expensive affair. According to Forrester Research, the average helpdesk labor cost for a single password reset is $70. The more complex your identity and access management is, the more expensive it will be.

Passwords Hinder Productivity

Imagine an employee taking ten minutes out of their schedule to recover a forgotten password. Now imagine hundreds of users facing the same issue. Doing away with passwords can help organizations save time and increase productivity.

Why PeopleSoft Passwords are a Challenge

PeopleSoft throws an extra wrench into the authentication/password equation, since PeopleSoft passwords tend to be very weak and users require different credentials for each application. Some organizations use a portal to simulate a single sign-on, but the challenge of weak passwords still remains for portal authentication.

Organizations are fully aware of the challenges with PeopleSoft passwords and tend to customize solutions that are complex, frequently break, and generally add more complexity than they’re worth – this is a well-trodden topic.

The Fastest Path toward Adopting Passwordless for PeopleSoft

Establish an SSO through your existing SAML Identity Provider (IdP)

Your IdP is your central means of authenticating users – so use it for critical business applications like PeopleSoft. This is especially important for enabling remote access for high privilege users, because your IdP is the most reliable way to authenticate. Having to provision identity outside of your IdP just adds complexity. Establishing a SAML Single Sign-On for PeopleSoft is the best way to enable secure, seamless access without adding the complexity of a customized solution.

Implement Adaptive Multi-Factor Authentication (MFA) at App & Transaction levels

Adopting multi-factor authentication (MFA) can be one of the fastest ways to a passwordless system. MFA secures authentication with two or more factors: something the user is (biometrics), something the user knows (a password), and something the user has (an OTP or a security token).

Adaptive MFA enables additional authentication steps that align with the level of risk posed by the user. Combined with SSO, MFA can challenge a user when you feel their session carries an element of risk (unfamiliar location or device, access outside of business hours, etc.). Using a combination of factors not only eliminates PeopleSoft passwords – it drastically decreases the likelihood of a successful data breach. And, as a bonus, it provides a better user experience.

Appsian Supports Passwordless with Data-Centric Security

Appsian enables your security posture to be data-centric, not user-centric. Users have passwords and users lose passwords. Appsian enables your security policies to be aligned with the data a user is attempting to access. Thus, you are not relying on a password to prevent unauthorized access – you’re able to rely on the true identity of the user.

Data-centric security, in conjunction with solutions (SSO & MFA) that let you use your central authentication mechanisms (AzureAD, ADFS, OKTA, etc.), eliminates the need for, and the liability of, users having PeopleSoft passwords. The result is better security, productivity, and user experience.

Conclusion

As you “celebrate” World Password Day, we should all be reminded that the landscape has changed forever. Remote access, blended access, etc. will be the new way of life, and relying on passwords is no longer the most reliable way to maintain security.

The stakes are too high, and while it may feel like there is a never-ending list of priorities, adopting a passwordless security model should be at the top of the list.

Contact us to learn how we can enable your rapid adoption of a passwordless PeopleSoft authentication strategy.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Oracle Extends PeopleSoft Support to 2031. Now’s the Time to Invest in PeopleSoft Data Security Projects

By Michael Cunningham • May 6, 2020

On April 19, 2020, Oracle announced on its PeopleSoft Support blog that the company is extending support for the ERP application through 2031. As stated on the blog, Oracle remains “committed to a rolling ten years of support for PeopleSoft. We will review and plan to extend support again next year, and the year after that, so that you have a decade of committed support and can plan your enterprise software investments accordingly.”  

This news should give PeopleSoft customers a sense of certainty that investing in the long-term success of their PeopleSoft applications is mission-critical. Thanks to COVID-19, organizations may be concerned about their short-term financial stability. Add in the newfound uncertainty of continuing large-scale IT projects in this climate (like a cloud ERP migration), and organizations now find themselves looking for ways to reap maximum benefits with the lowest degree of overhead and project completion time.

Three “Home Improvement” PeopleSoft Data Security Projects  

With large-scale projects on hold, it’s a good time to invest in smaller-scale projects that focus on what is truly mission-critical today (and for the near future) – PeopleSoft data security. You’re already working hard to secure data while users are accessing remotely, and while band-aids may be in place right now, organizations must consider strategies that scale long-term.

Here are three smaller “home improvement” projects that strengthen your PeopleSoft data security posture: 

Integrate your SAML Identity Provider (IdP) for Single Sign-On (SSO)  

When you count the hours spent managing passwords (80% of help desk calls) or tackling SSO projects using customizations and home-grown solutions, you find that removing the complexity of PeopleSoft password management is an ROI-positive project. Add in the lost productivity of users who cannot access business transactions (because they’re waiting for their password to be reset), and the ROI increases. The bottom line: a SAML-configured Single Sign-On for PeopleSoft will make everybody happy. A SAML SSO provides the combination of security and productivity that organizations are striving for. And, given the alarming uptick in phishing attacks, user credentials have become an obvious liability.

Strengthen IAM with Adaptive Multi-Factor Authentication (MFA)

When you’re buying new appliances for a remodeling project, you buy a washer and dryer as a pair. Yes, you can wash and dry your clothes using one or the other, but using both is a better option. The same goes for pairing adaptive multi-factor authentication (MFA) with your SSO as an effective method for verifying identity. Adaptive MFA ensures that contextual attributes (ex. device, network, location) are the determining factor for deploying MFA challenges. The context of access varies in mobile and work-from-home environments, and your level of control should do the same. This is essential if your users are accessing remotely, as managing authentication (especially for high privilege users) can be challenging.

It is also recommended to expand the use of MFA and apply step-up challenges on transactions that may be considered ‘highly sensitive.’

Real-Time Visibility for User Activity Monitoring and Transaction Logging  

Just like a rug can tie a room together, real-time visibility via user activity monitoring and transaction logging can be the perfect complement to your PeopleSoft data security fixer-upper. There are a lot of sensitive transactions being executed outside of the office these days, and monitoring user activity gives you a better sense of how your data is being accessed and used.

Invest in Today and Plan for Tomorrow 

Now is a good time to take Oracle’s lead in their extension of PeopleSoft support – and alleviate a lot of the complexity around PeopleSoft data security, identity, and access management. Securing remote access with SSO and adaptive MFA today provides significant PeopleSoft ROI – along with applying a strong data security framework that can scale with a myriad of workforce and landscape changes.

Best yet, you can complete these projects in only two to four weeks, and we guarantee you won’t be cleaning up any sawdust when you’re done. 

Request a demonstration of the Appsian Security Platform today.

How to Streamline the SAP Segregation of Duties Exception Process Using Attribute-Based Access Controls

By Ryan Quinonez • April 29, 2020

Secure, compliant, and efficient business processes are critical to enterprise operations. In SAP, Segregation of Duties (SoD) is a key principle in making this possible.

What happens when an SoD exception is necessary?

Oftentimes a user will need to be granted roles and privileges that pose a conflict of interest. It could be that an employee is part of a small department, or that a security clearance precludes others from involvement. Whatever the reason, this user needs the ability to handle multiple steps in a business process – and an exception is made.

Here’s where things can get tricky. Once an SoD exception is made, your standard preventive controls are no longer effective. This is one of the major shortfalls of SAP’s static, role-based access controls.

Shifting from a preventive approach to a detective approach…

… you must now gather access logs, filter out false-positives, and finally, send to the appropriate control owner to review and sign-off. Besides the additional overhead of manual reviews and approvals, detective controls create room for human error and increase the dwell time before red flags are caught.

So why are current SAP SoD Controls limited?

Without the logic to distinguish potential violations from actual violations, preventive controls are a non-starter. Your (preventive) SAP access controls determine authorizations based on two things: 1.) a user’s role and 2.) the role’s associated permissions (think transactions). While this works in the vast majority of cases, enforcing SoD requires controls with more granularity.

Let’s take a look at what an actual SoD violation entails

The whole objective of SoD is to avoid conflicts of interest in your business processes. However, conflicting transactions do not pose a conflict of interest unless the subject is the same.

For example, a user performs the transactions to create and approve multiple purchase orders. Looking at the transactions themselves, this activity has the potential for violations. Looking deeper into the PO details, you may see that the user never created and approved the same PO – therefore no violation was made.

SAP can show you 1.) the user and role, and 2.) the transactions performed, but is missing the third component: the field-level values in the PO itself. This lack of visibility into attributes beyond roles and permissions is what makes preventive controls a non-starter and clutters SoD audit logs with false positives when exceptions have been made.

The Solution? Enforcing SoD Policy with Attribute-Based Access Controls

Attribute-Based Access Controls (ABAC) enable the use of “attributes” in authorization decisions. These attributes can be anything from user details such as role, department, nationality, or even a user’s security clearance level. Additionally, access context such as IP address, location, time, device and transaction history can be considered. And most importantly for SoD, data attributes can now be used in authorization logic. This means that field-level values within SAP can be used to determine whether to block or allow a transaction, and these details can further be used in reporting activities.

In the Purchase Order example above, data attributes can be used to identify whether a user performed the first transaction and make the correlation that performing the second transaction would result in a violation. 

Combining SAP’s role-based access controls (RBAC) with an attribute-based access control (ABAC) solution enables granular control and visibility that delivers a wide range of business benefits.

Newfound Flexibility in SoD Exception Scenarios

RBAC + ABAC Hybrid Approach

The RBAC + ABAC hybrid approach opens the possibility to apply preventive controls in SoD exception scenarios. By doing so, you can offer users the flexibility an exception provides while still preventing any actual violations from happening.

Together, this hybrid approach (RBAC + ABAC) enables a dynamic SoD model that prevents violations while still allowing the flexibility of conflicting roles to be assigned (when necessary) and reinforces role-based policy to mitigate over-provisioning.
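The purchase-order scenario above, as an added example that is not Appsian's or SAP's code: a static role check, a transaction-only detective review (which flags the false positive), and a runtime ABAC check that correlates the PO identifier so only a same-subject conflict is blocked. Transaction codes, role names and PO numbers are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative transaction codes (assumptions, not real SAP transaction codes).
CREATE_PO = "PO_CREATE"
APPROVE_PO = "PO_APPROVE"

# Conflict pairs: performing the first and then the second on the SAME
# subject (here, the same purchase order) is an actual SoD violation.
SOD_CONFLICTS = {(CREATE_PO, APPROVE_PO)}


@dataclass(frozen=True)
class Transaction:
    user: str
    tcode: str
    po_id: str  # data attribute: the purchase order the transaction acts on


@dataclass
class TransactionLog:
    entries: list = field(default_factory=list)

    def record(self, t: Transaction) -> None:
        self.entries.append(t)

    def by_user(self, user: str) -> list:
        return [e for e in self.entries if e.user == user]


def rbac_has_conflict(user_roles: dict, role_tcodes: dict, user: str) -> bool:
    """Static RBAC view: the user's roles grant both sides of a conflict pair.
    Once an exception assigns both roles, this check can no longer prevent anything."""
    perms = set().union(*(role_tcodes[r] for r in user_roles[user]))
    return any(a in perms and b in perms for a, b in SOD_CONFLICTS)


def detective_review(log: TransactionLog, user: str) -> list:
    """Transaction-only audit (roles + tcodes, no PO data): flags every conflict
    pair the user executed, whether or not it was the same PO, so it produces
    false positives that a control owner must review by hand."""
    executed = {e.tcode for e in log.by_user(user)}
    return [p for p in SOD_CONFLICTS if p[0] in executed and p[1] in executed]


def abac_authorize(log: TransactionLog, attempt: Transaction) -> tuple:
    """Runtime ABAC check: block the second transaction of a conflict pair only
    when the same user already performed the first on the same PO."""
    for first, second in SOD_CONFLICTS:
        if attempt.tcode != second:
            continue
        prior = [e for e in log.by_user(attempt.user)
                 if e.tcode == first and e.po_id == attempt.po_id]
        if prior:
            return False, f"SoD violation: {attempt.user} already ran {first} on {attempt.po_id}"
    return True, "allowed"


def execute(log: TransactionLog, attempt: Transaction) -> tuple:
    """Authorize, and only record the transaction if it was allowed."""
    ok, reason = abac_authorize(log, attempt)
    if ok:
        log.record(attempt)
    return ok, reason


def demo() -> tuple:
    # Constructed scenario: alice holds both roles (an SoD exception).
    user_roles = {"alice": {"PO_CREATOR", "PO_APPROVER"}, "bob": {"PO_CREATOR"}}
    role_tcodes = {"PO_CREATOR": {CREATE_PO}, "PO_APPROVER": {APPROVE_PO}}
    log = TransactionLog()
    results = [
        execute(log, Transaction("bob", CREATE_PO, "PO-2002"))[0],
        execute(log, Transaction("alice", CREATE_PO, "PO-1001"))[0],
        execute(log, Transaction("alice", APPROVE_PO, "PO-2002"))[0],  # different PO: allowed
        execute(log, Transaction("alice", APPROVE_PO, "PO-1001"))[0],  # same PO: blocked
    ]
    # Static RBAC sees a conflict; the tcode-only review flags alice even though
    # no same-PO violation happened; ABAC blocked only the real one.
    return rbac_has_conflict(user_roles, role_tcodes, "alice"), detective_review(log, "alice"), results


if __name__ == "__main__":
    print(demo())
```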

RBAC + ABAC Hybrid Approach Using Appsian

Appsian adds an additional authorization layer to SAP GRC Access Control that correlates user, data and transaction attributes, along with identified SoD conflicts, to block conflicting transactions at runtime.

Contact Us to learn more about how a hybrid access control approach can strengthen Segregation of Duties (SoD) at your organization.

Why VPN is Not Enough – and why Investing in ERP Data Security is Critical

By Scott Lavery • April 22, 2020

With remote workplaces being put to the test, organizations are looking to quickly scale their security practices. Unfortunately, many are learning the hard way. They find themselves at the intersection of using conventional security technology like a virtual private network (VPN) to secure data residing in traditional, on-premises ERP applications like PeopleSoft and SAP ECC. This can be a toxic combination: it may leave you feeling secure, but your data remains at risk.

A VPN is Not Data Security

Plain and simple – a VPN is a connection point. While it may shrink your threat surface, there are still many risk factors to consider. For instance: where is a user coming from? What data are they trying to access? What device are they using? Is that device actually being used by the right person? What PeopleSoft data are they trying to extract onto their personal device? And so on, and so on…

Once a VPN authenticates a user, a myriad of risk factors remain. This is where a VPN ends and data security should begin. However, most organizations are simply not prepared to mitigate the risks that come once a user has passed a VPN. Here are a few examples:

Federating High Privilege Users

High privilege users should face the most scrutiny. Ideally, a high privilege user should authenticate through Active Directory or whatever identity provider an organization is using. They should then receive federated privileges to PeopleSoft based on the contextual attributes of their access (ex. are they accessing from a foreign country?). Federating high privilege access is a fundamental way to ensure a user is provided with the appropriate level of privilege. However, a VPN cannot do this. In fact, authenticating to PeopleSoft using a SAML identity provider (like Active Directory) can be challenging in itself (see this blog for more info).

If the point of a VPN is securing remote access, then why not consider the contextual attributes that come with said access? After all, the remoteness is what is considered the risk. In this scenario, a VPN is merely acting as a thin authentication layer, on top of PeopleSoft’s typical username and password model. What if a user opts to make their VPN password the same as their PeopleSoft password? This is what hackers anticipate and sadly, they are usually correct.

Malicious Insiders Tend to be High Privilege Users

This is a touchy subject but should be acknowledged. While no one wants to assume the worst in their employees, the fact remains that the more access you have, the more damage you can do. Given the right motivation – bad things can happen. This is the most compelling case for data security because the highest stakes surround high privilege users. A/P, A/R, Finance, Supply Chain, Payroll – all these functions deal with money. Having the ability to lock down and limit access to data and transactions will have a tremendous impact on an organization’s ability to mitigate financial losses from fraud, theft, and espionage. And because of COVID-19, all of these functions are now being executed remotely. The potential for damage is exponentially greater than before.

Ask yourself – should payroll queries be run and exported onto a personal device? Should wires be sent outside of normal business hours? Should a vendor be created when access is coming from a foreign country? I believe the answer you’re looking for is… NOOOOOOO!!!

Integrating dynamic, risk-aware controls on sensitive financial transactions (and data fields) mitigates much of this risk. In addition, transaction logging and analytics prove extremely beneficial, as many organizations would prefer not to hamstring their employees with restrictions; instead, they would rather gain better visibility so that an anomaly can be detected.
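The three transaction questions above (payroll export to a personal device, wires outside business hours, vendor creation from a foreign country) as a small risk-aware policy, an added example that is not Appsian's or PeopleSoft's code. Transaction names, the home country, the business-hours window and the sample contexts are constructed assumptions; every decision also produces an audit record so that blocked and stepped-up attempts remain visible.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Assumed transaction names for the three scenarios in the text.
PAYROLL_EXPORT = "PAYROLL_QUERY_EXPORT"
WIRE_TRANSFER = "WIRE_TRANSFER"
VENDOR_CREATE = "VENDOR_CREATE"

HOME_COUNTRY = "US"              # assumed
BUSINESS_HOURS = range(8, 18)    # assumed: 08:00 to 17:59, Monday to Friday


@dataclass(frozen=True)
class AccessContext:
    user: str
    transaction: str
    country: str          # country of the source connection (constructed)
    managed_device: bool  # False means a personal, unmanaged device
    when: datetime


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


# Rules are evaluated in order; the first match decides. Each rule is
# (predicate, decision, reason). Anything unmatched is allowed but still logged.
RULES = [
    (lambda c: c.transaction == PAYROLL_EXPORT and not c.managed_device,
     "DENY", "payroll query export to an unmanaged device"),
    (lambda c: c.transaction == WIRE_TRANSFER and not in_business_hours(c.when),
     "STEP_UP_MFA", "wire transfer outside business hours"),
    (lambda c: c.transaction == VENDOR_CREATE and c.country != HOME_COUNTRY,
     "DENY", "vendor creation from a foreign country"),
]


def decide(ctx: AccessContext) -> tuple:
    """Return (decision, reason) for one transaction attempt."""
    for predicate, decision, reason in RULES:
        if predicate(ctx):
            return decision, reason
    return "ALLOW", "no risk rule matched"


def audit_record(ctx: AccessContext, decision: str, reason: str) -> dict:
    """Structured log entry: the contextual attributes that drove the decision
    are kept so analytics can later spot trends (e.g. repeated denials)."""
    return {
        "time": ctx.when.isoformat(),
        "user": ctx.user,
        "transaction": ctx.transaction,
        "country": ctx.country,
        "managed_device": ctx.managed_device,
        "decision": decision,
        "reason": reason,
    }


def evaluate_all(contexts: list) -> list:
    """Decide every context and return the audit records in order."""
    records = []
    for ctx in contexts:
        decision, reason = decide(ctx)
        records.append(audit_record(ctx, decision, reason))
    return records


# Constructed sample contexts (April 22, 2020 is a Wednesday).
SAMPLE_CONTEXTS = [
    AccessContext("pat", PAYROLL_EXPORT, "US", False, datetime(2020, 4, 22, 10, 0)),
    AccessContext("pat", PAYROLL_EXPORT, "US", True, datetime(2020, 4, 22, 10, 0)),
    AccessContext("sam", WIRE_TRANSFER, "US", True, datetime(2020, 4, 22, 22, 30)),
    AccessContext("sam", WIRE_TRANSFER, "US", True, datetime(2020, 4, 22, 14, 0)),
    AccessContext("lee", VENDOR_CREATE, "BR", True, datetime(2020, 4, 22, 9, 0)),
]


if __name__ == "__main__":
    for rec in evaluate_all(SAMPLE_CONTEXTS):
        print(rec)
```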

A VPN Can Be Costly, Unscalable, and Leave You in The Lurch

Like any addition to your architecture, downtime can occur. VPN vendors can experience enterprise-wide outages – causing major disruption. In addition, with organizations moving toward 100% remote access, VPNs can be prone to kicking people off after a period of time. Adjusting to remote work environments is frustrating enough, but if access is limited or hindered, and you don’t have the benefit of a readily available help desk, your users will become agitated. With so many senior leaders focused on business continuity, having additional hoops for your employees to jump through is counter to productivity.

And then there is the cost factor – which will certainly balloon with the increased number of users. We understand that costs will vary, but the ROI of 100% of your employees requiring a VPN to log into PeopleSoft is not positive. And as we established above, if the point of a VPN is increasing data security/maintaining integrity of financial transactions – then the ROI is even further from positive.

How Appsian Provides ERP Data Security for PeopleSoft and SAP Applications

Appsian believes user authentication is important, but it’s only one part of an ERP data security posture. This is why we developed the Appsian Security Platform for PeopleSoft. Enhancing an organization’s ability to authenticate users is most effective when it is integrated with your existing identity management strategy and risk-aware. This is where Appsian provides far greater value than a VPN. We enable seamless, secure access to PeopleSoft (specifically) via Single Sign-On (integrated with a SAML IdP), along with adaptive Multi-Factor Authentication. These solutions combine to provide a much better user experience and a vastly superior value if protecting PeopleSoft from bad actors is the primary intention of your VPN.

Lastly, visibility is key. With sensitive transactions being executed outside of the office, having a better sense of how your data is being accessed and used is critically important. Using transaction logging and real-time analytics, Appsian provides PeopleSoft customers with unparalleled levels of visibility, allowing you to keep a watchful eye on your data at all times.

Summary

When approaching how you can enable secure, remote access, it’s best to identify the key objectives and invest in the technology that best suits those needs. Are you concerned that the data inside your ERP applications could be breached or exfiltrated? Are you concerned that financial transactions could be corrupted? If the answer is yes, then data security, and not solely a VPN, is the answer.

At the end of the day, COVID-19 has forced organizations into unprecedented challenges. With an unstable market and unpredictable year(s) ahead, it’s important to focus security efforts on internal data and processes – as these being corrupted will result in losses that can make recovery significantly harder.

To learn more about how the Appsian Security Platform can protect your ERP data, please Schedule Your Demonstration.

User Behavior Analytics are Critical in Remote ERP Environments. Here’s Why…

By Scott Lavery • April 17, 2020

I was recently speaking with a customer who expressed a common concern. Because of COVID-19, their entire finance team was forced to work remotely and they were concerned about the risks of executing critical financial transactions. Purchasing, payroll, expenses, everything… all being done from unknown locations and on devices they couldn’t regulate.

From Convenient to Mandatory

It got me thinking: prior to COVID-19, the objectives for enabling remote access to PeopleSoft had mostly been driven by a desire for productivity and convenience. For years, Appsian has been working with forward-thinking organizations that identified significant value in remote access. Post COVID-19, organizations are in ‘survival mode’ and have no choice but to open access to their most sensitive financial transactions – and hope for the best. The potential for ‘adding insult to injury’ (i.e. financial losses) in a remote environment is enormous, and like any rapid pivot, it requires a strong strategy to be successful.

You Don’t Know What You Don’t Know

During our conversation, it became clear that their situation posed far more questions than answers. For instance: ‘confidentiality around salary has never been more important’ (I assume they’ve required some employees to take salary reductions); ‘how can I know who viewed salary information, or perhaps downloaded queries?’; ‘how can I be sure unauthorized vendors are not being created?’; ‘how can I be sure payroll is being issued correctly?’; ‘how can I be sure sensitive information isn’t downloaded to someone’s home computer?’ It became clear they were flying blind – and starting to panic.

Traditional ERP Visibility Comes Up Short

None of the questions above could be answered in this customer’s current environment. It’s common knowledge that traditional ERP logging and analytics focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. If the task is to ensure that data is not being accessed maliciously or exfiltrated, and that business processes are not being exploited, ERP visibility comes up short.

This customer initially partnered with Appsian for Single Sign-On and Multi-Factor Authentication – both of which they were happy to have! However, their attention had turned from intrusion prevention to incident response and risk management. While they had the capability to ensure user authentication was strong, they lacked the ability to understand what activity was taking place and, more importantly, whether trends in user behavior were indicative of malicious activity.

How ERP Analytics Prevent ‘Adding Insult to Injury’

This is where ERP Analytics becomes essential. When ERP access is both remote and ubiquitous, the ability to detect and respond to malicious activity is greatly reduced.

Using the Appsian Analytics platform, customers are fully enabled to understand exactly how their ERP data is being accessed – by whom, from where, on what and why. With this information in hand, organizations are fully enabled to detect unauthorized activity and formulate a rapid response before damages become catastrophic.

Analytics Provide Peace-of-Mind

Needless to say, it feels good to provide true value to a customer. It’s not every day that a customer comes to you concerned that their business is in trouble (from a market perspective) and also concerned that additional financial losses will follow (from a business process perspective). This is where having available data and granular oversight provides peace of mind. During unpredictable times, having as much information at your disposal as possible is critical. This is especially true when sensitive financial processes are taking place outside of your office – essentially outside your direct control and watchful eye.

The Next Step…

If a lack of visibility is a concern, we’d love to talk. In a brief 30-minute session, we can outline how deep our Analytics can go, common use cases that are pre-configured in the platform, and how they can align to your unique business processes.

Request a Demonstration Today

Looking for a PeopleSoft ‘Quick Win’? Integrate SAML for Single Sign-On (SSO)

By Scott Lavery • April 7, 2020

It’s no secret that managing PeopleSoft passwords can be challenging. This has been a hot topic for years – and with COVID-19, we’re seeing a resurgence from increased remote access. A remote workforce can quickly put a strain on IT help desk services – especially with resetting passwords. By the way, hackers know that passwords are being reset at a record pace, as demonstrated by the massive uptick in phishing attempts (+667% since Feb. according to Forbes).

With a myriad of IT projects and an ever-changing list of demands from the organization, setting priorities can be difficult. We’d suggest PeopleSoft customers prioritize a single sign-on for four key reasons:

PeopleSoft Passwords are a Security Liability

I alluded to this above, but the statistics speak for themselves. According to the 2019 Verizon Data Breach Investigation Report, ‘91% of hacking attacks begin with phishing/spear phishing attacks.’ Organizations try to mitigate this by using a VPN. However, after the expense and potential disruption in service once a large percentage of your workforce is accessing critical business transactions using a VPN, there is little ROI in this strategy.

Might I suggest requiring VPN access for ‘high privilege’ access only? Normal users accessing self-service can be secured by leveraging a Single Sign-On (and possibly multi-factor authentication).

IT Resources Need to be More ‘Focused’ Than Ever

We don’t need to belabor this point but suffice to say that changing your business operations overnight (in the case of COVID-19) causes complexity. Ensuring network/server availability and using help desk services to troubleshoot strategic issues is better than one-off password resets.

The ROI of an SSO Project (over time) is Very High

When you count up the hours spent managing passwords (80% of help desk calls), you quickly find that removing the complexity of PeopleSoft password management is an ROI-positive project. Add in the lost productivity of users who cannot access business transactions (because they’re waiting for their password to be reset), and the ROI increases. Bottom line, an SSO project will delight users, IT teams, and your CFO alike!

This Project Can be Done Quickly (2-4 weeks.)

We’ve come to the (sort of) tricky part. Organizations have tackled SSO projects using customizations and home-grown solutions – all of which modify PeopleSoft code and create challenges down the line. Needless to say, if you’re looking for rapid deployment with minimum complexity (today and in the future), then a configurable approach is recommended.

This is where Appsian comes in, as we’ve developed a native SAML connector that can seamlessly integrate your Identity Provider (OKTA, ADFS, Azure, Shibb, etc.) with PeopleSoft – creating a configurable Single Sign-On without affecting the underlying PeopleCode or impacting future application upgrades.

Bottom line, if you’re looking to quickly alleviate a lot of the complexity around PeopleSoft identity and access management – Appsian can help! We have worked with hundreds of PeopleSoft customers around the world, helping them remove costly customizations and implement a SAML-configured Single Sign-On for PeopleSoft.

Let us show you! We can get you up and running in a couple of weeks!

Is a VPN Enough to Maintain ERP Data Security?

By Scott Lavery • April 2, 2020

With the influx of remote access demands, VPN vendors are no doubt having their moment. This is 100% warranted, but organizations must be prepared for the avalanche of bad actors scanning these services, scrutinizing them for vulnerabilities. Needless to say, these services must be patched and up-to-date. Relying on a VPN may once have been a source of comfort, but it’s no longer an adequate measure by itself.

Multi-Factor Authentication Has Become Table Stakes

Like any IT service, downtime and outages are inevitable. In the event of a system-wide vendor outage, this can spell catastrophe. VPN services have never been taxed more than now, resulting in nervous IT staff analyzing performance and availability metrics. The best way to ensure a proactive approach to application and data security is to enable multi-factor authentication (MFA). Given the expected increase in VPN phishing attacks, MFA has become table stakes for ensuring authorized access. Even with valid credentials, a hacker will not be successful if MFA is in place.

Controlling Access (Not Just Authentication) is Paramount

Authentication aside, a myriad of security risks can emerge from authorized users. Remote access is where data becomes most vulnerable, especially high privilege access. Many users may prefer to use their personal devices for work – in some cases, this may become a necessity (ex. how does your help desk fix a broken machine when the entire organization is remote?). The use of a personal machine means organizations must consider how secure that personal machine is and what data files can be accessed. Data exfiltration becomes a significant liability when access is via a personal machine.

Needless to say, (mandatory) remote access throws many unpredictable variables at IT teams, but if keeping data safe is important (not just keeping application access secure), then a VPN may be only one of many solutions to consider.

Appsian Enables you to Strengthen Authentication, Access Control, and Monitoring

The Appsian ERP Data Security Platform was designed to give organizations complete control and visibility over their ERP data. While the instinct might be to strengthen the authentication process via VPN, it should be noted that vulnerabilities still remain – and Appsian can help.

For PeopleSoft

We help by integrating solutions like Single Sign-On and Multi-Factor Authentication for PeopleSoft – along with access controls that dynamically change with various contexts of access (location, device, time-of-day, etc.) In addition, we provide granular logging and analytics that can help you quickly detect and remediate a security threat.

For SAP ECC & S/4HANA

We enable SAP customers to dynamically control access and enhance their visibility, and to execute and enforce transaction-level data policies. All of this is designed to prevent financial losses due to fraud, theft, and error in high-value transactions.

We invite you to learn more about these solutions and discover how the Appsian platform is the perfect complement to your enterprise security and GRC strategy. If you're using a VPN, enterprise SSO and/or MFA (ex. Okta, Duo, etc.), or SAP GRC module(s), we can bolster your security posture and limit your risk during these unpredictable times.

Request your Demonstration Today!  

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Protecting Remote Users From the Latest Barrage of Social Engineering Attacks

By Piyush Pandey • March 30, 2020

The rapid acceleration from on-location to remote workforce as part of the Coronavirus Pandemic response opened the door to malicious actors accelerating their phishing and social engineering attacks. Cybercriminals prey on user anxiety by embedding malicious files in COVID-19 themed emails. Remote work layered with user anxiety increases credential theft attack success rates, leaving organizations’ mission-critical applications and data at risk.

Start with Identity and Zero Trust

For years, security professionals have said that the perimeter is shifting away from traditional controls like firewalls and toward enforcing user access. The Coronavirus shift toward a fully remote workforce for many organizations heightens the urgency of maintaining the access governance controls that protect information.

Many organizations moved from partial remote workforce to fully remote workforce in the span of a week, or in some cases nearly overnight. This means more devices accessing an organization’s systems and software, but many without the required firewall protections or forced security patch updates done on-premises. Any one of those devices, if compromised by malware, can lead to a system-wide attack.

To rapidly accelerate security, organizations need to find a way to move towards a Zero Trust model, one that never trusts implicitly and always verifies. This means knowing all the devices, users, applications, and data across the organization, then working towards creating the appropriate controls for each of those categories.

For organizations that have a matured cybersecurity posture, identifying people, hardware, and data may be faster since that information is already contained within risk assessments. To accelerate a Zero Trust strategy, organizations can leverage current identity and access controls and add context such as location, time of day, and application to limit user activity. By doing this, organizations can limit the impact of malware installed as part of a social engineering attack.

Embrace Adaptive Multi-Factor Authentication (MFA)

After setting contextual controls, organizations using adaptive MFA can apply those controls to modules within applications. MFA acts as the key that unlocks access to applications, but even within that access, organizations need to provide additional layers of access protection.

Organizations can use context, such as time of day or location, to trigger step-up MFA inside the application. For example, if a user tries to access a payroll module from an anomalous location, adaptive MFA uses that context and requires the user to provide an additional authentication factor to prove their identity. By forcing this additional authentication, adaptive MFA checks that the user is who they say they are, rather than implicitly trusting the session that was established at login.

This additional level of access security prevents malicious actors from leveraging stolen credentials throughout the organization's Software-as-a-Service (SaaS) applications. Cybercriminals may be able to gain entrance to the application itself, but the additional layer of security around sensitive data and modules that comes from using adaptive MFA means that the organization is adding another "gate" that needs to be unlocked, thus protecting the information by restricting abnormal access.

Incorporate Data Masking

Organizations often assume that encryption acts as an unfailing security technology. It does not: an incorrect implementation, a poorly protected key, or simply an attacker logging in with stolen credentials puts the data at risk. Encryption at rest protects stored data against theft of the storage medium, but the application decrypts that data for whoever is authenticated, so an attacker using a legitimate user's credentials sees exactly what that user would see.

Incorporating data masking by applying contextual controls to what information is visible to a user acts as another layer of defense against stolen credential use. For example, assume a remote worker lives on the west coast of the United States. Incorporating geolocation into the user's access and data visibility rules would give the user access to and visibility of sensitive information as long as the person is in that geographic location. Applying data masking based on geographic location protects sensitive data even if a cyber attacker gains entrance to an application, by making the sensitive data "invisible" to them. If a cybercriminal on the east coast of the United States gains entrance to the application with stolen credentials, then the cybercriminal would have access to the application but not visibility of the information. One caveat: a location derived from the client's IP address is an estimate and can be shifted by routing through a proxy or VPN, so location works best as one signal combined with others, such as device and time of day, rather than as the only one.

Many organizations may consider data masking a way to “protect from over-the-shoulder” risk when users are in public locations. However, even with the workforce nearly fully remote as a social distancing strategy, data masking can provide a much-needed additional level of defense.
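The step-up rule in the adaptive MFA section and the location-based masking rule above are the same kind of decision: look at the context of a request and choose an outcome. As an added example (not Appsian code and not from the original article), the Python below implements a small policy evaluator that does both: it returns allow, step-up or deny for a request, together with the fields that must be masked if the module opens. The module names, region codes, user directory, business-hours window and the deny threshold are all hypothetical choices made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # open the module only after an additional MFA factor
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    module: str           # hypothetical module names, e.g. "payroll", "timesheet"
    region: str           # hypothetical region code estimated from the client IP, e.g. "US-CA"
    managed_device: bool  # True when the client is a corporate-managed device
    hour: int             # local hour of day, 0-23
    mfa_satisfied: bool   # True once a step-up factor was presented in this session


@dataclass(frozen=True)
class AccessDecision:
    decision: Decision
    masked_fields: frozenset  # fields to hide if the module is opened
    reasons: tuple            # context signals that degraded the request


# Hypothetical rule set and constructed user directory for the example.
SENSITIVE_MODULES = {"payroll", "benefits"}
HOME_REGION = {"alice": "US-CA", "bob": "US-TX"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local
MASKED_FIELDS = {
    "payroll": frozenset({"ssn", "bank_account"}),
    "benefits": frozenset({"ssn", "dependents"}),
}


def evaluate(ctx: AccessContext) -> AccessDecision:
    """Decide ALLOW / STEP_UP / DENY for one request and which fields to mask.

    Location is one signal among several: an IP-derived region can be wrong or
    routed through a proxy, so on its own it never decides the outcome.
    """
    if ctx.module not in SENSITIVE_MODULES:
        return AccessDecision(Decision.ALLOW, frozenset(), ())

    reasons = []
    if ctx.region != HOME_REGION.get(ctx.user):  # unknown users count as anomalous
        reasons.append("anomalous_location")
    if not ctx.managed_device:
        reasons.append("unmanaged_device")
    if ctx.hour not in BUSINESS_HOURS:
        reasons.append("off_hours")

    if not reasons:
        return AccessDecision(Decision.ALLOW, frozenset(), ())

    # Every signal degraded at once: refuse outright (hypothetical threshold).
    if len(reasons) == 3:
        return AccessDecision(Decision.DENY, frozenset(), tuple(reasons))

    # Degraded context: the module opens only after step-up MFA, and the
    # sensitive fields stay masked even then, so a stolen credential that
    # passes the gate yields access to the module but not visibility of
    # the data.
    masked = MASKED_FIELDS.get(ctx.module, frozenset())
    if not ctx.mfa_satisfied:
        return AccessDecision(Decision.STEP_UP, masked, tuple(reasons))
    return AccessDecision(Decision.ALLOW, masked, tuple(reasons))


def apply_masking(record: dict, masked_fields) -> dict:
    """Return a copy of record with the masked fields replaced by a placeholder."""
    return {k: ("****" if k in masked_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample record and three requests for the same user.
    record = {"employee": "alice", "salary": 95000,
              "ssn": "123-45-6789", "bank_account": "000123456"}
    requests = [
        AccessContext("alice", "payroll", "US-CA", True, 10, False),   # normal use
        AccessContext("alice", "payroll", "US-NY", False, 10, False),  # stolen credentials
        AccessContext("alice", "payroll", "US-NY", False, 10, True),   # same, after step-up
    ]
    for ctx in requests:
        d = evaluate(ctx)
        print(ctx.region, d.decision.value, d.reasons, apply_masking(record, d.masked_fields))
```

The design choice worth noting is that masking is decided independently of the gate: once a request is flagged, the sensitive fields stay hidden even after a successful step-up, so passing the extra factor buys access to the module, not visibility of the protected values.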

Appsian Provides Defense in Depth at the Identity Perimeter

As organizations look to protect data from social engineering attacks, they need solutions that help protect the identity perimeter. Adding further layers of security at the network level may no longer work as more companies turn to remote work, either as a preventative Coronavirus measure or, in the longer term, to cut costs.

Appsian’s suite of solutions enables organizations to accelerate their identity and access defense in depth strategies and secure their mission-critical ERP applications. Appsian delivers the control and visibility that traditional ERP applications like PeopleSoft and SAP (ECC or S4) inherently lack. With our Security Platform, organizations can create contextual access policies and fine-grained data security controls then monitor user access as a way to detect potential credential theft. 

For more information about how Appsian can increase security at your identity perimeter, contact us today or schedule a demo.

This article was originally published at TechSpective.


Remote Access: You Can’t Fight the Trend

By Scott Lavery • March 24, 2020

In September of 2001, I was conducting a comprehensive security audit of a major health care insurer. They were dealing with the early days of the HIPAA regulations and needed to assess data and application controls in their environments.

Then 9/11 happened. All air travel was suspended and major city centers such as NYC, Chicago, and Los Angeles removed all but essential personnel from many corporate offices.

The health care insurer, as well as many other organizations, decided to employ a rapidly evolving set of technologies around Virtual Private Networks (VPN), such as Citrix Remote Desktop, to support employees working from home. They had to focus on protecting the network perimeter because most of their applications were not designed with exposure to the outside world in mind.

We called it the “tootsie pop” defense. A hard candy shell (well, at the time anyway) represented by the network perimeter controls and the soft, chewy center were the applications and data storage platforms inside.

It was all they had available, and it worked to varying degrees. VPN technology was new and had yet to be explored and exploited to the extent it is today.

Eventually, those remote workforce controls were relaxed, and employees started going back into the office. In fact, it was in the early to mid-2000s when companies like Yahoo and Microsoft began to require employees to be onsite. This was primarily a productivity initiative, but, as VPN use was reduced, it did serve to insulate many of those sensitive applications again.

Flash forward to today.

There are many factors driving the need to increase support of remote access. In our world, mobility is king. If I can watch movies or play games on my phone, why can’t I do my job from the same device? Another key factor is this new normal of social distancing and isolation in the face of the current medical environment.

Companies are sending everyone home. But they still have to maintain some semblance of business continuity.

So, are we better prepared to meet these remote access challenges than we were in 2001?

Absolutely.

Network protections are still a part of the solution. VPN platforms, and the strong encryption they support, can provide that relatively hard candy shell around the organization's infrastructure.

However, today, in the mobile world we live in, identity is the new perimeter. Requiring users to authenticate at the network can be a costly and maintenance-intensive approach. Especially for organizations that support large and/or external user bases such as students or partners.

The ideal is to give users direct access to the applications they need. But that's not a very good idea if we maintain an application infrastructure that is truly a chewy center.

The great thing is that application security controls have evolved since 2001. Controls such as dynamic data masking, targeted multi-factor authentication, and selective access based on use cases such as role, location of access, and so on have allowed us to harden that chewy center. Another key evolution is in the area of access logging: every access to sensitive data can now be recorded with its context, so anomalous use is visible after the fact as well as being blocked up front.

The trend towards remote access will only evolve as we recover from the current crisis. I believe organizations will focus on establishing the necessary network and application-level controls to create a “jolly rancher” defense versus “tootsie pop.”

I’m dating myself, so substitute “jolly rancher” with your favorite hard candy.
