Why Contextual Access Controls are Essential for On-Premise ERP Applications

By Scott Lavery • October 11, 2019

Gartner describes context-aware security as the use of supplemental information to improve security decisions at the time they are made. Here “context” means the location of access, the time, the device type, the URL, and so on. In today’s “always connected” environment, where access to business systems is expected to be ubiquitous, contextual variables have become the key driver behind uncovering suspicious activity that would otherwise have gone unnoticed.

Mobile “Context” Has Expanded the Scope of Access

While mobile ERP access means added flexibility – this flexibility comes with a higher risk of exposure. It’s important to understand that the ever-changing “context of access” is where the risk of unwanted data exposure ultimately lies.

Context can take many shapes – for example: accessing from a Starbucks on an unknown network, accessing from a foreign country while on a business trip, accessing from your phone that you just left in the back of the Uber while on your way to the airport! (yes, guilty.) In a mobile world, context of access changes every minute – this creates significant risk, as it would be right to assume that you don’t want your high privilege users accessing sensitive company data from places where their session could be compromised.

Sadly, traditional ERP systems are not equipped to handle that variable risk. Why? Because ERP roles and permissions are static – meaning that if you’re a high privilege user in your office, you’re a high privilege user at Starbucks, in a foreign country and on that forgotten phone that could be scooped up by the next Uber rider.

Unintentional Data Leakage is a Threat in Mobile Environments

Even the most well-meaning insiders (employees) can leak data accidentally. For example, mobile access means the use of personal devices for work (this is inevitable.) Many personal devices are shared amongst family members and have automatic backup systems. Without even realizing it, sensitive data (accessed from a personal device) can be included in a cloud backup – now that data resides in personal storage and is completely outside an organization’s scope of visibility forever.

Why Contextual Access Controls are Necessary for ERP Systems Today

Many assume the greatest data risks are network-centric – that assumption isn’t wrong. The biggest, most headline-grabbing data breaches have typically been large-scale incidents where millions of records were exposed. Organizations have implemented sophisticated firewalls and network access controls to keep themselves out of the headlines, but data risks are becoming increasingly ‘user-centric’ – phishing/spear-phishing being the most pervasive.

Phishing/Spear Phishing has proven to be most effective on users who are working outside the office – for example: quickly checking email in between offsite meetings, working from home late at night (or early morning), or any other scenarios where a user’s surroundings provide just enough distraction to fall for a phishing email.

This begs the question – if enabling mobile access increases risk, then shouldn’t organizations integrate controls that dynamically enforce policies when risk is deemed “high?” After all, your internet browser alerts you when you access a website that isn’t secure.

The addition of contextual controls allows organizations to align their business policies with their security policies – until the introduction of Appsian’s Security Platform these functions had been siloed, only interacting during threat remediation.

Conclusion

The idea of implementing contextual access controls is certainly not new. Cloud Access Security Brokers have been enabling organizations to have greater control and visibility into their cloud applications – however, traditional, on premise ERP applications have not been included in these strategies. ANY organization that is looking to expand access and expose ERP transactions to the open internet must adopt contextual access policies in order to combat the threats that mobile access creates. Contact us to learn how you can implement a contextual access policy in your organization.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Zero Trust Security: What it is and Where to Begin

By Scott Lavery • September 26, 2019

What is Zero Trust Security?

Zero Trust security is based on the principle of ‘never trust, always verify’. First introduced by Forrester Research, a Zero Trust approach requires all users to be properly authenticated before granting access, irrespective of the location or device being used to access.  

It’s easy to understand why Zero Trust is becoming increasingly popular. Organizations are adopting flexible policies like BYOD, remote access is becoming common and attempts to breach data are getting more sophisticated by the day. In a landscape where identity has become the new perimeter, organizations must accept that the concept of authentication has evolved beyond remembering a username and password.

Main Features of Zero Trust Security:

Verify Every User/Device

The Zero Trust model assumes that malicious actors can (and do) exist inside an organization, as well as hackers looking to breach systems from external locations. Hence, no device or user should be trusted by default.

Principle of Least Privilege (POLP)

The POLP model requires that a user is provided only the minimum set of privileges to perform their task. This way, an organization can minimize the risks of two primary data threats – privilege abuse and credential compromise. 

Privilege abuse is the second most common data threat in an organization. Typically, it is a result of inadequate access controls being in place. Users are granted “more-than-necessary” access rights, and the organization fails to monitor the activity of these accounts.

Meanwhile, credential compromise is known to be the root cause behind 74% of all data breaches. A hacker gains access to user accounts through a brute force attack, or phishing, and can then steal data.   

Additional Security Steps

One of the main principles of the Zero Trust model is to include additional authentication steps to limit the possibility of a successful “credential-based” attack.

Today, organizations have increased the adoption of additional, stepped-up authentication layers (apart from ID/password) to securely grant access to users. For instance, the 2019 Duo Trusted Access Report states that over the last four years (2015 to 2019), customers have increasingly used biometrics as a second authentication factor to access applications.

Leverage Context When Granting Access to Data

Securing data is as crucial as controlling the access to enterprise applications. A Zero Trust policy ensures data access is granted to users on a contextual basis. This could include a variety of factors – location of access, the device used, time of the request, and such others. 

Zero Trust: Where to Begin?

Monitor User Activity  

Organizations need to monitor and record user activity constantly. With the help of detailed records, security professionals will be better equipped to detect possible threats.

Granular, real-time logging solutions can help achieve this objective. Logging what data is being accessed and capturing the contextual parameters of access (ex. user IDs, the device of access, location, IP address, and more) can help make the response to a security incident faster and more accurate.

Such a solution would help achieve two goals – mitigating the risks of a data breach and establishing a compliance strategy around specific access use cases – as opposed to static, roles-based permissions.

Contextual Access

Contextual access requires the use of supplemental information to improve data security decisions. Often this includes the time of access, location, device used, and similar factors. A contextual policy grants access based on these parameters. For instance, an employee tries to access sensitive company data outside the corporate network – even though the employee may have the required privileges, access may be denied because of the unsecured network.

An effective contextual access policy ensures users are granted privileges at the right place and at the right time.
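The two ideas above, a contextual policy layered over static ERP roles and an access log that keeps the contextual parameters (user, device, location, IP) for later triage, can be shown in one small evaluator. The following Python is an added example, not code from the original post or from Appsian's platform; the corporate network ranges, the list of sensitive transactions, the role-to-transaction map and the sample requests are all constructed for the example, and the decision rules (deny an unmanaged device off the corporate network, step up to MFA on any other risk signal) are illustrative assumptions rather than a documented policy.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed values for this example: corporate address ranges, the
# transactions treated as sensitive, and a static role->transaction map
# standing in for the ERP's own permission lists. None of these come from
# any real product or deployment.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
SENSITIVE_TRANSACTIONS: Set[str] = {"PAYROLL_VIEW", "BANK_ACCT_UPDATE", "SSN_VIEW"}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "PAYROLL_ADMIN": {"PAYROLL_VIEW", "BANK_ACCT_UPDATE", "SSN_VIEW", "TIMESHEET_VIEW"},
    "EMPLOYEE": {"TIMESHEET_VIEW"},
}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time


@dataclass
class AccessRequest:
    user: str
    role: str             # the static ERP role the user holds
    transaction: str
    src_ip: str
    device_managed: bool  # True for a corporate-enrolled device
    mfa_passed: bool      # True if a second factor was already verified
    when: str             # ISO 8601 timestamp of the request


@dataclass
class Decision:
    outcome: str  # "allow", "deny" or "step_up" (require a second factor)
    reasons: List[str] = field(default_factory=list)


def is_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(req: AccessRequest) -> Decision:
    """Static role check first; for sensitive transactions, context decides."""
    if req.transaction not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision("deny", ["role lacks permission for transaction"])
    if req.transaction not in SENSITIVE_TRANSACTIONS:
        return Decision("allow", ["non-sensitive transaction"])

    reasons: List[str] = []
    on_corp = is_corporate_network(req.src_ip)
    if not on_corp:
        reasons.append("sensitive access from outside corporate network")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if datetime.fromisoformat(req.when).hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")

    # The "forgotten phone" case: an unmanaged device off the corporate
    # network gets no sensitive access, whatever the static role says.
    if not on_corp and not req.device_managed:
        return Decision("deny", reasons)
    # Any other risk signal requires a verified second factor.
    if reasons and not req.mfa_passed:
        return Decision("step_up", reasons)
    return Decision("allow", reasons or ["on corporate network during business hours"])


def audit_record(req: AccessRequest, decision: Decision) -> dict:
    """One structured audit entry that keeps the contextual parameters of access."""
    return {
        "ts": req.when,
        "user": req.user,
        "role": req.role,
        "transaction": req.transaction,
        "src_ip": req.src_ip,
        "corporate_network": is_corporate_network(req.src_ip),
        "device_managed": req.device_managed,
        "mfa": req.mfa_passed,
        "outcome": decision.outcome,
        "reasons": decision.reasons,
    }


def offsite_sensitive_access(records: List[dict]) -> List[dict]:
    """Triage view for an auditor: sensitive data reached from outside the network."""
    return [
        r for r in records
        if r["outcome"] == "allow"
        and r["transaction"] in SENSITIVE_TRANSACTIONS
        and not r["corporate_network"]
    ]


if __name__ == "__main__":
    import json
    t = "2019-10-11T10:30:00"
    # Constructed requests: the same payroll admin under different context.
    sample = [
        AccessRequest("jdoe", "PAYROLL_ADMIN", "PAYROLL_VIEW", "10.1.2.3", True, False, t),
        AccessRequest("jdoe", "PAYROLL_ADMIN", "PAYROLL_VIEW", "203.0.113.9", False, False, t),
        AccessRequest("jdoe", "PAYROLL_ADMIN", "PAYROLL_VIEW", "203.0.113.9", True, True, t),
    ]
    log = [audit_record(r, evaluate(r)) for r in sample]
    for entry in log:
        print(json.dumps(entry))
    print("offsite sensitive accesses:", len(offsite_sensitive_access(log)))
```

The point the code makes is the one the post makes: the static role answers "may this user ever run this transaction", and the contextual layer answers "should they run it from here, on this device, right now". Keeping the context fields in every audit record is what later lets a reviewer answer "who viewed payroll data from outside the network" without triangulating several reports.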

Multi-Factor Authentication (MFA)

Credential theft is becoming increasingly common. According to a report, more than 80% of hacking-related data breaches happen because of stolen passwords. Hence, the traditional ‘password-only’ ways of authentication are no longer adequate. 

Organizations are gradually moving to Multi-Factor Authentication (MFA) – a more reliable way to secure data. MFA combines the use of two or more of the following:

  • Something that the user is (biometrics) 
  • Something that the user knows (password)  
  • Something that the user has (a one-time password – OTP, or a security token). 

Micro Segmentation

Securing a corporate network can be a challenging task; especially given the wide range of users and access points. To make this easier, organizations are dividing the network into smaller, manageable segments. Network segmentation allows limiting data access to a set of users within a segment, where a set of access rules governs each segment. Generally, users within the segments would be allowed the minimum required privileges to perform their tasks.

In case of a security incident, micro-segmentation ensures the risk is contained in a small part of the network, and does not spread beyond.    

Conclusion

Zero Trust was founded on the principle that any user or device can be compromised. However, an absolute zero level of trust is also not practical.  To perform efficiently, organizations have to strike a balance between granting and restricting access selectively. Leveraging context as your dynamic variable is recommended.

A Zero Trust security system is not just about implementing individual security technologies – it involves a systematic approach to data security. Contact us to get started on your Zero Trust security preparation. 

Evaluating a PeopleSoft Single Sign-On (SSO) Solution: 6 Questions to Ask your Vendor

By Scott Lavery • September 6, 2019

What is Single Sign On in PeopleSoft?

PeopleSoft, an ERP application designed by Oracle, lacks native Security Assertion Markup Language (SAML) support. This makes it challenging for IT teams to include PeopleSoft under the umbrella of applications users can access via the enterprise’s Single Sign On (SSO) solution. However, SSO can be enabled in PeopleSoft with the help of a third-party integrator like Appsian. The SAML integration allows PeopleSoft customers to fully leverage SSO solutions like Okta, Azure AD, Ping Identity, and more to deliver ease of access.

Single Sign-On (SSO) solutions have emerged as the gold standard in identity management. While poor password practices continue to prevail, the effectiveness of the ‘username and password’ as the main authentication model has deteriorated.

Password management can be a nightmare for IT, as it reduces department productivity and increases service costs. However, SSO solutions allow administrators to centralize identity management, as end-users utilize a single set of credentials to access every enterprise application.  

Establishing an SSO for PeopleSoft 

PeopleSoft applications are a vital part of an organization’s enterprise architecture, and unfortunately, integrating PeopleSoft into an enterprise SSO can present challenges. This has led administrators to look to the market for help – and as you evaluate an SSO solution for PeopleSoft, you should ALWAYS ask these 6 questions – the answers will be the difference between project success and failure:

How does your product interact with PeopleSoft?   

To successfully implement an SSO solution, organizations first need to integrate all applications with a centralized identity provider. Most popular identity providers, such as Microsoft Azure Active Directory and Okta, use SAML – the open federation standard that allows identity providers (IdPs) to communicate with enterprise applications.

Many off-the-shelf SSO vendors claim to support PeopleSoft. However, they ignore the fact that PeopleSoft applications do not natively support SAML. With a conventional SSO solution, PeopleSoft applications are likely to stay alienated from the rest of the organization’s business applications. Organizations must ensure that their SSO provider addresses the SAML problem upfront. Otherwise it can lead to a ripple of problems with the implementation (ex. inflated budget, timelines, complexity, etc.)

Is there a need for customizations?   

For PeopleSoft specifically, most SSO providers are required to build an extensive framework of customizations. Customizations demand extra resources and prolong the implementation timeline – thus increasing the project liability. Even after that, custom SSO solutions can be insecure, fragile, lack functionality for some transactions and be prone to problems that are difficult to troubleshoot. Moreover, building and maintaining a customized framework requires both coding and PeopleTools expertise – which is a rare skill combination. Alternatively, PeopleSoft customers can seek a configurable SSO based on logic workflows built outside of the PeopleCode.

Are there additional hardware/server requirements?   

In most cases, organizations will be required to purchase additional hardware to support the customizations designed to simulate communication between PeopleSoft and their respective Identity Provider. The procurement of new infrastructure (reverse proxy servers) is not ideal and can result in unexpected project budget overruns. 

Does the solution support deep embedded links? 

One of the primary benefits of an SSO solution is allowing users to bypass login with the use of deep links or embedded links. These links, when sent to a user, can take them to a specific transaction using the previously authenticated SSO session, saving time and increasing user satisfaction and productivity. However, most off-the-shelf SSO providers don’t support this functionality. With increasing remote access on mobile devices, deep-link navigation can be important to usability and engagement. For instance, a user can go straight to an intended transaction by following a link (sent via email, text, etc.) even if they are required to authenticate an SSO session on a device they don’t use frequently.

How does the solution impact PeopleTools Lifecycle Management? 

PeopleSoft’s native functionality is continuously evolving with every single image released via the PeopleSoft Update Manager (PUM). These updates include frequent changes in the authentication model, which means that a customized solution would demand excessive upgrade and alteration with each update. The constant need for upkeep can adversely affect the adequate use of customer resources and time, making room for an increased scope of errors and subsequent troubleshooting. 

What if we decide to switch an ID provider? 

One of the most important considerations when choosing an SSO solution is how easily it adapts if and when the organization decides to switch IdPs. Ideally, organizations should look for a configurable SSO instead of a coded (customized) one. The reason is that when an organization plans to switch to a new identity provider, a custom solution would require building a whole new integration framework. A custom SSO can therefore prove tedious and time-consuming, unlike a configurable SSO that allows a seamless switch.

Appsian’s PeopleSoft SSO Connector  

Designed to create a simple, extensible, and easy-to-maintain approach to the implementation of modern authentication, Appsian’s PeopleSoft SSO Connector is the only turnkey solution for native SAML-compatibility in PeopleSoft – enabling customers to:

  • Leverage existing investment in SSO solutions with PSFT 
  • Authenticate PSFT sessions via SAML-based Identity Providers 
  • Access PeopleSoft via deep link navigation  
  • Support multiple IdPs concurrently 
  • Deploy SSO for PeopleSoft in as little as 7 days
  • Implement without additional hardware or custom coding

To learn more, Request a Demo with a PeopleSoft security expert or write to us at info@stgappsian.wpengine.com 

How to Make ERP Compliance Audits Cheaper and Faster

By Scott Lavery • August 20, 2019

Organizations are facing growing challenges in meeting the data privacy compliance requirements associated with mandates like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) (taking effect in 2020.) Apart from these, several U.S. state-specific regulations are expected to go into effect in the coming months.

The impact of these regulations is significant. Organizations must now keep track of where and how they obtain personally identifiable information (PII), from the moment they obtain it through the life of its retention. They are also required to maintain records of data processing, consent forms and many other documents. All of these factors are naturally increasing the time to successfully complete an audit – all while new mandates are simultaneously minimizing the time allotted to complete the same audit. This new regulatory environment is putting pressure on organizations to find new strategies for managing and reporting on PII access and usage. Needless to say, the PII once gathered with precision and coveted as a valuable asset has now become a liability with a distinct holding cost.

Are companies truly equipped to handle Data Privacy Compliance requirements?

The answer is, no. Recently, many companies have come under fire for data breaches.

Marriott is facing a hefty fine of $123 million for a data breach in 2018. British Airways too faces a $230 million fine under GDPR (for weak data security policies resulting in a breach.) While this accounts for 1.5% of British Airways’ annual revenue, regulatory fines can go up to 4% of an organization’s annual revenue.

How to Manage ERP Audits when the Deck is Stacked Against You  

Traditional, on-premise ERP systems were not built with logging capabilities that aligned to understanding PII usage. Logs were meant to troubleshoot, find system errors and ensure applications were running properly. The PII inside the system was not a factor and understanding access and usage was irrelevant.

Now that organizations will be forced to perform audits more frequently and more precisely, using ERP systems that require the triangulation of multiple reports (exponentially increasing audit times) just to get a basic understanding of usage, the overall cost of an audit has skyrocketed.

ERP Compliance Audits Can Actually be Cheaper and Faster than Once Believed

With this new data regulatory landscape in mind, organizations must look to enhance their audit capabilities by turning their attention to logging strategies dedicated to data usage (not just system performance.)

Appsian’s Security Platform for PeopleSoft and SAP takes data access into account by adding granular logging capabilities that track user behavior and data access, then aggregates trends into easy-to-consume analytics dashboards. All of this is designed to provide the same snapshot into usage that once took weeks to aggregate manually with traditional logging capabilities – but with Appsian can now take a matter of minutes.

With Appsian, your ERP audit strategies can now scale to match the time and resource allocation demanded by new and upcoming data privacy mandates. And because these strategies can be integrated into traditional ERP systems that may (at one time) have been viewed as an audit liability, the life of your legacy ERP system can be extended – thus maximizing your ROI and not being forced into an expensive and resource-draining rip and replace project.

To learn more about Appsian and how our Security Platform can help your organization prepare for data compliance audits, Contact Us.

BYOD & Allowing Mobile ERP Access: Evaluating Potential Risks

By Scott Lavery • August 8, 2019

Organizations are rapidly shifting to workplaces without boundaries – teams are globally dispersed and companies are adopting work-from-home and BYOD (Bring Your Own Device) policies. This desired flexibility has become table stakes for organizations looking to recruit and retain top talent.

Because this means employees are accessing company data outside of the company’s secure network – traditional measures to secure data (ex. firewalls, perimeter network security, etc.) are no longer adequate. According to a survey conducted by Black Hat, 73% of respondents said that conventional perimeter security firewalls and anti-viruses are now obsolete.

As such, the role of the CISO has become more complex. They now face the task of securing data on networks and devices outside their traditional scope of control.

BYOD & PeopleSoft Fluid UI

The PeopleSoft Fluid user interface was introduced as Oracle’s strategic initiative to deliver a modern, mobile user experience. Once enabled, users can access PeopleSoft applications on a smartphone, tablet, or desktop. However, enhanced mobility and usability have ushered in new concerns related to maintaining data security, as users are accessing self-service applications away from their corporate networks.

Expanding access to sensitive data beyond the secure network increases the risk of a data breach – and hackers are well-aware. Hackers are researching and targeting key stakeholders, knowing that a username and password is all they need to gain access to data.

With this in mind, below are some of the threats associated with implementing BYOD policies:

Unauthorized Access

The downside of a BYOD policy is that access cannot be controlled or managed centrally by an administrator. When access is ultimately controlled by the mobile device itself, the theft or compromise of a mobile device can increase risk exponentially. In the case of a device theft (ex. a phone or laptop stolen out of a coffee shop or vehicle, etc), the organization would have no defense if an ERP password were saved in the device’s password manager – and you know it always is!

Solution:

Organizations can minimize the risk of unauthorized access attempts by implementing a multi-factor authentication system. A single device no longer becomes the gateway to an application, as MFA draws on three forms of authentication: something you know (user name and password, typically), something you have (a phone that can receive app-based or SMS confirmation requests, for example) and something you are (the rapidly evolving arena of biometrics). MFA requires the use of at least two of these authentication methods before allowing access.

Accidental Data Leakage:

Carelessness and negligence by users are some of the leading causes of accidental data leakage. The BYOD trend can potentially multiply these risks, as users are continually using their devices to send and receive information over email, text, IM, and other means. Data becomes more vulnerable to hackers when shared over a non-secure network.

Collaboration tools that leverage mobile apps, like Slack, are becoming common in the workplace, meaning communication amongst employees is becoming more frequent, rapid, and (generally) more casual – all of which differ from the style adopted by traditional email correspondence. This casualness can lead to employees sharing sensitive information across an unknown network – leading to opportunities for data to leak out inadvertently.

Corporate email solutions can scan for credit card numbers, social security numbers and other data formats that can be indicative of sensitive information – however, these mobile collaboration tools lack the same capability.

In addition, devices purchased for personal use (ex. a personal laptop or desktop) and used on occasion for professional work tasks – many of which have automatic cloud back-up mechanisms – can lead to information inadvertently leaking away from the originating device and into a content management system. Cloud storage systems are frequently hacked, so a sensitive report getting into the wrong hands can lead to damaging results.

Solution:

Enabling contextual access controls can differentiate the privileges of a user when they are working away from a secure, corporate network. Using this solution, users are granted limited access to sensitive transactions based on their location or privileges. As a best practice, leveraging the principle of ‘least privilege’ can limit the risk of users accidentally leaking data.

Summary

Enabling BYOD has inherent benefits – employees are happier, more productive, and an organization is able to expand the reaches of their business practices – but enabling a BYOD strategy should come with caution.

It is important to understand that ERP applications like PeopleSoft and SAP were designed long before BYOD practices existed and do not have the native controls to keep up with the evolving security risks that accompany BYOD strategies.

If you’re interested in learning more about enhancing your ERP data security posture in the wake of expanded access and BYOD, you can Contact Us and we’d be happy to walk you through how you can fill these security gaps.

Data Security Penalties Get Real….Real Expensive

By Scott Lavery • August 5, 2019

How companies approach data security controls is changing. Segregation of Access (SoAx) is now just as critical as Segregation of Duties (SoD). Who sees sensitive data is just as important as who changes it.

And just to make sure organizations take access controls seriously, regulations such as GDPR are inflicting major penalties for breaches of private data. And soon, it won’t just be about breaches, it’ll also be about fines being levied for data security audit failures.

When GDPR was enacted, there was a lot of confusion around the penalties that would be associated with the exposure of sensitive data. Many companies took a wait and see approach instead of enacting data protection measures. Especially around legacy applications, such as ERP systems, where the keys to a company’s kingdom are typically stored.

Why?

A couple of reasons. Most companies don’t even have a handle on where their sensitive data is stored. And, in addition, most companies don’t focus on regulatory controls until the penalties are real.

GDPR penalties are real. The penalties associated with many of the state-driven data privacy regulations are real. And now we have some guinea pig companies that show just how real they are.

GDPR was enacted in May of 2018. It took a year before the Information Commissioner’s Office (ICO) nailed a company for a breach of sensitive data.

In 2019, British Airways was hit with a proposed fine of $230m for the exposure of sensitive information. Less than a week later, a second culprit was reported. The ICO has proposed a $124m fine to be assessed to the Marriott hotel chain related to the exposure of sensitive data in over 339 million guest records.

But that’s a European regulation that doesn’t apply to us.

We hear that a lot. So, let’s talk about some of the recent US-based breaches and their associated penalties.

In 2013, Yahoo was fined $35m by the SEC and paid an additional $50m in a class action suit for a major exposure of customer data.

In 2015, health insurer Anthem was fined $16m for violating HIPAA regulations and allowing the breach of over 79 million customer records. And that was in addition to the $112m they paid to settle a national class action suit.

In 2017, a breach of Target’s customer information was settled for a $18m fine.

Uber, in 2018, was fined $148m for a major breach of driver and rider records. An unusually large fine for that time that was increased due to their efforts to cover up the breach.

The key takeaway is that, while some of those US fines are relatively low when compared to the GDPR offenders, that is changing. With the introduction of the California Consumer Privacy Act and other state initiatives, fines are being structured to follow the GDPR model. That is, they will be calculated as a percentage of an organization’s revenue.

All of a sudden that $18m that Target paid blows up to hundreds of millions of dollars.

Still want to take a wait and see approach?

Contact us to see how Appsian can help you address your data security controls.

PeopleSoft RECONNECT 19 Recap: Fluid Remains the HOTTEST Topic

By Scott Lavery • August 2, 2019

As the premier deep-dive PeopleSoft-focused event of the year, PeopleSoft Reconnect (presented by Quest Oracle User Group) has always touted itself as “created for PeopleSoft users… by PeopleSoft users.” This year’s conference (held in Rosemont, Illinois) did not disappoint.

Appsian was proud to be a conference sponsor, as well as providing content, as our PeopleSoft User Experience experts presented sessions on improving PeopleSoft Security and Creating a Modern User Experience Across all PeopleSoft versions. The sessions were hugely successful, with an estimated 75% of conference attendance. During the sessions, many of the questions pertained to security concerns and meeting user experience expectations, as organizations continue to upgrade to PeopleSoft 9.2 and adopt Fluid UI – all in service of staying on Oracle support and maximizing their current ERP investment.

According to Scott Hirni, Director of User Experience Strategy and Solutions at Appsian (who has previously worked with PeopleSoft for 18+ years), “Fluid adoption and on-going enablement was among the top concerns for attendees.” While Fluid adoption is a top project in the PeopleSoft community, it was clear that not all PeopleSoft customers are able to leverage Fluid to its full potential.

Here are a few observations:

  • 75% of organizations we spoke to at RECONNECT haven’t attempted to roll out Fluid – despite being on version 9.2
  • 25% have started, but have required ongoing guidance
  • Most attendees expressed that they were in the process of identifying the key business drivers for implementing Fluid
  • Many questions arose about what to do with existing customizations while implementing Fluid

Inspired by Scott’s presentation at RECONNECT 19, here’s a quick look at the roadmap for customers looking to roll out Fluid.

  • Identify business drivers, i.e. key functional areas that need optimization and would benefit from a Fluid implementation project
  • Review the list of already delivered Fluid screens and Classic retirement dates to prioritize rollout accordingly
  • Assess the version prerequisites for handling your existing PeopleSoft customizations
  • Prepare for UX changes and user adoption challenges that come with the new UI

The bottom line is, Appsian absolutely recommends upgrading to 9.2 and adopting Fluid as the best way to fully leverage your PeopleSoft investment. Staying current with Oracle maintenance and embracing the many advantages that come with a 9.2/Fluid adoption are critical, but we certainly understand that large-scale projects come with uncertainty and questions. With that in mind, Appsian has developed a strategic UX transformation plan that helps PeopleSoft customers analyze their business needs and assess how Fluid UI can help achieve their efficiency goals.

Not sure where to start? Leverage Appsian’s FREE PeopleSoft Fluid Assessment that includes:

  • Complimentary Onsite Workshop
  • Strategic Analysis/Transaction/Use Case Mapping
  • Fluid Rollout Plan
  • Business/Institutional Alignment

To claim your FREE Fluid assessment you can also write to us at info@stgappsian.wpengine.com

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Data Security: What Steps Can You Take?

By Scott Lavery • June 20, 2019

We’ve talked extensively about Segregation of Access (SoAx) and how data security threats have evolved to include a range of application authentication attacks. These include sophisticated phishing campaigns, automated brute-force password attacks and the targeting of legacy applications that were not designed or implemented with these modern threats in mind. In addition, the increasing demand from users to extend application access, from both inside and outside the network, is opening up a variety of potential entry points for bad actors to exploit.

And it is frequently these legacy applications, such as ERP systems, that maintain an organization’s most sensitive data including user personal and financial information, corporate proprietary data and financial accounting records.

How is an organization that maintains these legacy applications supposed to combat these modern security threats?

It all comes down to data protection. And not only keeping bad actors away, but also limiting access to sensitive data for legitimate users that don’t need to access it – until they do.

Let’s talk about some capabilities that can help bolster the data security of your applications. Let’s talk about how Appsian’s ERP Security Platform can provide many of those capabilities.

And let’s talk about it in the form of a hypothetical business justification in which Acme Industrial Dynamite (yes, I’m a big Road Runner fan) recognizes the vulnerabilities in their legacy ERP applications and is evaluating solutions.

Challenge

Acme Industrial has been struggling with bringing their legacy ERP platform into alignment with both the current access threat landscape and the evolving compliance environment, where regulations like GDPR and the CCPA are expanding the need to support data privacy well beyond the historical breach notification responsibilities.

Acme has identified some key areas where supplementing built-in ERP security capabilities will be required to meet these evolving challenges. These key areas fall into the following capability sets and all should be evaluated:

Multi-Factor Authentication (MFA)

The traditional application security mechanism of requiring a user name and password to authenticate is dated and increasingly insecure. Why?

1. Phishing schemes have become very sophisticated. Recent studies put the share of phishing targets who click the fraudulent link and give up their credentials for the targeted application at 4%-10%. Result: in any sizable user population, some logins that rely on user name and password alone will be coming from a bad actor holding stolen credentials. Data such as bank account numbers and PII for that user are then exposed. And if it is a high privileged user, data for many users is exposed and the integrity of business operations could be compromised.

2. Typical users are expected to maintain access to multiple applications in a corporate environment. Remembering user names and passwords for all of them can be onerous. So, post-it notes under the keyboard, or worse, simple-but-easy-to-remember passwords lead to insecure authentication controls.

3. With the increase in computing power and the sophistication of current attack tools, brute-forcing user names and passwords has become an effective way for bad actors to gain access to sensitive applications.

How does MFA mitigate these risks?

By requiring an additional factor of identity validation before allowing access to sensitive data and processes. With an effective MFA implementation at the application level, an attacker holding only stolen credentials is limited in what they can see or do.

Appsian’s MFA capabilities allow for a variety of use cases to match an organization’s definition of risky behavior. Whether it’s to protect sensitive data, such as bank account numbers or PII, at the field or navigation level, or to restrict access to privileged functionality, such as Query Manager, MFA can provide that additional level of identity validation.

Application Activity Logging

Legacy ERP logging typically focuses on system operations and can be very performance intensive. Because these applications were designed at a time when internet exposure and data privacy were not major concerns, fine-grained access management and access logging were not built into the core functionality.

In the current threat and compliance environments, being able to track who has accessed sensitive data and processes is critical. And it is not just about breaches anymore. It’s also about being able to respond to audit requests that require you to show reports on who has accessed any given user’s sensitive data.

Appsian’s logging capabilities supplement PeopleSoft’s system logging by providing a wide range of additional transactional tokens that can be captured and provide a very granular and contextual capability to track and report on what users are doing in the system.

Data Masking

As described above, it is critical to implement a multi-layered security approach to accessing sensitive data and processes. It is not just about keeping that data from bad actors, but also about limiting access among legitimate users to only those individuals who need to see it, and only when they need to see it.

Data masking redacts sensitive data values before they are displayed.

Appsian’s approach to data masking allows that redaction to be dynamic and customizable by use case. It also extends static masking with selective hyperlink-enabled masking, which limits access to sensitive data or processes to those individuals who make a conscious (and logged) decision to reveal it.

And like MFA, Appsian’s masking can be applied in a variety of use cases:

  • What can a user access or see if, regardless of role, they are coming in from outside the network versus inside?
  • Should a high privileged user be allowed high privilege data or process access if they are coming in at midnight from an IP registered in China?
  • Should lower test and development environments, which depend on realistic data to be effective, be allowed access to the real values of sensitive data fields?
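The three questions above reduce to a policy that evaluates the context of a request (network, time, geography, environment, role) before deciding what a user sees. The following Python is an added example written for this post, not Appsian’s product code; the corporate network ranges, the IP-to-country table (built on reserved TEST-NET prefixes), the business-hours window, and the role and field names are all assumptions constructed for the illustration.

```python
"""Context-aware decision for a sensitive ERP field (added example, not Appsian code).

Assumptions made for this example: the corporate network ranges, the tiny
IP-to-country table (reserved TEST-NET prefixes), the business-hours window,
and the role and field names are all constructed.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
GEO_TABLE = {ip_network("203.0.113.0/24"): "CN",   # hypothetical mapping
             ip_network("198.51.100.0/24"): "US"}
ALLOWED_COUNTRIES = {"US"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
SENSITIVE_FIELDS = {"BANK_ACCT_NUM", "NATIONAL_ID", "DATE_OF_BIRTH"}
PRIVILEGED_ROLES = {"HR_ADMIN", "PAYROLL_ADMIN", "QUERY_MANAGER"}


@dataclass
class AccessRequest:
    user: str
    role: str
    source_ip: str
    at: time
    environment: str              # "PROD", "TEST" or "DEV"
    field: str
    mfa_passed: bool = False      # step-up MFA already satisfied this session
    reveal_clicked: bool = False  # user deliberately clicked the masked value


@dataclass
class Decision:
    action: str                   # "allow", "mask", "step_up_mfa" or "deny"
    reason: str                   # logged alongside the access event
    value: Optional[str] = None   # what the page may render, if anything


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown origin is treated as not allowed


def within_business_hours(t: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= t <= end


def mask(value: str, keep: int = 4) -> str:
    """Static masking: redact everything but the trailing `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def evaluate(req: AccessRequest, raw_value: str) -> Decision:
    """Apply the contextual rules in order, most restrictive first."""
    if req.field not in SENSITIVE_FIELDS:
        return Decision("allow", "field not classified as sensitive", raw_value)
    # Lower environments get masked values even for privileged roles.
    if req.environment != "PROD":
        return Decision("mask", f"sensitive field in {req.environment}", mask(raw_value))
    external = not is_internal(req.source_ip)
    # Privileged role, off-hours, from outside the network in a non-allowed country: refuse.
    if (req.role in PRIVILEGED_ROLES and external
            and not within_business_hours(req.at)
            and country_of(req.source_ip) not in ALLOWED_COUNTRIES):
        return Decision("deny", f"privileged access off-hours from {country_of(req.source_ip)}")
    # Anyone outside the network must satisfy step-up MFA before a sensitive field is shown.
    if external and not req.mfa_passed:
        return Decision("step_up_mfa", "external access to sensitive field without MFA", mask(raw_value))
    # Inside (or MFA satisfied): masked by default; the reveal is a conscious, logged act.
    if not req.reveal_clicked:
        return Decision("mask", "value masked; click to reveal", mask(raw_value))
    return Decision("allow", "user explicitly revealed the value", raw_value)


def run_scenarios() -> dict:
    """Constructed requests covering each rule; returns {scenario: action}."""
    acct = "1234567890"
    cases = {
        "admin_midnight_cn": AccessRequest("padmin", "PAYROLL_ADMIN", "203.0.113.5", time(0, 15), "PROD", "BANK_ACCT_NUM"),
        "admin_day_external_no_mfa": AccessRequest("padmin", "PAYROLL_ADMIN", "198.51.100.7", time(10, 0), "PROD", "BANK_ACCT_NUM"),
        "admin_day_external_mfa_reveal": AccessRequest("padmin", "PAYROLL_ADMIN", "198.51.100.7", time(10, 0), "PROD", "BANK_ACCT_NUM", mfa_passed=True, reveal_clicked=True),
        "clerk_internal_no_reveal": AccessRequest("jdoe", "HR_CLERK", "10.1.2.3", time(10, 0), "PROD", "BANK_ACCT_NUM"),
        "clerk_test_env": AccessRequest("jdoe", "HR_CLERK", "10.1.2.3", time(10, 0), "TEST", "BANK_ACCT_NUM", reveal_clicked=True),
        "clerk_non_sensitive": AccessRequest("jdoe", "HR_CLERK", "10.1.2.3", time(10, 0), "PROD", "LAST_NAME"),
    }
    return {name: evaluate(req, acct).action for name, req in cases.items()}


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:32s} -> {action}")
```

The rule order matters: the environment check runs before any role logic so that a payroll administrator cloning a page in TEST never sees real account numbers, and the deny rule runs before the MFA rule so that a second factor cannot be used to "buy" access the policy has already decided is too risky. Each Decision carries a reason string so the same call site can feed the access log.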

The keys to maintaining an effective data protection strategy are:

  • Catalog and classify your sensitive data and processes across all applications
  • Apply controls around that data and those processes to limit access to only those who need to see it, and only when they need to see it
  • Implement an effective logging strategy that provides granular access activity reporting and alerting

Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.


Sensitive Data Security: It’s All About the Logging

By Scott Lavery • April 19, 2019

Well, in today’s post it is all about the logging. In a future post it will be all about the alerting.

Sensitive data.  What is it?

While there are some obvious types of data that should be considered sensitive (bank account information, social security numbers, dates of birth, private health records), most companies are expanding that population of classified sensitive data to include financial information, intellectual property records and other designated data that would represent a risk if exposed.

Sensitive data is typically managed and stored in applications. In our connected world, users connect to those applications from a variety of devices that may or may not be inside the corporate network, and they typically connect via a web browser, the most common application in our internet-driven world.

Bottom line, those applications are now open to a much larger population of users. They are also exposed to any potential bad actor with a web browser.

Adding to the challenge, many of the applications that house sensitive data were designed and deployed in the pre-internet days, when access was limited to a few select individuals behind the walls of the corporate network. Security controls back then didn’t account for opening those applications to the world.

But the end goal hasn’t changed. Data needs to be protected. Sensitive data really really needs to be protected. 

The key to protecting that population of sensitive data is applying controls that limit access to that data to only those individuals that need to see it, and only when they need to see it.

The question becomes, how do you monitor the effectiveness of those controls? And how do you respond in a timely manner when those controls are subverted or bypassed?

This is where effective logging comes into play. And by effective, I mean comprehensive and tailored to formats that enable easy searching and investigation.

Let’s focus on access activity logging. What are some key components of an effective application access logging strategy?

  • Utilize an easily configurable logging framework that 1) contextually understands all components of the access transaction (who, from where, when, which page, which field, what outcome), and 2) offers a comprehensive set of capturable tokens representing all those components.
  • Utilize a framework that offers flexible output options allowing specific and granular logging around definable access activities such as high privilege logins, failed login attempts and sensitive data exposure.
  • Utilize a framework that can store logs in customizable formats to feed a designated SIEM (Security Information and Event Management) platform such as Splunk, ArcSight and/or QRadar. In the absence of a SIEM, the framework should support storage in syslog or CSV formats.
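The three components above, and the Application Activity Logging section of the June post, describe the same thing: capture a fixed set of contextual tokens per access transaction, write them in a format a SIEM can ingest, and then look for the activities that matter. The Python below is an added example written for this page, not Appsian’s logging framework; the token set, the syslog enterprise ID (32473 is the IANA-reserved example value), the host name and every sample event are constructed.

```python
"""Access-activity logging and a first-pass detection over it (added example, not
Appsian's framework). The token set, the syslog enterprise ID (32473 is the IANA
example value), the host name and every sample event are constructed."""
import csv
import io
from collections import Counter
from dataclasses import asdict, dataclass, fields


@dataclass
class AccessEvent:
    """One access transaction with the contextual tokens worth capturing."""
    ts: str        # ISO-8601 timestamp, UTC
    user: str
    role: str
    src_ip: str
    page: str      # component or navigation path
    field: str     # empty when the event is not field-specific
    action: str    # LOGIN_OK, LOGIN_FAIL, VIEW, REVEAL, EXPORT
    outcome: str   # ALLOW, MASK, DENY
    session: str


FIELDNAMES = [f.name for f in fields(AccessEvent)]


def _sd_escape(v: str) -> str:
    # RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']'
    return v.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(ev: AccessEvent, host: str = "erp-web-01", app: str = "erp-access") -> str:
    """RFC 5424 line; tokens go in one structured-data element so a SIEM can parse them."""
    sd = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in asdict(ev).items())
    # PRI 134 = facility local0 (16 * 8) + severity informational (6)
    return f"<134>1 {ev.ts} {host} {app} - ACCESS [erp@32473 {sd}] -"


def to_csv(events) -> str:
    """CSV with a header row, the fallback format when no SIEM is in place."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDNAMES, lineterminator="\n")
    w.writeheader()
    for ev in events:
        w.writerow(asdict(ev))
    return buf.getvalue()


def parse_csv(text: str):
    """Inverse of to_csv, so stored logs can be re-loaded for investigation."""
    return [AccessEvent(**row) for row in csv.DictReader(io.StringIO(text))]


def detect(events, fail_threshold: int = 3,
           privileged_roles=frozenset({"HR_ADMIN", "PAYROLL_ADMIN"})):
    """Three detections the post singles out: repeated failed logins, high privilege
    logins, and sensitive data exposure (an allowed REVEAL/EXPORT of a named field)."""
    alerts = []
    fails = Counter((e.user, e.src_ip) for e in events if e.action == "LOGIN_FAIL")
    for (user, ip), n in sorted(fails.items()):
        if n >= fail_threshold:
            alerts.append(("BRUTE_FORCE", f"{n} failed logins for {user} from {ip}"))
    for e in events:
        if e.action == "LOGIN_OK" and e.role in privileged_roles:
            alerts.append(("PRIVILEGED_LOGIN", f"{e.user} ({e.role}) from {e.src_ip}"))
        if e.action in ("REVEAL", "EXPORT") and e.outcome == "ALLOW" and e.field:
            alerts.append(("SENSITIVE_EXPOSURE",
                           f"{e.user} {e.action} {e.page}.{e.field} from {e.src_ip}"))
    return alerts


# Constructed sample events (not real data).
SAMPLE = [
    AccessEvent("2019-04-19T13:00:01Z", "jdoe", "", "198.51.100.7", "LOGIN", "", "LOGIN_FAIL", "DENY", "s1"),
    AccessEvent("2019-04-19T13:00:04Z", "jdoe", "", "198.51.100.7", "LOGIN", "", "LOGIN_FAIL", "DENY", "s1"),
    AccessEvent("2019-04-19T13:00:09Z", "jdoe", "", "198.51.100.7", "LOGIN", "", "LOGIN_FAIL", "DENY", "s1"),
    AccessEvent("2019-04-19T13:02:10Z", "padmin", "PAYROLL_ADMIN", "10.1.2.3", "LOGIN", "", "LOGIN_OK", "ALLOW", "s2"),
    AccessEvent("2019-04-19T13:03:42Z", "padmin", "PAYROLL_ADMIN", "10.1.2.3", "PAYROLL_DIRECT_DEPOSIT", "BANK_ACCT_NUM", "VIEW", "MASK", "s2"),
    AccessEvent("2019-04-19T13:03:58Z", "padmin", "PAYROLL_ADMIN", "10.1.2.3", "PAYROLL_DIRECT_DEPOSIT", "BANK_ACCT_NUM", "REVEAL", "ALLOW", "s2"),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE))
    print(to_syslog(SAMPLE[-1]))
    for kind, detail in detect(SAMPLE):
        print(kind, detail)
```

Note that the masked VIEW in the sample does not raise an exposure alert but the subsequent REVEAL does: logging the outcome token alongside the action is what lets an auditor answer "who actually saw this employee’s bank account" rather than "who opened the page". Keeping the same token set in both the syslog and CSV outputs means the detection logic is identical whether it runs in a SIEM or over a flat file.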

Introducing an effective logging framework is a key component in an application security strategy.  It is especially critical when dealing with legacy applications where the built-in logging capabilities are limited and not very configurable.

Reach out to info@stgappsian.wpengine.com and let us show you how Appsian can help bolster your application logging capabilities.

