PeopleSoft and the Future of ERP
In this two-part series, GreyHeller founders Larry Grey and Chris Heller, both former early PeopleSoft Technical Strategists, will discuss ERP trends and how they affect PeopleSoft customers. Part I will discuss Gartner’s recently published 2015 Strategic Road Map for Postmodern ERP and how the opportunities and challenges affect PeopleSoft customers. Part II will be a demo-intensive session showing how GreyHeller customers are meeting these challenges today.
Part I
July 15 • 11am PST
According to Gartner, monolithic ERP solutions are being deconstructed into postmodern ERP, which will result in a more federated, loosely coupled ERP environment with much of the functionality sourced as cloud services or via business process outsourcers. This direction is driven by a need to support strategic, organization-wide functionality that is more flexible, secure, integrated, and modern.
Where does this leave you as a PeopleSoft customer? Do you need to replace PeopleSoft to achieve the architecture and benefits to drive your organization in the future, or do you have an option to leverage it along with other cloud-based solutions?
This session will answer these questions as well as describe how PeopleSoft can be part of a hybrid approach to utilizing PeopleSoft and the cloud:
- Where PeopleSoft fits
- Integration considerations, including data and security
- User experience modernization
- Lifecycle Management and compliance
- Control over functionality and infrastructure
Part II
July 29 • 11am PST
This session will discuss how GreyHeller customers are using our technology today to make PeopleSoft an effective part of their postmodern ERP roadmap. This demo-intensive session will include customer case studies and product demonstrations that illustrate how to flexibly and safely retain your PeopleSoft investment by evolving its role from being a monolithic application to a key component of your hybrid ERP architecture.
- Security: how to protect your most sensitive data and processes in an ever-evolving cybercrime landscape
- Identity Management: how to leverage multiple identity providers for your different constituents — Candidates, Vendors, Employees using solutions such as Facebook, LinkedIn, Azure, and on-premise resources
- User Experience: how to provide a seamless solution that is modern, looks consistent across cloud and on-premise components, and is easy to use
- Flexibility: how to evolve the functionality you deploy rapidly
- Lifecycle Management: how to keep up with new updates (driven by regulatory or business value requirements) while keeping a low TCO
- Integration: how to control all of the integrations between each of the components
Put the Appsian Security Platform to the Test
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
What you should know about PS_TOKEN vulnerabilities and how to prevent them
If you weren’t in Amsterdam last week, you missed out on a session at the Hack in the Box conference that is sure to be of interest to PeopleSoft customers. Presenters from ERPScan presented their latest findings in ERP vulnerability research and how PeopleSoft is affected.
The most critical of their findings is that the PeopleSoft-specific PS_TOKEN cookie can be brute-forced to recover the internal password used to sign the cookies. This means that an attacker could generate their own PS_TOKEN cookies at will for whatever user name they choose.
Fear not though; there are ways to make sure that your PeopleSoft system is secure.
What is a PS_TOKEN cookie?
For those that aren’t familiar, the PS_TOKEN is what PeopleSoft uses to verify that someone has been authenticated by a PeopleSoft system. It is not the same as the regular session cookie that identifies a given login session, but is one of the mechanisms for establishing a new session. For example, someone might log in to a PeopleSoft system for Financial data, receive a PS_TOKEN cookie, and then when accessing a PeopleSoft system for Human Resource data, the PS_TOKEN cookie allows them access without needing to log in again for the HR system.
This works by defining in the PeopleSoft configuration which nodes are considered to trust each other. In the example above, where someone logged in to the Financials system and was then given a PS_TOKEN cookie, the HR system would only allow that person to continue without authentication if 1) the node that created the cookie (the Financials system) is in the list of nodes that the HR system trusts, 2) the PS_TOKEN cookie has not expired (the default expiration is 8 hours, but this is configurable), and 3) the user account that the PS_TOKEN cookie was issued for exists in the HR system.
How can you mitigate the risk?
Unfortunately, generating a PS_TOKEN cookie when someone logs in is hard-coded into PeopleSoft, even if you don’t have multiple PeopleSoft systems. In theory, you can remove all nodes from the trusted node table so that the generated PS_TOKEN can’t be used for establishing new sessions, but this has an impact on some system level functionality as well (e.g. reporting functionality stops working), which makes that impractical.
It turns out though that you don’t even need a PS_TOKEN cookie to work in PeopleSoft. Who knew?!? You can test this yourself by logging in to a PeopleSoft environment with a browser that allows deleting individual cookies, such as Google Chrome, and removing the PS_TOKEN cookie after you have logged in. Everything will continue working properly.
Deleting the cookie manually is not viable either though. Removing it automatically is something that you can do with the Appsian Security Platform for PeopleSoft. You can remove the PS_TOKEN for just the public browsing sessions or for all users if you don’t rely on the PS_TOKEN cookie to transfer users between different PeopleSoft systems.
You can also create rules in the Security Platform that let you allow use of the PS_TOKEN on your internal network, but block it from external users.
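The internal-versus-external rule described above, sketched as the filtering logic a reverse proxy in front of PeopleSoft could apply. This is an added example, not Appsian's or PeopleSoft's code; the network ranges, function names and sample headers are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: constructed internal ranges for illustration; substitute your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
BLOCKED = "PS_TOKEN"


def is_internal(peer_ip):
    """True if the TCP peer address seen by the proxy is on a trusted network.

    Pass the socket peer address, not a client-supplied X-Forwarded-For value.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable address: treat as external
    return any(addr in net for net in INTERNAL_NETS)


def _is_blocked(cookie_pair):
    # Compare case-insensitively so variants such as "ps_token" are also dropped.
    return cookie_pair.split("=", 1)[0].strip().upper() == BLOCKED


def filter_request_cookies(cookie_header, peer_ip):
    """Remove PS_TOKEN from an inbound Cookie header for external clients,
    so a token presented from outside never reaches the web server."""
    if is_internal(peer_ip):
        return cookie_header
    pairs = [p.strip() for p in cookie_header.split(";") if p.strip()]
    return "; ".join(p for p in pairs if not _is_blocked(p))


def filter_response_cookies(set_cookie_headers, peer_ip):
    """Remove Set-Cookie: PS_TOKEN=... from responses sent to external clients,
    so the token is never handed to a browser outside the internal network."""
    if is_internal(peer_ip):
        return list(set_cookie_headers)
    return [h for h in set_cookie_headers if not _is_blocked(h)]


# Constructed sample headers (not captured from a real system).
SAMPLE_COOKIE = "APPSESSION=abc123; PS_TOKEN=AAAA; lang=en"
SAMPLE_SET_COOKIE = [
    "PS_TOKEN=AAAA; Path=/; Secure",
    "APPSESSION=abc123; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for ip in ("10.4.5.6", "203.0.113.7"):
        print(ip, "request ->", filter_request_cookies(SAMPLE_COOKIE, ip))
        print(ip, "response ->", filter_response_cookies(SAMPLE_SET_COOKIE, ip))
```

Filtering both directions matters: dropping the response header keeps the token out of external browsers, and dropping the request cookie means a PS_TOKEN presented from outside is never evaluated.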
How about external authentication such as Kerberos/Shibboleth/OAuth2?
If you already have PeopleSoft configured for external authentication, then you definitely don’t need the PS_TOKEN cookie to pass users between different PeopleSoft systems. Once the person crosses from one system to the other, your external authentication kicks in and automatically logs them in to the other environment.
Doesn’t Two Factor Authentication fix this?
If you require two factor authentication each time someone logs in to PeopleSoft, then this greatly reduces the exposure from an attacker being able to generate their own PS_TOKEN cookies. They would be able to start a session, but then would be immediately challenged for the second factor of authentication.
The Appsian Security Platform for PeopleSoft supports requiring a two factor challenge at authentication time, but one issue is that usability suffers dramatically when constantly requiring a second factor at login time. In fact, what we typically see with Appsian customers implementing the Security Platform is that it is preferred to wait until someone accesses sensitive data/actions before requiring the additional factor of authentication. This strikes a balance between locking things down and the user experience.
What about using a stronger hashing algorithm?
A stronger hashing function will help, but less than you think. If you look at tools like oclHashcat, they show that breaking an SHA-256 hash runs at about 40% of the speed of breaking an SHA-1 hash. Breaking an SHA-512 hash runs at about 14% of the speed of breaking an SHA-1 hash.
So if it would have taken someone 8 hours before to break an SHA-1 hash, now they have to wait overnight in order to break an SHA-256 hash. Or they have to wait a few days to break an SHA-512 hash. Not a big deal if full access to a PeopleSoft environment as any user is the prize.
The other thing to keep in mind is that you can now rent GPU instances from Amazon with over 1500 cores in them and breaking hashes is something that is, as they say, embarrassingly parallel.
For additional information on the Security Platform or Appsian visit www.appsian.com.
GreyHeller Annual ERP Upgrade Survey Results
At GreyHeller we speak with hundreds of ERP systems customers every year across all industries. Because we develop and license enterprise-class software products that modernize and secure PeopleSoft, we work closely with them on whether they should stay with their current, older system or migrate to a newer, more modern ERP system.
In order to help ERP customers understand what their peers are doing, we surveyed over 12,000 ERP customers – across all major platforms – about their degree of customization as well as their plans to upgrade.
- 75% of survey respondents have moderately or highly customized their ERP systems
- 57% of survey respondents have no plans to upgrade their ERP systems in the next 2 years or ever
ERP systems are designed to suit a broad range of industries. The 75% with moderately or highly customized ERP systems built those customizations to specifically address their unique requirements with the key benefits being efficiency/cost savings, competitive advantage, user adoption and security against cyber crime. Considering that an average ERP implementation costs over $7 million, takes nearly 17 months to complete and delivers less than 50% of expected benefits (Panorama Consulting), it makes total sense that 57% have no plans to upgrade their systems in the next 2 years, or ever.
Let’s consider this: according to Cedar Crestone’s 2013-14 HR Systems survey, the #1 reason organizations switch to a modern ERP system is to improve user experience.
Let’s also consider this: according to FBI Director James Comey, there are 2 types of organizations in the US – those that have been breached and those that don’t know they’ve been breached.
Eureka! If the 75% could modernize and secure while maintaining their customizations, and the 57% could offer their users a more modern, secure user experience, organizations could avoid costly migrations to new ERP platforms and eliminate the risk of a failed or underwhelming project…would that not be the most desirable outcome?
We think so.
Of course, our software does exactly that. We focus on modernizing and securing PeopleSoft. We help PeopleSoft ERP customers deliver a richer, more modern user experience while protecting their PeopleSoft assets from cyber crime. Our customers save millions of dollars by not replacing PeopleSoft. Their users are happy. Their customizations remain intact. Cyber criminals are thwarted from stealing sensitive data.
For more information, or to schedule a private PeopleMobile® demo, contact us.
Click here to take part in our Annual ERP Security Survey. Your input is valuable and can help protect organizations from internal and external threats.
GreyHeller Security & Mobile Webinar Series
4/22 Protecting PeopleSoft for Self Service
Time: 11am PST / 2pm EST
Description: Your employees are demanding better access to their pay, benefits, time and labor. Oracle is delivering Fluid UI self service transactions to extend the usability on mobile devices. How do you provide access while mitigating security risks — without compromising usability?
This demo-intensive session will describe techniques for providing and controlling access to PeopleSoft from untrusted locations, techniques for mitigating the impacts of phishing attacks and compromised credentials, and techniques for analyzing system access.
4/29 Protecting PeopleSoft for High Privilege Access
Time: 11am PST / 2pm EST
Description: According to a Kroll Advisory report, 70% of all cyber cases involving theft were perpetrated by company insiders. How do you ensure that your high privilege users can perform the tasks needed while mitigating security risks – without compromising productivity?
This demo-intensive session will describe techniques for reducing or eliminating data leakage, controlling administrative access based on differentiated levels of trust, controlling access to information for high profile employees, and analyzing administrative use.
5/6 GreyHeller + Modo Labs: Mobilizing and Modernizing PeopleSoft HCM and Financials
Time: 11am PST / 2pm EST
Description: Learn how leading commercial entities are using PeopleMobile® to breathe new life into their current PeopleSoft application by providing a modern, easy to use experience to their employees and managers.
In this demo-intensive session, we will show how you can deploy any PeopleSoft page in a modern-responsive manner that will plug-and-play into native applications and portals with minimal effort. We will demonstrate key use cases in recruiting, absence management, benefits, payroll, time and labor, performance management, manager self service, and workflow. We will also demonstrate how the Kurogo™ Server allows PeopleSoft content to be embedded into a native application to deploy rich native applications that can combine maps, geo-location attributes, push notifications, and micro-applications without writing code.
5/13 GreyHeller + Modo Labs: Mobilization for Higher Education
Time: 11am PST / 2pm EST
Description: Learn how leading higher education institutions are using PeopleMobile® and the Kurogo™ Server to provide a modern, easy to use mobile/responsive experience to their students, faculty and employees.
In this demo-intensive session, we will show you how you can deploy any PeopleSoft page into a native application to provide rich native applications that can combine maps, geo-location attributes, push notifications, and micro-applications without writing code. We will cover a wide variety of Student/Faculty and HCM use cases as well as the following:
- Creating a new module – new student orientation
- Leveraging data from LMS, maps, bus tracking, computer lab usage (and more) into apps
- Student Self-Service
- Employee Self-Service
- Andrew and Larry will deep dive on the Kurogo™ Mobile Campus and PeopleMobile® integration and answer questions from the audience.
The Big Disconnect
Is it ignorance? The ostrich strategy? Breach fatigue?
Whatever, the data are mind-boggling.
In a recent Raytheon-Ponemon survey of 1006 CIOs, CISOs and senior IT leaders, 78 percent said that their boards of directors hadn’t received a briefing on their companies’ cybersecurity strategy in the previous 12 months and 66 percent think that leadership doesn’t see cybersecurity as a strategic priority.
Whatever the cause, this signals a huge disconnect between CISOs and other C-level executives around investing in security technology.
Even as reports of attacks make headlines almost daily, executives struggle to view security investments as prudent. As a result, a lot of security technology ends up sitting on a shelf.
To answer my own questions – I believe it’s all three but that the tide is slowly turning in our favor (even as Auburn University reports more than 364k student records were breached).
There isn’t a one-size-fits-all security solution. CISOs are challenged with stitching together a security fabric while convincing CEOs and Boards that their organization hasn’t spent enough on security.
As for GreyHeller, we’re out there slaying the dragons one PeopleSoft customer at a time, implementing the most robust set of security solutions available to protect ERP sensitive data….Data Masking. 2-Factor Authentication. Location-Based Security. High Privileged User Access Control. VIP Access Protection. Delegate Access Control. Logging. Analytics.
Bam!
GreyHeller at Collaborate15 - Las Vegas
GreyHeller is thrilled to showcase our Mobile and Security solutions at Collaborate 2015. From announcing new partnerships, to launching your institution’s mobile strategy, to practical ways to protect your ERP systems, we’ll be available to demo our solutions and answer your questions.
Turn your employees into fans of your PeopleSoft application. PeopleMobile® provides a modern, easy to use experience that your employees will love.
- Provide a beautiful mobile and desktop experience that matches your brand identity
- “Plug and Play” your PeopleSoft content with mobile applications and portals
- Transform any of PeopleSoft’s 6,000 pages, including customizations
- Implement quickly and easily using your existing PeopleSoft version and infrastructure
- Leverage your employees’ existing PeopleSoft skills for implementation and support
Key Features
- Responsive Design
- Automatically transforms any PeopleSoft page
- Adapts to customizations and new PeopleSoft releases
- Compatible with PeopleTools 8.45 and greater
Protect and secure your organization and your PeopleSoft investment. ERP Firewall mitigates internal and external risks while lowering total cost of ownership.
- Control access outside the perimeter
- Reduce or eliminate data leakage
- Protect against compromised credentials
- Empower security administrators with visibility into system use including incident response
- Protect against misuse of personal information for high profile students by administrators
Key Features
- Data Masking
- 2-Factor Authentication
- Location Based Security
- VIP Data Protection
- Delegate Access
- Logging & Analysis
Visit booth 636 at Collaborate 2015 for more information on our Mobile and Security solutions and to check out how our products work with our partners’ solutions: GreyHeller + Modo Labs and GreyHeller + Duo Security.
GreyHeller Sessions and Customer Sessions @ Alliance2015
GreyHeller is thrilled to showcase our Mobile and Security solutions and our customers’ sessions at Alliance 2015. From announcing new partnerships, to launching your institution’s mobile strategy, to practical ways to protect your ERP systems, there’s a session that fits your needs.
Also joining us, Shelley Nelson, VP, Services and Greg Wendt, Executive Director of Security Solutions. Shelley is responsible for Customer Implementation and Support and will be available in our booth to discuss ongoing customer projects and answer questions about implementation best practices for our Mobile & Security products. Greg was past Chairman of the TAG and will be available in our booth to discuss Security and best practices to protect your institution from cybercrime.
3/16 ERP Security Analytics & Intrusion Prevention
Session: 34465
Time: 2:15p – 3:15p
Presenter: Larry Grey, President and Greg Wendt, Executive Director
Description: ESAIP – based on our ERP Firewall technology – secures your PeopleSoft data with prebuilt dashboards, alerts, and analytics based on automated, enterprise-wide event data collection.
3/17 Modo Labs + GreyHeller: Together, Making the Impossible, Possible
Session: 34467
Time: 1:00p – 1:30p
Presenters: Larry Grey, President and Andrew Yu, Founder & CTO, Modo Labs
Description: GreyHeller and Modo Labs have partnered to deliver powerful mobile solutions to PeopleSoft customers. Join us for a brief demonstration of the deep integration between PeopleMobile® and the Kurogo™ Mobile Campus. The demonstration will include Student/Faculty and HCM use cases and disclose how your organization can benefit from our groundbreaking partnership.
3/16 Mobile My Madison – PeopleSoft Mobile at James Madison University
Session: 34402
Time: 2:15p – 3:15p
Presenter: Tariq Rabie, Applications Development and Support, James Madison University
Description: JMU recently implemented mobile access to self-service components of PeopleSoft Interaction Hub, Campus Solutions and Human Capital Management in a short timeframe, implementing GreyHeller’s PeopleMobile® product. Learn how in approximately 2 months, JMU provided a pilot mobile deployment and then turned around in approximately 2 additional months to provide full access of its customized PeopleSoft environment to its students.
3/17 Mobilizing the Student Service Experience – UT Dallas and PeopleMobile®
Session: 34141
Time: 3:15p – 4:15p
Presenter: Ryan Meyers, Business Analyst/Developer IV, University of Texas at Dallas
Description: UT Dallas recently implemented the first component of its overall mobile strategy. At this session we will present UTD’s overall mobile strategy and how UTD is delivering PeopleSoft on mobile devices to its students and faculty. This session will include a demonstration of UTD’s mobile system. It will include a discussion on UTD’s technology evaluation, implementation best practices and lessons learned during the project.
3/16 GreyHeller Application Firewall – enhance security!
Session: 34635
Time: 3:45p – 4:45p
Presenter: Sharron Bouquin, Auxiliary Services Development Manager, University of North Carolina at Chapel Hill
Description: UNC-CH implemented the GreyHeller ERP Firewall, providing an enhanced level of security to its applications. At this session UNC-CH will present how they implemented the product, provided additional levels of security and filled some unique gaps! They will also cover ‘next steps’ with their implementation plans.
3/17 Protect your Users and Data in PeopleSoft with 2 Factor Authentication
Session: 34388
Time: 1:45p – 2:45p
Presenter: Ryan McDaniel, Assistant Director of Identity and Access Management, University of Colorado
Description: The UC has successfully implemented 2 factor authentication using ERP Firewall and Duo Security. Come by for an overview of their implementation, demonstration of functionality, and plans for the future.
US CEO Survey from PWC
Naturally, we’re pleased that our products address 2 of the most strategically important technologies per this 2015 CEO survey by PwC: Mobile & Cybersecurity.
Executive Order 13636 promotes industry collaboration on cybercrime
Now we’re getting somewhere…
Obama recently signed Executive Order 13636 to much fanfare at Stanford University. Of particular interest to us is encouragement of the creation of information-sharing groups, called hubs, built around vertical industry sectors.
We’re getting ready to release Phase 1 of our ERP Security Analytics & Intrusion Prevention platform (ESAIP) to our Early Adopter customers. As an extension of our ERP Firewall product (currently in use at more than 30 customers), ESAIP includes a Big Data component that aggregates anonymized data across all ESAIP customers, essentially creating a “common denominator” foundation for sharing of ERP event data.
You can think of ESAIP as a “neighborhood watch” for ERP – a cyber threat at one ESAIP customer is automatically shared with all ESAIP customers.
Therefore, ESAIP offers a real-world platform that supports Executive Order 13636’s directive for organizations to share cyber threat data.
Think NORAD for ERP. Stay tuned…..