Best Practices for Approaching Oracle Cloud Applications – March 29th Gartner Report

By Scott Lavery • May 8, 2018

Gartner recently released a report addressing the speculations around Oracle’s on-premise and cloud ERP applications. Focusing on Oracle ERP customers’ frequently asked questions, the report is aimed at helping CIOs make informed decisions on whether Cloud applications are a viable replacement for their on-premises suites. Here are the most important takeaways and highlights from the report:

On-premises ERP suites are not at the “end-of-life” stage.

From thousands of client interactions, Gartner concluded that Oracle’s ERP customers are unsure about Oracle’s commitment to its on-premises suite. To put their doubts to rest, Gartner highlighted several factors that reiterate Oracle’s continued investment in their on-premise applications:

Revenue from on-premise applications remains strong

“Oracle’s on-premises suites are not at the end-of-life stage” assures Gartner. “Oracle receives the majority of its software license revenue from customers paying for maintenance, and new sales of its on-premises products,” (68% and 65% in 2016 & 2017 respectively). According to Oracle’s co-founder Larry Ellison, “Oracle spends over $5 billion per year on research and development (R&D) and continues to invest in all its on-premises application products.”

Fluid symbolizes the future for (on-premise) PeopleSoft 

Specific to PeopleSoft, the report mentions that the “…extended Support timeline for PeopleSoft is stated through at least 2027,” and with the launch of enhancement features such as Fluid UI for PeopleSoft, Oracle continues to demonstrate its investment in its existing on-premise ERP applications.

Best Practice: Map Your Business Requirements Against the Maturity of Oracle’s Cloud Applications

According to Gartner, Oracle’s cloud applications are the inevitable future of ERP functions, but having been released to different timetables, cloud applications have differing levels of maturity and may not (at this time) offer true parity with Oracle’s legacy on-premise suite. As a best practice, Gartner recommends that decision-makers consider the development roadmap of the respective cloud applications and avoid confusing the desire to source a new technology with the objective of fulfilling a specific business requirement. In other words, “a full ‘rip and replace’ of your current applications may not be your best option.” Gartner goes on to urge customers to map business requirements carefully against the maturity of Oracle’s cloud applications and to ensure that present-day business objectives can be met, so that costly and unexpected change management can be avoided. In addition, the report offers a detailed outline of various situations and the appropriate actions for ERP customers using Oracle’s on-premise suites.

Best Practice: “Take the postmodern approach”

Gartner emphasizes that the decision to move to the cloud must be based solely on the value proposition cloud applications offer over existing on-premises applications. While talking about moving to Cloud applications “as part of a business transformation initiative” Gartner asks decision makers to be aware of “the risks and limitations of recent releases.” Instead of a complete “rip and replace” Gartner suggests a “postmodern approach,” where an organization could decide to replace only parts of their on-premises footprint. Gartner also advises Oracle customers to not “assume that the level of expertise that exists for application support and implementation services for on-premises suites also exists for cloud applications.”

Summary

As stated above, while the future appears to be headed towards the cloud, the fact remains that a “look before you leap” approach is recommended. A cloud migration project must begin with a thorough evaluation of your business objectives in order to ensure proper alignment between the cloud technology you are adopting and the expected results. Change management can add significant cost and disruption to a project, and while complete elimination of change management is impossible, the more evaluation you undergo prior to the start of a migration project, the more likely you are to avoid “budget busting” surprises.

So, consider the postmodern approach – what objectives do you need to achieve today vs. what do you need to achieve 5 years from now? Are there specific ERP functions that are working just fine today? If not, are there lightweight optimizations that can be done in the meantime to enhance current functionality? Gartner recommends a postmodern approach in order to avoid a scenario where you go “all in” on the cloud and are left to address an unexpected mess.

Appsian is here to help you make PeopleSoft exceptional. Email us at info@stgappsian.wpengine.com and let us know how PeopleSoft can be working better for you today!       

Access the full version of the report HERE

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Adopting Cloud: Fact or Myth – “Hybrid as a Best Practice”

By Scott Lavery • September 6, 2017

Stop me if you’ve heard this one…

“Do you want to get the most from your ERP? Then you must move to the cloud. Your bottom line will appreciate it, your users will appreciate it, and your IT security team will appreciate it.” Sounds like a pretty good deal, right?

In our upcoming blog series, we examine some of the most popular cloud adoption myths. By myths, we mean that there is a flipside to every story – and the cloud is no exception.

It’s important to note that we are not “anti-cloud.” Cloud HR functions serve an important purpose, and while there are undoubtedly benefits to moving some functions to the cloud –  it’s important to not get too caught up in the hype.  So, before you undergo a traumatic “rip and replace” of your core ERP and trade it in for that shiny cloud product – we invite you to stop and take a quick breath.

Hybrid as a Best Practice

From Gartner in their 2016 report, “…the extreme of having nothing cloud-based will largely disappear with Hybrid being the most common usage of the cloud.” As organizations determine specific business cases that are best served by a cloud solution, the corporate “no cloud” policy will become increasingly obsolete. This approach is fully supported by GreyHeller and we contend that using specific business cases to guide your cloud migration initiatives is a best practice. With that being said, the business case for a “rip and replace” of your core HR function is rare and can come with many negative implications. This blog series serves to examine just some of those implications and discuss the negative consequences that can occur.

Stay tuned as we release additional blogs in our upcoming “Adopting Cloud: Fact or Myth” blog series, where we address the truths behind:

  • Cloud as a platform for Innovation
  • Improving security via the cloud
  • Offloading operational costs
  • Market trends towards cloud adoption


PS_TOKEN, Phishing and Peoplesoft

By Chris Heller • December 2, 2015

After the PS_TOKEN threat vector was announced at Hack in the Box Amsterdam in May 2015, security organizations started adding specific tests for PS_TOKEN into their penetration test portfolio. Find out what this means to your organization.

Phishing and spear phishing attacks are specifically targeting PeopleSoft systems. Every month, organizations lose money to fraudulent direct deposit transactions.

Layered security within your PeopleSoft application is a must to protect against the known threats of today and the unknown threats of tomorrow.

In this session, Greg Wendt, Executive Director, Security Solutions, talks about numerous takeaways learned from GreyHeller’s PS_TOKEN assessments and how a layered security model keeps you protected. Topics include:

  • Mitigation options
  • Best practices
  • Lessons learned
  • Incident Response
  • Defense-in-depth for PeopleSoft


Oracle’s CVE-2015-4852 Update

By Greg Wendt • November 11, 2015

Since many PeopleSoft customers utilize WebLogic for their PeopleSoft environment, we wanted to highlight yesterday’s security alert. Oracle released an out-of-band security update for issues within Oracle WebLogic Server. Recommendations are to apply the patch and mitigation steps as soon as possible. While out-of-band security updates are rare, they are not unheard of. PeopleSoft customers need to review the update as soon as possible.

The CVSS (Common Vulnerability Scoring System) score of this update is 7.5. For reference, vulnerabilities are ranked from 0-10 based upon numerous factors, such as ease of execution. CVSS score ranges are Low (0 – 3.9), Medium (4.0 – 6.9) and High (7.0 – 10.0). The high base score of this update most likely led to the out-of-band patch being released.

As always if you ever have security questions, remember our assessment opportunity.

Stay safe and keep secure!


Automation of Identity Management Ensures Data Security

By Greg Wendt • October 15, 2015

Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss.  However, if they don’t focus on internal processes around their organization’s employees’ changing roles and responsibilities, organizations are missing a key area of risk.

Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency.  Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.

New employee onboarding

If done manually, the security implications of hiring a new employee can be daunting and prone to error. The provisioning process starts: computer access, ID and password, network access, and application access are all just the tip of the iceberg. HR processes have to be followed; FERPA or HIPAA tests need to be passed. Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.

To accomplish this, the hiring event starts the automated process of providing least privileged access. With this in place, new employees should only have access to the initial set of self-service functions, such as enrolling in benefits. This allows the account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks. Granting higher privileged access is covered in the next section.

Newly hired, promoted or transferred workers

When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.

To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities.  That way the system naturally mitigates privilege creep through job migrations.

Administrative access requests

Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application. Therefore, tracking the systems is absolutely critical. These high privileged users have access to the institution’s most prized data or intellectual property.

Organizations should establish a change control process over administrative privileges that may be project related or ongoing. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.

Terminations – there goes the data!

Termination is a critical security event. When an employee is terminated (whether voluntarily or involuntarily) the clock is ticking on restricting their access. An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.

To address this concern, access must be removed from numerous systems precisely and efficiently, especially for high privileged users. When an employee gives a two-week notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.

Automating this process involves tying the termination request to the modification of the user’s privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self-service HR functions. This has to be done immediately upon the termination event, and logging all access for these users is critical.
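
The lifecycle described in this post (least-privilege hire, job-code-driven changes, ticketed administrative grants, termination strip-down), sketched as an added example that is not Appsian's or PeopleSoft's own code. The role names, job codes and ticket id are constructed for illustration.

```python
from dataclasses import dataclass, field

# All role names and job codes below are constructed for illustration.
BASE_ROLES = frozenset({"SELF_SERVICE_BASE"})
JOB_CODE_ROLES = {
    "AP_CLERK": frozenset({"AP_ENTER_VOUCHER"}),
    "AP_MANAGER": frozenset({"AP_ENTER_VOUCHER", "AP_APPROVE_PAYMENT"}),
    "HR_ANALYST": frozenset({"HR_VIEW_EMPLOYEE"}),
}

@dataclass
class Account:
    user_id: str
    roles: set = field(default_factory=set)
    admin_grants: dict = field(default_factory=dict)  # role -> change ticket

def grant_admin(account, role, ticket, audit):
    """Administrative roles are never derived from job codes; require a ticket."""
    if not ticket:
        raise ValueError("administrative grant requires a change-control ticket")
    account.admin_grants[role] = ticket
    account.roles.add(role)
    audit.append({"user": account.user_id, "event": "admin_grant",
                  "role": role, "ticket": ticket})

def target_roles(account, event, job_code=None):
    """Full role set the account should hold after an HR event."""
    if event in ("hire", "terminate"):
        return set(BASE_ROLES)            # self-service only
    if event == "job_change":
        # Unmapped job codes fail closed to base access.
        job_roles = JOB_CODE_ROLES.get(job_code, frozenset())
        return set(BASE_ROLES) | job_roles | set(account.admin_grants)
    raise ValueError(f"unknown HR event: {event!r}")

def apply_event(account, event, job_code=None, audit=None):
    """Replace (not extend) the account's roles and record what changed."""
    audit = [] if audit is None else audit
    wanted = target_roles(account, event, job_code)
    added, removed = wanted - account.roles, account.roles - wanted
    if event == "terminate":
        account.admin_grants.clear()
    account.roles = wanted
    entry = {"user": account.user_id, "event": event, "job_code": job_code,
             "added": sorted(added), "removed": sorted(removed)}
    if event == "job_change":
        entry["unmapped_job_code"] = job_code not in JOB_CODE_ROLES
        # Ticketed grants survive a move but are flagged for re-approval.
        entry["admin_review"] = sorted(account.admin_grants)
    audit.append(entry)
    return added, removed

if __name__ == "__main__":
    log, acct = [], Account("jdoe")
    apply_event(acct, "hire", audit=log)
    apply_event(acct, "job_change", "AP_CLERK", log)
    grant_admin(acct, "SECURITY_ADMIN", "CHG-0001", log)
    apply_event(acct, "job_change", "HR_ANALYST", log)
    apply_event(acct, "terminate", audit=log)
    for line in log:
        print(line)
```

Because each event replaces the role set instead of adding to it, roles from a previous job code cannot accumulate, which is the privilege creep the post describes.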


Product Demo: Expense Report Creation

By Chris Heller • October 4, 2015


Customer Focus: UNC Chapel Hill and Verizon Webinar Series

By Chris Heller • September 18, 2015
Back by popular demand, join GreyHeller for its Fall Customer Focus Webinar Series to learn more about our customers’ Security and Mobile projects.  Learn how:
  • 9/30 UNC Chapel Hill Thwarts Cybercrime with ERP Firewall
  • 10/13 Verizon Makes PeopleSoft HCM Responsive with PeopleMobile®

Check out the details below!


SECURITY


9/30 UNC Chapel Hill Thwarts Cybercrime with ERP Firewall
Presenter: Sharron Bouquin, Auxiliary Applications Manager, Enterprise Applications
11am PST / 2pm EST

The University of North Carolina at Chapel Hill utilizes the GreyHeller Application Firewall to enhance application security and protect valuable data assets.  The intelligence provided by the GreyHeller Application Firewall enabled an invaluable shift in mindset from being reactive to proactively planning security measures. 

This webinar will focus on the steps the university took to:

  • Stop administrative users from insecurely accessing sensitive data
  • Protect against specific browser flaws like cross-site scripting and URL spoofing
  • Protect high profile departments
  • Increase actionable intelligence about end users’ behavior allowing knowledgeable business decisions
  • Lower their risk profile by implementing critical data protection rules across all development and production systems
  • Increase ROI by enabling increased end user satisfaction by securely delivering self-service and mobile access



MOBILE / USER EXPERIENCE


10/13 Verizon Makes PeopleSoft HCM Responsive with PeopleMobile®
Presenter: David Kelly, Director Systems Architecture at Verizon
11am PST / 2pm EST

This session will discuss how Verizon was able to provide mobile / responsive self service access to its 170,000+ workforce within a 4 month implementation timeframe.  This presentation will cover:

  • Overview of Verizon’s highly customized environment
  • Key Use Cases
  • Types of mobile access
  • UI standards and requirements
  • Implementation methodology
  • Lessons learned



For more information or to schedule a private demo, please contact us.


What is True Responsiveness?

By Chris Heller • September 16, 2015

Designed to intelligently move functionality based on available real estate, transforming the user experience.

What is True Responsiveness? Your employees and constituents expect to be able to do everything on their mobile device that they would on their desktop without compromising functionality: finding a contact, applying for a job, reviewing their pay stub, enrolling in a class, enrolling in benefits, or making a payment.

Read on to see examples of true responsiveness in action.

iPhone in portrait view vs. iPad

Let’s look at the weekly class schedule in Campus Solutions on two form factors: iPhone in portrait view vs. iPad.

In the header bar the “Week of” identification moves below on the mobile device because there isn’t enough real estate. On the iPad it extends across the page based on the same logic.

In the example above, the real estate allows for 2 columns of the class schedule on the iPhone while displaying 4 columns on tablet. Responsive design is not dependent on device type and instead flows intelligently based on available real estate.

Indicator dots appear when the entire week is not visible. This is because responsive design is not about making content smaller to fit on a page, but about rearranging it and presenting it in a useful manner to the end user.

In both of these examples the action buttons are fixed to the bottom of the screen, and visible at all times, to minimize vertical scrolling.

As you’ll notice, new device size doesn’t matter because breakpoints move fluidly based on the content.

iPhone vs. Desktop

This is how the desktop view changes based upon available real estate on a desktop computer.

As the screen becomes larger, you are able to see more at one time so the action buttons are relocated to the bottom right hand side of the screen. Additionally, in the desktop view, the navigation is expanded.

The “Week of” identification reflows based on real estate.

The hamburger menu is collapsed when there is less real estate, but ever present when there is more space.

The action buttons are fixed to the bottom of the screen to minimize vertical scrolling on smaller devices.

Indicator dots appear when the entire week is not visible. With larger views the entire week is visible and therefore the indicator dots and arrows are not present.

Bringing back the submenu navigation

True responsiveness is not stripping out functionality for smaller form factors.

For example, earlier versions of our Campus Solutions user experience eliminated the navigation tabs that are present throughout PeopleSoft Campus Solutions to save real estate.

Due to feedback from our customers, we reintroduced this functionality in a way that moved it out of the way but made it available when desired.


What you need to know about the reported PS_Token vulnerability

By Chris Heller • September 4, 2015

Appsian has been offering security assessments to both customers and non-customers around the potential of a PS_TOKEN configuration vulnerability. Over the past month, we have posted to our blog that PeopleSoft is arguably the most secure ERP platform on the market. The blog contains links to the PeopleSoft red paper and additional information about proper configuration of PeopleSoft to mitigate potential vulnerabilities of PS_TOKEN configuration.

In this session, Greg Wendt, Executive Director, Security Solutions, talks about numerous takeaways learned from our PS_TOKEN assessments. Topics include:

  • Mitigation options
  • Best practices
  • Lessons learned
  • Incident Response
  • Defense-in-depth for PeopleSoft
