On December 9, 2021, the Federal Trade Commission (FTC) published a final rule amending the requirements for safeguarding customer information under the Gramm-Leach-Bliley Act (GLBA) (the Safeguards Rule). The Safeguards Rule has long specified cybersecurity standards under which financial institutions must maintain customer information, including higher education institutions (thanks to their participation in the federal student financial aid program). This is a significant development for our Higher Ed customers because it effectively mandates any Title IV participating institution to follow the updated guidelines.

Obligatory disclaimer: This article isn’t legal advice. Instead, it is a high-level look at new security regulations that affect our higher education customers. Therefore, we recommend that you seek guidance from your legal department and other relevant experts.

Key Security Elements of the Updated Safeguards Rule

While the amendments still allow some flexibility, they now include detailed criteria that higher education institutions must implement. This includes more detailed requirements for developing and establishing an information security program. Here’s a brief look at some of the security elements from the updated Safeguards Rule that higher education institutions should be aware of:

• 314.4(c) Implement and maintain technical and physical access controls on customer information to limit access to authorized users and limit those users’ access to the scope of their authorizations.
• 314.4(c) Implement measures to “monitor and log the activity of authorized users” and to detect when they have accessed, used, or tampered with customer information outside the scope of their authorization.
• 314.4(c) “Implement multi-factor authentication for any individual accessing any information system.”
• 314.4(d)(2)—Implement continuous monitoring of “information systems” (as defined in 314.2) or annual penetration testing with vulnerability assessments at least every six months.
• 314.4(f)(3)—Periodically assess the information security risks that your institution’s service providers present and the adequacy of the safeguards they deploy to ensure that they are following the provisions of the Rule.
• 314.4(f)(3)—Periodically assess the information security risks that your institution’s service providers present and the adequacy of the safeguards they deploy to ensure that they are following the provisions of the Rule.

Appsian can help organizations with these requirements. Here’s how:

• Implementing fine-grained, dynamic (ABAC) controls while continuing to leverage the role-based controls that are already defined and in-use across the organization.
• Implementing dynamic MFA, not just at the perimeter but also at the application, transaction, and data level (inline.)
• Granular Activity Logging to provide visibility into data access and usage trends
• Real-time user activity monitoring to ensure that security controls are properly enforced
• Audit trail to aid investigation and remediation efforts

What Else is Included in the Updated Safeguards Rule

In addition to specific security controls, the amendments also include new requirements for risk assessments and new accountability and reporting requirements to boards of directors. We encourage you to review the revised regulations because some parts of the amendments may be more relevant to your institution’s needs than others. (pages 109–128 of this PDF document specifically cover the new rule)

Effective Date of the Updated Safeguards Rule

Due to the time required to implement many of the described provisions, the effective date of most above-described elements is December 9, 2022.

Next Steps

You don’t want to wait until the last minute to implement any of these security mandates. Contact us today to learn how we can help ensure that your information security program meets these new federal requirements.

Sources, References, and Further Reading: 

• “Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule,” by Jarrett Cummings, EDUCAUSE 
• “FTC Updates to “Safeguards Rule” Has Impacts for Higher Education Institutions,” by Sarah Pheasant & Jonathan Tarnow Faegre, Drinker Biddle & Reath LLP 
• Standards for Safeguarding Customer Information (PDF) by The Federal Trade Commission 

Following up on last year’s Executive Order to help improve the nation’s cybersecurity posture, the White House released a 30-page zero trust strategy document outlining several measures federal agencies must enact to secure systems and limits the risk of security incidents. 

The White House noted that the growing threat of sophisticated cyberattacks (for example, SolarWinds, ransomware, and Log4j vulnerability) underscores that the Federal Government “can no longer depend on conventional perimeter-based defenses to protect critical systems and data.” 

And neither should you. 

Instead, the Federal Government will focus on multifactor authentication as a critical part of its security baseline. In fact, strong authentication, as provided by a strong and dynamic MFA, is a necessary component of any zero trust strategy.  

What’s Good for the Feds is Good for the States 

If you’re a state or local government, I recommend that you review the White House’s zero trust strategy document. You won’t be bound by their mandated timelines, but the document is full of best practices and sound advice. Briefly, the security goals are based on the maturity model developed by the Cybersecurity and Infrastructure Security Agency. CISA’s zero trust model describes five complementary areas of effort (Image Source: White House):  

Again, all good advice. I want to point out two key actions mandated by CISA related to multifactor authentication: 

1. Federal Agencies “must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.”
2. MFA must be enforced at the application layer instead of the network layer.

Unfortunately, the majority of our clients in the government sector use ERP applications like PeopleSoft, SAP ECC, and Oracle EBS whose native architecture does not allow for the seamless integration of MFA solutions that can be A) integrated at the field/transaction levels of workflows or B) deployed dynamically with each unique context of access.  

These traditional ERP applications use static security controls to govern access. These controls fail to provide protection beyond the traditional perimeter-based security because they do not leverage contextual attributes. Put another way, these ERP systems do not allow a seamless integration of MFA solutions and make it challenging to achieve strong authentication for zero trust. 

Centrally Managed MFA to Enable Zero Trust Security with Appsian 

Fortunately, requiring dynamic MFA that is integrated inside ERP applications is one of the most common use cases our Appsian Security Platform solves.  

The platform can enforce zero trust security policies that can dynamically secure data and regulate access based on contextual attributes (e.g., IP address, time of day, location, user security clearance, data classification, device used, max dollar amounts, etc.). Additionally, Appsian can help bring your zero trust strategy to life with: 

• Context-Aware Access Controls (with ABAC) – Fine-grained controls help you set dynamic access permissions for users down to the transaction and field level 
• Step-Up Authentication – Integrate enterprise MFA at field level for re-authentication when a user requests access to sensitive data 
• Transaction Monitoring & Control – Monitor high-risk transactions and automatically remove privileged access rights to stop potentially high-risk user activity
• Data Masking – Enforce full, partial, or click-to-view data masking to obscure sensitive data and protect against unnecessary data exposure
• Logging & Analytics – Capture detailed logs to get real-time visibility and insights into user access, IP address of frequent transactions, asset inventory, and other vital data.

Contact Appsian today for a demo to learn how we develop native integrations between Oracle and SAP ERP applications and some of the top MFA providers in the market. 

Over the last two years, organizations had to move employees out of a secure office environment and provide them with access to corporate ERP applications from multiple remote locations — effectively creating an extensive remote and hybrid workforce. A recent report by Gartner predicts that 47% of knowledge workers will work remotely in 2022, compared to pre-pandemic levels of 27%. With this rise in hybrid working and network connections originating from outside the firewall, organizations are understandably prioritizing remote access security.

In this remote/hybrid work landscape, workers and organizations often struggle to replicate that 9 to 5 experience. An experience where employees commute to an office, sit at a desk, and securely access ERP systems behind the office firewall. The reality is that organizations end up facing the challenge of balancing securing ERP systems and critical data with the access demands of the hybrid workforce.

Let’s be clear about something: workers may work 9 to 5, but they have 24/7 access to your ERP applications. And just like you wouldn’t let employees have access to certain areas of a physical office (if it’s a big office space) at all times of the day and night, you shouldn’t grant them remote access to all areas of the ERP system any time they want. 

There isn’t a single technology that will secure remote access. Instead, organizations should leverage a variety of technologies that together provide the necessary remote access security when users are working “9 to 5” from home or other remote locations.

Implement Dynamic Access Controls 

Remote access security begins by giving users access to only the applications, transactions, and data needed to perform their jobs during the “9 to 5” workday. These dynamic access controls consider the different contexts of user access (i.e., location of access, time of request, device used, IP address, and others) to govern who can use specific applications, the types of transactions they can process, and when. For example, if you wouldn’t allow Ted from payroll to enter the office building at 1:00 AM to access employee bank account data when no one is around, why let him do it from home?  

Reauthenticate Users at the Data and Transaction Level

As we continue to follow Ted around his 9 to 5 workday in-office, he uses his security badge to access the accounting area. An area off-limits to most other employees. Essentially, Ted had to reauthenticate his identity before reaching his desk and executing a payroll run. Now that Ted is part of the hybrid workforce, it makes sense that he should reauthenticate his access with dynamic multifactor authentication (MFA) before changing sensitive data, like employee bank accounts, or running critical transactions, like payroll. Enforcing dynamic MFA allows organizations to implement challenges based on contextual attributes. For example, attributes like location, IP address, time, device type, etc. 

Gain Full Control of Data Access Using Dynamic Data Masking 

Controlling what information an employee can see is critical regardless of office location (on-premise or remote). For example, suppose Ted’s manager accesses his employee record to review his information or department settings. In that case, typically, his date of birth and social security number are on display. Data his manager doesn’t need to see to do their 9 to 5 job. Dynamic data masking leverages contextual access controls to ensure that sensitive data is only accessible by the people that need to see it to accomplish their job. Additional controls can ensure full or partial data masking. At the same time, click-to-view and MFA can create a record of data access for use in an audit. Dynamic Data Masking also means a hacker with compromised credentials will be unable to access or view sensitive data fields.   

Increase Visibility through User Activity Monitoring 

Even with remote access security in place, it’s vital that organizations understand who is accessing what, from where, and for what purpose. For example, a hacker compromises Ted’s credentials and starts accessing ERP applications outside of Ted’s regular 9 to 5 activity. With continuous monitoring of user behavior around data access and usage at a granular level, an organization can detect “Ted’s” suspicious activities and quickly apply an appropriate threat response. 

Appsian’s Approach to Remote Access Security  

As more employees take their 9 to 5 workday outside the confines of the corporate firewall and access ERP applications and data from nearly any location, Appsian can help organizations take a dynamic approach to remote access security. 

Contact Appsian today to learn how our context-aware access controls can anchor your remote access security policies and improve ERP data security for your remote teams. 

According to PwC’s Global Economic Crime and Fraud Survey 2020, 47% of companies experienced fraud in the past 24 months. The survey found that the most common types of fraud were cybercrime, customer fraud, and asset misappropriation. The total cost of these crimes reached a staggering $42 Billion. Considering that most large enterprises deploy ERP applications to run their financial and purchasing operations, greater visibility and control of transactions that are executed within ERP applications is crucial. Adaptive authentication at the transaction level can provide a simple yet effective control mechanism to detect and prevent financial fraud. 

What is Adaptive Authentication? 

Also known as dynamic multi-factor authentication (MFA), adaptive authentication allows you to implement MFA challenges based on the user’s risk profile. It allows you to orchestrate security policies that can trigger an MFA challenge based on attributes like location, IP address, time, device type, etc. While most MFA solutions do this when a user logs into the application, implementing MFA at the transaction level for sensitive transactions creates an additional security layer based on the perceived risk of access. 

How Transaction Level Adaptive MFA Detects and Prevents Fraud 

Layered Security: Implementing multi-factor authentication at the transaction level creates a preventive control layer within your ERP applications. For example, sensitive transactions like approval of purchase orders, vendors, or payments can be secured in the event of a breach or stolen user credentials. 

Monitoring and Detection: One of the major challenges in ERP applications is gaining visibility into the thousands of transactions that take place every day. With transaction-level MFA, security and audit teams can monitor sensitive, high-value transactions with detailed logs of who is approving what and when. This leads to faster detection of suspicious user activity that could lead to fraud. 

Risk Mitigation: With users logging in remotely and through personal devices, adaptive MFA at the application access and transaction-level can be triggered based on contextual risk. This allows organizations to implement multiple control layers to mitigate their overall security and financial risk. 

Adaptive Authentication with Appsian Security 

The Appsian Security Platform enables organizations to take a risk-based adaptive approach to ERP security. The platform allows you to implement Dynamic Multi-Factor Authentication at the transaction level, creating a logged record of sensitive transactions. Using an attribute-based access control (ABAC) security model, every authentication request is first analyzed for level of risk, and MFA challenges are deployed accordingly. Security teams can also centrally enforce strict identity and device zero-trust policies across multiple ERP applications. 

Schedule a demo to find out how Appsian’s enterprise MFA solutions can enhance your fraud prevention and detection capabilities.  

Protecting and maintaining the integrity of data, especially sensitive data, is one of the core objectives of any security strategy. Since a majority of this data is stored and accessed using ERP applications, access to ERPs presents a significant risk to data security. To mitigate this risk, organizations have been deploying multi-factor authentication (MFA). While MFA re-confirms user identity and provides a layer of security at the time of login, it does nothing to reduce the exposure of sensitive data inside the ERP applications. This leaves a majority of the sensitive data unnecessarily exposed and at risk.

Why Sensitive Data Needs Additional Protection

Businesses collect, store, and process huge volumes of data every single day. This data includes sensitive information like Personally Identifiable Information (PII), financial information, intellectual property, healthcare records, and business intelligence. The value of this data puts it at constant risk from both external attacks and insider threats.

According to a 2019 IDC survey, 64% of ERP systems have been breached in the last 24 months. In addition, the 2021 Ponemon Institute Cost of a Data Breach Report pegs the average cost of a data breach at $4.24M, and the 2020 Cost of Insider Threat Report found that negligent employees or contractors were the biggest cause (63%) of insider threats. These findings are a clear indicator that many enterprises still struggle to control access to sensitive ERP data.

How Step-Up Authentication Protects Data

One of the most common challenges across industries is user over-provisioning. It basically means that users have more authorizations and privileges than they require granting them access to sensitive data even when it’s not needed. This not only increases access risk but also could lead to privacy violations and audit failures.

Step-up authentication allows security teams to implement an MFA challenge in-line with sensitive data fields like Social Security Number, Credit Card Information, bank accounts details, or any other sensitive field inside your ERP applications. It puts a control mechanism at the data field level creating an additional layer of security within your ERP systems to protect data, minimize exposure, and mitigate risk.

The Need for Dynamic Step-Up Authentication

Step-up authentication is a simple and effective solution to protect sensitive data. However, the number of MFA challenges a user has to complete to access data can increase significantly when implemented. To overcome this challenge, organizations need to take an adaptive security approach by shifting to an attribute-based access control security model. This allows security teams to implement step-up MFA challenges only when the context of access is considered risky.

For example, a step-up authentication challenge can be triggered when a user is logging into the ERP application from another country or with a personal device. Based on the organization’s security policy and compliance regulations, MFA challenges can be implemented dynamically at the field level after determining the risk posed by a specific access.

Other Benefits

Implementing dynamic step-up authentication at the field level enables enterprises to take their Zero Trust framework beyond the gate and deeper into applications. It also helps security teams to monitor access to sensitive data and detect unusual user activity. From a compliance perspective, step-up MFA protects sensitive data from unauthorized access and provides an audit trail.

Though all data within the enterprise network is considered private, sensitive data assumes greater significance due to its inherent value and compliance regulations applicable for its protection. The adaptive security capabilities of the Appsian Security Platform protect sensitive ERP data by implementing attribute-based access control to reduce the overall access risk and dynamic MFA at the field level that offers a layered security control.

Schedule a demo with our ERP experts to learn how you can deploy step-up authentication for sensitive data access.

In the previous article of this series, we talked about data field-level controls and how you can resolve a data field-level control weakness with security best practices. This article goes one level deeper from ERP data fields to ERP transactions. Sensitive transactions like approving payments, adding vendors, and modifying contracts have a direct impact on the business. Without the necessary transaction level controls, they could create red flags during an audit, leading to discovering a material weakness. 

What is a Transaction Level Control? 

Transaction level controls are intended to detect and/or prevent errors, misappropriations, or policy non-compliance in a financial transaction process. Effective transaction-level controls help organizations achieve their mission and strategic objectives for a given business process transaction by appropriately mitigating inherent risks. Weak transaction controls could lead to fraud, mishandling of payments, or financial errors that eventually impact the company’s annual or interim financial statements. 

How to Resolve Transaction Level Control Weaknesses 

Resolving transaction level control weaknesses requires implementing specific solutions that enable you to create a security layer at the transaction level of your ERP application. A simple and direct method of achieving this is implementing Multi-factor Authentication (MFA) at the transaction level. While many organizations use MFA to secure ERP access, the authorization granted during login gives the user unlimited access to transactions related to the user’s role. 

However, by deploying step-up MFA for sensitive transactions, you can re-authenticate identity and monitor and create an access log for these transactions. This also helps security teams flag suspicious transaction activity by the user, thereby adding a preventative and detective control at the transaction layer of your ERP application. 

Implementing Transaction Control with Appsian 

The Appsian Security Platform allows you to force MFA challenges at the transaction level to ensure Zero Trust, not just at the initial access but also deeper within your ERP applications. Appsian also enables you to go beyond Role-Based Access Control (RBAC) security models to a dynamic security model like Attribute-Based Assess Control (ABAC). The platform considers a user’s contextual attributes like access location, time of the request, device type, etc., before establishing trust and granting access to data or transactions. Your security teams can use these dynamic user privileges to enforce multi-factor authentication for partial or full access to sensitive data and transactions 

The Appsian Security Platform natively integrates into your ERP web server without requiring customizations or additional servers. Security teams can use their existing MFA Vendors like Duo Security, Okta, SafeNet, Microsoft Authenticator, and more to force MFA challenges at the ERP transaction level.  

Schedule a demo with Appsian ERP experts to understand how you can implement layered security controls inside your ERP applications to protect sensitive transactions. 

In the first article of our material weakness series, we addressed what a material weakness is and how an ineffective access control weakness can be resolved. This article will look at another critical control weakness that can occur at the data field level. 

What are Data Field Level Controls? 

Field-level security settings, or field permissions, are intended to control whether a user can see, edit, and delete the value for a particular field on an object. These are the ERP data security capabilities that allow organizations to protect sensitive fields such as a candidate’s social security number without having to hide the candidate object. However, when these field-level controls are not configured correctly, users may be able to see sensitive personally identifiable information required by compliance regulations like CCPA and GDPR to be safeguarded.  

How to Resolve Data Field Control Weaknesses 

Protecting data at the field level is crucial from a data integrity and data privacy point of view. Here are six steps you can take to enhance field-level controls within your ERP applications: 

1. Implement the Zero-Trust security model that enforces the principle of never trust, always validate. 
2. Effectively using Multi-Factor Authentication (MFA) and enforcing MFA at various layers – login, critical transaction level, and critical data field level to enable layers of security. 
3. Implement layered security, also known as defense in depth (DiD), in overlapping layers of controls that typically provide the three control capabilities needed to secure assets: prevention, detection, and response. While no individual security control is guaranteed to stop 100% of the cyber threats, layered security provides mitigations against a wide variety of threats while incorporating redundancy or compensating controls in the event of a control failure. 
4. Transition from static security found in Role-Based Access Control (RBAC) security models to a dynamic security model like Attribute-Based Assess Control (ABAC) that enables the enforcement of policy requirements into the access controls at the transaction and data level.   
5. Design dynamic security controls capabilities to improve their ability to identify, detect, prevent, and respond to anomalies and threats. 
6. Perform periodic control assessments to validate the effectiveness of the existing controls. 

Protecting Data Fields with Appsian Security 

The Appsian Security Platform has been designed specifically to address security and governance challenges that companies face within their ERP ecosystem. Appsian offers a range of solutions that enable you to implement Zero Trust security. From multifactor authentication at the login level to masking of sensitive data fields with the ability to reveal data only after authentication, Appsian provides complete control over data access and data exposure that goes beyond the initial access.  

Appsian’s attribute-based access control also ensures that authorizations are not absolute. It considers the context of access when allowing or restricting data access even at the field level. For example, the click-to-view feature provides access to data while also maintaining a log of what sensitive data was accessed when and by whom. The Appsian Security Platform takes a layered approach to security within your ERP ecosystem to enable field-level controls that prevent, restrict, and monitor access and modification of any field data. 

Take a first-hand look at how Appsian can enable field-level controls in your ERP applications without disrupting business operations. Schedule a demo with our ERP experts.  

Next in the Series: Ineffective Transaction Level Controls 

Organizations that use ERP applications like SAP, PeopleSoft, Oracle EBS, etc., manage thousands of users. Most of these users have limited roles that only allow them to perform their job-related tasks. But there exists a subset of users/accounts who are granted a wide spectrum of authorizations because their role entails managing the application itself: privileged users.

From an operations point of view, these roles are essential for the day-to-day functioning of the application to support the business. However, from a security perspective, the level of access and authorization granted to these privileged user accounts increases the overall risk exponentially. In fact, Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates.

Who are Privileged Users?

Privileged users are users who are assigned roles and authorizations to perform functions that go beyond regular business transactions. These users include database administrators, network engineers, application developers, or third-party consultants. Their user accounts possess enhanced permissions that allow them to access sensitive data or modify key system functions. Also referred to as Superusers, some of the overarching privileges extended to them include:

• Full authorization to read, write and execute
• Creation or installation of files or software
• Modification of files and settings
• Deletion of users and data

Security Implications of Privileged User Accounts

Privileged users have a high level of access which means they will always be a target for attackers. If these accounts are compromised, it will lead to attackers gaining the same level of access.

Once inside, attackers can move from system to system undetected without leaving any digital footprint, making it harder to detect and stop. In addition, the attackers could gain access to an organization’s sensitive and confidential data, including company trade secrets.

If misused, either because of an error or with malicious intent, privileged user accounts can also inflict grave damage to a system or organization. Companies may have adequate security to prevent external threats, but privileged users are already inside the system. They can create backdoors, delete or modify data, override security settings, and more without detection.

According to the IBM 2020 Cost of Insider Threat Report, the average cost of an insider threat almost triples from $3M to $8.7M if the incident involves an imposter or thief who steals credentials and the costliest type of credential theft involves the theft of privileged users’ credentials.

Mitigating Privileged User Risk

Privileged users are granted greater access rights for a reason. They maintain and update applications that are critical for business operations. They are also responsible for a range of functions that require access to multiple servers, modules, and/or databases. This access also significantly increases the organization’s overall risk. However, this “privilege” can be counterbalanced with security measures that do not overly restrict them from performing their tasks.

Enforce Least Privilege Access

Many ERP applications provide role-based access controls and role-based authorizations. This means any user who logs in with valid credentials is granted all roles and authorizations assigned to that account. Thus, when a privileged user’s credentials are compromised, the attacker essentially becomes a privileged user giving them unchecked access.

However, by implementing attribute-based access controls (ABAC) through a dynamic policy engine, access can be allowed based on contextual attributes like location, time range, days, security clearance level, IP address, and more. For example, restricting privileged users to access only via your secure network ensures attackers cannot log in through an unknown network – significantly mitigating your risk while alerting you to failed access attempts.

Enforce Segregation of Duties (SoD)

Privileged user roles and authorizations should be regularly audited to ensure that they only have authorizations that are needed to perform their jobs. If the privileged user has not utilized a particular role within a specific timeframe, organizations should consider removing those privileges from the user. Since the user has never performed such functions before, they would not miss those privileges.

Even in cases where special privileges have been granted to perform specific tasks, a time limit should be set after which access is automatically revoked. These steps ensure that privileged users only have the necessary access at any given time and limit the organization’s overall risk.

Implement Step-Up MFA For Privileged Users

While your organization may have MFA at the login level, deploying step-up authentication for sensitive transactions at the page and data field level ensures that access to data and transactions is allowed only after the user has re-authenticated themselves.

Adding additional layers of authentication not only improves your security posture but also creates logs that can be monitored for suspicious activities. For example, a privileged user who is authorizing payment transactions can be easily identified during an audit since the user does not belong to the payroll or procurement team.

Behavior-based Profiling

Monitoring administrator accounts can help identify when one is compromised. However, large organizations may have hundreds of privileged users, and manual monitoring is virtually impossible. This is why Appsian Security’s unique algorithm combines multiple data sources to create a joint profile for each employee, including privileged users. The solution uses this business profile as the basis for optimization and as the behavior baseline.

This method is subsequently used to analyze irregular behavior, unused activities and authorizations, recommended authorizations for roles, and unoptimized license types. Privileged users who deviate from their normal usage can be easily monitored. For example, an anomaly is created when an SAP administrator who never accessed the customer database before tries to access it. Even though the user has the authorization to access the database, a deviation in behavior can be an indication of compromised credentials, giving security teams an impetus to check user behavior.

The IBM 2020 Cost of Insider Threat Report states that 29 percent of all credential thefts involve the theft of privileged users’ credentials. This proves that privileged users are primary targets for attackers because of their access privileges. Appsian Security mitigates the risk of high privilege credentials and sessions being exploited by bad actors by enabling you to implement multiple security measures like attribute-based access controls, step-up authentication for sensitive transactions, segregation of duties, and behavior-based profiling.

Schedule a demo with our security experts to find out how privileged user risk can be mitigated across your ERP ecosystem.

Since 2008, the University of Oklahoma Health Sciences Center (OUHSC) has successfully used the Appsian Security dynamic MFA solution to secure the ERP data on its instance of PeopleSoft. OUHSC initially selected Appsian Security because of its ability to directly integrate its multi-factor authentication (MFA) solution with PeopleSoft without added customizations, hardware, or complexity. 

What Challenges Made OU Enable Dynamic Access Controls?  

OU’s main campus in Norman had its own PeopleSoft system, which was separate from the OU Health Sciences Center’s system. Recently, the University decided to consolidate the Financials and Human Capital systems along with information technology of the University’s three campuses, including uniting the unique instances of PeopleSoft into a single one. 

In 2020, the University began the consolidation project. In addition to requiring secure access to the HRMS pillar for the nearly 15,000 faculty and staff members on the unified instance of PeopleSoft, the University wanted to leverage dynamic access controls to enforce MFA at login and inside the application at the field, page, and component levels. 

As a unified system, OU wanted to – 

• Reduce unwanted exposure of sensitive data 
• Improve visibility into user activity across applications  
• Limit access to sensitive transactions  

Oklahoma University Enhanced PeopleSoft Data Security With Dynamic MFA 

Appsian Security’s native integration with PeopleSoft allowed OU to successfully deploy their MFA solution for the HRMS pillar. The University uses MFA at login for both off-campus (remote) and on-campus users. The combined platform for all three campuses applies dynamic access controls to grant access to sensitive information and gate high-value transactions, such as direct deposit, based on contextual attributes like device, geolocation, time, and more. Additionally, OU uses Appsian Security to monitor and log high privileged user activity within PeopleSoft. The system captures all user activity at the field, page, and component levels. 

The University completed its system upgrades and merger and is now live using the Appsian Security Platform in all three of its PeopleSoft pillars, namely Financials, Human Capital, and Campus Solutions. 

Appsian Security Platform As A Key Enabler For End-To-End PeopleSoft Data Security & Compliance  

Appsian’s PeopleSoft customer base includes multiple colleges and universities like Oklahoma University looking for a single platform to strengthen Identity and Access Management, Data Security, and Compliance, including: 

• Native SAML/ADFS Compatibility And PeopleSoft MFA Integration: Integrating single sign-on and multi-factor authentication natively with PeopleSoft and your identity provider improves security and convenience. Integrated MFA also enables step-up authentication, so users can be forced to re-authenticate when accessing highly sensitive transactions. 
• Contextual Access Control For Greater Security: Reduce the attack surface with a dynamic rules engine that applies the contextual variables of a user’s access and defines privileges in real-time. Implement least privilege to limit access to modules/transactions, dynamically mask sensitive data, enforce step-up MFA, and more. 
• Real-Time Analytics For Improved Response Times: Enhanced PeopleSoft logging capabilities capture all user activity at the field, page, and component levels and combine them with contextual user data. Real-time visualized dashboards allow you to quickly spot suspicious activity and drill down to root out issues. 

Contact Appsian’s PeopleSoft experts today to learn how the Appsian Security Platform can help you establish a dynamic MFA solution and a strong ERP data security posture. 

Customer Profile: 

Founded in 1890, the University of Oklahoma is a public research university located in Norman, Oklahoma, just 20 minutes south of Oklahoma City. With three campuses in Oklahoma, OU also offers study abroad opportunities at several locations and OU campuses overseas. The OU Health Sciences Center serves approximately 4,000 students in more than 70 undergraduate and graduate degree programs on Oklahoma City and Tulsa campuses. 

Related Reading: OU Case Study