Over the last two years, organizations had to move employees out of a secure office environment and provide them with access to corporate ERP applications from multiple remote locations — effectively creating an extensive remote and hybrid workforce. A recent report by Gartner predicts that 47% of knowledge workers will work remotely in 2022, compared to pre-pandemic levels of 27%. With this rise in hybrid working and network connections originating from outside the firewall, organizations are understandably prioritizing remote access security.

In this remote/hybrid work landscape, workers and organizations often struggle to replicate that 9 to 5 experience. An experience where employees commute to an office, sit at a desk, and securely access ERP systems behind the office firewall. The reality is that organizations end up facing the challenge of balancing securing ERP systems and critical data with the access demands of the hybrid workforce.

Let’s be clear about something: workers may work 9 to 5, but they have 24/7 access to your ERP applications. And just like you wouldn’t let employees have access to certain areas of a physical office (if it’s a big office space) at all times of the day and night, you shouldn’t grant them remote access to all areas of the ERP system any time they want. 

There isn’t a single technology that will secure remote access. Instead, organizations should leverage a variety of technologies that together provide the necessary remote access security when users are working “9 to 5” from home or other remote locations.

Implement Dynamic Access Controls 

Remote access security begins by giving users access to only the applications, transactions, and data needed to perform their jobs during the “9 to 5” workday. These dynamic access controls consider the different contexts of user access (i.e., location of access, time of request, device used, IP address, and others) to govern who can use specific applications, the types of transactions they can process, and when. For example, if you wouldn’t allow Ted from payroll to enter the office building at 1:00 AM to access employee bank account data when no one is around, why let him do it from home?  

Reauthenticate Users at the Data and Transaction Level

As we continue to follow Ted around his 9 to 5 workday in-office, he uses his security badge to access the accounting area. An area off-limits to most other employees. Essentially, Ted had to reauthenticate his identity before reaching his desk and executing a payroll run. Now that Ted is part of the hybrid workforce, it makes sense that he should reauthenticate his access with dynamic multifactor authentication (MFA) before changing sensitive data, like employee bank accounts, or running critical transactions, like payroll. Enforcing dynamic MFA allows organizations to implement challenges based on contextual attributes. For example, attributes like location, IP address, time, device type, etc. 

Gain Full Control of Data Access Using Dynamic Data Masking 

Controlling what information an employee can see is critical regardless of office location (on-premise or remote). For example, suppose Ted’s manager accesses his employee record to review his information or department settings. In that case, typically, his date of birth and social security number are on display. Data his manager doesn’t need to see to do their 9 to 5 job. Dynamic data masking leverages contextual access controls to ensure that sensitive data is only accessible by the people that need to see it to accomplish their job. Additional controls can ensure full or partial data masking. At the same time, click-to-view and MFA can create a record of data access for use in an audit. Dynamic Data Masking also means a hacker with compromised credentials will be unable to access or view sensitive data fields.   

Increase Visibility through User Activity Monitoring 

Even with remote access security in place, it’s vital that organizations understand who is accessing what, from where, and for what purpose. For example, a hacker compromises Ted’s credentials and starts accessing ERP applications outside of Ted’s regular 9 to 5 activity. With continuous monitoring of user behavior around data access and usage at a granular level, an organization can detect “Ted’s” suspicious activities and quickly apply an appropriate threat response. 

Appsian’s Approach to Remote Access Security  

As more employees take their 9 to 5 workday outside the confines of the corporate firewall and access ERP applications and data from nearly any location, Appsian can help organizations take a dynamic approach to remote access security. 

Contact Appsian today to learn how our context-aware access controls can anchor your remote access security policies and improve ERP data security for your remote teams. 

Like most state governments, the State of Kansas wanted employees and non-employees to access PeopleSoft self-service within and outside the corporate network. They encountered a common challenge: How do they roll out PeopleSoft self-service to a massive audience while still protecting their data and addressing compliance risks. To fortify their PeopleSoft environment and secure remote access and their data, the State approached Appsian for their dynamic data masking tools.  

Requirements for Dynamic Data Masking

Over a two-year period, the State expanded access to PeopleSoft from 12,000 to all 50,000 state employees, including contractors, truck drivers, police officers, and state police medical contractors who would be using iPads and various mobile and remote workstations.  

However, they did not have any third-party data masking tool for their production or non-production environment. Additionally, the masking capability in their existing PeopleSoft environment presented the following challenges –  

• Masking was incomplete  
• It offered no flexibility  
• The feature only worked on select delivered pages  

The native masking functionality was not working sufficiently for their HCM and FSCM power users. In addition, as their roles were getting more complex, access control became a critical requirement that out-of-the-box PeopleSoft features could not fulfill. 

The State Of Kansas Enhanced PeopleSoft Security With Dynamic Data Masking 

The State deployed MFA capabilities, contextual data masking, and dynamic access controls to fill the security gaps in access control and usage. The State also used the Appsian Security Platform to improve remote access control, manage risk exposure, and increase the visibility of user activity in their FSCM and HCM pillars.  

Following the implementation of Appsian’s Dynamic Data Masking tools and capabilities, the State of Kansas is now able to achieve the following –  

• Leverage existing static data masking to challenge users to reconfirm identity at a page level  
• Location-based security to protect access to certain pages for users outside the State’s network  
• Better visibility into the activities of privileged users while allowing them to access sensitive data to perform their roles efficiently  

Appsian is a Key Enabler For PeopleSoft Data Security & Compliance    

Appsian’s PeopleSoft customer base includes multiple organizations in the government sector like the State of Kansas looking for a single platform to strengthen remote access management, data security, and compliance, including:   

• Native SAML/ADFS Compatibility And PeopleSoft MFA Integration: Integrating single sign-on and multi-factor authentication natively with PeopleSoft and your identity provider improves security and convenience. Integrated MFA also enables step-up authentication, so users can be forced to re-authenticate when accessing highly sensitive transactions.   
• Contextual Access Control For Greater Security: Reduce the attack surface with dynamic data masking tools that take into account the contextual variables of a user’s access and define privileges in real-time. Implement least privilege to limit access to modules/transactions, dynamically mask sensitive data, enforce step-up MFA, and more.   
• Real-Time Analytics For Improved Response Times: Enhanced PeopleSoft logging capabilities capture all user activity at the field, page, and component levels and combine them with contextual user data. Real-time visualized dashboards allow you to quickly spot suspicious activity and drill down to root out issues.   

Contact Appsian’s PeopleSoft experts today to learn how the Appsian Security Platform can help you establish a dynamic data masking solution. 

Customer Profile: 

The State of Kansas administrative office comprises over 100 state agencies to provide exceptional community, family, health, education, security, transportation, and more services to the citizens of Kansas.  

Related Reading: State of Kansas Case Study 

If 2020 was the year of hastily enabling secure remote access to ERP applications, then 2021 will be the year when organizations realize that remote ERP access is here to stay – and long-term data privacy, security, and access governance strategies will be mission–critical. Securing ERP data has always been important in principle, but the mass migration to requiring remote access (in perpetuity) has kicked off a heightened emphasis on the topic. 

Amongst a sea of learnings from the pandemic is that 2020 was the “coming of age” for ERP data privacy and the challenges it created. Many organizations were forced to learn the hard way that sensitive ERP data (business data and PII) are top targets for malicious activity and some of the most difficult assets for organizations to secure. Especially data in legacy business applications. 

Let’s look back at the Year of the Pandemic and examine some of the data privacy events and trends we observed that will serve as guideposts for making ERP data privacy a mission-critical priority in 2021.   

Variations in Access Presents Greater Data Privacy Challenges 

It’s clear that working remotely is here to stay. A Gartner HR survey reveals that 41% of employees are likely to work remotely at least some of the time post-pandemic. Tech giants like Facebook, Salesforce, Twitter, and more, announced that they would continue to offer remote work and possibly move to entirely remote models permanently.  

A key challenge uncovered when the pandemic forced a rapid transition to remote workforces was most organizations had data privacy and governance policies that didn’t account for variations in user access. Especially those using legacy ERP applications like SAP (ECC & S/4HANA), PeopleSoft, and Oracle EBS. After all, these applications were originally designed so users could get easy access to data inside the firewall. They were never designed for a dynamic access environment.  

The fact of the matter is the roles and privileges that governed access to these systems depended on managed devices, corporate firewalls, and in many cases – 9:00 to 5:00 access demands. Remove those variables and enable access from anywhere, on any device, and at any time – and those strict privacy and governance policies were replaced by “wild west” levels of access risk. 

Instead of needing to be in a specific physical location, users can access an organization’s sensitive data from anywhere. The physical and network controls that protected IT infrastructures and data privacy no longer provide the same level of confidence. Changing how companies do work requires them to change how they secure data and re-evaluate their data privacy and access governance strategies.  

When it Comes to ERP Data Privacy – Identity is the New Perimeter 

With organizations continuing to support remote access to ERP applications, they need to design policies and practices that define how data is accessed, viewed, and used – as well as the technology they’ll need to implement and enforce those policies.   

A key investment is implementing dynamic capabilities to already established identity and access management (IAM) solutions. In other words, providing the ability to minimize risk by dynamically providing access based on the context of a user’s access.   

Applying dynamic IAM and access governance supports traditional role-based controls but accounts for the variations in a user’s access that may indicate risk.  

Further examples would be: 

• Integrating an MFA on a sensitive transaction or data field and requiring a user to re-authenticate 
• Deploying MFA if a user is accessing from an unmanaged device. Also known as zero-trust authentication 
• Reducing levels of access privilege for super users if their access is coming from an unknown IP range. Also known as applying the principle of least privilege 
• Applying dynamic data masking that masks all PII, account numbers, etc., if access is coming from an unmanaged device, unknown IP range, or outside typical working hours. 

 The sooner organizations realize that their perimeter is only as strong as their ability to manage user access – the better off they’ll be! 

Data Privacy Regulations Mixed with Remote Access Will Only Make Compliance More Challenging 

Today’s ever–changing data privacy landscape is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country, or are certain data records/reports being accessed at a higher-than-normal frequency? Ask yourself, just because someone can access sensitive data, does it mean they should? 

Successful organizations will invest in technologies that monitor user behavior around data access and usage, capturing contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting and effectively responding to audit findings. 

Hodgepodge of State-Level Data Privacy Regulations Sow Confusion 

Up to now, the standard-bearer for data privacy regulations in the United States was California’s CCPA. In 2021, the number of state-level data privacy regulations is likely to increase, which is bound to further complicate matters by creating multiple compliance requirements.  

Virginia is poised to become the second state to enact a data privacy bill, while lawmakers in Washington state, New York, Oklahoma, and Utah are currently weighing proposals. Meanwhile, Californians voted to approve the California Privacy Rights Act (CPRA), a series of changes made to the existing California Consumer Privacy Act (CCPA). 

This hodgepodge of domestic data privacy regulations should motivate organizations to get data privacy, security, and access governance strategies in place, ensure documentation, and prepare for both financial penalties and civil actions. If 2020 was any indication (GDPR fines rose by nearly 40%), companies are likely to see more frequent and more significant fines for non-compliance in 2021. 

Having Weak ERP Data Privacy Policies Will Become Expensive 

COVID raised the awareness of ERP data privacy as companies struggled last year to continue with normal business operations in a remote environment. These struggles forced many leaders to establish privacy and compliance frameworks and implement the technology to support them. However, this is just the beginning.  

With 2020 being a record year for data breaches – along with an ever-growing list of data privacy regulations that carry monetary fines for non-compliance – the writing is on the wall. Organizations will not be able to call themselves victims if their decades of accumulated PII and business data get exploited or breached. The monetary consequences that come from these incidences can have catastrophic effects—both against your bottom line and reputation.   

Contact Appsian to learn how we can help you align your legacy ERP applications with today’s data privacy and compliance demands. Effectively scale your efforts for future mandates.

California State University, the largest four-year public university system in the country, made headlines when it announced Tuesday that it intends to continue with remote teaching in the fall term at all 23 CSU campuses, affecting most of its 482,000 students. This was a bold move, but I applaud the CSU system, or any college or university, as the rapid shift to online instruction amidst COVID-19 has been an undertaking of historic proportions. 

Lost in the headlines is the amount of work that IT teams must do to enable remote access for nearly the entire university staff and faculty. For Cal State University (an Appsian customer – 17 campuses), that’s more than 53,000 faculty and staff who need access to key information and systems. Along with student users, in total, that’s 535,000 (mostly remote) users accessing the university’s ERP systems from all over the world. 

The implications of this decision are wide-reaching. Beyond answering questions like, how will you be able to keep students engaged or how will you be able to provide parity to classroom learning, there are a myriad of implications placed squarely on the enterprise systems that support these institutions (ex. PeopleSoft and SAP ECC.) With millions of students, faculty and staff depending on these applications to keep operations running smoothly, how will campuses look to adapt these systems to their new normal? How can they ensure these systems can meet these new demands?

Universities Must Focus on (2) Key Areas: User Experience and Data Security 

Remote and distance learning means operations will be extremely dependent on self-service. Universities using PeopleSoft Campus Solutions face a double-whammy. Maintaining strict authentication and data security policies create challenges on their own. In addition, many campuses require additional UX/UI solutions that enable a unified mobile user experience. Without additional UX solutions in place, PeopleSoft’s mobile user experience can be challenging for students to navigate – especially as they’re trying to access self service via mobile devices. Several colleges and universities use the full suite of Appsian’s technology to address these issues.  

For Students, User Experience is EVERYTHING 

Today, student’s primary method for communication is through their mobile devices. A common problem for universities is that PeopleSoft Campus Solutions’ primary interface is PeopleSoft Classic. This UI is not mobile responsive and has a look and feel that doesn’t necessarily align with Millennial and Gen Z. expectations. As tens of thousands of students register for classes in the fall, this user experience could prove to be problematic, as students are so used to intuitive experiences. Without UX/UI enhancements, campuses run the risk of flooding their support desks or having students abandon self-service transactions – not meeting key enrollment deadlines. 

PeopleUX by Appsian turns the Classic interface of PeopleSoft Campus Solution into a visually engaging user experience. Students can easily navigate through transactions like add/drop/swap courses, view grades, class schedules, search for classes, access advisor information, and financial aid details from their mobile device. Giving students the proper tools to execute the majority of their tasks through self-service will alleviate your staff’s workload. It will also provide one less hurdle students (especially new students) will have to get over before class begins in the Fall. 

For EVERYONE, Data Security is EVERYTHING 

Colleges and universities face the same challenges as businesses that had to transition entire workforces from office-based to work-from-home. Remote access is now a requirement, and IT departments should have the ability to dynamically control access to sensitive transactions and maintain granular visibility into user behavior – something ERP systems like PeopleSoft and SAP ECC inherently lack.  

Campuses are turning to VPN to ensure secure authentication, but VPNs have plenty of vulnerabilities. In many cases, adding Multi-Factor Authentication via Duo Security® has been a top choice – one that Appsian couldn’t recommend more. However, integrating an MFA like Duo with PeopleSoft or SAP ECC presents significant challenges. Integration is necessary, especially if you’re looking to apply step-up MFA at the transaction level. This is recommended because application-layer authentication is good, but transaction level authentication is ultimately the best way to ensure data isn’t unnecessarily exposed.  

Integration also allows you to leverage adaptive MFA. This can enable you to deploy MFA challenges (at the application layer) based on the context of access, such as business hours, location of the device accessing the system, and type of device. This flexibility can reduce the disruption of MFA challenges on the user and ultimately provides significantly better data security. 

Additionally, campuses must consider how they can maintain visibility over the data in their transactions. After all, when you consider the sheer volume of sensitive data in a student information system like student records, student financial information, parent financial information, etc. it becomes clear that the implications of a breach could be catastrophic. This is not lost on hackers who are now aware that large university systems are moving to 100% remote learning. These are data security implications that are not simple to solve, but the focus must be on visibility, control, oversight, and accountability. How detailed is your view of data access and usage? If there was a potential security threat, how long would it take you to detect and remediate it?

Conclusion 

It’s too early to tell how many colleges and universities will follow Cal State University’s lead and announce remote learning plans for the Fall semester. Regardless, now is the time to prepare for a school year that still has many variables and unknown factors that can influence a decision. 

Request a demonstration so you can get to know the many ways that Appsian can help your university and college tighten your PeopleSoft data security and deliver a mobile-responsive and visually compelling user experience to students. 

Analytics have always been necessary for informing ERP data security policies. This has never been more relevant than today, in this everybody-works-from-home environment where function leaders are scrambling to attain oversight and accountability. With whole departments spending 8 hours a day in business applications like PeopleSoft and SAP, establishing strong ERP user activity monitoring strategies is mission-critical. We also touched on this topic a few weeks ago, but now that organizations are adopting visibility solutions, the question becomes – what are the most important details to capture?

Always Capture the Who, Where, When, What, and How 

Remember the good old days of February 2020 when articles touted the growing trend of working from home and that remote access to your ERP system and making transactions available on the internet will one day become the “new normal?” Ah, good times.  

Then COVID-19 happened, and remote work went from growing trend to hard-core reality in a matter of days. System administrators scrambled to collaborate with managers to create new or updated work-from-home polices that determine who, what, where, when, and how workers can access ERP data – and what transactions they’re allowed to perform. Good times, indeed. 

Let’s break down these different details… 

1. Who – Details of the User Accessing the Data 

Even if your user authentication strategies are strong (ex. leveraging multi-factor authentication), you’re still going to have security concerns – especially with high privileged user accounts. Narrowing your visibility efforts on high privilege user activity allows you to focus on the accounts that can cause the most damage (if corrupted or misused.) For example, your organization may be global (with ERP access coming from multiple countries) but your high privilege users may primarily reside near your domestic HQ. High privilege access coming from outside this IP range may be an early sign of unauthorized activity.

2. What – Details of the Data Being Accessed 

What are those Tier 1, highly sensitive data fields you want to closely watch? I’m talking about C-suite salary information, social security numbers, bank account information, etc. Application level logging falls short in showing exactly what a user accessed. However, these details are ultimately the most important. If you do not have visibility into exactly what a user accessed, then you are missing a significant part of the data security puzzle. In many instances, field level logging can show you how much “over access” users may have. After all, least privilege is a best practice – especially in remote environments.

3. Where – Location Where the User is Accessing the Data 

As mentioned above, location can be a leading indicator of unauthorized activity. This strategy can be expanded, especially if you’re operating in a vertical that typically doesn’t require global access (ex. higher education, healthcare, state & local government, etc.) Whether it is a sudden influx of authentication requests from China or one-off access from a European country, having location data is an essential component of ERP user activity monitoring.

4. When –Time of Day When User is Accessing Data 

Thanks to stay-at-home orders, normal 8 to 5 work hours don’t apply when users must (potentially) deal with kids or other distractions. Simply enacting policies that restrict certain transactions from being executed outside of business hours is a quick way organizations can enhance oversight – but how can you really enforce it at scale? Either way, monitoring after hours activity, while not an obvious indicator of a problem, is a solid baseline. Especially if most ERP processing activities are being executed by hourly employees.

5. How – Type of Device Accessing Data 

One of the difficult aspects of rapidly deploying remote ERP access is getting an inventory of all the devices they’ll use. Corporate-managed vs personal devices have a large impact on how you want sensitive business data accessed. Even if every employee has a company-issued device, you’re bound to see unauthorized devices (mobile phone, tablet, personal workstation or laptop, etc.) accessing your system. Knowing exactly what these devices are accessing (or possibly downloading) is extremely important for data loss prevention.

Real-Time User Activity Monitoring Leads to More Informed ERP Data Security Decisions 

Using the Appsian Analytics Console, you get a 360-degree view of what is happening around your ERP data. From there, you can map out a targeted incident response before damages become catastrophic and influence your ERP data security policies.

Some additional examples of ERP data security measures you can deploy include: 

1. Enabling adaptive authentication policies that deploy additional authentication challenges based on the context of access 
2. Restricting the availability of specific transactions (partial or full) when access is coming from unwanted geographic locations 
3. Masking any data field (partial or full) 

Appsian enables organizations to enhance their level of control and visibility over business data. To ease the anxiety of allowing remote ERP access, Appsian can help you make the rapid changes (avg. go-live in 2 weeks) necessary to manage and mitigate risk.

Request a demonstration of the Appsian Analytics Console today.