SCHRUG 2019 HCM, FSCM, CS, and Portal Apps South Central ...

ERPAFormerly ERP Analysts

PeopleSoft Security Cleanup,

Automation, & Access Controls for

HCM, FSCM, CS, and Portal Apps

Jai Chitkara

Program Director

– Emerging Tech

July 22-23, 2019

SCHRUG 2019South Central Regional User Group Conference

Agenda• Introductions

• About ERPA

• PeopleSoft Services

• Security as a Service• PS Access 101; What’s a Good Security Model?

• Customer’s PSoft Security Needs

• Automation• Types of Access Controls

• Data Security

• Audit & Compliance Controls

• Separation of Duties

• Data Breach Prevention (2FA)

• Cleanup & Consolidation using Analytics

• Deliverables

• Use Cases

• Q & A

ERPA National Offices

• Founded in 1999 with Headquarters in Dublin, Ohio

• Satellite Offices in Florida, Nevada and Texas

• Oracle Platinum Partner specializing in Oracle Cloud,

PeopleSoft, Business Intelligence, and Big Data

• 500+ U.S. Based W2 Consultants

• 1500+ Successful Projects

• 250+ PeopleSoft Upgrades

• 22+ PeopleSoft 9.2 upgrades• 110+ PeopleSoft 9.2 upgrade passes

• 7+ OBIA (ODI) 11.1.1.10.2 Implementations• Human Resources, Financials, and Student Information Analytic

About ERPA

PeopleSoft Services

PeopleSoft

Services

PUM Management

Custom Development

Testing as a Service

PeopleSoft Fluid Service

PS Security as a Service

Disaster Recovery Services

PeopleSoft Implementations,

Upgrades, Module Add-on

PeopleTools Upgrade

Managed Projects

Consulting Services

Individual Subject Matter

Experts On-Demand

Managed Services

Application Hosting on AWS

SLA Driven Break-fix Support

Today’s Focus: Security as a Service

A Good Security ModelA Security Model that allows for minimal user

administration

PeopleSoft Security Layers

Application

Tools

• HCM – Department, T&L• FSCM-- BU, Chart Fields• CRM - Provider Groups & Worklists

• Application Designer• Processes & Reports• Components/Pages• Query Records• SignOn• User ID• Roles/Perm Lists

PeopleSoft Security Layout

User Authentication

-User ID

-Data Security

-Roles

Roles define what the

user can do?

-Role to Pages

(Permissions)

-Role to Tools (eg: Query)

Permissions which do

the real security work

-Role to Permissions

-Permission to Pages

-Type of Access

-Permissions to Query

tables

-Permissions to

Processes

Menus show you what is

written in Permissions.

Permissions point to

-Menu

-Folder

-Page (Fluid/Classic)

Reports/nVision

Data (Finance,

HCM, etc.)

Query (Trees,

Security Records)

Processes, Jobs

Types of Data SecurityHCM Department Security, Security Trees

HCM T&L Security, T&L Groups

Finance BU, Cost Center Security

BI or 3rd party (SciQuest) Security

Query Security (Details on the next slide)

Process Security

Data Privacy

Query Security

Pay Check Tables

Setup tables

Salary, Compensation Tables

GL tables

Vendor TablesPersonnel Tables

Voucher, AP transaction tables etc.

(e.g.: HIPAA data)

Query Trees – to restrict SQL

tables access

*Data security applies at run time

Objectives : Features Time Savings

• Define and document

procedures

• Define data owners and

approvers

• System integration

• Role/PL naming

convention

• Manage security from

primary application

(HCM / Portal)

• Predefined User Access

(ESS & MSS)

• Automated Predefined

User Access (Based on

Job Duties)

• User updates only

needed for new

modules and during a

ReOrg

• Accuracy, Quality, and

Efficiency

• Robust and Scalable

• Business Productivity

• Data Privacy

• Audit Requirements

Sustainable, Scalable Security Model

User Maintenance

Additional access on top of the basic access is requested through a request submitted via a ticketing system to the PeopleSoft Access team

- Payroll, T&L- Central HR- Benefits- Budget- Finance, - AFR- Procurement- IT

PS Access Admin or Automated Process

Receives Request

Review SOPs, Obtain Approvals,

Assign Needed Access

User Validates the NewUpdates Meet Job Duties

System Integration

HCM or CRM

Finance

3rd Party

PortalOr HCM

LDAP/AD

MIM/OIM

Integration is designed to leverage existing systems/data to automate a users authentication and basic access

Identity Management

Active Directory (AD)

Data Messaging:

Data Link:

BI

Purchasing

Role Design & Maintenance

When designing roles ERPA thinks through compartmentalizing the functionality based on common job duties and PeopleSoft functionality

• This will assist the Access team in building up users and roles

At ERPA, we create role names starting with Client’s abbreviation and typically follow that with the module. It is followed by a meaningful name that helps the functional team identify what the role supports. For example:

• ERPA AP Analyst – Owned by Accounts Payable, for their analysts• ERPA ESS TL Entry – Owned by T&L, for all employees to submit Time• ERPA PY Specialist – Owned by Payroll, for their specialists

This also provides the building blocks to deploy new access/functionality to specialized groups of users.

Auditing & Audits

The baseline for audits should be determined by state, federal, internal audit requirements, and should be conducted periodically

On top of these requirements, organization should identify additional auditing needs such as:

• SoD (Segregation of Duties); Define SoD rules, create SoD reports and mitigate risks.

• Table Auditing and review of captured data

• Periodic reviews of users with access to specific pages and data

• Periodic reviews of users and roles to keep it current with job duties

PS Security Assessment/Cleanup DeliverablesSecurity Cleanup Services

Silver Gold PlatinumBasic Technical Review

Technical and most of the functional items review

Full Review

1 Review Security Administrators, PS Admins, DBAs Access ✓ ✓ ✓

2 Review Developers Access ✓ ✓ ✓

3 Review Tools/Non-Migratable Access ✓ ✓

4 Review Batch ID Access ✓ ✓

5 Review Integration Broker Access ✓ ✓

6 Review Backend Database Access ✓ ✓ ✓

7 Review PS Home Access ✓ ✓ ✓

8 Review Tree Access ✓

9 Review Query and Access Tree Access ✓

10 Review Non-Prod (Copy of Prod) Access ✓

11 Review/Assess current security procedures, and SLAs ✓ ✓

12 Review SOPs such as naming standards, requisitions, approvals, and assignments ✓ ✓

13Review/Define Data Owners and delegates for PS Modules/sub-modules based on organization structure

✓ ✓ ✓

14 Assess Security Team Skills ✓ ✓

15 Review and Reduce Redundant Access (Collaborate with Data Owners) ✓ ✓ ✓

16 Review and Reduce Not-Needed Access (Collaborate with Data Owners) ✓ ✓ ✓

17 Review Access by Risk (Collaborate with Data Owners and IT) ✓ ✓

18 Review Correction Access by job duties (Collaborate with Data Owners) ✓ ✓ ✓

19 Review Update Access by job duties (Collaborate with Data Owners) ✓ ✓ ✓

20 Review Run Access by job duties (Collaborate with Data Owners) ✓

21 Review View Access by job duties (Collaborate with Data Owners) ✓

22 Cleanup and Consolidation (Collaborate with Data Owners and IT)Based on job titles, job roles, and current reorg

Based on scalability, job titles, job roles, and current reorg

Based on normalization methods, future reorgs, future growth, return on investment, scalability, job titles, and job roles

23 Repeat steps 17-22 as needed ✓ ✓ ✓

** Setup automation code in Client’s PeopleSoft for following deliverables. Collaborate with IT and data owners **

A. Access Controls Automation24 Review and setup/revise automated User Creation process25 Review and setup/revise automated User Termination/Transfer process

26 Review and setup/revise data driven security using data rules27 Implement automated access by job responsibilities (job code/position)28 Implement workflow based automated access by Data Owners/Delegates

B. Separation of Duties, Audit, and Compliance Monitoring Controls29 Create Access Reviews procedure and execute on a periodic basis

30 Daily Monitoring Alerts (High Profile Roles)31 Daily Monitoring Alerts (Database Backend)

32 Review and define Audit tables for critical business functions33 Create Audit reports and reviewing procedure

34 Review and define Server, VPN access by job responsibility 35 Identify top 10 risks, create RAMP (Risk Access Monitoring Plan) and execute RAMP on a periodic basis

36 Setup Separation of Duties rules by high risk, job functions (Collaborate with data owners)37 Implement separation of duties (SOD) access

38 Create Separation of Duties automated reports and remove/mitigate/accept risks (Collaborate with Data Owners)

C. 2-Factor Authentication, Alerts and Management Reports39 Smart 2-factor authentication by Administrative User, User with Sensitive data access40 Identity Access Management integration; Single Signon-AD/LDAP/Shibboleth/OIM/IAM41 Trusted Single sign on within PS

42 Intelligent Access firewall for preventative controls; Dashboards by application, module, data, and Geo Location; Security Alerts if security threat detected

D. Ongoing Manual Maintenance43 Get requirements from Client’s PS-Security Administrator and create new PLs, Roles per Client-ERPA standards44 Create new IB security services as needed

45 Monitor the automation and report results; Modify the automation as needed46 Execute Access Reviews with Client’s PS-Security Administrator and ISO on a periodic basis

47 Execute audit/compliance functions with Client’s PS-Security Admin and ISO on a periodic basis and report results to data owners and IT48 Execute RAMP with Client’s PS-Security Administrator and ISO on periodic basis and report results to executives

49 Execute SOD reviews with Client’s PS-Security Administrator, ISO and data owners on a periodic basis and mitigate/remove/accept risks50 Assist the Client during internal/external audits

PS Security Deliverables after the Cleanup

Time Saving Benefits – ERPA’s Security Model

Automated Security Services Savings Other REST Lab Services (manual)-User Access creation 14% -Periodic Access Reviews with sign offs

-IB setup, sync 15% -Define Access by Job Responsibilities

-Security by Dept/Jobcode/Position 7% -Access Controls

-Data Driven security 5% -Security mapping with other enterprise apps

-Workflow and Role Ownership based security 35% -Cleanup and Consolidation; Design, Standardizations

-Access terminations & transfers 14% -Workflow Security

-Audit & Compliance Daily Alerts – PSoft 3% -One time production changes

-Audit & Compliance Daily Alerts – PS Database 3% -Assist in periodic internal and external audit activities

-Audit - Separation of Duties 4% -RAMP: Risk Assessment and Monitoring Plan, periodic execution

-Intelligent Two Factor Authentication 9% -Portal Access Administration (optional)

-Analytical Usage Security reports by App, by module, by department, by user type, by location, by time, etc.

8%-Integration Broker, integrations (optional)

-Activity Guides/Pivot Grids/Forms (optional)

Customer’s PeopleSoft Security Needs

Security as a

Service

1

3

4

2

5

6

7

8

9 PS 2 Factor Authentication

Integration Broker Security

PS Database Security

Application Access

Database/Server/VPN Access

Query Security

PS Access Firewall

Data Encryption, Data Masking

Developer, Tree, Object Security

Analytical Access ReportsDept Name User Name Role Name Page Function Access Type ERPA Recommendation Customer Decision

xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Compensation Correct historical data for all EEs Access to be reduced; 10 roles & 65 users have access Remove the access from user & from role

xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Compensation Correct historical data for all EEs Access to be reduced; 10 roles & 65 users have access Remove the access for this user




xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Compensation Correct historical data for all EEs Access to be reduced; 10 roles & 65 users have access Remove the access for this user



xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Compensation Correct historical data for all EEs Access to be reduced; 10 roles & 65 users have access Access is appropriate; Reduce the number of roles

xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Compensation Correct historical data for all EEs Access to be reduced; 10 roles & 65 users have access Access is appropriate; Reduce the number of roles

xxxxxxxxxx yyyyyyyyy Zzzzzzzzzzz Modify Password Correct Data Access to be reduced; 5 roles & 2,000+ users have access Remove the access from user & from role

xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Modify Password Correct Data Access to be reduced; 5 roles & 2,000+ users have access Remove the access from user & from role

xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Modify Password Correct Data Access to be reduced; 5 roles & 2,000+ users have access Remove the access for this user






xxxxxxxxxx yyyyyyyyy zzzzzzzzzzz Modify Password Correct Data Access to be reduced; 5 roles & 2,000+ users have access Remove the access for this user



Transfer (Job Based new access)

1. User Profile

Creation

2. Job Based

Access

3. Job Duty Based

Data Security

4. Termination

(Retiree)

Automated

End to End Automation – User Access

End-to-End Automation

01

03

02

04

05

10

08

09

07

06

User ProvisioningCreation, Termination, Enhanced Access, Transfers

Job Duty Based Security Access by job duties, job code, position

Workflow Based Security Auditable Data Owners workflow approvals

Identity & Access Mgmt IntegrationOIM, MIM, FIM, AD, LDAP, Single Sign-on

Cleanup & ConsolidationUser Access, Role and PL Cleanup, Consolidation

ERPA’s SECaaS

Automated, Auditable, Monitored, and

Maintained

Data SecurityDept, T&L, Cost Centers, User Preferences, BUs

Audit & Monitoring ControlsAutomated alerts, Access Reviews, Auditable modifications and access

RAMPRisk Access Monitoring Plan; Pen Test

Separation of DutiesMitigate risks and Fraud; Auditable SOD

2 Factor Authentication & PS FirewallDetect unauthorized access attempts; avoid breach

User SOD Conflict example - HCM

User-Role SOD Conflict example - HCM71 % of Users with Conflicts

54 Conflicts Area Benefits Compensation/Budget/Job Data Payroll

76 Users Function Benefits Compensation/Budget/Job Data Payroll

User ID User NameSOD

Analysis

ER

PA

Payr

oll

Adm

in

ER

PA

Payr

oll

Analy

st

ER

PA

HR

Data

Specia

list

ER

PA

HR

Adm

in

ER

PA

Payr

oll

Analy

st

Vw

ER

PA

Benefits

Adm

in

ER

PA

HR

Managem

ent

ER

PA

HR

Benefits

Adm

in

ER

PA

HR

Benefits

Analy

st

ER

PA

Tra

inin

g A

dm

in

ER

PA

EE

Rep

ER

PA

Em

plo

yee S

erv

ices

ER

PA

Tre

asury

Specia

list

ER

PA

Payr

oll

Adm

in

ER

PA

Payr

oll

Analy

st

ER

PA

Budget A

dm

in

ER

PA

HR

Data

Specia

list

ER

PA

HR

Adm

in

ER

PA

Benefits

Adm

in

ER

PA

Park

ing S

pecia

list

ER

PA

HR

Managem

ent

ER

PA

HR

Benefits

Adm

in

ER

PA

HR

Benefits

Analy

st

ER

PA

Tra

inin

g A

dm

in

ER

PA

Budget A

naly

st

ER

PA

EE

Rep

ER

PA

Tax C

om

plia

nce

ER

PA

Em

plo

yee S

erv

ices

ER

PA

HR

Repre

senta

tive

ER

PA

HR

Modify P

ers

on

ER

PA

Identify

PR

ER

PA

Batc

h J

obs

ER

PA

Payr

oll

Adm

in

ER

PA

TL A

dm

in

ER

PA

Payr

oll

Analy

st

ER

PA

Budget A

dm

in

ER

PA

HR

Data

Specia

list

ER

PA

HR

Adm

in

ER

PA

Benefits

Adm

in

ER

PA

HR

Adm

in

ER

PA

HR

Benefits

Adm

in

ER

PA

Tra

inin

g A

dm

in

ER

PA

Budget A

naly

st

ER

PA

EE

Rep

ER

PA

Tax C

om

plia

nce

ER

PA

TL A

naly

st

ER

PA

HR

Rep

erpa00000001 Adam Smith Conflict X X X X

erpa00000002 Asheley Smith Conflict X X X

erpa00000003 Amy Gray Conflict X X X X X X X

erpa00000004 Amber Saylor Conflict X X X X X

erpa00000005 Ambra Flicker Conflict X X X

erpa00000006 Allan Murray Conflict X X X

ERPA’s Intelligent Two factor authentication (i2FA)

Feature 2FA – in Market ERPA's i2FALogon Level X X

User Level X XRole Level X X

Page Level X XField Level X XBy IP Address X X

Remember 2FA setting (e.g.: 30 minutes, 1 day) X

Exclude by IP Address X XExclude by User X XExclude by Role X X

No 3rd party app needed (DUO) X

Intelligent 2FA (detects new IP Address). Prevention and Notification XLess Maintenance needed with PT upgrades XNo Maintenance needed with platform changes XEasy to Deploy, configure, and maintain XEasy to disable X

Affordable X

ERPA’s i2FA example

By Role, User, Sensitive Data, IP, etc.with built-in intelligence

Use Case – Higher Ed

• No. of Users –5000+ (HCM, FSCM),

25000+ (CS), 3rd party integrated

apps

• No. of Security Roles – 1500+

• No. of Tickets – 6,000+ annually

• No. of Terms – 1200+ annually

• No. of New Users – 1,200 annually,

800+ interns

Statistical Info

• Secured enterprise

• Identified and closed all risk and loopholes

• Prepared systems to meet compliance and audit regulations

• Access within minutes with SLAs, 90% time savings

Benefits

• Distributed Security model

• Large ticket volume, Large turnover

• Too much Correction access

• Cloned User/PL/Role type of Access

• Ambiguous access

• One Action, one page type of access

Challenges

Solution

• Analytical & Normalization Methods

• Bottoms up analysis and cleanup

by Risk

• Full cleanup (Access, Backend,

Dept Tree, IB)

• Separation of Duties (SOD)

• Audit Controls, Detective &

Monitoring Controls

• End to end automation

• Automated Access by job duties, org

relationship

• Integrated access from Portal

• Consolidation of PLs, Roles

• Analysis of redundant and not-needed

access

Use Case – Public Sector (Phase-2 in progress)

• No. of Users – 25000+

• No. of Security Roles – 525+

• No. of Permission List – 14,000+

• No. of Tickets – 9,600 annually

• No. of New Users – 1,600 annually

• No. of access modifications – 3,700

annually

Statistical Info

• Phase -1, Cleanup by Risk:

• Analysis of redundant and not-needed access

• Analytical & Normalization Methods

• Bottoms up analysis and cleanup by Risk

• Correction & Update access

Solution

• Phase 2 – Redesign:

• View access to sensitive data,

Query Trees

• Full cleanup (Access, Trees,

Backend, Server, VPN)

• Separation of Duties (SOD)

• Audit Controls

• Granular Security model

• Large number of Permission

lists/users

• Cloned User/PL/Role type of Access

• Ambiguous access

Challenges

• Identification and closing major risk items

• Goals: Preparing the systems to meet compliance and audit regulations

• Goals: Faster Access Assignments with SLAs

• Goals: Clean data for security automation

Benefits

Free up your

security resources

by 75%

Free up your security

related users’ time by

90%

Benefits of Automation

Why ERPA?Automation Benefits

➢ Reduction of ticket volume

➢ Fewer complaints

➢ Error Reduction

➢ Productivity. Security team can focus on:

➢ Quality designs,

➢ Access reviews,

➢ Assist in audits/compliance,

➢ Pen testing,

➢ SOD,

➢ Integrating with 3rd party and IDM, etc.

Cleanup Benefits

➢ Sustainable, Scalable Security Model

➢ Minimal User Administration

➢ Fewer changes during Re-Orgs

➢ Faster Access Assignments/Modifications

Secure your enterprise

➢ Intelligent 2FA; Prevent data breach

➢ Separation of Duties

➢ Audit & Compliance Monitoring Controls

Affordability

➢ Approximately 1/3rd cost vs internal labor cost

Conclusion Thoughts

For demos and deep dive sessions, please reach out to us at

[email protected]

SCHRUG 2019 HCM, FSCM, CS, and Portal Apps South Central ...

Documents

Transcript of SCHRUG 2019 HCM, FSCM, CS, and Portal Apps South Central ...