SCHRUG 2019 HCM, FSCM, CS, and Portal Apps South Central ...
ERPA (Formerly ERP Analysts)
PeopleSoft Security Cleanup, Automation, & Access Controls for HCM, FSCM, CS, and Portal Apps
Jai Chitkara, Program Director, Emerging Tech
July 22-23, 2019
SCHRUG 2019: South Central Regional User Group Conference
Agenda
• Introductions
• About ERPA
• PeopleSoft Services
• Security as a Service
• PS Access 101; What’s a Good Security Model?
• Customer’s PSoft Security Needs
• Automation
• Types of Access Controls
• Data Security
• Audit & Compliance Controls
• Separation of Duties
• Data Breach Prevention (2FA)
• Cleanup & Consolidation using Analytics
• Deliverables
• Use Cases
• Q & A
About ERPA
ERPA National Offices
• Founded in 1999 with Headquarters in Dublin, Ohio
• Satellite Offices in Florida, Nevada and Texas
• Oracle Platinum Partner specializing in Oracle Cloud, PeopleSoft, Business Intelligence, and Big Data
• 500+ U.S. Based W2 Consultants
• 1500+ Successful Projects
• 250+ PeopleSoft Upgrades
• 22+ PeopleSoft 9.2 upgrades
• 110+ PeopleSoft 9.2 upgrade passes
• 7+ OBIA (ODI) 11.1.1.10.2 Implementations
• Human Resources, Financials, and Student Information Analytic
PeopleSoft Services
• PUM Management
• Custom Development
• Testing as a Service
• PeopleSoft Fluid Service
• PS Security as a Service
• Disaster Recovery Services
• PeopleSoft Implementations, Upgrades, Module Add-on
• PeopleTools Upgrade
• Managed Projects
• Consulting Services
• Individual Subject Matter Experts On-Demand
• Managed Services
• Application Hosting on AWS
• SLA Driven Break-fix Support
Today’s Focus: Security as a Service
A Good Security Model
A Security Model that allows for minimal user administration

PeopleSoft Security Layers
Application layer:
• HCM – Department, T&L
• FSCM – BU, Chart Fields
• CRM – Provider Groups & Worklists
Tools layer:
• Application Designer
• Processes & Reports
• Components/Pages
• Query Records
• SignOn
• User ID
• Roles/Perm Lists
PeopleSoft Security Layout
User Authentication
- User ID
- Data Security
- Roles
Roles define what the user can do
- Role to Pages (Permissions)
- Role to Tools (e.g. Query)
Permissions, which do the real security work
- Role to Permissions
- Permission to Pages
- Type of Access
- Permissions to Query tables
- Permissions to Processes
Menus show you what is written in Permissions. Permissions point to:
- Menu
- Folder
- Page (Fluid/Classic)
- Reports/nVision
- Data (Finance, HCM, etc.)
- Query (Trees, Security Records)
- Processes, Jobs
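To make the layering concrete, here is an added example (not ERPA's or Oracle's code; every user, role, permission-list and page name in it is constructed) that resolves a user's effective page access through Roles and Permission Lists, ranks the access types (View, Update, Correction), and flags Correction access and redundant roles, which is the kind of check the review deliverables in this deck describe.

```python
"""Resolve effective page access the PeopleSoft way: User -> Roles -> Permission Lists -> Pages.

Added illustration, not ERPA's or Oracle's code. Every user, role, permission list
and page name below is constructed sample data."""

# Access types ranked; a user with several grants on one page effectively holds the highest.
ACCESS_RANK = {"View": 1, "Update": 2, "Correction": 3}

# Permission list -> {page: access type}   (constructed)
PERMISSION_LISTS = {
    "PL_JOB_VIEW":   {"JOB_DATA": "View"},
    "PL_JOB_UPDATE": {"JOB_DATA": "Update", "POSITION_DATA": "Update"},
    "PL_JOB_CORR":   {"JOB_DATA": "Correction"},
    "PL_PAYCHECK":   {"PAYCHECK_REVIEW": "View"},
    "PL_QUERY":      {"QUERY_MANAGER": "Update"},
}
# Role -> permission lists   (constructed)
ROLES = {
    "ERPA HR Admin":        ["PL_JOB_UPDATE", "PL_JOB_CORR", "PL_QUERY"],
    "ERPA HR Rep":          ["PL_JOB_VIEW"],
    "ERPA Payroll Analyst": ["PL_PAYCHECK", "PL_QUERY"],
}
# User -> roles   (constructed)
USERS = {
    "erpa00000001": ["ERPA HR Admin", "ERPA HR Rep"],
    "erpa00000002": ["ERPA HR Rep", "ERPA Payroll Analyst"],
}


def effective_access(user_roles, roles=ROLES, pls=PERMISSION_LISTS):
    """Return {page: (highest access type, set of roles that grant it at that level)}."""
    result = {}
    for role in user_roles:
        for pl in roles.get(role, []):
            for page, access in pls.get(pl, {}).items():
                current = result.get(page)
                if current is None or ACCESS_RANK[access] > ACCESS_RANK[current[0]]:
                    result[page] = (access, {role})
                elif ACCESS_RANK[access] == ACCESS_RANK[current[0]]:
                    current[1].add(role)
    return result


def review_report(users=USERS, min_access="Correction"):
    """Deliverable-18 style list: (user, page, access, granting roles) at or above min_access."""
    flagged = []
    for uid, user_roles in users.items():
        for page, (access, via) in sorted(effective_access(user_roles).items()):
            if ACCESS_RANK[access] >= ACCESS_RANK[min_access]:
                flagged.append((uid, page, access, sorted(via)))
    return flagged


def redundant_roles(user_roles, roles=ROLES, pls=PERMISSION_LISTS):
    """Roles that grant nothing the user's other roles do not already grant at an equal or higher level."""
    redundant = []
    for role in user_roles:
        without = effective_access([r for r in user_roles if r != role], roles, pls)
        own = effective_access([role], roles, pls)
        if all(page in without and ACCESS_RANK[without[page][0]] >= ACCESS_RANK[acc]
               for page, (acc, _) in own.items()):
            redundant.append(role)
    return redundant


if __name__ == "__main__":
    for uid, user_roles in USERS.items():
        print(uid, effective_access(user_roles), "redundant:", redundant_roles(user_roles))
    print("Correction access to review:", review_report())
```

Running it shows erpa00000001 holding Correction on JOB_DATA through ERPA HR Admin, with ERPA HR Rep adding nothing (a candidate for the redundant-access cleanup), while erpa00000002 has only Update on the Query Manager page and no Correction access at all.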
Types of Data Security
• HCM Department Security, Security Trees
• HCM T&L Security, T&L Groups
• Finance BU, Cost Center Security
• BI or 3rd party (SciQuest) Security
• Query Security (Details on the next slide)
• Process Security
• Data Privacy

Query Security
• Pay Check Tables
• Setup tables
• Salary, Compensation Tables
• GL tables
• Vendor Tables
• Personnel Tables
• Voucher, AP transaction tables etc.
(e.g.: HIPAA data)
• Query Trees – to restrict SQL tables access
* Data security applies at run time
Sustainable, Scalable Security Model
Objectives, Features, Time Savings:
• Define and document procedures
• Define data owners and approvers
• System integration
• Role/PL naming convention
• Manage security from primary application (HCM / Portal)
• Predefined User Access (ESS & MSS)
• Automated Predefined User Access (Based on Job Duties)
• User updates only needed for new modules and during a ReOrg
• Accuracy, Quality, and Efficiency
• Robust and Scalable
• Business Productivity
• Data Privacy
• Audit Requirements
User Maintenance
Additional access on top of the basic access is requested through a request submitted via a ticketing system to the PeopleSoft Access team:
- Payroll, T&L
- Central HR
- Benefits
- Budget
- Finance, AFR
- Procurement
- IT
PS Access Admin or Automated Process:
- Receives Request
- Review SOPs, Obtain Approvals, Assign Needed Access
- User Validates the New Updates Meet Job Duties
System Integration
Integration is designed to leverage existing systems/data to automate a user's authentication and basic access.
Diagram (Portal or HCM at the center, linked by "Data Messaging" and "Data Link" arrows): HCM or CRM; Finance; 3rd Party; LDAP/AD; MIM/OIM; Identity Management; Active Directory (AD); BI; Purchasing.
Role Design & Maintenance
When designing roles, ERPA thinks through compartmentalizing the functionality based on common job duties and PeopleSoft functionality.
• This will assist the Access team in building up users and roles
At ERPA, we create role names starting with the Client’s abbreviation and typically follow that with the module. It is followed by a meaningful name that helps the functional team identify what the role supports. For example:
• ERPA AP Analyst – Owned by Accounts Payable, for their analysts
• ERPA ESS TL Entry – Owned by T&L, for all employees to submit Time
• ERPA PY Specialist – Owned by Payroll, for their specialists
This also provides the building blocks to deploy new access/functionality to specialized groups of users.
Auditing & Audits
The baseline for audits should be determined by state, federal, and internal audit requirements, and audits should be conducted periodically.
On top of these requirements, the organization should identify additional auditing needs such as:
• SoD (Segregation of Duties): define SoD rules, create SoD reports and mitigate risks.
• Table Auditing and review of captured data
• Periodic reviews of users with access to specific pages and data
• Periodic reviews of users and roles to keep them current with job duties
PS Security Assessment/Cleanup Deliverables: Security Cleanup Services
Tiers: Silver = Basic Technical Review; Gold = Technical and most of the functional items review; Platinum = Full Review

| # | Deliverable | Silver | Gold | Platinum |
|---|---|---|---|---|
| 1 | Review Security Administrators, PS Admins, DBAs Access | ✓ | ✓ | ✓ |
| 2 | Review Developers Access | ✓ | ✓ | ✓ |
| 3 | Review Tools/Non-Migratable Access | | ✓ | ✓ |
| 4 | Review Batch ID Access | | ✓ | ✓ |
| 5 | Review Integration Broker Access | | ✓ | ✓ |
| 6 | Review Backend Database Access | ✓ | ✓ | ✓ |
| 7 | Review PS Home Access | ✓ | ✓ | ✓ |
| 8 | Review Tree Access | | | ✓ |
| 9 | Review Query and Access Tree Access | | | ✓ |
| 10 | Review Non-Prod (Copy of Prod) Access | | | ✓ |
| 11 | Review/Assess current security procedures, and SLAs | | ✓ | ✓ |
| 12 | Review SOPs such as naming standards, requisitions, approvals, and assignments | | ✓ | ✓ |
| 13 | Review/Define Data Owners and delegates for PS Modules/sub-modules based on organization structure | ✓ | ✓ | ✓ |
| 14 | Assess Security Team Skills | | ✓ | ✓ |
| 15 | Review and Reduce Redundant Access (Collaborate with Data Owners) | ✓ | ✓ | ✓ |
| 16 | Review and Reduce Not-Needed Access (Collaborate with Data Owners) | ✓ | ✓ | ✓ |
| 17 | Review Access by Risk (Collaborate with Data Owners and IT) | | ✓ | ✓ |
| 18 | Review Correction Access by job duties (Collaborate with Data Owners) | ✓ | ✓ | ✓ |
| 19 | Review Update Access by job duties (Collaborate with Data Owners) | ✓ | ✓ | ✓ |
| 20 | Review Run Access by job duties (Collaborate with Data Owners) | | | ✓ |
| 21 | Review View Access by job duties (Collaborate with Data Owners) | | | ✓ |
| 22 | Cleanup and Consolidation (Collaborate with Data Owners and IT) | Based on job titles, job roles, and current reorg | Based on scalability, job titles, job roles, and current reorg | Based on normalization methods, future reorgs, future growth, return on investment, scalability, job titles, and job roles |
| 23 | Repeat steps 17-22 as needed | ✓ | ✓ | ✓ |
PS Security Deliverables after the Cleanup
** Setup automation code in Client’s PeopleSoft for following deliverables. Collaborate with IT and data owners **

A. Access Controls Automation
24 Review and setup/revise automated User Creation process
25 Review and setup/revise automated User Termination/Transfer process
26 Review and setup/revise data driven security using data rules
27 Implement automated access by job responsibilities (job code/position)
28 Implement workflow based automated access by Data Owners/Delegates

B. Separation of Duties, Audit, and Compliance Monitoring Controls
29 Create Access Reviews procedure and execute on a periodic basis
30 Daily Monitoring Alerts (High Profile Roles)
31 Daily Monitoring Alerts (Database Backend)
32 Review and define Audit tables for critical business functions
33 Create Audit reports and reviewing procedure
34 Review and define Server, VPN access by job responsibility
35 Identify top 10 risks, create RAMP (Risk Access Monitoring Plan) and execute RAMP on a periodic basis
36 Setup Separation of Duties rules by high risk, job functions (Collaborate with data owners)
37 Implement separation of duties (SOD) access
38 Create Separation of Duties automated reports and remove/mitigate/accept risks (Collaborate with Data Owners)

C. 2-Factor Authentication, Alerts and Management Reports
39 Smart 2-factor authentication by Administrative User, User with Sensitive data access
40 Identity Access Management integration; Single Signon-AD/LDAP/Shibboleth/OIM/IAM
41 Trusted Single sign on within PS
42 Intelligent Access firewall for preventative controls; Dashboards by application, module, data, and Geo Location; Security Alerts if security threat detected

D. Ongoing Manual Maintenance
43 Get requirements from Client’s PS-Security Administrator and create new PLs, Roles per Client-ERPA standards
44 Create new IB security services as needed
45 Monitor the automation and report results; Modify the automation as needed
46 Execute Access Reviews with Client’s PS-Security Administrator and ISO on a periodic basis
47 Execute audit/compliance functions with Client’s PS-Security Admin and ISO on a periodic basis and report results to data owners and IT
48 Execute RAMP with Client’s PS-Security Administrator and ISO on periodic basis and report results to executives
49 Execute SOD reviews with Client’s PS-Security Administrator, ISO and data owners on a periodic basis and mitigate/remove/accept risks
50 Assist the Client during internal/external audits
Time Saving Benefits – ERPA’s Security Model

| Automated Security Service | Savings |
|---|---|
| User Access creation | 14% |
| IB setup, sync | 15% |
| Security by Dept/Jobcode/Position | 7% |
| Data Driven security | 5% |
| Workflow and Role Ownership based security | 35% |
| Access terminations & transfers | 14% |
| Audit & Compliance Daily Alerts – PSoft | 3% |
| Audit & Compliance Daily Alerts – PS Database | 3% |
| Audit - Separation of Duties | 4% |
| Intelligent Two Factor Authentication | 9% |
| Analytical Usage Security reports by App, by module, by department, by user type, by location, by time, etc. | 8% |

Other REST Lab Services (manual):
- Periodic Access Reviews with sign offs
- Define Access by Job Responsibilities
- Access Controls
- Security mapping with other enterprise apps
- Cleanup and Consolidation; Design, Standardizations
- Workflow Security
- One time production changes
- Assist in periodic internal and external audit activities
- RAMP: Risk Assessment and Monitoring Plan, periodic execution
- Portal Access Administration (optional)
- Integration Broker, integrations (optional)
- Activity Guides/Pivot Grids/Forms (optional)
Customer’s PeopleSoft Security Needs
Security as a Service (nine areas):
• Application Access
• Database/Server/VPN Access
• PS Database Security
• Integration Broker Security
• Query Security
• Developer, Tree, Object Security
• Data Encryption, Data Masking
• PS Access Firewall
• PS 2 Factor Authentication
Analytical Access Reports (placeholder values)

| Dept Name | User Name | Role Name | Page | Function (Access Type) | ERPA Recommendation | Customer Decision |
|---|---|---|---|---|---|---|
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access for this user |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access for this user |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Access is appropriate; Reduce the number of roles |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Compensation | Correct historical data for all EEs | Access to be reduced; 10 roles & 65 users have access | Access is appropriate; Reduce the number of roles |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access for this user |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access for this user |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
| xxxxxxxxxx | yyyyyyyyy | zzzzzzzzzzz | Modify Password | Correct Data | Access to be reduced; 5 roles & 2,000+ users have access | Remove the access from user & from role |
End to End Automation – User Access
Automated flow (Transfer: Job Based new access):
1. User Profile Creation
2. Job Based Access
3. Job Duty Based Data Security
4. Termination (Retiree)

End-to-End Automation: ERPA’s SECaaS (Automated, Auditable, Monitored, and Maintained), ten areas:
• User Provisioning: Creation, Termination, Enhanced Access, Transfers
• Job Duty Based Security: Access by job duties, job code, position
• Workflow Based Security: Auditable Data Owners workflow approvals
• Identity & Access Mgmt Integration: OIM, MIM, FIM, AD, LDAP, Single Sign-on
• Cleanup & Consolidation: User Access, Role and PL Cleanup, Consolidation
• Data Security: Dept, T&L, Cost Centers, User Preferences, BUs
• Audit & Monitoring Controls: Automated alerts, Access Reviews, Auditable modifications and access
• RAMP: Risk Access Monitoring Plan; Pen Test
• Separation of Duties: Mitigate risks and Fraud; Auditable SOD
• 2 Factor Authentication & PS Firewall: Detect unauthorized access attempts; avoid breach
User SOD Conflict example - HCM
User-Role SOD Conflict example - HCM: 71 % of Users with Conflicts; 54 Conflicts; 76 Users
Conflict Areas (by Function): Benefits; Compensation/Budget/Job Data; Payroll
Matrix columns (role names, grouped under the three areas; the grouping and the position of each X mark did not survive extraction): ERPA Payroll Admin, ERPA Payroll Analyst, ERPA Payroll Analyst Vw, ERPA HR Data Specialist, ERPA HR Admin, ERPA Benefits Admin, ERPA HR Management, ERPA HR Benefits Admin, ERPA HR Benefits Analyst, ERPA Training Admin, ERPA EE Rep, ERPA Employee Services, ERPA Treasury Specialist, ERPA Budget Admin, ERPA Budget Analyst, ERPA Parking Specialist, ERPA Tax Compliance, ERPA HR Representative, ERPA HR Modify Person, ERPA Identify PR, ERPA Batch Jobs, ERPA TL Admin, ERPA TL Analyst, ERPA HR Rep
Matrix rows (User ID, User Name, SOD Analysis, number of roles marked X):
- erpa00000001 Adam Smith Conflict (4 roles marked)
- erpa00000002 Asheley Smith Conflict (3 roles marked)
- erpa00000003 Amy Gray Conflict (7 roles marked)
- erpa00000004 Amber Saylor Conflict (5 roles marked)
- erpa00000005 Ambra Flicker Conflict (3 roles marked)
- erpa00000006 Allan Murray Conflict (3 roles marked)
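The matrix above is the output of an SoD analysis; the added example below (not ERPA's tooling) shows the logic behind such a report: map each role to the functional area it touches, express the rules as pairs of areas one person must not hold together, and produce the per-user conflicts plus the headline numbers (conflict count, percentage of users affected). It also includes a greedy remediation suggestion for the remove/mitigate/accept step. The role-to-area mapping, the rules and the user assignments are constructed; only the role and area names follow the deck.

```python
"""Segregation-of-duties (SoD) conflict report over user-role assignments.

Added example, not ERPA's SoD tooling. The role-to-area mapping, the SoD rules and the
user assignments are constructed; the area names follow the slide."""
from itertools import combinations

# Functional area each role touches (constructed mapping; role names taken from the deck).
ROLE_AREA = {
    "ERPA Payroll Admin":       "Payroll",
    "ERPA Payroll Analyst":     "Payroll",
    "ERPA Tax Compliance":      "Payroll",
    "ERPA HR Admin":            "Compensation/Budget/Job Data",
    "ERPA Budget Admin":        "Compensation/Budget/Job Data",
    "ERPA HR Data Specialist":  "Compensation/Budget/Job Data",
    "ERPA Benefits Admin":      "Benefits",
    "ERPA HR Benefits Analyst": "Benefits",
    "ERPA EE Rep":              None,   # self-service style role: no SoD-relevant area
}

# SoD rules: pairs of areas one person must not control end to end (constructed).
SOD_RULES = {
    frozenset({"Compensation/Budget/Job Data", "Payroll"}),
    frozenset({"Benefits", "Payroll"}),
}

# User -> roles (constructed).
USER_ROLES = {
    "u001": ["ERPA Payroll Admin", "ERPA HR Admin", "ERPA EE Rep"],
    "u002": ["ERPA Benefits Admin", "ERPA HR Benefits Analyst"],
    "u003": ["ERPA Budget Admin", "ERPA Tax Compliance", "ERPA Benefits Admin"],
    "u004": ["ERPA EE Rep"],
}


def user_conflicts(roles, role_area=ROLE_AREA, rules=SOD_RULES):
    """Set of (role_a, role_b) pairs, a < b, whose areas together match an SoD rule."""
    conflicts = set()
    for a, b in combinations(sorted(roles), 2):
        areas = frozenset(x for x in (role_area.get(a), role_area.get(b)) if x)
        if len(areas) == 2 and areas in rules:
            conflicts.add((a, b))
    return conflicts


def sod_report(user_roles=USER_ROLES):
    """Per-user conflicts plus the headline numbers the slide shows (conflict count, % users affected)."""
    per_user = {uid: user_conflicts(r) for uid, r in user_roles.items()}
    affected = sorted(uid for uid, c in per_user.items() if c)
    pct = round(100 * len(affected) / len(user_roles)) if user_roles else 0
    return {
        "per_user": per_user,
        "users_with_conflicts": affected,
        "conflict_count": sum(len(c) for c in per_user.values()),
        "pct_users_with_conflicts": pct,
    }


def suggest_removals(roles, role_area=ROLE_AREA, rules=SOD_RULES):
    """Greedy remediation: repeatedly drop the role involved in the most conflicts until none remain.
    The result is a starting point for the data owner, who may instead mitigate or accept the risk."""
    remaining, removed = list(roles), []
    while True:
        conflicts = user_conflicts(remaining, role_area, rules)
        if not conflicts:
            return removed
        counts = {}
        for a, b in conflicts:
            counts[a] = counts.get(a, 0) + 1
            counts[b] = counts.get(b, 0) + 1
        worst = max(sorted(counts), key=counts.get)   # sorted() makes ties deterministic
        remaining.remove(worst)
        removed.append(worst)


if __name__ == "__main__":
    rep = sod_report()
    print(f"{rep['conflict_count']} conflicts; {rep['pct_users_with_conflicts']}% of users affected")
    for uid, conflicts in rep["per_user"].items():
        if conflicts:
            print(uid, sorted(conflicts), "-> suggest removing", suggest_removals(USER_ROLES[uid]))
```

On the constructed data, two of the four users have conflicts (50%), three conflicting pairs in total; u003 is resolved by removing the single role that sits in both of its conflicts, which is exactly the kind of candidate a data owner reviews in the remove/mitigate/accept step.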
ERPA’s Intelligent Two factor authentication (i2FA)

| Feature | 2FA – in Market | ERPA's i2FA |
|---|---|---|
| Logon Level | X | X |
| User Level | X | X |
| Role Level | X | X |
| Page Level | X | X |
| Field Level | X | X |
| By IP Address | X | X |
| Remember 2FA setting (e.g.: 30 minutes, 1 day) | | X |
| Exclude by IP Address | X | X |
| Exclude by User | X | X |
| Exclude by Role | X | X |
| No 3rd party app needed (DUO) | | X |
| Intelligent 2FA (detects new IP Address). Prevention and Notification | | X |
| Less Maintenance needed with PT upgrades | | X |
| No Maintenance needed with platform changes | | X |
| Easy to Deploy, configure, and maintain | | X |
| Easy to disable | | X |
| Affordable | | X |

ERPA’s i2FA example
By Role, User, Sensitive Data, IP, etc. with built-in intelligence
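The feature list above names the dimensions a step-up policy is evaluated on: logon, user, role and page level rules, IP based rules, a remember window, exclusions, and new-IP detection. The added example below (not ERPA's i2FA code) is a small policy evaluator that combines them in one decision function; the policy values, user, roles, addresses and request records are constructed, and the order in which rules are checked is a design choice of this example.

```python
"""Step-up second-factor decision for a PeopleSoft-style logon or page request.

Added illustration of the policy dimensions on the comparison slide (logon/user/role/page
level rules, IP based rules, a remember window, exclusions and new-IP detection). Not
ERPA's i2FA code; the policy values, users, roles and request records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import ipaddress


@dataclass
class Policy:
    admin_roles: set = field(default_factory=lambda: {"ERPA HR Admin", "ERPA Payroll Admin"})
    sensitive_pages: set = field(default_factory=lambda: {"PAYCHECK_REVIEW", "MODIFY_PASSWORD"})
    always_users: set = field(default_factory=lambda: {"svc_audit_review"})
    exclude_users: set = field(default_factory=lambda: {"batch_ps"})
    exclude_roles: set = field(default_factory=lambda: {"ERPA Batch Jobs"})
    exclude_networks: list = field(default_factory=lambda: [ipaddress.ip_network("10.20.0.0/16")])
    remember_for: timedelta = timedelta(minutes=30)


@dataclass
class Request:
    user: str
    roles: set
    page: str
    src_ip: str
    now: datetime
    known_ips: set                 # source addresses previously seen for this user
    last_2fa: Optional[datetime]   # last successful second factor, if any


def decide(req: Request, policy: Policy = Policy()):
    """Return (action, reason); action is 'allow', 'challenge' or 'challenge+notify'."""
    ip = ipaddress.ip_address(req.src_ip)
    # Exclusions are evaluated first, so a batch identity or a trusted network is never prompted.
    if req.user in policy.exclude_users or req.roles & policy.exclude_roles:
        return "allow", "excluded user or role"
    if any(ip in net for net in policy.exclude_networks):
        return "allow", "excluded network"
    # A never-seen source address is the "intelligent" signal: it overrides the remember
    # window, forces a challenge and raises a notification for the security team.
    if req.src_ip not in req.known_ips:
        return "challenge+notify", "new source IP for this user"
    if req.last_2fa is not None and req.now - req.last_2fa < policy.remember_for:
        return "allow", "second factor within remember window"
    if req.user in policy.always_users:
        return "challenge", "user-level rule"
    if req.roles & policy.admin_roles:
        return "challenge", "administrative role"
    if req.page in policy.sensitive_pages:
        return "challenge", "sensitive page"
    return "allow", "no rule matched"


def sample_decisions():
    """Constructed scenarios, one per policy dimension; returns {scenario: action}."""
    now = datetime(2019, 7, 22, 9, 0)
    base = dict(user="jdoe", roles={"ERPA HR Rep"}, page="JOB_DATA", src_ip="198.51.100.7",
                now=now, known_ips={"198.51.100.7"}, last_2fa=None)
    scenarios = {
        "ordinary page, known ip":     base,
        "admin role":                  {**base, "roles": {"ERPA HR Admin"}},
        "sensitive page":              {**base, "page": "PAYCHECK_REVIEW"},
        "admin role, 2fa 10 min ago":  {**base, "roles": {"ERPA HR Admin"}, "last_2fa": now - timedelta(minutes=10)},
        "admin role, 2fa 40 min ago":  {**base, "roles": {"ERPA HR Admin"}, "last_2fa": now - timedelta(minutes=40)},
        "new ip despite recent 2fa":   {**base, "src_ip": "203.0.113.9", "last_2fa": now - timedelta(minutes=5)},
        "admin from excluded network": {**base, "roles": {"ERPA HR Admin"}, "src_ip": "10.20.5.5", "known_ips": set()},
        "batch identity":              {**base, "user": "batch_ps", "roles": {"ERPA Batch Jobs"}},
    }
    return {name: decide(Request(**kw))[0] for name, kw in scenarios.items()}


if __name__ == "__main__":
    for name, action in sample_decisions().items():
        print(f"{name:30} -> {action}")
```

Two points of the design are worth noting: the remember window only suppresses rule-based challenges, never the new-IP challenge, because a remembered session from an unfamiliar address is precisely the case the notification exists for; and exclusions by network are a trust decision that should be reviewed like any other access grant, since an address inside the excluded range is never challenged at all.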
Use Case – Higher Ed
Statistical Info
• No. of Users – 5000+ (HCM, FSCM), 25000+ (CS), 3rd party integrated apps
• No. of Security Roles – 1500+
• No. of Tickets – 6,000+ annually
• No. of Terms – 1200+ annually
• No. of New Users – 1,200 annually, 800+ interns
Challenges
• Distributed Security model
• Large ticket volume, Large turnover
• Too much Correction access
• Cloned User/PL/Role type of Access
• Ambiguous access
• One Action, one page type of access
Solution
• Analytical & Normalization Methods
• Bottom-up analysis and cleanup by Risk
• Full cleanup (Access, Backend, Dept Tree, IB)
• Separation of Duties (SOD)
• Audit Controls, Detective & Monitoring Controls
• End to end automation
• Automated Access by job duties, org relationship
• Integrated access from Portal
• Consolidation of PLs, Roles
• Analysis of redundant and not-needed access
Benefits
• Secured enterprise
• Identified and closed all risk and loopholes
• Prepared systems to meet compliance and audit regulations
• Access within minutes with SLAs, 90% time savings
Use Case – Public Sector (Phase-2 in progress)
Statistical Info
• No. of Users – 25000+
• No. of Security Roles – 525+
• No. of Permission List – 14,000+
• No. of Tickets – 9,600 annually
• No. of New Users – 1,600 annually
• No. of access modifications – 3,700 annually
Challenges
• Granular Security model
• Large number of Permission lists/users
• Cloned User/PL/Role type of Access
• Ambiguous access
Solution
• Phase 1, Cleanup by Risk:
  • Analysis of redundant and not-needed access
  • Analytical & Normalization Methods
  • Bottom-up analysis and cleanup by Risk
  • Correction & Update access
• Phase 2 – Redesign:
  • View access to sensitive data, Query Trees
  • Full cleanup (Access, Trees, Backend, Server, VPN)
  • Separation of Duties (SOD)
  • Audit Controls
Benefits
• Identification and closing major risk items
• Goals: Preparing the systems to meet compliance and audit regulations
• Goals: Faster Access Assignments with SLAs
• Goals: Clean data for security automation
Benefits of Automation
Free up your security resources by 75%
Free up your security related users’ time by 90%

Why ERPA?
Automation Benefits
➢ Reduction of ticket volume
➢ Fewer complaints
➢ Error Reduction
➢ Productivity. Security team can focus on:
  ➢ Quality designs,
  ➢ Access reviews,
  ➢ Assist in audits/compliance,
  ➢ Pen testing,
  ➢ SOD,
  ➢ Integrating with 3rd party and IDM, etc.
Cleanup Benefits
➢ Sustainable, Scalable Security Model
➢ Minimal User Administration
➢ Fewer changes during Re-Orgs
➢ Faster Access Assignments/Modifications
Secure your enterprise
➢ Intelligent 2FA; Prevent data breach
➢ Separation of Duties
➢ Audit & Compliance Monitoring Controls
Affordability
➢ Approximately 1/3rd cost vs internal labor cost