Implementing Security and Controls in PeopleSoft Best Practices Lewis Hopkins Applications Consultant [email protected]

Implementing security and controls in people soft best practices - may 2017



Page 1: Implementing security and controls in people soft   best practices - may 2017

Implementing Security and Controls in PeopleSoft – Best Practices

Lewis Hopkins – Applications Consultant, [email protected]

Page 2

Reminders

A recording of today’s session will be sent to all registrants shortly after the webinar.

Phone lines/mics are MUTED.

There will be a Q & A section at the end of today’s session. Please use the GoToWebinar “Questions” feature (not the “Chat” feature) from your control panel to post a question at any time during the presentation.

Page 3

Agenda

• About Smart ERP

• Managing Super User Access

• Access Definitions

• Data Security

• Production Do’s and Don’ts

• Solutions

Page 4

About SmartERP

Page 5

Achieve Best-In-Class Performance

Our mission is to provide innovative, configurable, flexible, cost-effective solutions to common business challenges, enabling our clients to save time, increase productivity, minimize costs, and maximize their return on investment.

Solutions

Business applications that offer organizations an end-to-end solution providing the right design and implementation from start to finish.

Services

A 24/7 seasoned and experienced staff of experts to help you implement your business solutions efficiently and effectively at a cost-effective rate.

Cloud

Cloud applications provide solutions built on proven enterprise class architecture that enable high configurability and ease of monitoring.

Page 6

About SmartERP

Oracle Platinum Partner

Best practices and expertise in strategic planning, implementation, upgrade and add-on / customization services

Unique blend of Solutions and Services

‘Clients for Life’ – High level of client satisfaction and loyalty

200+ Clients across various industries

350+ Employees

Global Locations: Headquarters in Pleasanton, CA; Offices in Atlanta GA, Hyderabad, Chennai and Bangalore (India)

Founded in 2005 by former Oracle Architects, Executives and Consultants

Page 7

Security and Control Points

Page 8

Managing Super User Access

Communication – Typically Business Users don’t understand the Application’s Security design.

Business Users / Technical Users

Responsibility and Ownership

“Foxes watching the Hen House”

Page 9

‘Super User’ Access

• Don’t rely on PSADMIN or VP1 generic logins without controls

Options for management:

• Break Glass

• Individual User Logins

Page 10

Break Glass

• Employee requests access to investigate/resolve a Production issue.

• In an IDM Solution: Automate the creation and assignment of Roles.

• Either through timeout or manual process, change the User credentials so this Employee cannot log back in.

Page 11

Individual User Logins

Employees request access to Production; the Sys Admin unlocks their account and grants the Roles required for diagnosis.

At the end of the process, the User’s account is locked again.
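Both flows on the two slides above come down to one lifecycle: unlock, grant only the Roles needed for diagnosis, then remove them and make sure the person cannot simply log back in. The Python below is an added example written for this page, not code from the presentation or from any SmartERP or Oracle product. It models that lifecycle against an in-memory stand-in for the IDM system (or the PSOPRDEFN/PSROLEUSER tables), with constructed user IDs, Role names and ticket references, and covers both the timeout path (Break Glass) and the manual close-out path (Individual User Logins).

```python
"""Time-boxed Production access: unlock, grant only the roles needed, then
revoke, rotate the credential and re-lock on timeout or manual close-out.
Added example; the store is an in-memory stand-in for an IDM system or the
PSOPRDEFN/PSROLEUSER tables, and all IDs, roles and tickets are constructed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class UserProfile:
    oprid: str
    locked: bool = True                  # Production accounts stay locked by default
    roles: set[str] = field(default_factory=set)
    password_hash: str = ""


@dataclass
class AccessGrant:
    oprid: str
    added_roles: frozenset[str]          # only roles the user did not already hold
    ticket: str                          # incident/change reference justifying access
    granted_at: datetime
    expires_at: datetime
    active: bool = True


class BreakGlassStore:
    """Profiles, open grants and an append-only audit trail of every grant/revoke."""

    def __init__(self, users: dict[str, UserProfile]) -> None:
        self.users = users
        self.grants: list[AccessGrant] = []
        self.audit: list[tuple[datetime, str, str]] = []

    def grant(self, oprid: str, roles: set[str], ticket: str,
              now: datetime, ttl: timedelta = timedelta(hours=4)) -> AccessGrant:
        """Unlock the account and assign the diagnosis roles for a bounded window.
        A grant with no ticket is refused: every unlock must be traceable."""
        if not ticket:
            raise ValueError("Production access requires a ticket reference")
        user = self.users[oprid]
        added = frozenset(roles - user.roles)   # never revoke a role the user already owned
        user.roles |= added
        user.locked = False
        grant = AccessGrant(oprid, added, ticket, now, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, oprid, f"GRANT {sorted(added)} ticket={ticket} "
                                       f"until={grant.expires_at.isoformat()}"))
        return grant

    def revoke(self, grant: AccessGrant, now: datetime, reason: str) -> None:
        """Remove the temporary roles, rotate the credential and re-lock, so the
        employee cannot log back in with the password they just used."""
        if not grant.active:
            return                       # idempotent: timeout and manual paths may both fire
        user = self.users[grant.oprid]
        user.roles -= grant.added_roles
        user.password_hash = secrets.token_hex(16)   # stand-in for a real password reset
        user.locked = True
        grant.active = False
        self.audit.append((now, grant.oprid,
                           f"REVOKE {sorted(grant.added_roles)} reason={reason}"))

    def expire(self, now: datetime) -> list[AccessGrant]:
        """Timeout path: close every grant whose window has passed."""
        expired = [g for g in self.grants if g.active and g.expires_at <= now]
        for g in expired:
            self.revoke(g, now, "timeout")
        return expired

    def open_grants(self) -> list[AccessGrant]:
        return [g for g in self.grants if g.active]


def run_sample() -> dict:
    """Constructed scenario: one grant closed by timeout, one closed manually."""
    t0 = datetime(2017, 5, 1, 9, 0, tzinfo=timezone.utc)
    store = BreakGlassStore({
        "LHOPKINS": UserProfile("LHOPKINS", roles={"PeopleSoft User"}),
        "JDOE": UserProfile("JDOE", roles={"PeopleSoft User"}),
    })
    g1 = store.grant("LHOPKINS", {"PeopleSoft User", "DIAG_QUERY_ACCESS"}, "INC-0001", t0)
    g2 = store.grant("JDOE", {"DIAG_QUERY_ACCESS"}, "INC-0002", t0)
    store.revoke(g2, t0 + timedelta(hours=1), "manual close-out")  # Sys Admin locks JDOE again
    none_yet = store.expire(t0 + timedelta(hours=3))                # g1 still inside its window
    timed_out = store.expire(t0 + timedelta(hours=4))               # g1 times out here
    return {"store": store, "g1": g1, "g2": g2,
            "none_yet": none_yet, "timed_out": timed_out}
```

The audit list is the part a reviewer asks for afterwards: every unlock carries a ticket and an expiry, and every revoke records whether it was the timeout or a person that closed it. Rotating the credential on revoke is what stops the "log back in" problem the slide warns about, whichever path closed the grant.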

Page 12

Break Glass Vs Individual User Logins

Break Glass

Pros:

• Tight Control

• Limit the User Accounts with privileges

• Most IDM solutions have audit tracking and other features to track who accessed Prod – even record sessions.

• More Compliant solution

Cons:

• Can be slow to respond to incidents

• Costly to implement, especially if you don’t have IDM already.

Individual User Logins

Pros:

• Quick – User accounts already exist

• Free to implement

Cons:

• More User accounts to track potentially

• Manual process

• Can’t track User sessions unless auditing is switched on

• No control over User Profiles (unless customized)

Page 13

One more thing…

Always worth Auditing User Profiles, Roles/Permission Lists in PeopleSoft.

Low transaction, high impact

Page 14

Access Definitions

Too many Roles = too many Risks/too difficult to answer who has access to what

We’ve seen:

160+ Roles per User

12-24 months before Security is regarded as a mess

Are Role Assignments going through a change request?

Page 15

Access Definitions

Security too complex – not ‘Business friendly’

Ensure new/copied Security is easy to read

Re-Use where possible, for example: Sign on process

Delivered Roles have Security issues and please secure ALLPAGES!!

Segregation of Duties
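The three slides above (audit User Profiles, Roles and Permission Lists; watch for Role sprawl; secure ALLPAGES) all turn on one question: who holds which Roles, and which Permission Lists those Roles reach. The Python below is an added example written for this page, not code from the presentation or from any product. It runs that audit as SQL against an in-memory SQLite copy of the delivered PSOPRDEFN, PSROLEUSER and PSROLECLASS tables (column names as I know them from the delivered schema; confirm against your release before pointing the SQL at a real database). The rows are constructed; the ALLPAGES check answers the slide directly, listing which users reach that Permission List through any Role and whether their account is currently locked.

```python
"""Audit of PeopleSoft user profiles, roles and permission lists using the
delivered security tables PSOPRDEFN, PSROLEUSER and PSROLECLASS.  Added
example with an in-memory SQLite copy of those tables holding constructed
rows; column names follow the delivered tables as I know them."""
import sqlite3

# Delivered table shapes, reduced to the columns the audit needs.
SCHEMA = """
CREATE TABLE PSOPRDEFN  (OPRID TEXT PRIMARY KEY, ACCTLOCK INTEGER NOT NULL);
CREATE TABLE PSROLEUSER (ROLEUSER TEXT NOT NULL, ROLENAME TEXT NOT NULL,
                         PRIMARY KEY (ROLEUSER, ROLENAME));
CREATE TABLE PSROLECLASS(ROLENAME TEXT NOT NULL, CLASSID TEXT NOT NULL,
                         PRIMARY KEY (ROLENAME, CLASSID));
"""

# Role sprawl: users holding more roles than the agreed ceiling.
ROLE_COUNT_SQL = """
SELECT u.OPRID, COUNT(ru.ROLENAME) AS ROLE_COUNT
FROM PSOPRDEFN u
LEFT JOIN PSROLEUSER ru ON ru.ROLEUSER = u.OPRID
GROUP BY u.OPRID
HAVING COUNT(ru.ROLENAME) > ?
ORDER BY ROLE_COUNT DESC, u.OPRID
"""

# Which users reach a given permission list, and through which role.
PERMLIST_PATH_SQL = """
SELECT DISTINCT u.OPRID, u.ACCTLOCK, ru.ROLENAME
FROM PSOPRDEFN u
JOIN PSROLEUSER  ru ON ru.ROLEUSER = u.OPRID
JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
WHERE rc.CLASSID = ?
ORDER BY u.OPRID, ru.ROLENAME
"""


def load_sample(conn: sqlite3.Connection) -> None:
    """Constructed rows: VP1 with a sprawl of roles, a locked admin, a normal user."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?)",
                     [("VP1", 0), ("LHOPKINS", 0), ("JDOE", 1)])
    role_rows = [("VP1", "PeopleSoft Administrator")]
    role_rows += [("VP1", f"ROLE_{i:02d}") for i in range(1, 25)]   # 24 constructed roles
    role_rows += [("LHOPKINS", "PeopleSoft User"), ("LHOPKINS", "HR_ANALYST"),
                  ("JDOE", "PeopleSoft Administrator"), ("JDOE", "PeopleSoft User")]
    conn.executemany("INSERT INTO PSROLEUSER VALUES (?, ?)", role_rows)
    conn.executemany("INSERT INTO PSROLECLASS VALUES (?, ?)",
                     [("PeopleSoft Administrator", "ALLPAGES"),
                      ("PeopleSoft User", "PL_BASE"),      # constructed permission lists
                      ("HR_ANALYST", "PL_HR")])


def audit(conn: sqlite3.Connection, max_roles: int = 20,
          sensitive_classid: str = "ALLPAGES") -> dict:
    """Return the findings a security review wants first: role sprawl, every
    path to the sensitive permission list, and the subset on unlocked accounts."""
    sprawl = conn.execute(ROLE_COUNT_SQL, (max_roles,)).fetchall()
    paths = conn.execute(PERMLIST_PATH_SQL, (sensitive_classid,)).fetchall()
    live = sorted({oprid for oprid, acctlock, _ in paths if acctlock == 0})
    return {"role_sprawl": sprawl,
            "permlist_paths": paths,
            "unlocked_with_permlist": live}


def run_sample() -> dict:
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return audit(conn)
```

Running the two queries on a schedule, and diffing the output against the previous run, is the cheapest form of the "low transaction, high impact" audit the slide recommends: a new row in the ALLPAGES path list or a jump in a user's role count is exactly the change a change request should have explained.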

Page 16

Access Definitions – find the Navigation

Page 17

Data Security

• Row Security limited in PeopleSoft

• What to do about PCI or PII?

• Field Security, Tokenization, restrict Fields in the Pages, Database Level Security?

Page 18

Is this a good or a bad thing to have?

Page 19

Opportunities for Securing Data

For Query:

Create Roles/Permission Lists for accessing this Data

Secure them against the Fields you use & the Queries for accessing this information

• Pros: Accountability – track the Roles that have access

• Cons: Can leave out other data required from a table

For Access:

Use Database level Security to Secure or Obfuscate the Data

• Pros: Total Security at the Data level

• Cons: May need each User to have a DB level User

If one DB User, what about Self Service Users?
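The query-side and database-side options on this slide, together with the Field Security and Tokenization options from the Data Security slide, can be combined for a single sensitive Field: keep only a token and the last four digits in the application table, put the real value in a separately secured vault, and give query users a masked view instead of the base table. The Python below is an added example written for this page, not code from the presentation or from any product; the table, view and Role names and the SSNs are constructed, and the HMAC key stands in for one held in a key manager.

```python
"""Field-level protection for a sensitive column (SSN) by tokenization plus a
masked database view.  Added example; the tables, view and role names are
constructed and are not PeopleSoft objects.  The vault key would come from a
key manager or HSM in practice; here it is generated for the demo."""
import hashlib
import hmac
import secrets
import sqlite3

VAULT_KEY = secrets.token_bytes(32)          # constructed: demo-only key
DETOKENIZE_ROLES = {"PAYROLL_ADMIN"}         # constructed: only these roles may unmask

SCHEMA = """
-- application table keeps only a token and the last four digits
CREATE TABLE PERSONAL_DATA (EMPLID TEXT PRIMARY KEY, NAME TEXT,
                            SSN_TOKEN TEXT NOT NULL, SSN_LAST4 TEXT NOT NULL);
-- the vault would live in a separately secured schema or database
CREATE TABLE SSN_VAULT (SSN_TOKEN TEXT PRIMARY KEY, SSN TEXT NOT NULL);
-- query users are granted the masked view instead of the base table
CREATE VIEW PERSONAL_DATA_MASKED AS
  SELECT EMPLID, NAME, '***-**-' || SSN_LAST4 AS SSN_MASKED FROM PERSONAL_DATA;
"""


def tokenize(ssn: str) -> str:
    """Keyed, deterministic token: equal SSNs give equal tokens (so duplicate
    checks and joins still work) but the token cannot be reversed without the vault."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("SSN must be nine digits")
    return hmac.new(VAULT_KEY, digits.encode(), hashlib.sha256).hexdigest()[:32]


def store_person(conn: sqlite3.Connection, emplid: str, name: str, ssn: str) -> str:
    """Write the real value to the vault and only the token/last-4 to the app table."""
    token = tokenize(ssn)
    conn.execute("INSERT OR IGNORE INTO SSN_VAULT VALUES (?, ?)", (token, ssn))
    conn.execute("INSERT INTO PERSONAL_DATA VALUES (?, ?, ?, ?)",
                 (emplid, name, token, ssn.replace("-", "")[-4:]))
    return token


def masked_rows(conn: sqlite3.Connection) -> list:
    """What a Query user sees: name and masked SSN, never the full value."""
    return conn.execute(
        "SELECT EMPLID, NAME, SSN_MASKED FROM PERSONAL_DATA_MASKED ORDER BY EMPLID"
    ).fetchall()


def can_unmask(user_roles) -> bool:
    return bool(set(user_roles) & DETOKENIZE_ROLES)


def detokenize(conn: sqlite3.Connection, emplid: str, user_roles):
    """Only a user holding a detokenize role gets the full value; everyone else
    is refused outright rather than silently handed the masked form."""
    if not can_unmask(user_roles):
        raise PermissionError("role not authorised to unmask SSN")
    row = conn.execute(
        "SELECT v.SSN FROM PERSONAL_DATA p JOIN SSN_VAULT v ON v.SSN_TOKEN = p.SSN_TOKEN "
        "WHERE p.EMPLID = ?", (emplid,)).fetchone()
    return row[0] if row else None


def run_sample() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    store_person(conn, "KU0001", "A. Example", "123-45-6789")   # constructed people
    store_person(conn, "KU0002", "B. Example", "987-65-4321")
    return conn
```

This addresses the self-service concern on the slide: the application can keep a single database user, because what that user can read from PERSONAL_DATA is already safe to show, and the decision to unmask is made per Role in the application tier, where it can be logged.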

Page 20

Production Do’s and Don’ts

• Data Mover and Configuration/Development processes – secure them!

• Submission of Jobs

• Copy of Production for testing and simulation

– Who wants to refresh every day?

• Don’t rely on Auditing

– The Horse may have bolted already!

Page 21

Production Do’s and Don’ts

• Separate Configuration from Transactions

• Segregation of Duties and Access Analysis

– OMB

– NIST

– SOX

Compliance is forcing Organizations to change their Approach to ERP Security and Controls

Page 22

Smart ERP Solutions

Page 23

Access and SoD Reporting

• Abilities contain the Security required to perform a task or duty – wrapped into an easy to read container

• Allow for Roles, Permission Lists, Components, Pages and User Preferences

• Incorporate Authorities – can the User update records or not?

Abilities for Reporting

Page 24

Data Security

• Secure specific Fields such as SSN, Credit Cards and more

• Create Contexts: Row Security at the User, Permission List, Role and Tree Level

• Open up Data Security possibilities

Apply Data Security to any Field on any Page

Page 25

Benefits

• Report on who has access to what in plain ‘English’

• Identify and Remediate Users with too much access

• Enforce strong Data Security Policies

• Comply with legislation and reduce costs

Reporting and Data Security as it should be…

Page 26

Achieve Best-In-Class Security and Controls

Solutions

• Segregation of Duties/Access Reporting

• Access Provisioning

• Transaction Monitoring

• Configuration Monitoring

Services

• Security and Configuration ‘Scans’

• Security Design and Implementation

• Training & Review

Page 27

For more information: [email protected]