Remote Access Vulnerabilities In Peoplesoft And Tips To Deal With Them

By Author: appsian
Total Articles: 115
Comment this article

Security consequences are significant concerns, considering the benefits of mobilizing and opening remote access applications for PeopleSoft. Expanding access to sensitive information outside the corporate network's secure perimeter increases the risk of threats and more successful data breaches. The rise of user-centric threats also adds to the danger as hackers are targeting individual users and devices using the human-error factor to their advantage.

Lack Of Native Support For SAML

PeopleSoft applications lack native SAML support. They cannot, therefore, connect to SAML-supporting ID providers and are likely to be alienated from other business applications. For most off-the-shelf SSO suppliers, this restriction is not understood, and they often recommend custom development, which is costly, time-consuming, and typically requires the purchase of additional hardware.

Static Access Controls

PeopleSoft helps organizations apply role-based access controls (RBACs) based on static rules. With extended remote access from within a secure network, organizations need more flexibility to track ...
... and control what resources users can access based on contextual information. RBAC cannot use dynamic information such as device type, company code, project ID, IP address, location, etc., when authorizing access.

MFA Limitations On Login Page

PeopleSoft's traditional security model of username & password authentication is restricted to an application's login - a limitation that still exists with third-party MFA add-ons. After a user passes a login, you have no way of preserving the data with your PeopleSoft applications. This security control gap means that a malicious insider with high privileges can log in and have access to your PeopleSoft systems and information.

Insufficient Visibility

PeopleSoft offers high-level logging, especially designed for debugging and troubleshooting, out of the box. These logs, however, do not provide information about what data has been accessed, nor do they provide any access background information, such as who, where, or when it was obtained. In addition, at a granular level, PeopleSoft does not monitor, register, or regulate user behavior.

Limited Data Masking

The current functionality of data masking from PeopleSoft is limited and relies on role-based static rules. This means that anything can be viewed by users who have the privilege of accessing sensitive data, regardless of where they use the application. Consequently, when user privilege credentials are stolen or when privileged users download data using personal / home device requests, sensitive data fields are exposed.

Some Steps Toward An Effective Solution

Over its lifespan, your ERP investment provides significant ROI. The best way to ensure that your users remain effective in order to maximize your investment is to expand remote access and allow mobile transactions. With a data protection solution that provides a robust suite of access controls and fine-grained security functionality, organizations can protect their ERP data. Ideally, such a solution needs to deliver the following capabilities:

Location-Based Security

It should allow you to take advantage of the context of access and execute the permissions accordingly. You can decide exactly what users can view and what transactions they can conduct if they enter a secure network or the open internet.

Multi-Factor Authentication

Based on the access context, you can have Multi Factor Authenticationchallenges dynamically deployed with such a security solution. For example, customers may request an MFA challenge when a user accesses PeopleSoft from a remote IP address or after business hours. This versatility will minimize the disruption of the MFA, as the risk level can be matched with the threat profile.

Analytics And Logging

The optimal solution should allow granular logging and user behavior monitoring for PeopleSoft. It should allow customers to collect user activity data, including location, device, IP address, etc., along with contextual user information. Information at the transaction level should be collected in a structured format that can explain malicious events, provide actionable information needed for incident response, and provide ready-to-use audit and compliance reports.

Appsian One of the leading ERP data security,compliance,implementation solutions provider that gives organizations to complete control and visibility over their ERP data.