SHAPING SECURITY

TAKING PEOPLESOFT SECURITY TO NEXT LEVEL

SPEAKER: Jarmanjit Singh CISSP CISA, PeopleSoft Security Expert

DATE: 23 June 2015


AGENDA

  • Introduction
  • Problem Statement
  • Problem Summary
  • PeopleSoft Security
  • Dynamic Security - Solutions
  • Online Access Request Process
  • Solutions Summary
  • Questions


INTRODUCTION

PeopleSoft Security Implementation, Redesign and Support Services

Value Added solutions (Bolt-ons) to automate Security

Speaker: Jarmanjit Singh CISSP CISA

  • Founder and PeopleSoft Security Expert at Jarman & Company
  • 10+ years of experience in IT with 6+ years in PeopleSoft Security and Integrations
  • Has executed and supported several end-to-end PeopleSoft Security Implementations
  • Actively working on enhancing the Security module of PeopleSoft

Innovative SECURITY SOLUTIONS that actually make your life EASIER


PROBLEM STATEMENT

[Diagram labels: HR, Job Profiles, Security Profiles, Roles and Responsibilities, Business, Security]

  • Businesses use information systems
  • Information systems are protected by a security layer
  • Users need access to information systems

The best security model is one where Job Profiles = Security Profiles. There has to be a match or there will be problems. This is just one part of it.

Tip 1: You should have a good design strategy in place (least privilege).


PROBLEM STATEMENT cont.

This adds more complexity. HR and Security are 2 different modules. Changes in HR don't trigger security changes. The effort is manual, and that's where it goes out of sync and wrong.

[Diagram: Employee Life Cycle (Hire, Terminate) and Access Life Cycle (Provision Identity, De-provision Access). The Ultimate goal: Should always stay Compliant. Label: Dynamic Security]

HR is a very dynamic function, which means Dynamic HR = Dynamic Security.

Tip 2: Make Security as dynamic as possible. You need tools.


PROBLEM REALIZATION

Not everything can be made dynamic:

o People wear different hats

o Job profiles are not standard

o There is no direct mapping between Job profiles and Roles and responsibilities

That's where you need a security access request process.

Tip 3: Use an online access request process. You will save big time vs an external, manual, paper-based process.


MOTIVATIONAL EXAMPLES

  • "Invoices and expenses are piling up. Very frustrated!!!"
  • "I haven't heard about my access for many days now. Is anything happening!! I really need to approve this PO. Please help!!!"
  • "It becomes imperative to pay bills on time or late payment fees will be charged. I do not believe ITS wants this to happen"

Tip 4: Be proactive rather than reactive in your approach


SECURITY TEAM - qualifications

  • Security is not only about creating Roles and PLs
  • Design is the key to any Product or Service
  • Besides inexperienced teams, there are other reasons as well:
    o Team is always thin.
    o Project support takes up to 50% of time

Tip 5: Find ways to save this time


SUMMARY so far.

  • Match Security Objects with HR Job profiles
    o Sets the platform to establish controls in business
    o Sets the foundation for Least Privilege Principle

  • Make Security as dynamic as possible
    o Helps reduce administration costs
    o Streamlines security
    o Eliminates human errors
    o Improves service delivery

  • Complement it with an online access request process
    o Full audit trail of all requests
    o Built-in approval mechanism

  • Be proactive rather than reactive in approach
    o This should be used in strategy
    o There is no one-line definition here


PEOPLESOFT SECURITY intro.

PeopleSoft security has 3 elements:

  - Page Access
  - Data Access
  - User Preferences

[Diagram labels: Database, Page access, User Preferences]


PAGE ACCESS - RBAC

  • PeopleSoft uses a Role Based Access model to control Page access
  • Pages are grouped into roles and roles are assigned to the Users
  • A Role is a logical representation of a Job function. For example, a Journal Entry role will have pages to do Journal entries.
  • Best model where employee turnover is high
  • Multiple pages can be assigned to a Permission list
  • Users change, Roles don't

[Diagram layers: Pages, Perm Lists (PL 1), Roles (Role 1), Users]


DATA ACCESS - RLS

Database Row Level Security

Human Capital Management

  • People with Job
    - Security by PL: Location, Company, Business unit, Setid
  • People w/o Job
    - Security by Permission List: Person of Interest
  • Time & Labor
    - TL security by Permission List: Dynamic groups, Static groups
  • Security by Department Tree

Financials

  • Row Security
    - Business Unit, Setid, Ledger, Paycycle, etc.
  • Chartfield Security
    - Department, Account, Project, Fund, etc.

Campus Solution

  • Secure Student Administration
    - Institution, Career, Program, 3C Group, etc.
  • Secure Student Financials
    - Business Unit, Setid, Company


USER PREFERENCES

  • Also called User Defaults
  • In FS, they also mean User authorizations. For example, authority to create Vendors.
  • It is a huge deal in FS: 50% of work
  • There are tons of Authorization options in FS.


ADMINISTRATION COST

Page Access

[Diagram labels: PeopleSoft Pages, Permission Lists, PeopleSoft Security Roles, End Users, Security Operations, Security Maintenance]

  • Page access is the same across all applications, i.e. the RBAC model

Data Access

[Diagram labels: Security Elements, Permission List, End Users, Security Operations]

  • Row Security elements can be assigned via Permission Lists
  • Or directly to Users

User Preferences

[Diagram labels: User Preferences, End Users, Security Operations]

  • There is a huge list of User Prefs in FS
  • And they all get assigned directly to User IDs

Cost drivers

  • Very high maintenance cost
  • TnE Self-service also needs Data security
  • There usually are Business rules
  • But assignment is all manual
  • Huge potential for human errors
  • Inconsistent Security
  • Leads to a large number of Help Desk calls


WHAT'S THE SOLUTION?

  • The RBAC model works fine for page access in all Applications.
  • Row level security and User Preferences get assigned directly to User IDs, or via PLs in some cases.
    o This is where most of the cost lies.
    o And this is where security remains inconsistent.
  • Can there be rules around assigning Row security and User Preferences?
  • Even better, can those rules be fed into the system?
  • Can the system auto-assign Row Security and User Preferences?
  • The answer is YES! We have introduced a Rule Based Security model for auto-assigning Row security and User preferences.
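
One way a rule-based model of this kind can work, as an added example that is not from the original slides or the vendor's bolt-on: rules keyed on HR job attributes give the row-security values and user preferences each user should hold, and a reconcile step diffs that against current assignments so a transfer or termination in HR yields grants and revokes. The rule format, field names and all sample values are hypothetical.

```python
# Added illustration: hypothetical rule format and fields, not PeopleSoft tables.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    match: tuple        # HR attributes that must all match, e.g. (("dept", "AP"),)
    grants: frozenset   # (kind, value) pairs; kind is "ROW" or "PREF"

RULES = [
    Rule((("dept", "AP"),), frozenset({("ROW", "BU=US001"), ("PREF", "VOUCHER_ENTRY")})),
    Rule((("dept", "AP"), ("grade", "MGR")), frozenset({("PREF", "VENDOR_CREATE")})),
    Rule((("dept", "GL"),), frozenset({("ROW", "LEDGER=ACTUALS")})),
]

def desired_access(job):
    """Union of grants from every rule whose conditions all match the HR job row."""
    if job.get("status") != "ACTIVE":   # terminated or missing: nothing is granted
        return set()
    out = set()
    for rule in RULES:
        if all(job.get(k) == v for k, v in rule.match):
            out |= rule.grants
    return out

def reconcile(hr_jobs, current):
    """Return {user: (to_grant, to_revoke)} for users whose access drifted from HR."""
    changes = {}
    for user in sorted(set(hr_jobs) | set(current)):
        want = desired_access(hr_jobs.get(user, {}))   # no HR row => no access
        have = current.get(user, set())
        grant, revoke = want - have, have - want
        if grant or revoke:
            changes[user] = (grant, revoke)
    return changes

HR_JOBS = {   # constructed sample data
    "asmith": {"dept": "AP", "grade": "MGR", "status": "ACTIVE"},
    "bjones": {"dept": "GL", "grade": "STF", "status": "ACTIVE"},   # moved AP -> GL
    "cwong": {"dept": "AP", "grade": "STF", "status": "TERMINATED"},
}
CURRENT = {
    "asmith": {("ROW", "BU=US001"), ("PREF", "VOUCHER_ENTRY")},
    "bjones": {("ROW", "BU=US001"), ("PREF", "VOUCHER_ENTRY")},
    "cwong": {("ROW", "BU=US001"), ("PREF", "VOUCHER_ENTRY")},
    "dlee": {("ROW", "LEDGER=ACTUALS")},   # orphan: no HR record at all
}

if __name__ == "__main__":
    print(reconcile(HR_JOBS, CURRENT))
```

Running the reconcile step on a schedule, or on each HR job change, is what keeps the access life cycle aligned with the employee life cycle; the revoke side matters as much as the grant side for least privilege.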


DYNAMIC SECURITY

[Diagram: one pair of flows labelled Security Operations: Data Access (Security Options, Permission List, End Users) and User Preferences (User Preferences, End Users); one pair labelled Automated: Data Access (Row Security, Rules Engine, End Users) and User Preferences (User Prefs, Rules Engine, End Users)]

This makes Data Access and User Preferences dynamic as well. Huge win in terms of administration cost.


LIST OF TOOLS

Bolt-ons (HCM)

  • Dynamic Security by Permission list
    - Location, Company, Business unit, Salary Grade
  • Dynamic Security by Dept tree
    - Security by Department Tree
  • Dynamic TL Security by PL
    - Dynamic groups
    - Static groups
  • Person of Interest

Bolt-ons (FSCM)

  • Dynamic Row Security
    - Business Unit, Setid, Ledger, Paycycle, etc.
  • Dynamic TnE authorizations

Online Access Request Process - Production

  • Request Access
  • Approve Request
  • Auto Implement

We have a similar process for Project Environments

Dynamic Role Assignment Process


ACCESS REQUEST PROCESS

For the pieces that can't be made dynamic, a process is required.

Production – Live systems

– It is always urgent

– Fewer systems but a large number of users

Project – Test environments

– Again, it's always urgent

– Large number of systems but fewer users


COMMON PROCESS

Current Approach

[Diagram: Portal over three systems (1. FS, 2. HCM, 3. CS), each with its own Roles, Data Security, User Defaults and Review/Approve]

Step 1: Requester makes request. Paper-based manual process. Too much information to fill in.

Step 2: Approver approves request. Manual: paper/fax/email/phone based process. Hard to organize, adds delay.

Step 3: Security implements request. Manual: add roles, Data Security & User preferences. Very cumbersome. 3 different systems. Hard to stay on top. Potential for human errors.


STANDARDIZATION - automation

New State of Security

[Diagram labels: Portal; FS, HCM, CS; Roles, Data Security, User Defaults; Review/Approve; 2. HCM]

  • Down to one process. We have created an online access request process within PeopleSoft.
  • You can configure multiple forms
  • It uses workflow for approvals.
  • Auto implement
  • No manual intervention by the Security team.
  • No delay from the Security end. Requests get implemented as soon as they are approved by the business.


PROJECT TEAM - security

[Diagram labels: AWE, Program]

  • User will make a request
  • Lead will review/approve it
  • System will auto implement it

Benefits

  • Time saved here can be utilized in designing better security
  • Improve project teams' productivity
  • Email exchanges/tickets between Project team and security will reduce by more than 50%


SOLUTIONS SUMMARY

We discussed STRATEGIES and TOOLS

STRATEGIES

  • Security Objects should match with Job Profiles
  • Security should be as dynamic as possible
  • Centralized Security model

TOOLS

  • Delivered - Dynamic role assignment
  • Custom - Dynamic RLS and User Preferences
  • Custom - Online Access Request Process (Production and non-production)

This is what will make security Simple, Easy to Operate, Compliant, Streamlined and Instantly available.


Questions?

Visit our website for more information: www.jarmanc.com

Name: Jarmanjit Singh

Email: [email protected]

Cell Ph: 647 282 9267