The Possibility Perspective

Security isn’t a one-time fix; it’s a journey.

In this episode, Jeff Miller hosts a session with Greg Wendt from Pathlock and Shawn Fournier from ERPA to explore how organizations can strengthen their PeopleSoft environments through proactive governance, risk management, and compliance strategies.

Together, they discuss the importance of multi-factor authentication, single sign-on, data masking, provisioning automation, and user access governance. You’ll also hear how Pathlock’s Cloud platform integrates with ERPA’s managed services to automate compliance reviews and reduce risk across your enterprise applications.

In this episode, you’ll learn about:
  • How Pathlock automates provisioning, certifications, and access reviews
  • The role of advanced analytics and continuous monitoring in compliance maturity
  • Why true security maturity requires a proactive, integrated approach

Things To Listen For:
(00:00) Intro
(05:04) Who is Pathlock?
(06:41) Security maturity and integration
(07:33) Advanced data security
(16:22) Application access governance
(20:58) Analyzing and reducing risk access
(21:32) Automating secure provisioning
(23:54) Challenges with certifications
(24:59) Monitoring privileged access
(25:20) Defining and managing risks with Pathlock Cloud
(31:32) User access reviews

What is The Possibility Perspective?

This is The Possibility Perspective.

The show where we peel back the layers on enhancing enterprise solutions with Workday magic and PeopleSoft innovation. We’ll sit with real-time customers who've participated in our tailored services.

Whether you're eyeing a smooth Workday transition or modernizing your PeopleSoft with the power of Amazon’s public cloud (AWS), we've got you covered. We’ll dive into topics from cloud migrations to fluid user experiences.

Tune in and empower yourself with the knowledge to optimize your enterprise solutions.

[00:00:00] Greg Wendt: Security is really a journey. It's not a destination. There is no single silver bullet. That's one of the things that I want you to take away. You can't do just one thing and it's gonna fix all of your problems. That's just not how the world works, you know? So when we look at our platform of tools and we're gonna be discussing how all of these things integrate and work together, because much like what we talk about with security maturity, there's a maturity within GRC and all of these things need to be combined and layered together.

[00:00:28] Jeff Miller: Hello, friends. I'm Jeff Miller from ERPA and you're listening to The Possibility Perspective, the show where we talk to strategic-minded PeopleSoft customers who partner with ERPA for a better PeopleSoft experience. Hello, friends. I am Jeff Miller from ERPA. So welcome to all of you. ERPA supports customers throughout their entire lifecycle on PeopleSoft, including managed services, fluid implementation, and other implementations, modernizing with the cloud path to SaaS and much more in today.

[00:01:01] Jeff Miller: It's all about reducing risk and ensuring compliance. We're very pleased to be joined today by ERPA's partner Pathlock. On this slide you're seeing the agenda for today. We'll do some welcome introductions, PeopleSoft security governance and Pathlock demo and capabilities, both provided by our partner Pathlock.

[00:01:18] Jeff Miller: And then we will tell you ERPA about our partner advantages before we get to our Q&A. We have two world-class presenters joining us today. We have Greg from Pathlock and we have Shawn, my ERPA colleague. And so now I'm first gonna turn it over to Greg from Pathlock to introduce himself, and then Shawn will come on and introduce himself to you a little bit about ERPA before we hand it back over to Greg to share all things about security

[00:01:44] Jeff Miller: governance. So Greg, yeah, thank you for joining me on camera. Tell us a little bit about yourself.

[00:01:48] Greg Wendt: Great. Thank you, Jeff. First off, I want to thank everybody for being here and our partners, ERPA as well. We really enjoy working with them. As you said, my name's Greg Wendt, I'm an executive director here. I like, I've been here almost.

[00:01:59] Greg Wendt: 11 years, been in the industry for quite a long time. I've worked oil and gas, retail, higher ed before joining the team about 11 years ago. So ran enterprise architects are very familiar with what ERPA does from supporting, implementing, upgrading, all of those things. So it's just a great show that we have today and just look forward to giving everybody all these new

[00:02:19] Jeff Miller: capabilities that we have.

[00:02:21] Jeff Miller: Awesome. Greg, thank you and great to have you joining us today. Shawn, you wanna join us on camera and unmute yourself. Tell us a little bit about yourself, Shawn, and then also tell us a little bit about ERPA before you hand it back over to Greg.

[00:02:31] Shawn Fournier: Yeah, absolutely. Thank you Jeff. Thanks Greg. Really excited about the opportunity sharing what we can do for our partners.

[00:02:37] Shawn Fournier: So, a quick background on myself. I've been in the industry for, uh, for 20 plus years, VP of Alliances here at AWS, and my responsibility is just ensuring that we bring not only, uh, our experience to the table, but best-of-breed partners like Pathlock to the table so that our clients can get more from their tech investments, particularly in things like PeopleSoft and other ERP suites.

[00:03:01] Shawn Fournier: Very quickly just to kind of set the stage and then we'll get back to the heart of the meeting, which is with Greg and with our partner Pathlock. So if you're unfamiliar with this, just at a very high level, ERPA was founded 25 years ago as a PeopleSoft consulting firm. So two and a half decades later, I would describe as more as a

[00:03:21] Shawn Fournier: kind of a boutique managed services provider specializing in ERP suites, right? And so we do everything from high level strategy and road mapping to strategic account strategic support. On the other end of the spectrum, we work at every vertical. We're very, very strong, obviously in EDU and government, but support every vertical.

[00:03:43] Shawn Fournier: And I think two things that you probably should know about us, number one is that we rely on some of our own technology. We have a proprietary orchestration layer that is called ActiveGenie. We leverage ActiveGenie specifically for PeopleSoft migration and management. And what we've found is that with ActiveGenie, typically we're reducing maintenance windows by 82%.

[00:04:03] Shawn Fournier: We're reducing IT infrastructure management by over 60%, and on average we're reducing costs by 30%. So that's our proprietary technology brought to bear. But one of the other things that we do really well, I believe, is bring best-of-breed partners to the table. And so that's really what today is about.

[00:04:23] Shawn Fournier: Today is about leaning on a partner that we count on to serve our customers and that it's Pathlock. So we're gonna get, we're gonna move from strategic to very tactical around, now, reducing risk and ensuring compliance. You'll also see a little bit of a demo on Pathlock’s application access governance, and I think that the takeaway from today is you should walk away from here with probably some, some very tactical next steps that you can take to drive value into your institution beginning today.

[00:04:54] Shawn Fournier: So with that, I'm eager to turn it back over to Greg and Pathlock and have a look at today's demo.

[00:05:01] Greg Wendt: Perfect. Thanks Shawn. So let's go ahead and get started. I'm gonna do a quick brief introduction of who we are at Pathlock. So Pathlock, we've got over 500 employees globally now. We do also have over 1300 customers.

[00:05:13] Greg Wendt: When we joined together as the group, we became much larger. It's also, you know, when we look at our global reach, we're across the entire planet. So one of the things that we're able to do is really have insight as to what many organizations have to do and deal with across many different privacies, controls, risks, all sorts of different challenges across the globe.

[00:05:33] Greg Wendt: So it gives us a lot of insight that we can bring to our customers regardless of where they are, you know, and you can see some of our, our partners over there as well as ERPA. Let's go ahead and get started. Security is really a journey. It's not a destination. There is no single silver bullet. That's one of the things that I want you to take away.

[00:05:50] Greg Wendt: You can't do just one thing and it's gonna fix all of your problems. That's just not how the world works. You know? So when we look at our platform of tools, and we're gonna be discussing how all of these things integrate and work together, because much like what we talk about with security maturity, there's a maturity within GRC.

[00:06:07] Greg Wendt: And all of these things need to be combined and layered together, and that's what we're really talking about with the delivery of the Pathlock Cloud and our solutions. We can do things that are very tactical, like single sign-on integration, multifactor integration, data masking. All of those are very targeted to a single point, but then we can also do compliant provisioning and deprovisioning,

[00:06:27] Greg Wendt: SOD validation, automated risk assessment, which I'll show you a little bit today, you know, and then we've got real time analytics. So all of these things layer together to bring up your security maturity and your automation across lots of different controls. So let's go ahead and get started. When we think about that security maturity scale, it's like where do we start?

[00:06:46] Greg Wendt: Everybody is in some particular place across this scale. Not everybody's in the exact same place, basically. So you know, if you think about it, you have a lot of documented policies and procedures, and what are you going to be able to do to make those actionable? How do you take them to. They're not just a policy, but how can I audit?

[00:07:05] Greg Wendt: How can I control? How do I know and validate that they're actually doing what they're supposed to be doing in a production environment? Those are how you're documenting those processes and moving forward. When we look at the next step, it really is there's a baseline of security. That baseline is things like single sign-on.

[00:07:20] Greg Wendt: Why do I wanna do this? Location-based access, multi-factor authentication. There's reasons for all of those. And I'll go into 'em on slides coming up, you know, and some of the different advantages and disadvantages of each one of those. And then we move into advanced data security. What is advanced data security?

[00:07:37] Greg Wendt: It's really proactive controls. So it's not something that's reactive. We're not thinking about this post breach. You know, we want to think about this before we actually have a problem, you know, so that we can protect the instance and we can protect our data. You have to have visibility into being able to understand what the people are accessing and doing in your systems to be able to know those things.

[00:07:58] Greg Wendt: So I always say that data is really the real driver. If you're looking at and capturing the right information, you can make the right choices as to what you need from a security maturity model. And then finally, application access governance. We're gonna touch base on all of these today, but application access governance is really about insight into the risk awareness, being able to understand where are my risks?

[00:08:23] Greg Wendt: Let's talk about, you know, just a user access review. You know, if we were all sitting in the room together, I'd say, who does it? Who does it really in a, at a valuable way, you know? And by that I mean, do you actually remove access in a user access review or just rubber stamp it? You know, it's typically a very challenging process that many organizations don't like to do.

[00:08:42] Greg Wendt: Because it is so time consuming, and what we're gonna talk about is how we can automate and bring that right to the forefront. Make it very easy for you to do so. Let's jump in and talk about some of those actionable steps, you know, within this data security maturity model. So first off, those documented policies, you have to move away from ad hoc.

[00:09:01] Greg Wendt: You have to have clear policies and security measures that become protective. They stop inefficiencies, you know, they build you for the future, and it's really about reducing those inefficiencies and increasing, you know, your protection about some of the vulnerabilities that are out there. But it's, they're often typically driven out of IT.

[00:09:23] Greg Wendt: So you're going to be pushing those things, and that's typically where you're going to come up with the next baseline. Is it? Or your leaders might say, we're gonna do single sign-on. What does that mean for us? We need to have multi-factor authentication. All of these things are moving away from, I have this documented policy and procedure.

[00:09:42] Greg Wendt: What am I going to do? And when we think about the baseline, there's a reason why we call this baseline because if you want to think, for example, when you're dealing with cyber insurance, for example, if you're not doing these things, that's due diligence. You're not going to get reimbursed if there's some sort of issue.

[00:10:01] Greg Wendt: Multifactor, you know, authentication is considered due diligence within cybersecurity insurance policy. So if you find out that somebody hacks your system and gains access and steals data and they didn't perform an MFA and you allowed them in, this is where you're gonna run into trouble because it's a baseline.

[00:10:21] Greg Wendt: This is assumed minimum bar of what people have to do inside of their systems. You know, and whether you do single sign on to invoke multifactor at that particular event. There's a lot of organizations that do some, do additional access controls where they implement multifactor inside of the application.

[00:10:40] Greg Wendt: Some do it more at a risk aware. The important part about this is you've got to make sure that you're protecting your system from all access, and it's not just your production systems. There are a lot of breaches and a lot of data leaks that occur within your dev stack. One of the reasons that is, is because typically within the PeopleSoft market, these are going to be

[00:11:01] Greg Wendt: full copies of production. So you've got to protect those instances, enabling these types of things the same way you do production. Make sure you're doing data masking. Make sure you're doing the MFA because it's the same PII, it's the same, you know, somebody's not performing a transaction, or most likely it's not gonna run and pay somebody, for example, or they're not gonna be creating vendors and those types of things, but they can access your sensitive information.

[00:11:26] Greg Wendt: Take that information out, share it. I talk about that because we've seen it all of the time and hear about it from different situations with customers and non-customers. Actually, one of the things that I wanted to touch real quick on though, with enabling single sign-on and multifactor, is when you're talking about that, be very secure in the decisions that you've made.

[00:11:47] Greg Wendt: We talked to many customers about this. ERPA can help with this, but make sure you're making the right decisions. You know, if you're trusting something and saying, oh, we're not gonna challenge for 30 days, or whatever. Be sure that if you understand the decisions that you're making, because we've definitely seen some issues and some, some organizations that have been hit with certain ways that they get around that.

[00:12:07] Greg Wendt: So when you're trying to implement that single sign-on and multifactor authentication, make sure you're using really good policies and procedures and, and, and follow up on those. Additional access is really when we're talking about context aware. That's one of the things that makes security far easier for the end users to adopt it when it's context aware, it can inject whether it's data masking, multifactor, and all those types of things based upon how that user is accessing the system.

[00:12:37] Greg Wendt: So it changes, you know, if I'm off of my network, not on my VPN. I have to go through different security checks. I might have to do MFA, again, I might have data mask, I might have static masking of data. All of those things to protect the user's data, which really takes us into the some of the advanced security because it is about protecting your data.

[00:12:57] Greg Wendt: And when you think about your organizational systems, you've got a couple of different people to think about. Number one, I would say think about your end employees. Because you want to protect their data. You want them to know that you've invested and you're protecting their data because that really is one of those steps that, you know, if you end up having your systems breached and all that employee data goes out.

[00:13:19] Greg Wendt: There's a couple of different ways that that's gonna happen. One, it can happen in an individual layer. You know, one of the things that we have seen numerous times out there is, let's talk about the direct deposit situation. You know, there's been numerous organizations that are hit with that, that's at an individual employee level.

[00:13:35] Greg Wendt: So that individual made a mistake or fell for a phishing attack or whatever happened in that scenario, and they lost their private data and somebody updated their bank information. So that's really phase one. That's what I'm talking about with advanced security controls is protecting them because you need to enforce certain policies, data masking unwanted activity at that particular level to protect the individual.

[00:14:01] Greg Wendt: That's one way of protecting your PII, thinking about it at the actionable level of how do I protect an individual in my own organization, but then I also have to think about it from the organizational stack of now all of a sudden I have people that are gonna be able to perform very large roles.

[00:14:18] Greg Wendt: They're, you know, maybe they're the director of payroll or benefits and they have access to everybody, or AP managers and clerk and all those types of things, depending upon whether it's financial data, HR data, campus data. It's all relatively the same, and the fact of I have to layer my protection models, depending upon whether we're talking about somebody who's doing a very small thing like self-service or something who's doing a very large thing, like a back office, high privileged access.

[00:14:46] Greg Wendt: So you wanna make sure that you've got those layered controls in place, really protecting that PII in those processes. That could be as simple as protecting something to where you can't run a payroll at three o'clock in the morning. You block out those types of things to where that way if somebody does, like a high privileged user gives up their credentials, somebody's not logging in and going through and running processes at them at a time and place where it shouldn't happen anyway.

[00:15:14] Greg Wendt: So those are the types of things. Moving from a reactive to proactive is really going to be about logging and understanding how people are accessing your sensitive data and where it's going and what they're doing with it. So where can be accessed from, what time is it accessed from, and a lot of those things really boil down to being able to answer the questions around GDPR, the CCPA and who's lacking or who's viewing data.

[00:15:39] Greg Wendt: If my data has been breached, who looked at it? Being able to answer and respond to those all, all those types of questions, you can't do that if you're not logging and capturing that information before somebody's active to talk about it. There was a, they weren't a customer, I can say that, but I can't obviously say who it was, but they spent 2200 man hours trying to figure out what happened with like the direct deposit issue.

[00:16:02] Greg Wendt: That's more than a person for a year. And when they came back after it, they basically said, well, we don't really know. It's because they didn't have the proactive controls in place to be able to stop it or to be able to understand what occurred through that process. That's why all of these things are maturity.

[00:16:18] Greg Wendt: You're going to start with one of them and you have to build through. Let's talk about the last one in that path, and that's really the application access governance. So I'm gonna kinda get out of the little walkthrough there. And when we talk about application access governance, there's really going to be a couple of different areas that we focus on.

[00:16:37] Greg Wendt: One is going to be analyzing and reducing access risk. The easiest way for this, for me to explain this, and I'm also going to demo this to you, is the fact of what we're able to do is tell you what type of risk a particular access is going to change for your organization. We can show that to the end user, or we can show it to the approver who's going in and accessing and saying, yes, Greg gets this new particular role.

[00:17:03] Greg Wendt: For example, if you think about that in all of your custom roles and authorizations within the PeopleSoft system, which are probably, you know, in a lot of situations, thousands of new roles. Do you understand what each role has? What type of risks are enabled and accessible inside of each one of those things?

[00:17:21] Greg Wendt: Are people actually using what's inside of that particular role? So that's where we're talking about analyzing and reducing that access risk. We wanna make sure that it's proactive. That's another thing that we're focusing on here, knowing what your risks are and limiting those risks beforehand, not after the fact.

[00:17:38] Greg Wendt: Automating secure provisioning. You know, when we talk about provisioning, I hear a lot of people say, yes, we do provisioning. Okay, what do you do? Do you know what you're granting? Do you understand the risks that are given with these particular authorizations? Are you doing birthright? What about closing off and on terminations, for example, many organizations are left vulnerable because they never shut off accounts with people who leave the organization.

[00:18:03] Greg Wendt: Or they never change accounts for admin level accounts that are shared between multiple people. Those are where a lot of breaches occur because the bad actors come in as them. They know things aren't reset. They know accounts aren't shut, shut off. It's one of the advantages of going back to that implementation of single sign-on because you can turn it off at one place.

[00:18:20] Greg Wendt: So yes, there are. That's why I'm saying it's a layered approach to this. You have to do all of these things cohesively together to really reach that maturity model. When you're talking about secure provisioning, make sure that you're not increasing your risk profile just because you automated, you know, provisioning processes. Performing user access certifications, this is where you're gonna see today some of the advantages that we bring in.

[00:18:45] Greg Wendt: Because what we're going to be able to do is we're going to not only show you what a user can do, we're going to show you what a user did do. And the easiest way to say this is every organization that I've worked with and everybody I've talked to, if you can't show whether somebody's used an authorization or not, they're never going to remove that authorization.

[00:19:03] Greg Wendt: Why? Because by default, most people want to ensure somebody can do their job, so they're, they're going to err on the side of giving authorizations or too much access rather than setting the controls. A baseline of we want to implement more of a zero risk or a least privileged access model. So being able to understand and seeing very easily what somebody has accessed versus their authorizations allows you to control the roles and the role proliferation

[00:19:36] Greg Wendt: that occurs within a lot of these different systems. That's gonna be something that I'll show you today as well. Monitoring privileged user access. That's definitely something when we're talking about dealing with what are my users accessing? What are they looking at? How are they accessing these systems?

[00:19:52] Greg Wendt: This comes back to one, understanding the usage within your system, but two, if you're not really understanding this. Let's say in the worst case scenario, you do have a breach. You're not gonna be able to answer what occurred quickly or easily, or maybe even at all. If you're not performing the monitoring of activity and that's privileged or not, you know, at that particular level, you have to understand what users are doing.

[00:20:19] Greg Wendt: And then how is the access used? You know, what are they doing with that access? Where are they accessing it from? This kind of goes back to your policies and procedures. You have a policy maybe that says you cannot take data out of PeopleSoft. Well, how do you implement that? Can you protect it? Can you actually do that at a tactical level and implement things like that, you know, or

[00:20:40] Greg Wendt: is data masked? Should they be able to see that data depending upon where they're accessing or the time of day? Those types of scenarios. So it allows you to really implement those policies and procedures throughout your system at that particular point. Lots of different scenarios of how we're going to be able to do this.

[00:20:58] Greg Wendt: So we're gonna be able to go in when we talk about analyzing and reducing the risk access, we're gonna talk about a lot of the different things that we're gonna see here. Risk identification. It's important to jump that up front. 'cause we're going to be able to see what that risk analysis is, and then you can remediate it right away.

[00:21:16] Greg Wendt: That remediation can occur with maybe changing of a role, changing of the access, reducing the role that you're going to give to them, and then that's going to reduce your risk completely right out of the box. I'm not gonna go through each and every bullet point on there. Otherwise, we would be here much longer than 45 minutes.

[00:21:32] Greg Wendt: Secure provisioning, there's really three main processes that you need to think about there. A bullet point that I want to call out is 68% of breaches involved a human element. It's a scenario where it's normally the people are, are the weakest point. You know, I can create a really secure system if nobody ever accessed it, honestly.

[00:21:50] Greg Wendt: But there's three main provisioning scenarios that you need to think about is your joiners, your movers, and your leavers. You know, your joiners. I have a. This is my belief on this. Your joiners, give them least privilege. Start with least privilege. You don't necessarily have to start with giving them everything they need to do to perform their job role.

[00:22:10] Greg Wendt: Think about it as, I'm an employee first. I need to do benefits, payroll, dependents, all of those types of things first, right? So give them access to do that. Then you go through and basically almost treat them like a mover. A mover is going to be a little bit different in the fact of typically what you're doing in that scenario is you're going to have an approval step within workflows.

[00:22:32] Greg Wendt: So yes, Greg can have this access, but we're going to review the access that he's given and we're going to approve it so that from an auditor perspective, we have an entire training of all of that, and they can look at it, they can see where that process flow is in any particular point. But you also know who approved the access and that's not an emails then and it's not, Hey, just copy Jimmy's access and give it to Greg.

[00:22:57] Greg Wendt: Jimmy might have been for 20 years and has 50 extra roles that Greg doesn't need. This allows you to develop and target really that least privileged access regardless of whatever the person's doing in your organization. And then leavers, that's the offboarders. There's really a couple of main points there.

[00:23:14] Greg Wendt: Number one, are you going to treat them or do you have to do something like provide them with a W-2 at the end of the year? Because then you have to think about, you almost bring their access back to what they were as a joiner. That base employee level. If you're not gonna do W-2s or COBRA or something like that, then you can turn off their access altogether.

[00:23:33] Greg Wendt: So it kind of depends upon what you do as an organization. But the typical thing is you want to shut down that access and enforce the least amount of security that they can have as quickly as possible when that event occurs. And you can do that systematically. That's an important step. So those are really, when we talk about secure provisioning.

[00:23:53] Greg Wendt: What it gets come to. You know, when we talked about certifications earlier, it really got into that point of they're typically very resource intensive. Most of the time it's emails, it's spreadsheets. Nobody's really looking at it. There's no automated, automated way to do 'em. You know, it's how do we know what roles and authorizations?

[00:24:11] Greg Wendt: So it's a ton of queries that are being run, everything's being pushed into a, an Excel file. And then there's the question of how do we duplicate this again? Well, it all has to be recreated. I've talked to some particular organizations and it takes one to two months just to prepare to collect all of the data, to do a user access certification.

[00:24:31] Greg Wendt: That's a long time. That's not efficient. And really the main thing that I want to talk about there is when you look at reviews, our manual, they include more than 2,500 items. The revocation rate is less than 2%. That goes back to what I was talking about. If you don't know what they can do versus what they did do, you're not gonna revoke it.

[00:24:52] Greg Wendt: You're gonna leave them. You're gonna rubber stamp that access and it's just gonna continue to perpetuate throughout the system. Monitoring privileged access. That's something where we get into here, we're granting additional access or somebody has additional access. We're going to track and see what they did with that.

[00:25:08] Greg Wendt: And when it's over we can actually report on what they touched and what, what they looked at within the system. You know, this is a little bit more on that can do, did do. So let's pop into Pathlock Cloud. So Pathlock Cloud really is an opportunity to have a cross application that allows you to see insight and risks into many different aspects of your organization.

[00:25:32] Greg Wendt: I'm gonna quickly go through this. So when we talk about risks, the way risks are defined. This is kind of a building block because it does lead to compliant provisioning. It does lead to the access risk assessments and seeing how you're doing those. One of the things that I want to call out is this particular system is talking to numerous different systems.

[00:25:52] Greg Wendt: So you might be on PeopleSoft Financials and Workday today, or PeopleSoft, HCM, and Oracle Cloud, or you're moving to it in the future. That's totally okay. Because we communicate and work with all of those different systems. So when you define your risks, you can pick which applications they're within. And the nice part about it is you can have them inside of those two different target systems.

[00:26:17] Greg Wendt: So if I pull open this PeopleSoft Financial risk right here, number seven, what we're going to do is dig into what consists of that risk. Where is it within your organization or where is it within your roles? So as that risk comes open, what we're going to do is, first off, explain that risk in the layman's terms.

[00:26:34] Greg Wendt: What does this mean to me as an organization and how does that risk affect me? I wanna know, okay, if I have this, what does it mean, right? What do I need to do about that? So we give you real world examples, some of the best practices to, to mitigate those. But we, we drill into the policy details. This is where we're looking into the authorizations of the target application.

[00:26:54] Greg Wendt: I say, oh, the target application. 'cause this can be numerous applications. You know, this is just looking at PeopleSoft financials. So now what we're able to do is looking at that risk. If somebody has the authorizations for one side and the second side, that's going to create a problem. You know, if you can create a vendor and pay a vendor, that's not a good thing.

[00:27:14] Greg Wendt: If you can create an employee and pay an employee another thing. So we're gonna be able to look in to see those risks. But because we are communicating and pulling in that target data from all of those different systems and all of the authorizations, we can tell you all of the users who have that risk automatically.

[00:27:33] Greg Wendt: So now you're not having to do a lot. You have a risk library of all the risks that you want to define. We deliver a baseline for that, but you can immediately see which users already have that. Which roles have those risks? And those roles. So if I give somebody that default role that was delivered in PeopleSoft, for example, I could be creating this.

[00:27:54] Greg Wendt: We can have some of 'em that are flagged high risk because they automatically are entitled too many. So you don't wanna give those out. So that's what we're talking about with understanding these risks as we're going to tell you. In your delivered roles and your authorizations, where do these risks exist today?

[00:28:10] Greg Wendt: So what does that mean and how do I leverage that? So one thing that we can do with that is let's look at it from an access request. So as a user goes in and says, I want to have additional access inside of my system, the first thing that you're going to do is you're gonna pick which system that you wanna work with.

[00:28:28] Greg Wendt: So let's do PeopleSoft financials, and then you can select the user, be self-service, where they're doing it themselves. It could be at a manager level. You know, you can decide how you want to implement this, but let's do Ann here. So if I look at Ann and I hit next, what we're gonna do is immediately see all of the authorizations that she has.

[00:28:47] Greg Wendt: This is what she's got in financials right now. Let's go ahead and give her a role, and obviously we wouldn't do this, but I'm just gonna give her an administrative role just to make this easy. So let's copy the administrative role and let's add that in. So now when I look at this, here's the role she's got at the top.

[00:29:04] Greg Wendt: I'm gonna add in the administrator role and we're gonna run a risk analysis right away. So what we're going to see as this is running is it's going to return back to us. It's looking at all of the risks we've defined for PeopleSoft financials. This could be Workday, could be Oracle Cloud, but in PeopleSoft financials.

[00:29:22] Greg Wendt: Here's the new risks that she's going to get them and how she's attaining these new risks upfront, very easily show that end user making that request. So now we know immediately we don't have to trust. Well, we're going back to Bob, who's the admin and we're here and he's gonna tell us all of he knows these roles well enough that he knows what the risks are.

[00:29:45] Greg Wendt: No, we have a systematic automated way to do that. Becomes very easy. You can understand what your risk profile is immediately. Before that request even comes through, if we think about it from the backend of, if I go in and look at my approvals, let's say I'm a manager who's going to approve this. I can have another way that I look at this.

[00:30:06] Greg Wendt: And let's look at this one here, because it's kind of in flow of having the steps and the processes of, of that particular workflow. So what we're going to do is we're gonna tell you information about that employee who made the request, who it was opened by. We're gonna tell you what does this employee do for me, and should they even have that, what role was requested.

[00:30:27] Greg Wendt: The next thing we're going to do is tell you what is the impact. So this is on the approver. So the approver can instantaneously see, wait a minute. They requested the role that it's too powerful for them. Look at, look at the risks that this is creating. You know, we can immediately implement a mitigation.

[00:30:44] Greg Wendt: Maybe that's an online mitigation, maybe it's an offline, maybe it's data masking, for example, or logging or something like that. The role mapping isn't going to allow us to see what role they've got, but this particular user, as the approver, could go in and say, wait, they requested the grant super user.

[00:30:59] Greg Wendt: Let's just make it the grant user instead. So we're gonna dial that down. We could also say, well, if we give it to 'em, we need to remove this other role. So we can do all of that. And then we can see the history. Because all of this is really important to have the history and the audit flow on because you need to understand who's touching what, who's looking at things.

[00:31:18] Greg Wendt: So you can see where that sits through that audit flow. 'cause this is what closes that gap. This is what makes it easier. So I'm going to look at it from the perspective of, I know I'm coming, trying to hit a certain time page. So let's talk about user access reviews here real quickly, because I wanna show you the can do, did do.

[00:31:39] Greg Wendt: Who? A user access review is really important to be able to understand, number one, who am I working with first? And what's the population and what systems do I want to do this for? So when we look at a user access review, that's the first thing we're going to do is who are we? Who are we going to select to perform this review?

[00:31:57] Greg Wendt: Maybe it's just act privilege. Maybe it's everybody. Next thing we're going to do is what are we going to do in this review? We're gonna look at roles. We can look at activity groups. We can look at multiple high risk roles, high risk activities, but let's just look at roles and then we select the system.

[00:32:14] Greg Wendt: So when you talk about your user access reviews, can you select an automated, coup automated couple of systems? I can do PeopleSoft Financials, Campus Solutions, and on draw at one time. Can you at the click of a button and then we're going to schedule and activate this. This could run one time. It can be a template that other people can run and spin up and work with.

[00:32:34] Greg Wendt: So all of it becomes very quick. You can schedule this to happen at the first of every quarter or every six months. That way you don't have to go do anything because the way we sync and pull those authorizations and the data, we have it all, you know? So going back to the user of can do, did, do, let's look at that from just the end user perspective.

[00:32:54] Greg Wendt: So I'm gonna log in here real quick, um, to what the end user would see.

[00:33:05] Greg Wendt: Let's see if I got that right on the first time. And I did. So let's look at the certifications. So the certifications are where somebody would look at. From the ability to, I'm going to perform a, a, a user access review. If I look at the security administrative review, what I did here is I selected somebody, all of the auth, all of the users who had the PeopleSoft security admin role, and I looked at the PeopleSoft and I wanted anybody who had the as a Ps.

[00:33:33] Greg Wendt: So I did that intentionally. So it would basically go to, you know that a, a lot of times that's a technical manager who's going to do it. So as I look at this review, I can dig into PeopleSoft, the PSID specifically, and we're gonna be able to go in and approve and reject and do all those types of things.

[00:33:49] Greg Wendt: We don't have all the information up here at the top on the employee, because this is generally a system account. But the real important part about this is if I go down to the security administrator and we talk about what we're able to see and what we're able to do, and this is the real differentiator with Pathlock because we understand PeopleSoft and we're investing in it and we're working with it.

[00:34:08] Greg Wendt: We've got our security controls inside and we have our Pathlock Cloud. What we're able to do now is answer that question, oh, there is a risk already existing within this role, but number two, what we're able to do is come in and tell you what the usage is. So now I can explicitly see when did that user perform one of these authorizations that they've got within this role?

[00:34:35] Greg Wendt: So you can see there's a lot of activities within this role that they have access to that they never do. Should they have those access? Now you can make the decision of, do I need to create a new role? Maybe I need to shrink this down and make it a little bit more precise. That's what I wanted to show you with that can do and did do.

[00:34:53] Greg Wendt: As you can see, security is a journey, not a destination. So I touched base on a few of the utilities and what we can do with inside the Pathlock Cloud and with our security inside of PeopleSoft. When we talk about being beyond IGA and evolving the access controls, here's just a touch of some of the systems that we work with.

[00:35:10] Greg Wendt: When we do our application access governance, we've got cybersecurity controls, we've also got continuous controls monitoring. Each one of the systems actually allows us to go into different depths of access and controls. So it really allows us to work with you as a customer to develop exactly what's interesting to you.

[00:35:31] Greg Wendt: So with that, I'm gonna go ahead and hand it back to Shawn, so I appreciate your time. Thank you very much, Shawn.

[00:35:38] Shawn Fournier: Just a quick wrap up. First of all, thanks again to Greg and to the Pathlock team. We ask them to squeeze a lot into a very small period of time. So a couple of takeaways. Number one, obviously reach out to us and have Greg and Pathlock walk you through this demo and more

[00:35:55] Shawn Fournier: in depth and really get into some deep Q and A about how the relates to your business and your PeopleSoft stack and the future and where you're going with both PeopleSoft and other technologies. Really, the question from us is, from an ERPA perspective is, hey, what's next in your PeopleSoft roadmap? But I think the important takeaways are really twofold.

[00:36:12] Shawn Fournier: Number one is that, you know, we've been doing this for a long time. So we have a lot, an abundance of experience to share with you, not only maximizing PeopleSoft on-prem, modernizing PeopleSoft in the cloud, and even transforming from PeopleSoft to Workday services, if that's the path that you're on. We have experience as an AWS customer and AWS partner.

[00:36:32] Shawn Fournier: We're a Workday customer, obviously a Workday partner, and we're happy to share with you lessons that we've learned along the way. Both as a customer and a partner for both of those organizations as well as how we've helped our customers not only make those transitions to the next level, but also move beyond the migration and into additional value.

[00:36:52] Shawn Fournier: So there really are, are three paths, and I'm gonna build this out. One path is just a better PeopleSoft, right? Maximize your investment. And that includes things like implementing best practices. For example, around risk and compliance as Pathlock can help you do that. A first step, there might just be a health check, right?

[00:37:11] Shawn Fournier: Check in with us. We'll help you look at your PeopleSoft stack holistically and say, Hey, based on our experience, if we own this stack, these are some of the things that we might consider doing. And potentially Pathlock’s application access governance would be one of those things. Another path in the journey is, look, we, we like PeopleSoft, we're gonna stick with it, but we wanna modernize it on the cloud for a SaaS like experience.

[00:37:34] Shawn Fournier: You guys run everything else. We just want it to work like SaaS. We can help you with that. A third path might be, PeopleSoft works for us now, but there are modules or aspects of PeopleSoft that you wanna adopt in SaaS, for example, Workday. So those are the paths that we can help you along. They're all resulting in essentially a better PeopleSoft.

[00:37:54] Shawn Fournier: But on these paths, I think the key to that is fundamental best practices. So, as Greg mentioned, reducing risk and ensuring compliance is really not a destination, it's a journey. And so one of the things that we love about Pathlock and best of breed partners like Pathlock is we're not locked into where you are today.

[00:38:16] Shawn Fournier: Certainly we can add a tremendous amount of value to where you are today and deliver a better PeopleSoft. However, the incremental value is that the best practices and technologies that you're implementing today, for example, from Pathlock, extend beyond where we are today and into the future of the organization, right?

[00:38:34] Shawn Fournier: So I think that's a critical component to understand that your investment today pays dividends not only now, but in the future as you continue to evolve your journey. So with that, Jeff, I'll leave it back to you. Thank you to

[00:38:45] Jeff Miller: Greg from Pathlock Great Partners. We enjoy our partnership in this. Look for more webinars to come on a variety of topics of interest to those of you who love PeopleSoft.

[00:38:55] Jeff Miller: So in the meantime, thank you to all of you, and we hope that you have a great rest of your day. That's it for now. Bye-bye. Thanks for listening to The Possibility Perspective. If you'd like to talk to ERPA about what's next in your PeopleSoft journey, be sure to visit erpa.com.