IAM Pulse Episode 5: Securing Access with PeopleSoft
Most organizations are running hundreds, if not thousands, of applications, with some running the critical operations of the business. This is the case with Oracle PeopleSoft, which runs inventory, financial services, and campus solutions for universities, colleges, and other institutions. However, when it comes to securing this application, it can be complicated and break the mold of a company's IAM strategy. In this episode of IAM Pulse, we talk about how to involve PeopleSoft in your IAM strategy.
Transcript:
William Papa:
You're listening to IAM Pulse, a podcast discussing all things identity access management, from defending against cyber attacks to enhancing our overall cyber security strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact that identity access management makes on you and your business.
Kimberly Johnson:
Hello everyone. I'm Kim Johnson, VP of product marketing at BIO-key International, and welcome to IAM Pulse, a podcast dedicated to discussing IAM topics. Today: most organizations are running hundreds, if not thousands, of applications, with some that are critical to running the essential operations of the business. This is the case with Oracle PeopleSoft, which supports multiple areas of the business, including HR, orders and inventory, financial services, and even campus solutions for universities, colleges, and other institutions. However, when it comes to securing this type of application, one which many users, both inside and outside the organization, need to access, it can be complicated and often break the mold of an organization's IAM strategy. Today we're going to talk about how to make sure PeopleSoft is not isolated from your IAM strategy, but instead seamlessly integrated into it. On this episode, I'm pleased to be joined by Greg Wendt, executive director of security solutions at Appsian Security, who provide the fastest path to ERP data security and compliance without customizations or complexity, and BIO-key's very own Greg Browinski, principal software developer, who has been developing and implementing IAM projects for over two decades. Hi, Greg and Greg. Thanks for joining me.
Kimberly Johnson:
Thanks for inviting us in. Glad to be here. Hey, great. And we already acknowledged the Greg and Greg thing. We're going to get through; we'll use last names. So happy to have you both on the line. And before we dive into the content, let's provide our listeners with a brief introduction about yourself and your background. Greg Wendt, why don't you kick us off?
Greg Wendt:
As you said, my name's Greg. I'm the executive director of the security solutions here at Appsian. I joined about seven years ago, almost to the month, but before that I've got over 20 plus years in ERP software. I started, especially with PeopleSoft, back in the late nineties when everybody was trying to shift off of the mainframe and beat the year 2000 thing and all of those types of fun things. But I started with an oil and worked in retail
Greg Wendt:
and higher ed as well. And ironically, it's something that I've always been involved with, rolling out large amounts of content to self-service. So when you're talking about identity management systems and how to do that effectively, there are some definite advantages there. But I have worked with PeopleSoft since version five, upgraded and touched every major release all the way to the 9.2 platform. So until I joined, I was always on the customer side, supporting and running the application side. So that's just a little bit about me.
Kimberly Johnson:
That's great. And so firsthand experience, to say the least, in trying to manage this critical application and the complexities of it. Exactly. So been there, done that. That's amazing, to go from 5.0 to 9.2 and still be at it. So a lot of credit there in the version control. And Greg Browinski, a quick intro about you and kind of your background.
Greg Browinski:
Sure. Yeah. So as you mentioned, I've actually been a part of PistolStar, which is the company that originally created PortalGuard, and now BIO-key, for just over 20 years; I had my 20th anniversary a couple months ago. And I've been involved, as you mentioned, with security. You know, we've always been involved with security, and I was the original architect and designer and developer for PortalGuard. And that started back in 2008. And so, yeah, other than that, I'm not going to go into music tastes or anything like that, but yeah, excited to be here and talk tech with you all.
Kimberly Johnson:
That's great. That's great. Yeah, no fun facts on this one. Usually fun facts. And prior to that, I know when I, this is my second kind of, I guess, round with PortalGuard and PistolStar, we were doing Notes and Domino single sign-on. So talk about more complicated applications and integrations; that was where it started. So all right, great. So thank you both, great backgrounds, and let's dive right into PeopleSoft. So with your experience that's specific to PeopleSoft, can you shed a little bit more light on how critical an application it is to a business and also what types of security risks we're now seeing organizations concerned with? Greg Wendt, why don't we start with you on PeopleSoft, how critical it is to the business and, you know, just why it's so essential to make it secure?
Greg Wendt:
Oh yeah, definitely. When you talk about the criticality of PeopleSoft, it is basically a mission critical application for most of these organizations. You know, that is what they're running their software on. So when you're talking about paying employees or doing benefits or maybe expenses, financials, you know, campus solutions, depending upon what vertical market you're actually within, it becomes very important to be able to have access. I've actually gone through, ironically, in my career, a couple of different scenarios where disaster recoveries have happened in real time. That could have been as easily as just small windows to very, very, very drastic situations where we were out for seven or eight hours. And, you know, it starts to get very obvious as to how critical it is to have these applications up. So when you talk about the data sensitivity, I think that's one of the reasons why you're seeing so many new regulations come in, because of the vast amount of sensitive data that is stored within these systems.
Greg Wendt:
You know, going back to what I was kind of saying earlier with the different verticals, depending upon what market you're in, maybe it could be HCM or campus solutions. For example, you have a vast directory of all sorts of information about the people, your constituents basically, whether they're employees or students. You know, you have all of their personal information, a lot of history on these people. So there's a lot of sensitivity in and out of those, which really explodes when you're talking about the volume of the access and people using the system. You know, you've got some of these universities that run PeopleSoft that easily have a hundred thousand students and, you know, they're all online, they're all remote. These systems were designed to be accessed anywhere at any time, basically, which is a little bit different than the commercial model. Now you're seeing that post-COVID, that's the model where everybody's going to: I've got this ERP application and it's gotta be available everywhere, because otherwise people can't do their job, you know, and it's a balancing act of how do I deal with allowing this particular access, but still securing the applications as we're moving forward.
Greg Wendt:
So it really is a critical thing to balance between the two. You know, we've seen a lot of very targeted attacks. And when you think about the applications as a whole, it used to be the hackers would come in, or the bad actors, let's call them that, the bad actors would really try to access your network level. They would come at devices and systems and those types of things. And now what they've really figured out is that the person's the weakest problem. You know, they're the hardest challenge to secure, you know, because really once you get a user ID and password, in some scenarios, and I'm sure Greg will have a good opinion on this, is, you know, they become that person. So how do you protect your system when really that user ID and password is the new barrier, because with all of the different applications, you've got some in the cloud, some on prem, and you're moving in and out of all of these applications very easily. How do you make sure to differentiate that somebody who's got the security that they need when they're accessing a very highly sensitive application or, you know, maybe even a sensitive transaction from that particular perspective. So, you know, the bad actors have a lot of time to sit there and study the organizations as a whole, and the organizations don't have that much time to react. You know, they're under a time crunch and keeping the systems up and running. I've talked to some that have spent as many as 2000 man hours trying to figure out what happened post attack. And that was for a very small attack, but that's an entire person for a year. So when you think about that, there's not a lot of productivity in that. So you definitely have to control the access and your risks to these systems. And it's a delicate balance of being able to do that both efficiently and effectively, so that both sides, you know, the security side and the business side, get the controls and access that they need to be able to do the functions throughout those processes, because it's really about, at the end of the day, keeping the business running. Ultimately you've gotta be able to have money coming in the door and serving your customers at that particular point.
Kimberly Johnson:
Yeah. And, you know, Greg Browinski, I'll get to you in just a second on the actual specific attacks we're seeing. But Greg Wendt, when you said anytime, anywhere is the way that it should have been set up, and obviously we know now with the remote access really pushing that, how many organizations do you think were really ready for the anywhere, anytime access, or were they still relying on their, you know, artificial security perimeters, as we like to call them?
Greg Wendt:
Yes. I mean, a lot of them were really relying on the artificial barriers of them, you know, they weren't at the level of what it was. And I mean, it was a massive shift about, you know, what it was 14, 15 months ago that happened to, you know, all of the different companies, and the shift of what had to occur was very drastic. And there were some that did it quickly and some got bit, you know, and there were a lot of organizations that really did have to make the decision between, can we do this securely or can we do this correctly? And can we do it fast enough in that scenario? So it's something that, you know, there's been a lot of push through the last year for identity access management, single sign-on, and that's the reason why: companies have figured out that they have to stay up-to-date with some of these technologies.
Kimberly Johnson:
Right. Yeah. Someone I just talked to said it was like a hyper explosion. That was a great way to describe it. If you weren't ready, it was an explosion, I guess, is the way to put it. And Greg Browinski, so what type of specific attacks, you know, we're definitely focused on more the IAM side security, any type of incidents, what type of attacks have we seen targeting PeopleSoft or some of these critical applications?
Greg Browinski:
Yeah. And the one anecdotally that I've seen is ransomware. And so that's, you know, some script kiddie is typically what it is. It's pretty bad that it's easy for hackers to automate these ransomware attacks now. So, you know, they can just run scripts and scan entire swaths of network and, you know, try to get a toehold where they can install something, chain attacks, all that, and then, you know, be able to just arbitrarily encrypt the customer data. And it is interesting because sometimes that encryption, now, you know, obviously it prevents those systems from being able to run correctly, but it's not necessarily referred to as a data breach because there was no exposure of sensitive data. But tell that to the person that just got attacked in that way. You know, it's kind of like splitting hairs at that point. So ransomware is definitely something that has become easier for people to launch. And, you know, we have seen that ourselves. You know, we haven't had a ransomware attack obviously, but we've seen more prevalence of that. Again, just anecdotally with the people that we're talking to, you know, it's our customers or prospects, people in the industry and, you know, kind of at a wider level.
Greg Browinski:
It is interesting that we're starting to see better awareness from customers, from IT departments, about the fact that MFA, multifactor authentication, is the thing that really can prevent so many different attacks. Right. And so then it's not just a matter of, okay, yeah, we need to get MFA in place. It's more about, they're a little bit more discerning now, where it's okay, well, we know we need MFA, or we have a form of MFA, but we need it to now be more usable. The legitimate end users should not be the ones that have to pay the price. You know, in this day and age, they don't have to be the one that pays the price, that they have to do a full MFA every time they're accessing, you know, a different system.
Greg Browinski:
So, you know, now being able to take usability into account, and that way, you know, these legitimate users can do things like, you know, based on the context of their requests and, you know, machine learning and things of that nature, where we can start creating a picture of this user and their usage, and, you know, be able to say, well, this is outside the norm, and apply step-up authentication, right, where maybe it's outside the norm for them. So customers are starting to become more aware and more discerning about that. Another thing, for example, is passwordless, and I don't know if that's necessarily just, you know, them hearing the advertising coming out from other vendors, like, oh yeah, passwordless, this sounds great. But for example, brute force attacks, you know, like password spraying and things of that nature, those can be prevented by a passwordless approach. Guess what, like, no big surprise there.
Greg Browinski:
Right. But so being able to use like a hardware token, which is, you know, there's a legitimate cost associated with that. That is real, right. Businesses can't just say, oh yeah, you know, we're gonna give hardware tokens to everybody, because then it becomes about, you know, how do you actually make that cost-effective? So, you know, biometrics is something that can help with that. And I think we'll get into that a little bit more. But so, you know, there's a whole one, you need flexibility as a customer, you need to, you know, be able to also be aware. Like we're seeing, for example, our customers are doing their own vulnerability scans, which was almost, you know, usually just top tier, like Fortune 500 customers would be the ones that would say, hey, we did a scan, or we had a third party do a scan, here's the results, you know, help us interpret or resolve them.
Greg Browinski:
Right. And so we're starting to see that more, you know, kind of another couple layers down of tiers of customers, regardless of their IT department. You know, so we're getting those and we can help, you know, this cookie doesn't have the secure attribute because it's coming from some other app. Right. I mean, so being able, again, we've been pen tested for years. And so we're trying to be up on the latest and greatest attack vectors and how, you know, PortalGuard, for example, can be, you know, kept secure. So it's good that we're getting all these, and we're starting to see that filter down, you know, to different layers. One thing too, I want to give a shout out just to Verizon. They're not a sponsor, but they do release an annual report.
Greg Browinski:
It's called the Data Breach Investigations Report. And it is, you know, a wide ranging report, but the one thing I want to give them props for is that it is not a dry read. Right. So something like this, there is a sense of humor that pervades the entire document. So it makes it actually enjoyable to read; if you download it, make sure to read the footnotes, because that's where a lot of them are. But it's absolutely worth it. And so it's been consistent over the years with that. So I don't know if they've got a couple of people that man it and, you know, do the final editing or something, but it definitely makes it digestible. And yeah, so that's kind of where we've got some of this from, but actually one last thing I want to mention is interesting, and this kind of hearkens back to the Exchange zero-day, you know, the big one that happened like a month or two ago, but so exploits, all right.
Greg Browinski:
So exploits are very high visibility and they account for a lot smaller number of actual breaches and problems, but they're scary because they're completely indiscriminate, right? So you could be doing everything right as a customer, right. You could have MFA in place and you can, you know, be completely in compliance with so many different standards, but then an exploit can completely subvert all of that. Right. And that's kind of one of the reasons why it's so scary and it gets a lot of attention, but in actuality, it still represents a very small number of the breaches that occur. Right. You know, so patching is important. That's the thing: you could be patching, you could be up to date on all your patches, and then still a zero-day comes out, you know, a zero-day vulnerability that all of a sudden exposes you and your organization. And that's scary. It's legitimately scary. But yeah, in reality, it only accounts for a small portion, like a lot smaller portion of these kinds of breaches and attacks.
Kimberly Johnson:
Yeah. And I think that's, first of all, the Verizon data breach report, or breach report, however they call it, used to be like Christmas Day to some of the folks I've worked with. Like, I think they marked their calendar, know when it comes out, and literally celebrate reading every page as soon as it gets issued. It's like the latest episode of Game of Thrones or something coming out. So a big, big, huge kudos to that. And if you've read it, you know, like I said, definitely should read it and look at it. Some of the things they highlighted are just actually scary as to what people are able to do. And I think what we've seen also, and Greg Wendt, I think you hit upon this a little bit too, is they get into an application like a PeopleSoft or other, and they just watch and they just kind of listen.
Kimberly Johnson:
And so, you know, I think the SolarWinds attack is the other one we're very familiar with as of late. They said they were up in the systems maybe up to a year, potentially. So it's not an immediate thing. It's not necessarily the most obvious thing. But when it attacks, you know, those 2000 man hours you mentioned are going to cost the organization. So those are excellent points. And so part of what you covered, Greg Browinski, was on the different multifactor authentication methods, and I'm definitely gonna bring that back around to you. But I think what you pointed out really well is a combination of what you both commented on, on the type of people that are accessing a PeopleSoft type application. And, you know, I just talked to a university customer of ours and they said, students aren't the problem. You know, students are happy to adopt the latest technology. It's my faculty and staff that write down their passwords and can't understand why we're changing it, you know? And so I think each user population is potentially a challenge also.
Greg Browinski:
Yep. We need different types for each different. Yeah, for sure. Yeah.
Kimberly Johnson:
And it's an application, right, that customers access, employees are accessing, somewhere in between with partners. Right. Because it just runs so many aspects of the business. And so looking into that a little bit further, so PeopleSoft being critical, having different users, the different attacks, which we could probably spend a whole episode on the attacks, cause they're just fascinating as to what they come up with. But how about PeopleSoft in terms of securing it itself? I know it's complicated, has, you know, definitely hierarchies to it. Greg Wendt, in terms of your PeopleSoft experience, why is it such a challenge, maybe on more of the technology side, to bring it into that identity and access management strategy?
Greg Wendt:
Oh, definitely. When you think about PeopleSoft as a whole and how things have changed, I'm going to step back and actually just kind of bring it out from a broader market all the way down. You know, the system was designed 30, 35 years ago. And if we think about how people are accessing data now, it's all about the data. And if you think about how many of these applications are configured and secured, it's all about being able to access the transaction. It's: I have a user ID, this user has a role, they've got a permission list, and they're going to be able to access X amount of transactions, basically. It's not really about the data itself and should that user have access to the data, basically, you know, depending upon how they're accessing the system. You know, when you think about how a user is going to access the system, you know, we were kind of talking about it earlier, how many people were ready for the explosion of having everybody work from home? Most weren't. You were talking about a small subset of, let's have self-service access available from home.
Greg Wendt:
That's great. That's fine. It's easy. We can control those transactions. It's very limited in scope, but now all of a sudden we've got power users that are not only doing payrolls and benefits and 401(k) and, you know, adding and enrolling students and all of these other drastic transactions and expenses and all of these things that weren't ever really designed or thought about that you were going to run from home. So when you think about the dynamic part of that, that's missing, that's really one of the largest challenges of it to me: if I want to secure my environment effectively, I need to be able to bring in context to that. I need to understand some things that are known outside of PeopleSoft, but not known and understood within PeopleSoft. Maybe where that user is coming from, what time of day, are they on or off the network?
Greg Wendt:
Do we need to look at something inside of the network? Maybe we need to look at an attribute coming from the identity provider that says, hey, wait a minute, this person is coming in from an untrusted location, or, you know, something else like that. And I want to do something different inside of the application now because of that. You know, that's one of the larger challenges to me, is really that explains the gap between what a lot of people want to do from the IT perspective, but what they can't do because of the way the application itself works and the way that it was designed. So bringing in that additional context and understanding really allows you to then go with the data and think of it at that data level rather than a transaction. You know, should Greg be able to work with this particular piece of data, let's say an account number, from where he's coming from, the time of day and all those other types of things, you know, that's what it's coming down to. And we have been working with customers, you know, on securing that for years, but it's something that it's interesting to see the life cycle of, because, kind of going back to the remote explosion, there've been organizations that have been concerned about this for many years and really started data privacy and securing the applications, you know, five, six, seven years ago, which really was kind of bleeding edge.
Greg Wendt:
You know, understanding, wow, I need to know when somebody accesses sensitive information, should they be able to work with this? We have to take it out of our organization as a whole. You know, that was very forward thinking then, just like when we designed our systems to be accessed a hundred percent remote, that was forward thinking at the time as well. And probably didn't make a lot of, you know, chief information security officers very happy at that particular moment in time when somebody decided that that's the direction they were going to go. So, you know, that's probably one of the largest challenges, and I think Greg will go into this a little bit more, but the last part is PeopleSoft doesn't speak SAML and doesn't support it. So when you're trying to incorporate that gap between the IAM strategy and bringing it into PeopleSoft, they don't communicate nicely, which, you know, makes it a very hard bridge to cross.
Kimberly Johnson:
Yeah. And there's some great points. I can just imagine. Right. I've talked to enough CSOs in my career and they're always trying to push something, right, that we need for security, that's important to invest in. And the common balance of the business saying, is it really needed? Are you just needing insurance? I can just imagine this chief information security officer five years ago saying, but what happens when our HR person has to run payroll from their house? And they're gonna be like, yeah, well, you're crazy, right? Like that's not a legitimate use case, come back, you know, when it is. But, you know, I can just imagine, cause that kind of complacency attitude, unfortunately, is I think more prevalent than not: well, we've always done it this way, this works, you know, relatively okay for what it is. So I can imagine five years ago that probably didn't float so well. And then, you know, you brought up SAML, so SAML being obviously the single sign-on protocol. You know, I always described those as speaking the language. And so it just sounds like PeopleSoft just doesn't speak the language, is maybe the most simple way to put it. Is that right?
Greg Wendt:
That would be a very straightforward, simple way of putting it.
Kimberly Johnson:
And so how should an organization solve this, Greg Browinski? So from that IAM perspective, what do we really recommend, you know, what should an organization be considering when they're looking for an IdP, you know, identity provider, or a solution to support the needs of something like PeopleSoft that's not really speaking the right language and obviously has these complexities?
Greg Browinski:
Yep. Yeah. And actually, definitely standards based security is some of the best security. You do hear a lot about open source projects and they had, you know, you worry about, oh, if somebody can see the source, there's a natural inclination that we all have that says, oh, somebody could put something bad in there. Right. So what you don't wanna do is you don't wanna, you know, use something that is, you know, not commonly used, right? So those kinds of open source projects you definitely want to stay away from, but in general, things that are standards based, that have been developed by experts, right, that have a specification that's been open. You know, so I kind of ended up living and breathing in RFCs. These are documents that are standards documents in the technology space where someone has an idea like, hey, we have certain problems we want to solve. And then there's a big conglomeration of technical geniuses that get together on them and put together a specification. And this is how, for example, SAML came about. You know, there's other protocols as well that are openly known, right?
Greg Browinski:
So it's keeping the stuff out in the open. There's been thousands, hundreds of thousands of sets of eyes that have looked at this stuff and tried to break it. And so the standards based approach is by far the best option, because if you try to write your own, let's say, connector, that is going to be a big problem because, you know, are you a security expert? Right. And so anybody who's thinking about doing that, like to save money, they have to think about the flip side of the coin, whereas, okay, what if I write it? Am I going to take the time to pen test it? Am I going to take the time to, you know, stay current with it? And what if the person who writes it leaves, and there's all these other kinds of worries.
Greg Browinski:
Well, when you have a product like [inaudible] that plugs right into PeopleSoft, then it will speak that language. It will speak SAML. And SAML has been around for, I don't know, close to 15 years at this point, or this 2.0 version of it. So it is very well supported, very well documented and known. And so, you know, it's almost a perfect marriage in that case. So definitely start with standards based, and Appsian makes that possible for PeopleSoft, with SAML. Yeah. So then all the things, for example, just because it is an identity provider and you can now talk to PeopleSoft, we'll just take one step back and just say, okay, well, how is that identity provider authenticating the user? Right? And so MFA is basically a must at this point. So, you know, you want to do strong authentication.
Greg Browinski:
So, you know, most people are still very comfortable and familiar with getting a username and a password prompt, and they enter that and then they get prompted for a second factor. So MFA, that second factor, that can be a whole bunch of different options. But so some of the things, for example, you might hear, oh yeah, we support biometrics. And so biometrics comes in different flavors, not just like whether it's your fingerprint or your palm or your facial recognition. What I'm describing is actually device-based biometrics versus server-based. And so for example, if a product says, oh yeah, we have biometrics, we just use Touch ID, you know, within the iPhone, then that biometric authentication is being done completely on the phone. And so there is no way from a central perspective to be able to confirm that. You know, at that point you know that a user unlocked the phone, but you don't know which user it was.
Greg Browinski:
And so it's interesting that biometrics itself, a server side, centralized biometric, is going to be something that organizations can have a lot more control over, while making sure that that biometrics data isn't, you know, isn't available. It's not a problem that it's being held, because usually it's not the actual full fingerprint; they break it down to something called templates. But so being able to authenticate the person with centralized biometrics is much better, much stronger than being able to authenticate a device. Right. And that, oh, a device was unlocked by a user, that doesn't give me the warm and fuzzies about, you know, the identity of who did it. So yeah, strong authentication using server-based biometrics. It's definitely, you know, we're seeing a big trend towards that as well. Luckily we're well-positioned for that. Flexibility is another key thing.
Greg Browinski:
You are going to have people, like you mentioned, like faculty and staff or some older folks, who are not going to be comfortable, you know, doing any kind of MFA. So you have to be able to accommodate that. Right. And so flexibility is key. You can't have a one-size-fits-all in this day and age. You know, so maybe it's something, for example, like backup codes, they might be more comfortable with, because they can print out a sheet and put it in their wallet. And then they use an OTP when they, you know, when they need to. So there's a lot of different things there. So it does come down to standards, strong authentication through biometrics, server-based biometrics, and then maintaining flexibility. Right? So different users are going to have different use cases and scenarios, and you have to be able to support those without, you know, end users revolting, you know, because they still are the customer, right. Even though you need to secure them and you secure the access that they're requiring nowadays, you can't compromise security as a result of that. Right.
Kimberly Johnson:
Right. And I think, you know, I mean, we've seen it together really in terms of the evolution of MFA. Actually, we started with two-factor, right, now we're in multi-factor. And I remember, I always remember in finance, they were one of the first ones to be, you know, regulated to do so. And so they did password plus the security question, and then we came out with, well, that's not really two-factor, and now we've gotten multiple things, you know, and that's something you have, or are, right, as the classic kind for MFA. And now we're going around and trusting, like you kind of pointed out, we're trusting phones and USB tokens and, you know, kind of devices and hardware more so than actually being able to say the person is truly authenticating. And so, you know, it's getting to a tipping point where attacks are going after SMS OTP.
Kimberly Johnson:
You know, people are, email OTPs even, right, are problematic to phishing. And so I think it is going to be an interesting evolution of how much flexibility can we, you know, include, also with generational changes and acceptance of technology. Do we move more towards people being comfortable with biometrics and more advanced technologies? And then Greg Wendt, you brought up another good one where, you know, you're looking at not just the factor, but the contextual or behavioral, you know, kind of conditions around the authentication and the transactions. So it's definitely an interesting evolution and, you know, the applications such as PeopleSoft, that's so critical, has so many different access scenarios and it's just kind of a no-brainer that it has to be part of your IAM strategy. And then it has to be modernized as we kind of evolve this thing.
Greg Browinski:
And actually, Kim, on that, just to be fair to all of the machines out there that do need to authenticate, because there are, right. So it's not just people doing it; there are automated processes in the background. And so there are other standards, like, so OAuth is another SSO protocol. And so that actually has different code flows that can accommodate machine-to-machine authentication. Right? So like, again, like don't roll your own, you know, use the standards. So
Kimberly Johnson:
I think in the Latin, Latin, I think of the language analogy, and I'm just, I, the reason I said Latin is because I decided French was not for me. And I went to Latin and my mom, my mother's like, "You're not gonna speak that to anybody." So pick a language, pick one that's widely used, so to speak, but it was still beneficial, you know, SATs. Anyway, so to wrap up today's episode, you know, getting to the end of the time we have, we definitely covered challenges of securing PeopleSoft, how critical it is to the business, how many people are accessing it, and why it's so critical to look for an IAM solution that includes it as part of your strategy, right? You don't want it to be this one-off requiring a separate credential or being vulnerable. What key piece of advice, let's say it's one piece of advice, would you give our listeners if they're trying to understand how to integrate PeopleSoft with their IAM strategy? Greg Wendt, why don't we start with you?
Greg Wendt:
Sure. I would really, from a key piece of advice, echo what Greg was saying. The whole, you know, buy versus build. I've probably done about 350 to 400 different security reviews through my time. And it's shockingly, probably consistent to find out how many different breaches really stemmed from a homegrown security solution. You know, you kind of commented about it earlier, where we had, you know, questions, you know, "answer these two questions and that's how we're going to validate you" and things like that. It's just, it doesn't work in today's environment and that's where so many organizations got bit through the time, because they are attacking the individual users. They're not going at the systems. So when you're not going with an enterprise-wide solution that has multiple different options for trust and delivering multi-factor authentication, for example, integrating with that or trying to build that on your own is very problematic and it becomes difficult to really go through the scenarios and think through a hundred percent of what that bad actor is going to do to your organization and attempt to, you know, how they're going to think about attacking your organization.
Greg Wendt:
So that would probably be one of the biggest things that I would say is, you know, if I were evaluating buy versus build at this particular point in time, I would be looking at build, you know, or not build. I would be looking at buy, sorry, because the building is just so problematic. It's so difficult to keep up and running. The technologies are changing very quickly and, as Greg said earlier, the connectors between these different endpoints, you know, change very frequently. So it's something that, you know, let somebody else manage that, who does that for a living, and go with the buy, because it is going to simplify your life and your support and your security model much, much better for you in the long run.
Kimberly Johnson:
Right? No, great advice. And I think, you know, we've also seen a shortage of cybersecurity talent, right, that probably could even do this in the first place. I think that's another, you know, even if you consider building it, do you have the right people on staff to maintain it, to build it in the first place? You know, we're hearing more and more that those resources just aren't available.
Greg Wendt:
You're right on point there. I mean, we saw it, you know, with a lot of the different processes and the different people that we talked to. I mean, right now with COVID, everybody's still trying to figure out exactly what they're doing, how they're doing it, how they're going to secure it, you know, with the whole shift to remote work, for example. So it's just not in the priority, you know, and they don't have the teams and the staffs to be able to do this. So it comes where, if you can buy a turnkey solution that supports your needs, it just makes sense to
Kimberly Johnson:
Right. 100%, 100%. And Greg Browinski, I think we kind of took your one piece of advice, but let's see, what other one piece of advice do you have besides being space, which I think is probably one of the stronger pieces of advice out there?
Greg Browinski:
So it does kind of piggyback off what my namesake just mentioned, but with a slightly different, we haven't even brought it up yet, but so we are seeing, obviously there's a dearth of IT security professionals, and with all the different, all the new requirements around access, right, for, you know, for ERP data, what I would recommend is that people look seriously at the cloud, hosting more things in the cloud. This is obviously a shift that's been occurring for, you know, I don't know, eight plus years at this point, but so people are becoming more comfortable with it, because their own data centers now, that people outside of your network need access to, you know, you are now stuck with this legacy model of your own data center and maintaining all of this, you know, like all this infrastructure, and how often, you know, it must keep people up at night, or it should, about how many different holes there are in a traditional data center.
Greg Browinski:
And so are those being monitored, you know, are these things being patched, are servers that are unused being decommissioned, you know, are there reports on, like, you know, different activities done by admins? I mean, there's so many different things. Even like data backups, you know, are they being done? Are they being validated and verified? So using a cloud-based solution, whether it's hosting PeopleSoft with Oracle, whether it is using a cloud-based identity provider, all right, those are the things that now you've got experts doing that. They're doing it for a lot of people. It is a specialization at that point, right? It's not you holding onto this data in your own data center because that's how we've always done it. You know, that is just going to get you in trouble. So, you know, being able to free your, like, your local IT department, which is understaffed.
Greg Browinski:
Right. And so being able to free them and say, I mean, who in their right mind is going to host email at this point? Right? I mean, so everybody should be using email as a service, right, because I don't know what value it is to have it themselves, unless it's like, "Oh, wait, we have to keep email for six years." I mean, you could probably talk to, you know, Google and Microsoft about that and they can get you on some special plan, but, you know, otherwise there's very little value for hosting it yourself, because it's just too expensive in so many different ways. And the risk is also a lot higher when you're doing it yourself. So that is probably what I would put forward is, you know, consider the cloud, for, you know, again, it's come a long way. People are more comfortable with it. And, you know, that Exchange zero-day attack, for example, that occurred a couple of months ago, Office 365 was not affected.
Kimberly Johnson:
Right? No, that's a great point. And I know there's been shifts, from what we've seen, for moving PeopleSoft to the cloud, and as well as other, like you said, IdP, and we've seen it with talking about ransomware hitting your infrastructure, right. If your IAM solutions are on-prem, or any of these major systems, it's an even greater likelihood that those are gonna be impacted, not to mention disaster recovery, business continuity concerns. So it just, it's one of the best ideas, if they haven't adopted it already. So that's excellent. And so advice we took away, you know, don't build it yourself. Don't custom code it. Definitely look to buy or purchase based on expertise that's out there. Standards-based all the way, pick a common language, and consider the cloud. I think those are fantastic pieces of advice for our listeners today.
Kimberly Johnson:
And so, Greg and Greg, that is all the time we have for today. Thank you both again for joining me to discuss this common and really widespread challenge of not only integrating PeopleSoft, but also other complex applications into an organization's IAM strategy. As mentioned, it is possible; it requires the right IAM options and flexibility as well as a seamless integration. So anyways, that wraps up today's episode of IAM Pulse. Thank you for listening to the show. Join us next time to learn more about IAM and how to secure identity the way you want. Talk to you soon. And thanks, Greg, and, right.