Two-Factor Authentication for PeopleSoft Apps & Higher Education
Duo Security provides two-factor authentication to protect PeopleSoft applications, paired with GreyHeller's ERP Firewall Plug-in to ensure seamless security for students and staff at higher education institutions.
The Application
PeopleSoft, a suite of Oracle applications, includes solutions for HR, financial, supplier relationships, enterprise services (like billing, project management, contracts, etc.), supply chain management, and a tool to help integrate these applications.
Intended to increase productivity, accelerate business performance and lower costs of ownership, the applications house some of the most critical business and employee data, requiring robust security controls.
While used by many different businesses, PeopleSoft is also used by higher education institutions to give their students and employees access to sign up for classes or enter timesheets for managerial approval, from anywhere with an Internet browser.
The Security Challenge
Higher education institutions have to make PeopleSoft available via the Internet to support all of their users, from students to employees, all while protecting financial, personal and healthcare information from unauthorized access.
Security challenges are especially top of mind for higher education organizations, which are heavily targeted by criminals attempting to phish their credentials and by similar attacks. These low-tech attacks target login access to PeopleSoft applications.
A phishing attempt may target an employee or student of a higher education institution with an email that appears to be from a credible source (such as the IT dept.), asking them to enter their username and password into a form. Armed with these credentials, a criminal could log into the victim's PeopleSoft account and steal HR, financial, or any other sensitive/confidential data without being detected.
While cloud-based applications allow convenient access anywhere, anytime for employees or students who work remotely or while traveling, they also provide easy access for remote criminals. Universities and commercial companies are adopting more complex business and support models that include hiring contract employees and third-party vendors, opening up access to their apps to environments and people they may not be able to regulate.
All of these threats create serious security challenges for organizations of any kind and size, confronting security officers and CISOs with questions about how to balance security with the use of their productivity-saving PeopleSoft applications.
The Solution
Limiting access to PeopleSoft apps to only those on your corporate network isn’t practical, as students need to update financial aid information, check grades, etc., while employees should be able to enroll in benefits or log their work time.
To enable organizations that use PeopleSoft applications to secure and properly monitor access to their critical business applications and data available online, Duo Security’s two-factor authentication can be used with the GreyHeller ERP Firewall Plug-in for advanced security.
GreyHeller’s ERP firewall lets organizations define rules about who is authenticating and what they have access to. The firewall filters traffic that comes into PeopleSoft, including queries and requests to visit a page. When a request comes through, the firewall either allows or blocks it, preventing blocked traffic from reaching or leaving the web server, and presents a configurable message to the user if access is denied.
The ERP firewall also detects when a user needs to be challenged for authentication, and passes control to Duo to manage the two-factor authentication.
Duo Security’s two-factor authentication allows users to secure their individual access to PeopleSoft applications by adding another layer of authentication security at login. After completing their single-factor authentication (username and password), users are prompted to authenticate using their smartphones or a token.
Users can choose which method of authentication they want to use, from SMS passcodes to smartphone push notifications, phone callback and more. The flexibility of using different methods allows users to authenticate without cell service or Internet.
As a cloud-delivered two-factor authentication platform, Duo requires no infrastructure or equipment to manage, which is key to fast deployment and reduces the burden on IT admins. Plus, Duo’s self-enrollment feature walks non-technical users, including students and staff, through setup in just minutes.
Advanced Security Controls
Duo Security’s two-factor authentication provides easy management for help desk, IT and security staff with the help of a self-service portal that allows users to log in and manage their own devices.
The solution also gives administrators the ability to customize security policies by group (e.g., enforce that admins must use Duo Push, the most secure out-of-band authentication method).
Organizations can also get real-time authentication information by using Duo’s geolocation Maps and Flags feature that displays logged data about who is authenticating and from where, as well as user-reported fraudulent auth attempts. Or, view, download and filter user activity and fraud alerts with Duo's Authentication Security Logs.
Transaction-Level Two-Factor Authentication
Good security shouldn’t get in the way of the user. One potential scenario could prevent a student from signing up for a class, if they were unable to get access to the PeopleSoft system due to network issues. Lags in authentication can result in a class reaching capacity before a student can log into the application and sign up.
One of the most important aspects of vetting a two-factor authentication solution is taking into account the user’s perspective. The security login process must be as streamlined, simple and quick as possible for users.
With transaction-specific security controls, you can specify exactly where the two-factor challenge should occur. That allows administrators to require two-factor authentication only when conducting sensitive transactions, or when unlocking masked data (obfuscated data, like bank account numbers or SSNs). This can be used to prevent criminals from accessing and changing direct deposit data in an effort to redirect paychecks to their own bank accounts.
It can also be used to prevent internal threats. For example, in one case, a financial aid officer was viewing and writing down the information of many different financial aid accounts, then selling the identities. By protecting requests to view financial data with two-factor authentication, higher education institutions can track who is viewing certain types of information, and how much, allowing them the insight to identify potential insider threats and take action.
Duo’s two-factor APIs allow higher education organizations to customize which transactions they protect with the technology, giving them more granular control and narrowing the security focus, which makes the experience easier for every user.
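The allow/block/challenge decision the ERP firewall makes for each request, the transaction-level step-up described in this section, and the audit trail used to spot an insider pulling too many financial aid records, as one added example. This is illustrative code written for this page, not Duo's or GreyHeller's software: the page names, groups, users, required-method policy and log lines are all constructed, and the parsing assumes a simple key=value log format.

```python
"""Step-up (transaction-level) two-factor policy plus an insider-threat audit check.

Added example, not Duo's or GreyHeller's code. Every PeopleSoft page request gets
an ALLOW, BLOCK or CHALLENGE decision; the second factor is demanded only for
sensitive transactions (unmasking bank account or SSN fields, changing direct
deposit details, viewing financial aid accounts). The audit helper counts how
many distinct records each user viewed and flags outliers. All page names,
groups, users and log lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    CHALLENGE = "challenge"


# Constructed policy: (page, action) pairs that always require a second factor.
SENSITIVE_TRANSACTIONS = {
    ("DIRECT_DEPOSIT", "update"),
    ("BANK_ACCOUNT", "unmask"),
    ("SSN", "unmask"),
    ("GRADES", "update"),
    ("FIN_AID_ACCOUNT", "view"),
}
# Constructed: pages that only the admin group may reach at all.
ADMIN_ONLY_PAGES = {"SECURITY_ADMIN", "USER_PROFILES"}
# Constructed group policy: admins may satisfy the challenge with push only.
ANY_METHOD = {"push", "sms", "phone", "token"}
REQUIRED_METHOD_BY_GROUP = {"admins": {"push"}}


@dataclass
class Session:
    user: str
    groups: frozenset
    # Transactions already confirmed with a second factor in this session.
    stepped_up: set = field(default_factory=set)


def allowed_methods(session):
    """Methods permitted by every group the user belongs to."""
    methods = set(ANY_METHOD)
    for group in session.groups:
        methods &= REQUIRED_METHOD_BY_GROUP.get(group, ANY_METHOD)
    return methods


def filter_request(session, page, action):
    """Decide what the firewall does with one page request."""
    if page in ADMIN_ONLY_PAGES and "admins" not in session.groups:
        return Decision.BLOCK
    if (page, action) not in SENSITIVE_TRANSACTIONS:
        return Decision.ALLOW
    if (page, action) in session.stepped_up:
        return Decision.ALLOW  # already stepped up for this transaction
    return Decision.CHALLENGE


def complete_challenge(session, page, action, method, factor_ok):
    """Record a successful second factor, but only with a method the user's groups allow."""
    if not factor_ok or method not in allowed_methods(session):
        return False
    session.stepped_up.add((page, action))
    return True


# Constructed audit log lines in the key=value style a firewall might emit.
AUDIT_LOG = [
    "2024-03-04T09:01:12Z user=aid_officer1 page=FIN_AID_ACCOUNT action=view record=S1001",
    "2024-03-04T09:02:40Z user=aid_officer1 page=FIN_AID_ACCOUNT action=view record=S1002",
    "2024-03-04T09:03:05Z user=aid_officer2 page=FIN_AID_ACCOUNT action=view record=S1003",
    "2024-03-04T09:03:30Z user=aid_officer2 page=DIRECT_DEPOSIT action=update record=S1003",
    "2024-03-04T09:05:00Z user=aid_officer1 page=FIN_AID_ACCOUNT action=view record=S1004",
    "2024-03-04T09:05:10Z user=aid_officer1 page=FIN_AID_ACCOUNT action=view record=S1004",
    "2024-03-04T09:06:42Z user=aid_officer1 page=FIN_AID_ACCOUNT action=view record=S1005",
    "malformed line without fields",
]


def parse_audit_line(line):
    """Return the key=value fields of one line, or None if it is not well formed."""
    parts = line.split()
    fields = {}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"user", "page", "action", "record"} <= fields.keys():
        return None
    fields["timestamp"] = parts[0]
    return fields


def flag_excessive_viewers(log_lines, page, threshold):
    """Users who viewed more than `threshold` distinct records on `page`, with counts."""
    records_seen = defaultdict(set)
    for line in log_lines:
        fields = parse_audit_line(line)
        if fields and fields["page"] == page and fields["action"] == "view":
            records_seen[fields["user"]].add(fields["record"])
    flagged = {u: len(r) for u, r in records_seen.items() if len(r) > threshold}
    return sorted(flagged.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    student = Session(user="s.jones", groups=frozenset({"students"}))
    print(filter_request(student, "DIRECT_DEPOSIT", "update"))  # CHALLENGE
    print(flag_excessive_viewers(AUDIT_LOG, "FIN_AID_ACCOUNT", 2))
```

The step-up is keyed on the (page, action) pair rather than on the session as a whole, so unmasking an SSN does not silently unlock a later direct deposit change; the audit count uses distinct records so that refreshing one record repeatedly does not inflate a user's score.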
Specific Use Cases
Protection of Self-Service
With two-factor authentication and an ERP firewall, your organization can protect users that log into PeopleSoft for self-service use, including protecting activities such as manager approvals, employee time approvals, benefit enrollment, and sensitive data and transactions.
For example, if a student shares his credentials with a friend, that friend would be able to drop the student's classes or alter other information in his account. Two-factor authentication can prevent this, as it would require the friend to use the student’s personal device to log in.
Protection by Location
Duo’s two-factor authentication solution also allows for protection by location. Organizations can customize and configure a set of known locations from where they trust authentication attempts.
For example, if an employee is logging in from an on-campus location, the organization may allow them to authenticate only once during their session. But someone logging in from a Starbucks off campus is not at a trusted location and may be subject to stronger authentication controls. Learn more about Trusted Devices & Networks.
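The trusted-location behaviour described above, written out as a small policy function. This is an added example, not Duo's own code or policy engine: the campus address ranges, the list of reverse proxies and the 15-minute re-challenge interval are all constructed assumptions. It also handles the edge a practitioner hits first when doing this, namely that the client address must come from the institution's own load balancer and not from a header anyone on the Internet can set.

```python
"""Location-aware second-factor policy: trusted campus networks vs. everywhere else.

Added example, not Duo's code. A request from a trusted network needs a second
factor once per session; a request from an untrusted network is challenged again
once the previous confirmation is older than a short grace period. The client
address is taken from X-Forwarded-For only when the TCP peer is one of the
institution's own reverse proxies. All ranges and intervals are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: campus ranges the institution chooses to trust.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("2001:db8:100::/48"),
]
# Constructed: the load balancers that are allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
# Constructed: how long a confirmation from an untrusted network stays valid.
UNTRUSTED_GRACE = timedelta(minutes=15)


@dataclass
class SecondFactorState:
    session_started: datetime
    last_confirmed: Optional[datetime] = None


def _parse_ip(text):
    """Parse an address, treating anything unparseable as absent (hence untrusted)."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_any(ip, networks):
    # Mixed IPv4/IPv6 comparisons simply yield False in the ipaddress module.
    return any(ip in net for net in networks)


def client_address(remote_addr, x_forwarded_for=None):
    """Address to evaluate. X-Forwarded-For is believed only when the peer is a
    trusted proxy, and then the right-most hop (the one that proxy appended) is
    used; the left-most entries can be supplied by the client itself."""
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if x_forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        hops = [_parse_ip(h) for h in x_forwarded_for.split(",")]
        hops = [h for h in hops if h is not None]
        if hops:
            return hops[-1]
    return peer


def is_trusted_location(ip):
    return ip is not None and _in_any(ip, TRUSTED_NETWORKS)


def needs_second_factor(state, ip, now):
    """True if this request must be challenged before a sensitive action proceeds."""
    confirmed_this_session = (
        state.last_confirmed is not None
        and state.last_confirmed >= state.session_started
    )
    if is_trusted_location(ip):
        return not confirmed_this_session  # once per session on campus
    if not confirmed_this_session:
        return True
    return now - state.last_confirmed > UNTRUSTED_GRACE  # re-challenge off campus


def record_confirmation(state, now):
    state.last_confirmed = now


if __name__ == "__main__":
    start = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    state = SecondFactorState(session_started=start)
    ip = client_address("10.0.1.5", "203.0.113.9")  # came through a trusted proxy
    print(ip, is_trusted_location(ip), needs_second_factor(state, ip, start))
```

An unparseable or missing address falls through to the untrusted branch, so a misconfigured proxy degrades to more challenges rather than fewer; a confirmation left over from an earlier session is ignored because it predates `session_started`.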
Protection of Super Users and Administrators
In order to protect against the exploitation of phished credentials, organizations need to enforce identity verification for privileged tech and functional users.
Administrator accounts within PeopleSoft can update bank accounts, enter grades and access Social Security numbers. All of these actions and data need to be protected from unauthorized users. Two-factor authentication provides more assurance of an administrator's identity every time they log in or carry out a privileged action.
A Rich History of Securing Higher Education
Duo Security and GreyHeller both have experience working with higher education and commercial companies. Duo Security supports higher education through InCommon, operated by Internet2, which provides security and privacy for research, higher education and their partners in the U.S.
InCommon also operates a related assurance program and certificate and multifactor authentication services. In addition, Duo’s involvement with Internet2’s Net+ program allows universities to roll out two-factor authentication very broadly and at a very affordable price.
Some of GreyHeller’s commercial clients include Verizon, Geico, Pfizer, Blue Cross Blue Shield and United Healthcare; while higher education clients include the University of Cambridge, Syracuse, University of Colorado and many more.
Webinar: Two-Factor Authentication for PeopleSoft Systems
This co-sponsored webinar demonstrates how GreyHeller and Duo Security have partnered to bring resilient two-factor authentication to PeopleSoft systems, including demos of how to implement and manage an effective 2FA system for HCM and Campus Solutions.