Data Privacy, Data Security & Workday: The Solutions

Discover how solutions like Data Scrambling and Data Masking can help organisations have appropriate data privacy controls in place when supporting Workday.
Date posted: 14 November 2022

In the first part of this two-part guide, we discussed how data is firmly protected within Workday’s configurable security model, but customers must not forget their obligations for data privacy when testing, training support teams, or granting elevated access to Workday.

Now, we're exploring the solutions available, how they can be applied, and how they stack up when considering a data privacy strategy for non-production access in Workday. But first things first…

What are your data privacy obligations?

When implementing new systems, everyone across the project team must understand their obligations to data privacy before, during and after the implementation. First comes data discovery, a vital step in understanding the location, volume and context of sensitive data so that it can be identified and made visible. Listed below are just some of the types of data that are critical to protect:

1. Personally Identifiable Information (PII)
Data that reveals the identity of a person such as date of birth or diversity information. In Workday HCM, this would also cover compensation, benefits and payroll.

2. Protected Health Information (PHI)
The type of data collected by healthcare providers, PHI includes demographic information, medical history and medical reports for patients.

3. Commercially sensitive information
The latest profit and loss accounts before they are released publicly, as well as bank account numbers and payments, are business sensitive and could cause damage to an organisation if exposed.

The next step is understanding who should have access to this data at different stages of the implementation project and in post-deployment—what does the business-as-usual state of play look like? During implementation and post-deployment, it is vital to consider data access, especially for people that are supporting the application.

Workday has configurable security for all the live production users, but it’s in non-production where individual customers need to consider other data controls. Data masking or data scrambling can allow support teams to do their tasks while data remains protected.

The final step in this cycle is data monitoring. Isolating and detecting events that indicate abuse of access makes auditing easier and helps ensure that compliance standards are met.

What data privacy solutions are there for accessing non-production?

We previously mentioned that data is firmly protected within Workday’s configurable security model, but data privacy solutions are an organisation's obligation when extending access to non-production environments for various scenarios.

Solutions can range from the advanced, complex, and costly – internal teams or external consultants rejigging security configurations as your needs change over time, for example – to the simpler and more cost-effective, such as data scrambling or data masking.

Here, we focus on the latter two, as they readily allow for scale but still ensure that data is protected.

The difference between data scrambling and data masking

The key difference between these two solutions is that data scrambling changes the data at the storage layer, making the change permanent and irreversible, whilst data masking obfuscates data at the UI layer, so the user cannot see the original data but it still exists beneath. The scrambling process is therefore more invasive than the masking one.

The one you choose really comes down to the tasks your Workday support team have within your non-production tenants and which one is flexible enough to enable these jobs to happen but still ensure you are compliant.

Data scrambling changes the data at the storage layer, and therefore is widely used when you do not need real-time data usability, making it well suited to protect data at rest or in transit.

Data masking is especially useful for data in use, where data is being directly accessed by a pool of testers or people being trained to troubleshoot issues or receive a demonstration. Masking can create a fake but realistic version of the data to ensure it is still useful for training and testing purposes within an organisation.
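To make the storage-layer versus UI-layer distinction concrete, the following is an added Python example, not code from Workday or Smart Shield. The field names, the `privacy_officer` role and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("date_of_birth", "salary", "bank_account")  # assumed names
UNMASKED_ROLES = {"privacy_officer"}                            # hypothetical role

def sample_store():
    """Constructed records standing in for a non-production data copy."""
    return [
        {"id": 1, "date_of_birth": "1980-02-14", "salary": "52000",
         "bank_account": "GB00TEST00000012345678"},
        {"id": 2, "date_of_birth": "1991-11-30", "salary": "61000",
         "bank_account": "GB00TEST00000087654321"},
    ]

def scramble(store):
    """Storage-layer scrambling: overwrite sensitive values in place.

    A random key is generated, used for a keyed hash, and never kept, so
    the originals cannot be recomputed from what remains in the store.
    """
    key = secrets.token_bytes(32)
    for record in store:
        for field in SENSITIVE_FIELDS:
            tag = hmac.new(key, f"{field}:{record[field]}".encode(),
                           hashlib.sha256).hexdigest()
            record[field] = "scr_" + tag[:12]
    return store

def mask_value(value, visible=2):
    """Hide all but the last `visible` characters."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]

def masked_view(store, role):
    """Presentation-layer masking: build what a role sees; store untouched."""
    view = []
    for record in store:
        shown = dict(record)
        if role not in UNMASKED_ROLES:
            for field in SENSITIVE_FIELDS:
                shown[field] = mask_value(record[field])
        view.append(shown)
    return view
```

After `masked_view`, the store still holds the real values, so storage-level access and unmasked roles remain in scope for access control and monitoring. After `scramble`, the real values are gone for every user of that copy.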

Data masking – when implemented with other security measures – can protect an organisation from accidental exposure and insider threats, ensuring compliance in an ever-changing regulatory landscape.

If data privacy is a concern for your business, we’ll show you how Smart Shield can help. Book a demo today.