Five Workday security considerations for compliance confidence
Workday's unrivalled flexibility, customisation and reporting provide a powerful platform for operational transformation, but careful consideration is required when it comes to system security and auditability. In this guide, Kainos Principal Security & Compliance consultant Patrick Sheridan details the five key areas that can help support robust controls for a compliant Workday system.
---
“Cyber security incidents are growing exponentially in terms of frequency and damage to an organisation’s reputation in their respective marketplaces. Users and organisations have not adequately deployed defences to discourage would-be attackers’ intent to strike.” - Cybersecurity Risks, Vulnerabilities, and Countermeasures to Prevent Social Engineering Attacks
With cloud platforms boasting ever greater organisational oversight, security, and functional dexterity, it’s no surprise that IT leaders are increasingly pivoting to systems like Workday to compete in a vastly digital world, as well as mitigate against the growing risk of sophisticated cyber-crimes and fraudulent activity.
Built specifically for the cloud with security at the core of its technology, Workday’s “Power of One” means that all customers are on the same version with the same code. Not only does this allow Workday to take a singular approach for security (so customers can benefit from this one-to-many model) but also allows Workday to deploy security at scale—updates for one customer means updates for all.
However, despite its cutting-edge out-of-the-box security features, CIOs, CISOs, and Workday system owners should treat Workday like any other digital platform and apply the same level of compliance due diligence relevant to their industry and location. As the legal, fiscal, and reputational stakes grow higher for organisations who lack robust controls—or simply don’t pay enough attention to them—the consequences can be serious.
So, where to begin ensuring that personal data is protected, evidence is auditable, and that sensitive business processes are appropriately managed within Workday?
Here are the five key things to consider from a security perspective to gain confidence in the compliance of your Workday system:
1. Access Model
The Workday security model allows for all data, transactions, processes, and applications to be secured using the same security model which helps ensure that all end users, administrators, and integrations have access to the right data. This simplistic but powerful security model allows for a streamlined administrative process when it comes to maintaining the integrity of your Workday security.
It’s important to consider carefully what users should have the ability to assign security—the ability to assign administrative security groups is often referred to as being given the “keys to the kingdom” so this level of access should be kept to a limited number of trusted users.
2. Maintenance of your security configuration
Organisations do not stay stationery and reorganisations can occur for various reasons that can impact security. What may have been best practice and suited your business at the time of the initial security design may no longer be fit for purpose. When there is the need for new security configuration to meet new business requirements, it’s important to take the global Workday security model into consideration. This ensures there's no knock-on impact to any of the existing controls in place for the business.
Focusing on new business requests in isolation without wider consideration for the global Workday security model could result in a break in inheritance which can lead to unintentionally exposing the population of users to a set of users who should not have access. To help minimise the risk it is best, where possible, to not over-engineer your security by creating complex intersection security groups if a role-based security group is sufficient. Use unambiguous security groups and clear descriptions for these so that future users can understand their purpose and any particular controls that they relate to.
3. Segregation of Duties
This topic warrants a blog of its own, but consideration needs to be given around process workflows. The flow of business processes can be configured on the business process definition within Workday, so when implementing or revisiting existing configuration, consideration should be given to ensure there are no conflicts of interest. For example, we would not want a user to be able to able to issue a bonus to themselves and then also approve the same transaction—careful consideration needs to be given to the business process definitions around delegation authority, advanced routing restrictions and security group assignments.
Sufficient controls should be in place to have more than one person required to complete a transaction to help reduce the risk of fraud and error. Business process transactions within Workday should be able to output expected and consistent behaviour whilst achieving operational efficiency and without the need to weaken controls.
4. Data Encryption
One of Workdays key design characteristics is that every attribute of customer data is encrypted before is it is persisted in a database. The highest level of encryption can be achieved as Workday is an in-memory, object-orientated application instead of a disk-based RDBMS. Workday use an Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and each customer has their own unique encryption key.
Workday’s backend is very secure and ensures that your system is built for the future, but the front end of your system is only as strong as your weakest user. It is best to limit the ability to natively login to a small number of trusted users and, where possible, Multi-Factor Authentication should be in use. Integration System Users (ISU) generally interact with integrations via web-service calls and do not need the ability to login directly via the User Interface (UI). There is a setting called “Do Not Allow UI Sessions” against each ISU account that can be marked to prevent the ISU account logging in via the UI. Consideration should be given to all Workday accounts to ensure the minimal amount of access is granted to users to be able to perform their jobs, helping close any potential backdoors.
5. Always-on Auditing
Workday has integrated their audit capabilities into the core of the product allowing for always-on auditing which includes access, transactions and changes to data. Workday has several, delivered Audit reports to help satisfy audit-related questions by retaining information about what changed, who changed it, and when. It is worth noting that whilst audit logs for access, transactions and changes to data are retained, user activity logging that enables you to analyse the activity performed by users is only retained for 30 days. In non-production environments such as Sandbox where data can be refreshed, all the user activity information from before the refresh is lost.
As a next step, Workday recommends exporting the user activity to an external processing system for analysis, so it’s important to check that when selecting an external process system, it can record the activity from ALL your Workday tenants. For example, if an unauthorised user was to access restricted data in the Sandbox environment, as it is a mirror copy of Production, the same information would be exposed as if they accessed the data in Production. That’s why it’s critical to treat user activity in all tenants that have been refreshed from Production with the same level of respect.
Conclusion
As Workday is a cloud-based solution, it handles how the backend of the system is configured ensuring data is safely secured. Workday does provide the ability to audit your Workday tenant, however it is an organisation’s responsibility to ensure the appropriate controls are in place to be compliant with regulations such as General Data Protection Regulation (GDPR). It’s essential to not underestimate the setup and maintenance effort when configuring these controls and how easy it can be to overlook or make a mistake—even with a robust change management process in place.