Product Spotlights
5 minutes

Five Challenges of Workday Security

Workday is the leading SaaS solution for finance, HR, and planning. It’s widely adopted by enterprises globally and entrusted with private employee and business data. A variety of teams rely on Workday as a business-critical platform, but it’s frequently identified as a blindspot by security leaders. Below, we’ll look at five primary challenges commonly faced when protecting Workday and break down exactly what security teams need to overcome them.

1. Your security team doesn’t have insight into or control over Workday.

There’s a fundamental disconnect between the teams who implement and manage Workday and the security team looking to protect it. Application owners are primarily concerned with configuring Workday to be a powerful productivity tool for your organization, and often see security as a lesser concern. Security teams typically need to request information, and even if they’re given access, Workday’s interface is designed around the needs of business users and administrators.

The most important first step to establishing a better relationship between application owners and security teams is ensuring that both teams have a full understanding of what’s happening within Workday and across your other business-critical applications. That includes insights into user activity, the scope of user privileges, access to sensitive information, unoptimized security settings, and integrations with other applications and third-party services.

2. Account takeovers and insider threats are difficult to identify.

While existing single sign-on and multi-factor authentication solutions are effective initial measures to protect Workday, your security team needs to continually monitor for insider threats and bad actors that manage to bypass these systems. Without a complete picture of user activity within Workday and across other applications, potential threats are nearly impossible to manually identify.

Your security team needs a solution that can baseline user activity across Workday and other business-critical SaaS applications to identify anomalies early on, prompting remediation before data exfiltration. Such context would give you the ability to immediately identify signs of external threats, including logins from countries with no active employees and banking information changes directed at foreign accounts. You should also be able to monitor employees with upcoming termination dates to analyze abnormal file access, identify potential insider threats, and ultimately protect sensitive data and intellectual property.

3. Workday privileges are distributed generously and difficult to rope in.

Because Workday application owners are concerned primarily with enabling teams to fulfill their responsibilities efficiently, it is common for employees and contractors to receive higher privileges than are actually necessary for their duties. Security teams are challenged to minimize risk by right-sizing privileges while trying not to impede users who actually need elevated access. Workday’s incredibly complex permissions model makes defining privileged roles a monumental task.

To effectively manage privileges and minimize enterprise risk, your security team needs a holistic, clearly defined inventory of privileged roles in Workday. They should also have comprehensive analysis of unused rights and a peer group comparison to identify outlying users whose access doesn’t make sense for their role. For example, you should be able to easily identify which users are able to access all personal employee records contained in Workday. Managing privilege will also keep you in compliance with HIPAA, GDPR, and other regulations.

4. Inefficient change management processes leave your organization vulnerable.

To improve your organization’s overall security posture and minimize the potential impact of a breach, your security team is constantly looking for opportunities to optimize application configurations, privileges, and third-party integrations. But without insight into Workday, knowing the impact of these changes is virtually impossible. When approaching application owners with proposed changes, this lack of information makes the change management process slow and inefficient.

Giving your security team full insight into activity, configurations, and privileges in Workday informs and accelerates these conversations to ensure security improvements are made without impacting productivity. The ideal solution doesn’t just highlight opportunities to harden your security posture, but also details exactly which users will be affected in order to take the guesswork out of change management. You should immediately be able to answer critical questions such as, “Which users would be impacted if I disable this third-party integration?” and “Which of my connected services have full system administrator rights in Workday?”

5. Limited access to Workday context is hurting your overall SaaS security posture.

Not having access to Workday doesn’t just impact your security team’s ability to protect Workday itself—it leaves your entire SaaS environment vulnerable. When investigating a specific user’s suspicious behavior, your security team has to request employee details from application owners. By the time your team has the full context, it may be too late.

To rapidly investigate and respond to threats in any application, your security team needs independent access to Workday’s contextual information at a moment’s notice. They should be able to answer crucial questions like, “What is this person’s position in the organization?” and “Is this user’s activity consistent with their role?” You should also be able to identify activity in Workday and other core applications from employees and contractors whose termination dates have passed. This improves the speed of incident response and general security posture across all your business-critical applications.

Harden your security posture and mitigate threats early on with Obsidian.

These five challenges all tie back to a fundamental lack of insight into Workday that makes the platform particularly challenging for security teams to protect. Obsidian is the first to deliver a comprehensive SaaS security and compliance solution that complements your existing security stack to mitigate threats and reduce enterprise risk. We make it easy to monitor and secure Workday because our platform is built with a deep understanding of the application. From mapping Workday’s complex permissions model and identifying best practices for its configurations to offering out-of-the-box detections for threats, Obsidian gives security teams the context and confidence they need to proactively improve hygiene and respond to threats immediately.

Learn more about Workday security with Obsidian by reading our in-depth brief.