Top 3 Security Priorities from Workday DevCon 2023

By Alec Peiffer, Director of Product, Growth, AppOmni

James Alston, Senior Solution Engineer, AppOmni
Joseph Thacker, Senior Offensive Security Engineer, AppOmni

Workday DevCon 2023 was held last week. The company’s premier technical conference reaffirmed the tremendous power of the Workday platform. The capabilities and customization are astounding and allow customers to maximize the solution to address a near infinite number of use cases.

With great ability to customize and configure comes a large amount of responsibility and an equally large amount of risk when it pertains to Workday instance misconfigurations. It was no surprise that a theme of the conference was security of the Workday platform and secure use of the platform. This was echoed by senior executives who recognize that the tremendous power of the platform presents challenges for its secure use. It seems widely accepted that the complexity of Workday’s permissioning model often makes understanding users, their permissions, and their current access level very difficult.

While securely using the platform is a challenge, our team of SaaS security experts were on-site to stay up to date with all the latest and greatest technologies Workday has recently released, and/or plan to release.

Read on for our top three insights on how to prioritize security around Workday. These insights can also be foundational for how to build your company’s Workday SaaS Security program more effectively.

Top 3 Workday Security Priorities

1. Bridge the Workday Admin and Security Team Divide

Securing SaaS apps like Workday necessitates a close cooperation between app admins and security teams. While app admins comprehend the platform, security concepts may pose challenges. Security teams boast security expertise but lack hands-on Workday experience. Overcoming this disparity is critical for effectively and consistently ensuring secure operations on the Workday platform. Achieving this often entails a cultural transformation that fosters shared responsibility for application security.

Workday admins gain advantages from security teams’ expertise in best practices, threat awareness, and configuration management. Conversely, security teams acquire insights into Workday’s specifics from app admins. Through these joint efforts, they establish robust security controls, monitor vulnerabilities, and respond to threats.

Open communication, knowledge sharing, and cross-functional training bolster this collective approach. Embracing this cultural shift results in a more fortified security foundation for SaaS apps like Workday.

2. Understand your Environment and its Data

Workday’s high degree of configurability creates a complex role/permissions model, making it challenging to understand what users have which role and/or which role is tied to what security group, and finally, what security group or role gives over permissive access to sensitive data such as payroll, benefits data, or even the most sensitive financial data about your company.

This challenge is manageable at a small scale, but at the enterprise level it becomes a tangible web with blindspots and complications making sense of what you do have visibility on. Can Workday admins confidently list the security groups and roles that have access to payroll data, PII, or other sensitive data? If they can, it’s probably because they’ve lived in Workday for years, but can any other teammate understand without years of tribal knowledge?

To illustrate this challenge, let’s look at Workday’s User-Group-Permissions model:

  • Users, referred to as accounts, are categorized as either Workers or Integration System Users.
  • Roles define specific sets of permissions and are associated with security groups and in other cases, by a single user.
  • Roles can be assigned to Security Groups which can help with determining their access levels and privileges.
  • Supervisory Orgs are utilized to establish hierarchical reporting relationships within an organization.
  • Domains serve as categorizations for different types of permissions, enabling finer-grained access control.
  • Business Processes encompass various actions that can be performed within an organization.
  • Security Policies are applied to Domains and Business Processes, governing the access and authorization rules.
  • Functional Areas are clusters of permissions, providing a consolidated view of related access rights.
  • Constrained access: Limits access within a security group, vs unconstrained access: Allows full access within a security group

This model offers remarkable flexibility in granting permissions and entitlements, but it necessitates a substantial level of expertise and experience to manage it effectively and securely. The higher the complexity involved, the higher the risk of misconfiguration, potentially leading to data breaches.

To securely manage user permissions in Workday, a Workday administrator must focus on the roles and security group design, regular reviews and updates, and ongoing monitoring and auditing. This is required to minimize the risk of misconfigurations or data breaches, and ensure that users have appropriate access privileges within the system. In our experience with the most mature security programs in the Fortune 500 companies, this is exceedingly difficult to effectively implement and understand.

To securely manage user access in Workday, a Workday administrator must prioritize three critical tasks: role and security group design, regular reviews and updates, and ongoing monitoring and auditing.

These actions are essential to minimize the risk of misconfigurations or data breaches while ensuring that users have appropriate access privileges within the system. However, based on experience with the most mature security programs in Fortune 500 companies, effectively implementing these measures is often exceedingly challenging.

3. Continuous Monitoring

Security isn’t a point-in-time state, it’s a collection of practices required to manage and secure an ever evolving environment. Collectively these practices are called Continuous Monitoring, and they depend on our previous two priorities of bridging the application admin-security gap and understanding your Workday environment and its data.

There are two primary components of continuous monitoring in Workday:

  1. Establish baseline policies and monitor for drift: Organizations must define clear baseline policies that outline expected permissioning and behaviors in the Workday platform. These policies encompass user behaviors, access privileges, data usage patterns, and system configurations. Continuous monitoring tools are then used to detect any deviations or drift from the established baselines, enabling proactive identification of unauthorized changes, policy violations, or abnormal activities.
  2. Measure baseline activities and utilize detection tools to identify anomalous behaviors and remediate as needed: Workday logs are ingested and pushed to tools such as Security Information and Event Management (SIEM) systems, behavior analytics, and machine learning algorithms. These tools analyze collected data in real-time, identifying and flagging suspicious patterns, triggering alerts or automated responses when potential security incidents or policy violations are detected. This enables timely remediation actions to address anomalies promptly and mitigate associated risks.

Putting this into Practice

Effectively executing on these three priorities will significantly enhance the security around your Workday environment. The good news is that it’s technically feasible to execute on these priorities without buying additional tooling. The bad news is that it’s extremely difficult to do and harder to sustain with Workday native tooling, which is the reason Workday customers struggle with secure configurations.

A potential downside of complexity is that Workday customers attempt to solve this security challenge by layering on in-house and custom security control frameworks, which invariably become impossible to manage, with limited security outcomes. This is where SaaS Security Posture Management (SSPM) tools play a critical role.

AppOmni is the SaaS security leader and the only SSPM company partnered with Workday to provide comprehensive security for Workday environments, including robust posture management and threat detection abilities. AppOmni allows the creation and application of security baselines to uniformly apply a common security control plane across Workday environments, as well as your entire SaaS portfolio.

See why some of the leading enterprises in the world have chosen AppOmni as their SaaS security solution of choice. Schedule a demo today.

Related Resources