Understanding Workday Security: Meeting Compliance with Best Practices

While an abundance of data may deliver more fruitful insights, it may also end up creating areas of concern for security, governance, and compliance.

Let us discuss how this relates to Workday security, the important factors that impede compliance, and the best practices to overcome them.

What is Workday Security?

Workday is a cloud-based SaaS platform that delivers a one-window solution to organizations seeking a consolidated solution for their financial management, payroll processing, enterprise planning, and human capital management (HCM) needs.

Workday security defines what type of data different groups of people in an organization can see in their Workday system, what level of access they have, such as view only, view/write, etc., and what security measures are implemented for protecting that data. To better understand it, let’s take a look at the different concepts of security in Workday.

Workday Security Concepts

Workday Security Configurations

Security configurations define a set of security measures, such as data masking, data encryption, multi-factor authentication, or access controls that allow security experts to mitigate security and privacy risks and reduce vulnerabilities that could lead to cyber threats, such as data theft, corporate espionage, etc.

Workday Security Groups

Security groups configuration defines who requires access to specific business processes and objects. In Workday, groups are usually categorized into role-based, user-based, and standard worker or process-maintained groups. Apart from the delivered groups, administrators can also create custom groups.

Administrators can add users to the group by first creating a role and constraining them with the Organizations that the role and responsibility fall within, such as Supervisory Organization, Cost Center, Company, and Location.

Role-based Security

Most organizations create role-based security groups because they are usually associated with a single Organization, such as a Location or Company. In a role-based group, access is assigned to users based on their role or responsibility in the organization, such as HR Partner, Manager, HR Contact.

Suppose a user switches job roles in the organization. In that case, their access control is changed following the change in their job responsibility and the required access to specific business processes. Similarly, when a user quits, their access must be removed..

User-based Security

Unlike role-based groups, the user-based security group is usually unconstrained, and the user can enjoy access to multiple Organizations, such as Company, Location, Cost Center, etc. In this type of group, a role is assigned to the user based on their job responsibilities. An ideal example may include a Security Administrator who may be granted organization-wide access to systems.

Standard Worker/ Process Maintained

Standard worker, sometimes called Process Maintained, is automatically assigned to every worker or employee. It is a constrained group and includes “Employee as Self.”

Workday Security Roles

Security roles are tied to different security groups and the organization. It defines a specific group of people with pre-set security permissions and responsibilities. Security roles determine the information a user in a particular group can view or a task they can approve or execute.

As different groups of people within an organization access Workday regularly, having varied responsibilities and managing volumes of data, it becomes imperative for organizations to place strong security measures and controls to enable seamless business operations, improve governance, minimize risks, and ensure compliance.

3 Factors That Impede Compliance

As large organizations have to deal with employees' data at scale, they tend to face three primary hurdles that give rise to security threats, and governance or compliance risks.

Lack of Visibility into Sensitive Data

Section 1798.140(ae), California Privacy Rights Act 2020 defines sensitive personal information as any personal information that reveals the data subjects’

• Social security number, state identification, passport number, or driver’s license number;
• Debit or credit card number, security code, access code, or financial account number;
• Data subject’s precise geolocation;
• Union membership, religious belief, ethnic or racial origin;
• Contents of emails and messages;
• Genetic data.

The European Union’s General Data Protection Act (GDPR) treats certain categories of personal data under a special category of personal data under Article 9 and allows the processing of such data only under certain limited grounds and safeguards. Under the GDPR, sensitive personal data can be:

• Health data.
• Genetic data.
• Biometric data.
• Racial and ethnic origin.
• Political opinions or political organization membership.
• Religious or philosophical beliefs or trade union membership.
• Data concerning an individual’s sex life or sexual orientation.

Both the regulations give special attention to the sensitive data of individuals as the loss of such data or any harm to its integrity may have a significant impact on an individual. Regulations in other areas of the world have similar definitions.

Organizations collect various sensitive data of their employees for various purposes, such as improving communications, employee relations, wellness, policies, etc. The existence of data sprawl because of unregistered devices or disparate accounts, emails, or spreadsheets make it relatively difficult to tie sensitive data, which is distributed outside Workday, to the respective employee. This lack of effective data mapping, cataloging, and data governance may lead to compliance failures in situations like Data Subject Rights (DSR) fulfillment, Data Privacy Impact Assessment (DPIA), or while managing records of data processing activities (ROPA), as required in privacy regulations, such as under Article 30 in GDPR.

Security Misconfigurations

Encryption (at rest or in transit) and Single Sign-On (SSO) are effective initial data protection measures but they are not sufficient as data can be accessed by Workday users even if encrypted.. Optimal security measures require a seamless relationship between Workday end-users and an organization’s security team involved in ensuring data protection and compliance. However, this isn’t always the case.

End-users are often mainly concerned with productivity and job performance when they use Workday systems. Security is the least of their concerns. To ensure that the right security measures are in place, the organization has to call upon the services of its security team. The security team then manually has to scan the system and skim through it to check security misconfigurations.

A smart solution to this disconnectivity is the automation of different security measures from the onset. For instance, as soon as users pour in employees’ sensitive and personal data to Workday, the automation system should kick in, categorize data, tag with relevant sensitivity labels, and generate a security alert, notifying the security team to take measures or auto remediate the misconfiguration, such as missing data masking or multi-factor authentication. For instance, a security rule can be created to ensure that all the users on Workday are behind multi-factor authentication (MFA).

Access Controls

As mentioned earlier, Workday users are more inclined to focus on empowering teams and enabling them to bring more efficiency to their jobs. To ensure productivity and efficiency, employees often get excessive privileges to sensitive and personal data than they require as per their actual job responsibilities. This creates difficulties for security teams to monitor a huge pool of employees and govern their access to unauthorized data.

This ultimately creates insider threats, allowing internal threat actors to get around security measures due to excessive privileges of sensitive data. Efficient automation systems are required to tackle and remediate these problems. An effective discovery and mapping system will allow security teams to track sensitive and personal data within structured and unstructured systems and apply automated security measures to disallow unauthorized access, such as enabling data masking.

Workday Security Best Practices

Effective Data Discovery and Mapping

Security and compliance start with knowing which type of data needs to be protected, where it is located in the Workday ecosystem, and whose sensitive and personal data.

Structured Data

Use article intelligence (AI) and machine learning (ML) technologies to increase the accuracy of sensitive data detection across disparate data stores. Moreover, a contextual analysis mechanism should be used to wade through Workday structures fields and columns to skim name heads and detect sensitive data while keeping false-positive to a minimum.

Unstructured Data

Leverage the same AI/ML technology to scan through unstructured data that exists in spreadsheets, quarterly reports, employee files, etc., across Workday systems. Classify sensitive and personal data elements via graph algorithm search to resolve any ambiguous classification. Link the personal and sensitive data to individuals for compliance, such as with the data subject requests.

Data Risk Graph

It is advisable to have a data risk graph that can give the security team a detailed risk-centric view on the personal and sensitive data of employees residing within the Workday environment. The graph or dashboard will allow the team to track any risk changes to the environment and remediate anomalies.

Govern Access to Sensitive Data

Accurate classification of data under correct data categories and data elements allow security teams to design effective security policies against personal and sensitive data. For instance, the system administrator can create an automated data masking policy that masks all the sensitive data defined to limit access to only authorized users.

Protect Sensitive Data From Exposure and Risk

Discover any security misconfiguration, such as storage retention policy, storage bucket encryption, or multi-factor authentication for Workday users. Create auto-remedial policies to fix such security misconfigurations automatically, and then enable policies to send alerts to system owners.

The aforementioned best practices allow organizations to effectively fulfill different privacy regulations, such as honor data subject rights, maintaining a record of processing activities as required by Article 9 GDPR, etc.

Securiti: Your Workday Security Solution

Securiti delivers end-to-end Workday security, privacy, governance, and compliance solution. Securiti’s partnership with Workday enables organizations to seamlessly integrate their Workday systems to our PrivacyOps platform to get a consolidated view of governance and compliance.

• Sensitive Data Intelligence: Discover and understand what type of data resides across a dynamic on-premise or multi-cloud environment.
• Security: Leverage the mapped data to view security posture and create a mesh of security rules.
• Privacy: Use the classified and cataloged data to fulfill DSR and other regulatory requirements.
• Compliance: Achieve global regulatory compliance, such as GDPR, HIPAA, CPRA, etc.

Request a free demo to learn how Securiti helps organizations overcome Workday security, governance, and compliance risks.