Human Resource (HR) organizations were traditionally focused on personnel management and answering common benefit and payroll questions. Today, the department is viewed as a strategic asset within an organization, focusing on training, employee forecasting and more. To help keep up with the increased demands, HR departments worldwide are adopting SaaS-based HCM (Human Capital Management) solutions to unify processes and data across multiple systems.
However, extending business processes from on-premises to the cloud can create new challenges, possible fraud and data privacy leaks for any business that could lead to penalties from privacy regulations. These new SaaS-based tools drive efficiency and flexibility, but who owns checking to ensure the applications, and the associated data, are protected and up to regulatory standards?
HR Technology News:TecHRseries Interview with L. David Kingsley, CHRO at Alteryx
Take SuccessFactors, for example. SAP’s SaaS-based HCM offering processes more than 1.2 billion transactions per day, connecting to hundreds of other business-critical enterprise resource planning (ERP) applications to streamline operations. One misconfiguration between interconnected systems or lapse in authorization controls can create security issues and compliance violations that put the entire enterprise at risk.
Infosec teams are aware of these cloud applications, but the oversight for these systems often falls outside the team’s purview. Instead, businesses rely on HR information technology (IT) to step into the role, moving beyond management and uptime to focus on security. To keep businesses protected, HR IT teams need to become security experts and understand the overarching impacts these powerful cloud-based tools can have on their business.
Common HR SaaS Pitfalls (And How Hackers can Take Advantage of Them)
Like every business application within an intelligent enterprise, proper implementation, configuration and policies are critical. However, the problem is that many organizations do not consider the amount of risk these SaaS applications can introduce to their company. To ensure success, HR IT teams should know the most common HR SaaS pitfalls, their impact and how to mitigate risk moving forward. These top five insights include:
1. Excessive authorizations.
HR IT must ensure that all users have the least privileged authorizations possible. Losing sight of privileges can enable unauthorized users to view sensitive payment, performance, hiring and business policy information. It can even open up the opportunity for a bad actor to export data on a mass scale. A breach of this information could violate privacy mandates, such as the General Data Protection Regulation (GDPR), and be catastrophic to a company’s bottom line and reputation.
2. Segregation of duties.
A staff member with too much power can create a rogue user within the HCM offering who has elevated privileges and can purge data or access inappropriate personnel information. To help combat this situation, HR IT needs to put the proper steps in place to prevent a single user from owning any process from end to end.
3. User impersonation.
A bad actor’s ability to impersonate people is even more prevalent in the cloud, so user impersonation could create real problems for HR IT teams with tools like SuccessFactors. By impersonating different users, a bad actor could delegate elevated access to others, access proxy management settings and blatantly ignore business policies. Therefore, HR IT must accurately identify and track users’ access permission level, only allowing authorized employees to act on behalf of others for legitimate business reasons.
4. Security configurations.
SuccessFactors is full of custom features that streamline business processes. For example, the Metadata Framework tool enables HR IT to create company-specific objects that support unique business processes without the need to code, saving time and resources. Set up incorrectly, Metadata Framework and other custom features can create weaknesses that enable hackers to use the connection to get access into the SuccessFactors system and steal sensitive employee information. This can lead to sanctions and penalties for violating privacy regulations (GDPR, California Consumer Privacy Act (CCPA), etc.). It’s also important to check default settings and encryption keys to ensure attackers can’t access back-end servers and employee data. While these are just a few examples, HR IT teams must configure security frameworks according to best practices. To do this, consider continuous monitoring and tracking if all listed system administrator users should have this privilege or not, and remove the privilege if they should not have it.
5. System integrations.
Moving to SaaS or cloud HCM solutions means losing application visibility in exchange for greater flexibility. With this lack of visibility, it becomes difficult to know if unwanted third-party systems are connecting to your HCM application. Additionally, it’s even more challenging to know if files sent to known third-party systems are being intercepted or modified. This lapse in visibility makes it difficult to truly know if your organization’s most valuable data is safe. For example, if a third-party application is compromised the attacker can try to access it using an existing connection to get into the HCM application. The improper management of the connected third-party applications can lead to not only business process interruption but can also lead to sanctions and penalties for violating privacy regulations. Therefore, it’s incredibly important third-party integration settings are set up according to security best practices.
HR Technology News:TecHRseries Interview with Cyril De Queral, CEO at Powell Software
Keeping SaaS-based HCM Applications Safe and Compliant
These five insights help start a serious security conversation for HR IT and create a “checklist” that can help put enterprises on the path to ensuring SaaS-based HCM applications are secure and compliant. However, keeping tabs on authorizations, segregation of duties, security configurations and system integrations can be a time-consuming process that’s difficult to track if done manually. Therefore, HR IT professionals should search for support tools and solutions to automate and intelligently analyze connections between third-party applications. These solutions can identify compliance errors, misconfigurations and vulnerabilities, where they originate and how to fix them. HR IT can also use these tools to view user activity, flag anomalous behavior and raise alarms when privileges have been escalated or misused. These supporting assets can free up time monitoring applications and enable teams to focus on integration concerns, patch management, and other top-of-mind initiatives that help ensure HR continues to support strategic business goals.
Cloud transformation enables HR organizations (and the IT teams that support them) to innovate at an unprecedented pace. These teams should not be held back by the security and compliance implications of next-generation SaaS-based technology. By addressing these concerns head-on and with the support of advanced technology, HR IT teams can help ensure success with SuccessFactors and other SaaS-based HCM solutions.
There’s A lot That will Inspire New Trends in B2B Sales and Marketing, Catch more from the Experts: