Security risks of SaaS HRMS highlighted by Oracle PeopleSoft

Back in April of this year an HRMS World article took a look at three of the more ‘non-system’ threats to HRMS security in 2015: the ways in which your data might be at risk due to cybercrime, your own budget cutbacks, or a too-reactive attitude to security matters. Naturally, there are also more technical weaknesses when it comes to protecting your HR data, and recent news has highlighted an issue connected to the increasingly online nature of business intelligence applications.

Business application security provider ERPScan used Oracle PeopleSoft systems to demonstrate the TokenChpoken attack as a means of gaining unauthorised access. The results were a little worrying: over 40% of the Oracle systems accessible via the internet were shown to be vulnerable.

TokenChpoken

The TokenChpoken attack can be used against systems that rely on Single Sign-On (SSO), which is a further worry because, let’s face it, SSO is a key convenience when using multiple, integrated systems. In the interests of efficiency, the usual recommendation is to integrate your various HR packages; after all, there’s nothing more off-putting to users than having to log on over and over again, every time they need to access a different system. However, ERPScan has shown that the authentication cookie underpinning that SSO convenience can be forged, enabling the unscrupulous to sail through multiple identification procedures at once. Apparently, decrypting it takes only a day and costs under $500, which, given the potential value of the data in the average large company’s systems, offers the hacker a good return on investment.

Fixing SaaS security risks

What’s more, a simple patch is no solution. More rigorous protection comes from changing any default passwords and using certificate authentication for token nodes. As a spokesperson for ERPScan says, “Those changes will require some configuration, especially if [the] customer uses multiple nodes. And, of course, it requires [users] to turn off systems for some time to reconfigure it. Every time customers stop [these types] of systems, they stop business processes that can result in loss [of] profits, for instance.”

These days we have increasingly flexible working arrangements, virtual and remote teams and an increasing demand for mobile 24/7 access to HR (and other) systems. Add this to the budgetary arguments in favour of cloud and SaaS deployment and internet-accessible HRMS won’t be going away anytime soon.


Yet, it’s hard to imagine that Oracle PeopleSoft is the only vendor whose systems are vulnerable in this way.

It seems that easy access for authorised users carries with it potentially easier access for those who are less authorised. There’s a cost to everything, and in this case, accessible data and a simpler user experience appear to mean more rigorous precautions need to be taken behind the scenes by those responsible for IT.

Dave Foxall

About the author…

Dave worked as HR Manager for the Ministry of Justice for a number of years; he now writes on a broad range of topics including jazz music and, of course, the HRMS software market.
