How to track user activity in PeopleSoft
“You’ve a mole in your organization.”
Ok. Ignore the dramatic start as I’ve been watching too many spy movies, but the fact is that internal threat is the real risk.
As per this report , 30% of data breaches are caused by the internal bad actors.
There are many examples where businesses, state & federal agencies were a target of insider threat as most systems are designed to stop external attackers and very less is done to stop the internal attacks.
What if you suspect that someone in your organization has a malicious intent? You don’t know for sure but then, how would you track their activity in PeopleSoft and save your business from losses & sometimes huge penalties.
Even before that day comes, you should organize PeopleSoft security on Zero-Trust model that relies on ‘Never trust, always verify’ approach.
Here are several ways to track a user’s activity in PeopleSoft to confirm if they are misusing their PeopleSoft access. Below list only covers the tracking from PeopleSoft application & doesn’t include other tracking methods that network and system administrators use to audit users in an organization.
- Track Login and Logout
Tracking a user’s login and log out activity would be the first thing that you want to track. If user has a regular day job but they log in at odd hours for an extended time without an obvious need, then this would be suspicious.
You can track user’s login activity using PSACCESSLOG. This table stores the login and log out activity of a user. You could also extract additional login information using application server logs. - Restrict Login Time
You could also restrict the login days and time for a user. This can be setup at permission list level. Once it’s setup, a user will only be able to login during the pre-determined time. This setup will at least restrict the misuse to a limited time. For example, if your setup allows a user to access PeopleSoft only during office hours when they are physically present in the office & disable their access outside of work hours, this will minimize the security violations. - Track IP Addresses
Next thing you want to track is the IP Addresses from where the PeopleSoft account is accessed. If the user is working remotely and you see that they are not logged in from their usual IP address then this might be a sign that there is an ongoing misuse. IP addresses are stored in PSACCESSLOG and can be reviewed using application server logs. - Track different user logins from the same IP addresses
Based on the above gathered information, if you notice that same IP address is used to access PeopleSoft application using different user ids then this should be carefully reviewed. Once I found a user who was using super user account to access PeopleSoft application when they shouldn’t even have access to that account. This was only found when same IP address was used to login with different User IDs. - Review & restrict page access
After making sure that you’re tracking the person in question, you can start reviewing their roles and page access in PeopleSoft and if needed, restrict their access to only limited pages. - Enable auditing for important records
If you’re worried about the user making changes to your important data and want to keep a log of those changes for obvious purpose, then you can setup field level auditing or record level auditing in PeopleSoft. - Enable security table audit
By default, PeopleSoft doesn’t track the user ID who made changes to the roles assigned to a user. Let’s say there is a person who has security access and want to cause some damage. That person could assign some critical roles to themselves and then cause the damage and then remove their roles. You will never be able to catch them as they might deny even having that critical access. In that case, you may want to enable auditing on PSROLEUSER table too. - Enable monitoring scripts
Monitoring scripts can be deployed to alert whenever a suspected user logs into the application or accesses a secure PeopleSoft screen. - Track processes
In PeopleSoft, many organizations run hundreds or thousands of processes every day. A periodic review of the processes, reports should be done and access to critical processes such as payroll or payments should be done. - Track Query and reports
You should also monitor the queries and reports that are run by the user in the past few days. If someone is stealing your data in bulk, they might be running certain queries and reports to extract this information faster. - Track bulk export
Bulk exports at database level (using SQL) or other data export tools should be monitored and such instances should trigger an alert. - Have a Plan
This is probably the most important tip. Thinking that your organization is safe and secure and won’t fall prey to insider threat, is what I would call wishful thinking. So always have a plan in place, which you can implement to secure your PeopleSoft application and take action in case of suspected behavior.
These are some of the things that you may want to setup to track in your PeopleSoft Application. There are some software solutions that you can also deploy to secure your PeopleSoft Application. Pathlock (formerly Appsian) has some products that can help with Intrusion detection, data loss prevention and several other security features.
How secure is your PeopleSoft Application and what security monitoring have you deployed ? Share your thoughts in the comment section below.
