Security posture for Workday application at Netskope

Workday is a cloud-based software platform that provides a suite of enterprise applications for human resources (HR), finance, and planning. It is designed to help organizations manage their workforce, streamline business processes, and gain insights into their operations.

Workday is a critical application which hosts sensitive information. Netskope is currently monitoring and securing access to Workday internally with a breadth of products that are developed and maintained by the development and QA teams. These capabilities include areas such as inline protection, API-enabled protection, SaaS security posture management (SSPM), and Cloud Firewall, to name a few. In this guide, we will provide a perspective of how Netskope’s products and capabilities are used internally for securing enterprise data. 

Real-time Protection

• We are restricting access to the Workday app for Netskope employees through client enforcement in IDP, whereby access to Workday would be granted only if users are connecting to our corporate Netskope tenant, making use of dedicated egress IP ranges specific to the tenant. More details regarding this can be found here.
• This helps achieve two goals for the Customer Zero team. One is to secure access to Workday through the Netskope client. The other one is to force users to connect to our corporate tenant via the client so that their web access is subject to our policy and security stack.

Access is locked out when a user is not connected to our production tenant via NS client or when the client is disabled.

• Traffic originating from managed endpoints [Windows, Mac, and Linux OS], is currently being steered via the Netskope Client to the cloud, where deep inspection takes place, in the form of policies. 
• This gives us the capability to manage the traffic to Workday in a granular manner.
• Netskope’s Cloud Confidence Index (CCI) has analyzed and classified Workday as an enterprise application, and provides an overview of the activities that are identified by the Netskope proxy for inline traffic. These activities include:
  • Delete
  • Login Failed  
  • Login Successful
  • Logout
  • Share
  • View
  • Invite
  • Login Attempt

Policy capabilities currently in place:

1. Block access to the application when traffic is originating from unused real-time access methods (other than adopted methods of Netskope client, IPSec). 
2. Threat protection:
   • Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture. CE consumes valuable Netskope telemetry and external threat intelligence and risk scores, enabling improved policy implementation, automated service ticket creation, and exportation of log events from the Netskope Security Cloud.
   • This protects users from uploading and downloading malicious files and data. 
3. Monitor with more scrutiny the upload, download and formpost activities for users who are about to end their employment with Netskope. 

SaaS Security Posture Management (SSPM)

SaaS Security Posture Management (SSPM) is a service that provides an organization insight into the security posture of their SaaS applications. According to Gartner, SSPM is defined as “tools that continuously assess the security risk and manage the security posture of SaaS applications. Core capabilities include reporting native SaaS security settings' configuration and offering suggestions for improved configuration to reduce risk."

Some of the benefits of SSPM include:

• Continuous security assessment into policy violations of SaaS apps.
• Guided remediation of misconfigurations.

Rules we have in place for Workday Security Posture check are:

Each of these rules satisfy the following compliance standards:

• CSA-CCM-4.0
• GDPR-2016-679
• HIPAA-1996
• ISO-27002-2013
• NIST-CSF-1.1
• NIST-800-53-4
• PCI-DSS-3.0
• AICPA-SOC-TSC-2017

Nextgen SSPM version supports enhanced features for Workday security posture management. This provides some new features such as:

• Visibility to SaaS apps and sub resources (in Inventory page)
• Powerful Netskope Governance Language (NGL) which is a lot easier to use and also helps hunt down details such as:
  • The name of all users who have access to any connected apps on Workday. 
  • Names of users having access to a particular connected app installed on Workday. 
  • A list of all connected apps a particular user has with access to on Workday. 

• Ability to create custom rules quickly based on NGL queries
• Revamped simplified Policies page (doing away with ‘Profiles’)
• Support for cross-application rule
• There is also a findings history visualization available with the next gen feature. This shows the status of compliance findings for Workday over the last seven days visually.
• In the policy, we also have an option of sending SSPM rule violation notifications to the concerned SaaS app admin, so they can start working on remediating the alerts accordingly. 

• When checking the rules that failed, we can see the NGL definition the rule is based on:

• The definition associated with each rule gives a good reference for searching the inventory for finding resources that don’t satisfy the criteria the rule is checking. 

• Netskope begins building an inventory within five minutes of the account configuration. Subsequently, inventory updates are run at the same frequency as the compliance assessments. At the time of the account setup, you can choose to run the compliance assessments every 15 minutes, 30 minutes, 45 minutes, and 60 minutes.
• Reports can also be generated for further analysis of compliance findings.

User Behavior Analytics 

For both real-time as well as API-based Workday traffic, machine learning algorithms can be used and classified, as part of Netskope Behavior Analytics. Netskope's User Behavior Analytics tool looks at patterns of human behavior, and then applies algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, behavior analytics tracks users. There are a set of predefined Behavior Analytics rules that can be used to create policies for detecting any abnormalities in both real-time, as well as API connector-based Workday instances, from a user activity perspective. A Few of these are mentioned below:

• First access from an IP block for the organization: Find users that are coming from /16 IP blocks that have never been seen before for the overall organization. The idea is to find potentially compromised credentials being used outside of the organization. 
• Users accessing the application from risky countries.  

Application Activity Summary dashboard can be used in Advanced Analytics to get some insights of trends for Workday.

We hope this blog posting has been helpful in providing an insight into how workday has multiple layers of protection at Netskope. Please feel free to discuss any concerns or questions that you may have.