Six signs your Workday security model could be costing you

  • Blog
  • 6 minute read
  • January 06, 2025

Nick Stone

Partner, PwC US


Jasmin Randhawa

Senior Associate, PwC US


Sydney Sernick

Manager, PwC US


Business requirements evolve, and so should your Workday security model. Security drift, the divergence of the security model's design from the business needs it is supposed to serve, tends to increase security model complexity over time. Eventually, an overly complex Workday security model increases costs in the form of administration effort, security risk exposure, adverse disclosures, and higher audit fees.

Simplifying Workday security with disciplined use of Workday’s configurable security architecture can help companies correct security drift and streamline Workday security administration. In fact, many companies can reduce Workday security administration costs by 25% with a simplified security model.

To help companies recognize symptoms of security drift (and how to correct them), we summarized the following six signs that your Workday security model might be costing you.

1. Volume of Help Desk Tickets

Help desk tickets are a convincing body of evidence that your current security model may not meet evolving business needs. After filtering out routine provisioning and deprovisioning requests, the volume of requests for additional access, custom entitlements, and access restrictions is a good gauge of where the security model hurts. A streamlined, simpler security model lets security administrators resolve these tickets quickly while still maintaining the integrity of the security environment.

In addition to help desk tickets, you can objectively gauge the volume of security model changes from Workday's native change logs. Look for changes to security groups, security policy changes and activations, new role assignments, and modifications to security segments. Simple custom reports and dashboards that track security model change volume over time help you pinpoint the inefficiencies that typically accompany Workday security drift.
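
As an added illustration of the change-log monitoring described above (this is not code from the original post or from Workday), the script below takes a constructed change-log export, keeps only the security-model object types, counts changes per month, and flags months well above the median. The object-type labels, the 1.5x spike factor, and the sample rows are assumptions made for the example; in practice the rows would come from a custom report over the relevant Workday change logs.

```python
"""Security-model change volume from a constructed Workday change-log export.

Added example, not Workday code: it assumes the change log was exported to
rows of (timestamp, object type, action). The object-type labels are assumed
for illustration, not Workday's own names.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# The kinds of change the post says to watch (labels assumed).
SECURITY_OBJECT_TYPES = {
    "Security Group", "Domain Security Policy",
    "Business Process Security Policy", "Role Assignment", "Security Segment",
}
SPIKE_FACTOR = 1.5  # assumed: a month above 1.5x the median month is worth a look

# Constructed sample rows: (timestamp, object type, action).
SAMPLE_LOG = [
    ("2024-07-03T10:12:00", "Security Group", "Create"),
    ("2024-07-09T14:40:00", "Domain Security Policy", "Activate"),
    ("2024-07-22T09:05:00", "Worker", "Edit"),  # not a security-model change
    ("2024-08-01T11:00:00", "Role Assignment", "Assign"),
    ("2024-08-15T16:30:00", "Security Segment", "Edit"),
    ("2024-09-02T08:45:00", "Security Group", "Create"),
    ("2024-09-02T08:50:00", "Security Group", "Create"),
    ("2024-09-04T13:20:00", "Business Process Security Policy", "Edit"),
    ("2024-09-10T10:00:00", "Domain Security Policy", "Activate"),
    ("2024-09-18T15:10:00", "Role Assignment", "Assign"),
    ("2024-09-25T09:30:00", "Security Group", "Edit"),
    ("2024-10-07T12:00:00", "Role Assignment", "Assign"),
    ("2024-10-20T10:00:00", "Worker", "Edit"),
]


def monthly_security_changes(rows):
    """Count security-model changes per YYYY-MM; other object types are ignored."""
    counts = Counter()
    for ts, obj_type, _action in rows:
        if obj_type in SECURITY_OBJECT_TYPES:
            counts[datetime.fromisoformat(ts).strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def spike_months(counts, factor=SPIKE_FACTOR):
    """Months whose change count exceeds factor x the median month."""
    if not counts:
        return []
    baseline = median(counts.values())
    return [month for month, n in counts.items() if n > factor * baseline]


def changes_by_object_type(rows, month):
    """Break one month down by object type, most frequent first."""
    hits = Counter(
        obj_type for ts, obj_type, _ in rows
        if obj_type in SECURITY_OBJECT_TYPES and ts.startswith(month)
    )
    return dict(hits.most_common())


if __name__ == "__main__":
    counts = monthly_security_changes(SAMPLE_LOG)
    print("security-model changes per month:", counts)
    for month in spike_months(counts):
        print(f"spike in {month}:", changes_by_object_type(SAMPLE_LOG, month))
```

On the sample rows September stands out (six security-model changes against a median of two), and the per-type breakdown shows the spike is driven by security group creation, which is exactly the kind of pattern to chase back to tickets and requesters.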

2. Number of Custom Security Groups

Workday customers create custom security groups when delivered security groups do not address a business requirement. Customers like custom security groups because they are powerful and flexible, but they are easily overused. Evaluate the number of custom security groups and look for short-cuts that increase risk and complexity. Look out for:

  • Custom security groups with only a few workers assigned
  • Custom security groups designed around a person rather than a persona
  • Custom security groups with similar permissions to Workday-delivered security groups
  • Duplicative custom security groups with slight differences in access
  • Custom security groups with no users or access assigned
  • Old or unused custom security groups

Rationalize custom security groups by confirming that each one addresses a valid business need, and define a configuration change process over custom security groups to reduce the risk of future security drift.

3. Similar Security Groups

A common provisioning short-cut is to clone an existing security group with one or two tweaks specific to a small population of workers. The practice clears the inbound access request, but it also drives security group proliferation and unnecessary security model complexity. Other consequences include higher administrative costs, higher audit fees, and a weaker security posture.

Identify similar security groups by comparing domain security policies and business process security policies across your security groups, using standard reports such as Compare Security Permissions of Two Security Groups and View Security Groups. You can also spot candidates by inspecting specific security policy configurations, or simply by looking for security groups with similar names.

4. User-Based Security Group Assignments

User-based security groups are often referred to as “administrative” security groups in Workday. The Workday-delivered user-based groups divide administrative capabilities by functional area, which supports separation of duties within the Workday administration team. Whatever the size of your team, keep in mind that users with administrative access should not also hold transactional access.

User-based security groups are also unconstrained: membership grants the group's access regardless of organization or other context. Verify that each member genuinely requires unconstrained access; where they do not, use constrained security groups and restrict them to organizations, departments, or other relevant criteria.

Carefully review workers granted user-based security groups and confirm that their administrative access reflects their role and a business need. Also make sure each user-based security group has at least two users assigned, so that a back-up is available when needed.

5. Over Assignment of Roles and Entitlements

When security models get complex, a common response is to over-extend access to cut through perceived security administration challenges. Over-extended access commonly shows up in three ways:

  • Too many role assignments: A worker with more than 10 role assignments may indicate a problem. Maintaining many roles for a single worker complicates role design, increases the effort needed to track role assignments, blurs what each role permits, and raises the risk of unintended interactions between roles. Review and rationalize role assignments through periodic user access reviews, merging similar roles and preventing redundant ones.
  • Business processes with too many initiating groups: The ability to initiate a Workday business process should be carefully controlled. A business process with more than 10 initiating security groups should be reviewed against business requirements; the more groups that can initiate a process, the higher the likelihood of errors, improper transactions, and confusion about appropriate security assignments.
  • Non-user-based security groups with more than 100 permissions: Granting more than 100 security permissions to a single non-user-based security group signals over-extended access. Security permissions here means the number of domain security policies and business process security policies in which the group is granted access. Such a group is hard to manage and raises the risk of unintended access and transactional errors. Split its permissions into smaller security groups aligned to specific roles and functions, which simplifies the model and applies the principle of least privilege.
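
The checks in signs 2 through 5 above can be turned into repeatable metrics. What follows is an added example, not code from the original post or a Workday API: it assumes the security groups (with their members and the domain and business process security policy grants), worker role assignments, and business process initiating groups have been exported, for instance from the reports named above, into the plain Python structures shown. It flags custom groups with few or no users or no access (sign 2), pairs of groups whose permission sets nearly coincide, measured by Jaccard similarity (sign 3), user-based groups without a back-up or whose members also hold transactional roles (sign 4), and the three numeric thresholds (sign 5). The "few members" cut-off, the similarity threshold, and all sample data are assumptions for the example.

```python
"""Drift metrics over a constructed Workday security export.

Added example, not Workday code or a Workday API. It assumes security groups,
worker role assignments and business process initiating groups have been
exported into the plain Python structures below.
"""
from dataclasses import dataclass
from itertools import combinations

# Thresholds named in the post.
MAX_ROLES_PER_WORKER = 10
MAX_INITIATORS_PER_BP = 10
MAX_PERMS_PER_GROUP = 100
# Assumed cut-offs: what counts as "a few" members and as "similar" permissions.
FEW_MEMBERS = 2
SIMILAR_JACCARD = 0.90


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    custom: bool         # customer-created rather than Workday-delivered
    user_based: bool     # user-based ("administrative", unconstrained) group
    members: frozenset   # worker IDs assigned to the group
    perms: frozenset     # "domain:<policy>" and "bp:<process>:<action>" grants


def jaccard(a, b):
    """Overlap of two permission sets: |A & B| / |A | B|."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def custom_group_findings(groups):
    """Sign 2: custom groups with no users, no access, or only a few members."""
    out = []
    for g in (g for g in groups if g.custom):
        if not g.members:
            out.append((g.name, "no users assigned"))
        elif len(g.members) <= FEW_MEMBERS:
            out.append((g.name, f"only {len(g.members)} worker(s) assigned"))
        if not g.perms:
            out.append((g.name, "no access assigned"))
    return out


def similar_group_findings(groups):
    """Sign 3: pairs (delivered or custom) whose permissions nearly coincide."""
    out = []
    for a, b in combinations([g for g in groups if g.perms], 2):
        score = jaccard(a.perms, b.perms)
        if score >= SIMILAR_JACCARD:
            out.append((a.name, b.name, round(score, 2), sorted(a.perms ^ b.perms)))
    return out


def user_based_findings(groups, worker_roles):
    """Sign 4: admin groups need a back-up and must not mix with transactional roles."""
    out = []
    for g in (g for g in groups if g.user_based):
        if len(g.members) < 2:
            out.append((g.name, "fewer than two members, so no back-up administrator"))
        for w in sorted(g.members):
            if worker_roles.get(w):
                out.append((g.name, f"{w} also holds transactional roles {sorted(worker_roles[w])}"))
    return out


def over_assignment_findings(groups, worker_roles, bp_initiators):
    """Sign 5: the three numeric thresholds from the post."""
    out = [("worker", w, len(r)) for w, r in worker_roles.items()
           if len(r) > MAX_ROLES_PER_WORKER]
    out += [("business process", bp, len(i)) for bp, i in bp_initiators.items()
            if len(i) > MAX_INITIATORS_PER_BP]
    out += [("security group", g.name, len(g.perms)) for g in groups
            if not g.user_based and len(g.perms) > MAX_PERMS_PER_GROUP]
    return out


# Constructed sample export. HR_PERMS holds 10 domain grants; the EMEA clone adds one.
HR_PERMS = frozenset(f"domain:Worker Data: {p}" for p in [
    "Public Worker Reports", "Personal Data", "Compensation", "Job", "Organization",
    "Time Off", "Benefits", "Contact Info", "Emergency Contacts", "Documents"])
SAMPLE_GROUPS = [
    SecurityGroup("HR Partner", False, False, frozenset({"w1", "w2", "w3", "w4"}), HR_PERMS),
    SecurityGroup("HR Partner - EMEA", True, False, frozenset({"w5"}), HR_PERMS | {"bp:Hire:Initiate"}),
    SecurityGroup("Legacy Recruiter", True, False, frozenset(), frozenset()),
    SecurityGroup("Security Administrator", False, True, frozenset({"w9"}),
                  frozenset({"domain:Security Configuration"})),
    SecurityGroup("Everything Analyst", True, False, frozenset({"w6", "w7", "w8"}),
                  frozenset(f"domain:Reporting: Area {i}" for i in range(120))),
]
SAMPLE_WORKER_ROLES = {"w7": {f"Role {i}" for i in range(12)}, "w9": {"Manager"}}
SAMPLE_BP_INITIATORS = {"Hire": {f"Initiator {i}" for i in range(12)}, "Terminate": {"HR Partner"}}


def run_diagnostics(groups=SAMPLE_GROUPS, worker_roles=SAMPLE_WORKER_ROLES,
                    bp_initiators=SAMPLE_BP_INITIATORS):
    return {
        "custom_groups": custom_group_findings(groups),
        "similar_groups": similar_group_findings(groups),
        "user_based": user_based_findings(groups, worker_roles),
        "over_assignment": over_assignment_findings(groups, worker_roles, bp_initiators),
    }


if __name__ == "__main__":
    for sign, findings in run_diagnostics().items():
        print(sign)
        for finding in findings:
            print("   ", finding)
```

Run it as a script to print the findings, or replace the SAMPLE_* structures with your own export. The similarity threshold is deliberately high so that only near-clones surface (the sample EMEA group differs from the delivered HR Partner group by a single business process grant); lower it to widen the net when hunting for sign 3, and tune the member cut-off to your population size.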

6. User Access Reviews and Certifications

If your Workday security model is heavily customized or overly complex, your user access review (a control many companies perform quarterly) may take longer than expected and may not effectively assess security risk. Symptoms of a complex security model that show up during the user access review include:

  • Large number of security groups to review
  • Insufficient understanding of security group entitlements
  • Multiple corrections arising from user access review completion
  • Stakeholder complaints on time consuming review process

Streamlining the security model and clarifying the purpose of security groups can improve efficiency of Workday security administration, including efforts related to internal controls and compliance. These benefits can even translate to lower audit fees.

These are just a few of the signs that your business may have outgrown its original Workday security design. To help clients identify and remedy symptoms of security drift, our Workday security diagnostics capabilities automate the analysis and diagnosis of complex Workday security models using dozens of metrics focused on streamlined Workday security.

Simplifying your Workday security model can help reduce administrative costs and security risks while meeting evolving business needs. So, look out for common signs that your Workday security model might be overly complex - and seek opportunities to simplify your Workday security model.

Contact us or learn more about how PwC can support your Workday journey with effective and sustainable Workday security.
