This article explains how to use Workday's session management controls to reduce the risk of unauthorized access to sensitive data.
Session management governs how long a user's session lasts and what can happen within it: how long a session may run, when it ends, and when the user must sign in again. Good session management lets legitimate users get their work done without unnecessary interruptions while keeping unauthorized users out, which in turn mitigates risks such as data breaches and financial losses.
Imagine Sarah, a busy marketing manager, logging in to Workday on her office computer to check campaign performance. She gets occupied in a brainstorming session and forgets to log out before leaving for lunch. An hour later, a colleague stumbles upon Sarah's unlocked computer. With an open Workday session, they can potentially access sensitive data or even make unauthorized changes.
The following sections look at the foundational and advanced controls that make up session management in Workday, one component at a time:
A. Session Timeout
In Workday, a session timeout is the period of inactivity after which Workday automatically ends your login session. Once your session has timed out, you must re-enter your password to continue working in Workday. This limits how long an unattended session stays usable.
When you log in to Workday, the backend server creates a session identified by a unique ID and records your IP address, username, and temporary data against it. A timer linked to the session starts counting down from the timeout duration set by your administrators. Each action you take in Workday resets the timer, signalling continued activity. If the timer expires with no activity, the session is treated as idle, Workday shows a session timeout notice, and you must re-authenticate to continue.
For PCI user accounts, Workday fixes the session timeout at 15 minutes and it cannot be changed. For accounts that are not PCI user accounts, you can adjust the session timeout:
i. Use the Maintain Password Rules task to change the tenant's default session timeout.
ii. Use the Edit Workday Account task to adjust an individual user's session timeout.
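To make the timer behaviour above concrete, here is an added example of a server-side session store with an idle timeout that resets on every request and a fixed, non-overridable 15-minute timeout for PCI accounts. This is illustrative code written for this article, not Workday's implementation; the 30-minute tenant default, the `login`/`touch`/`logout` names and the use of plain epoch seconds for time are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PCI_TIMEOUT_MINUTES = 15  # fixed for PCI accounts and cannot be overridden


@dataclass
class Session:
    session_id: str
    username: str
    client_ip: str
    idle_timeout: float   # seconds of inactivity allowed before the session ends
    last_activity: float  # server-side timestamp (seconds) of the last request


class SessionStore:
    """Server-side session table with an idle timeout that resets on every request."""

    def __init__(self, tenant_default_minutes: int = 30):
        # Hypothetical tenant default; in Workday it is set via Maintain Password Rules.
        self.tenant_default = tenant_default_minutes * 60.0
        self.sessions: Dict[str, Session] = {}

    def effective_timeout(self, is_pci: bool,
                          user_override_minutes: Optional[int] = None) -> float:
        """PCI accounts always get the fixed 15-minute timeout, whatever the tenant
        default or per-user setting says. Other accounts use the per-user override
        if one was set (Edit Workday Account), otherwise the tenant default."""
        if is_pci:
            return PCI_TIMEOUT_MINUTES * 60.0
        if user_override_minutes is not None:
            return user_override_minutes * 60.0
        return self.tenant_default

    def login(self, username: str, client_ip: str, now: float,
              is_pci: bool = False, user_override_minutes: Optional[int] = None) -> str:
        """Create a session after successful authentication and return its ID.
        The ID comes from a CSPRNG so it cannot be guessed or predicted."""
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(
            session_id, username, client_ip,
            self.effective_timeout(is_pci, user_override_minutes), now)
        return session_id

    def touch(self, session_id: str, now: float) -> bool:
        """Call on every request. Returns True and resets the idle timer if the session
        is still live; returns False and discards the session if the timer has expired
        (or the ID is unknown), so the caller must require re-authentication."""
        session = self.sessions.get(session_id)
        if session is None:
            return False
        if now - session.last_activity > session.idle_timeout:
            del self.sessions[session_id]  # expired: force a fresh login
            return False
        session.last_activity = now
        return True

    def logout(self, session_id: str) -> None:
        """An explicit logout ends the session immediately instead of waiting for the timer."""
        self.sessions.pop(session_id, None)
```

The important design points are that the timer is checked and reset on the server using the server's clock, that an expired session is deleted rather than merely flagged, and that the PCI rule is applied inside `effective_timeout` so no caller can accidentally hand a PCI account a longer window. In the Sarah scenario above, an idle timeout of this kind is what bounds how long her unattended session stays usable.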
B. Multi-Factor Authentication (MFA)
MFA adds a second verification step. The username and password remain the first factor, and MFA requires an additional, independent factor before access is granted, which significantly strengthens the overall security posture because a stolen password alone is no longer enough.
Before enabling MFA in a Workday tenant, there is a crucial prerequisite: users need security access to the relevant domains for the task and any additional actions. Once that access is in place, you must set up MFA providers in the tenant before you can specify them on authentication policies; challenge questions are the exception and need no provider.
Workday automatically prompts users to enroll when they sign in with any MFA method. Workday advises giving users instructions on how to capture and safely store their backup codes, since those codes are what gets a user back in if the second factor is lost. For one-time email passcodes, Workday automatically prompts users the first time they sign in to verify the email address to which it will send the passcodes. For SMS one-time passcodes, Workday prompts users at sign-in to set up the SMS passcode: they pick a cell provider during setup and choose, from the list of phone numbers on record, the number to which Workday will text the one-time passcodes.
C. IP Address Restrictions (Optional)
IP address restrictions in Workday are a security feature that allows your organization to control which IP addresses or IP ranges can access the Workday platform.
Before maintaining IP ranges in a Workday tenant, there is a crucial prerequisite: users need security access to the relevant domains in the System functional area. You can define sets of IP addresses as client networks and reference them in authentication policies as allowed or blocked networks for accessing Workday.
i. Access the Maintain IP Ranges task.
ii. To define a network, add a row and input a list of IP addresses separated by commas in the IP range box.
iii. To disable an IP range, tick the inactive check box (optional).
iv. Access the Activate All Pending Authentication Policy Changes task to confirm changes.
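The steps above define named client networks and mark some of them inactive; the authentication policy then decides whether a sign-in from a given address is allowed or blocked. The following added example (written for this article, not Workday's code) models that evaluation: each `ClientNetwork` is one row of the Maintain IP Ranges task, an inactive row never matches, a match on a blocked network wins over any allowed network, and an address that matches nothing, or cannot be parsed at all, is denied. The class and function names, the three-valued result and the ordering of the blocked check before the allowed check are assumptions of the example; the sample addresses are from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class ClientNetwork:
    """One row of the Maintain IP Ranges task: a named network built from a
    comma-separated list of IP addresses or CIDR blocks, plus an inactive flag."""
    name: str
    ip_range: str
    inactive: bool = False

    def networks(self):
        parts = [p.strip() for p in self.ip_range.split(",") if p.strip()]
        # A bare address such as "198.51.100.10" becomes a /32 (or /128) network.
        return [ipaddress.ip_network(p, strict=False) for p in parts]

    def contains(self, addr) -> bool:
        if self.inactive:
            return False  # an inactive range never matches, as if the row were gone
        return any(addr in net for net in self.networks())


@dataclass
class AuthenticationPolicy:
    allowed: List[ClientNetwork]
    blocked: List[ClientNetwork]


def evaluate_signin(policy: AuthenticationPolicy, source_ip: str) -> str:
    """Decide what to do with a sign-in from source_ip.

    'block' - the address is in a blocked network (checked first, so a block
              always wins over an allow);
    'allow' - the address is in an active allowed network;
    'deny'  - anything else, including unparseable addresses (fail closed).
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny"
    if any(net.contains(addr) for net in policy.blocked):
        return "block"
    if any(net.contains(addr) for net in policy.allowed):
        return "allow"
    return "deny"


# Constructed policy for the example: an office range plus one extra host, a
# retired VPN range kept on record but marked inactive, and one blocked host
# that sits inside the office range.
OFFICE = ClientNetwork("Corporate office", "203.0.113.0/24, 198.51.100.10")
OLD_VPN = ClientNetwork("Retired VPN", "192.0.2.0/24", inactive=True)
BLOCKED_HOST = ClientNetwork("Blocked kiosk", "203.0.113.77")
POLICY = AuthenticationPolicy(allowed=[OFFICE, OLD_VPN], blocked=[BLOCKED_HOST])
```

Whatever enforces a policy like this must take the source address from the connection itself, or from a header set by a proxy you control, never from a header the client can write, otherwise the restriction is trivially bypassed. The fail-closed handling of malformed input matters for the same reason.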
D. Access Restrictions
Workday access restrictions are a broad set of controls that limit what users or groups can see and do within the platform. This ensures data security and compliance with regulations by granting access only to the functionalities and information required for each user's role.
Before enabling access restriction in a Workday tenant, there's a crucial prerequisite: ensuring users have the necessary security access to relevant domains in the system functional area. Access restrictions and authentication policies allow you to restrict Workday access based on the kind of sign-in (internal vs. external network).
In the Excludes Functionality prompt, select the Workday functionality to which you want to restrict access.
E. Monitoring Sign-Ins
In Workday, monitoring sign-ins means recording and reviewing user login activity. It matters both for security and for keeping an audit trail of who accessed the platform, from where, and when.
Before enabling sign-in monitoring in a Workday tenant, there is a crucial prerequisite: users need security access to the relevant domains in the System functional area. Once the View Signon History report is enabled for them, users can examine their own Workday sign-in activity for a chosen period and look for anything unusual, such as sign-ins they do not recognize.
Access the Activate Pending Security Policy Changes task to confirm changes.
Users can access the View Signon History report and review the details of their sign-in activity.
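Reviewing sign-in history by eye does not scale, so here is an added example of the kind of check a security team could run over exported sign-on records. It is not Workday code and the records are constructed for the example, with a simplified user, timestamp, source IP and result layout rather than the real report's columns; the three rules (a success preceded by a burst of failures, a success from an address the user has never used before, and a success outside business hours), the thresholds and the 07:00 to 19:59 business-hours window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample sign-on records (not real Workday report output).
# Fields: user, timestamp (ISO 8601), source IP, result.
SIGNON_HISTORY = """\
sarah,2024-03-04T09:02:00,203.0.113.5,SUCCESS
sarah,2024-03-04T13:15:00,203.0.113.5,SUCCESS
sarah,2024-03-04T23:41:00,198.51.100.200,FAILED
sarah,2024-03-04T23:41:30,198.51.100.200,FAILED
sarah,2024-03-04T23:42:10,198.51.100.200,FAILED
sarah,2024-03-04T23:43:05,198.51.100.200,SUCCESS
raj,2024-03-04T08:55:00,203.0.113.9,SUCCESS
raj,2024-03-05T09:01:00,203.0.113.9,SUCCESS
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 counts as normal (assumption for the example)


def parse_history(text: str) -> List[Dict]:
    """Turn the comma-separated export into records with real datetimes."""
    records = []
    for line in text.strip().splitlines():
        user, ts, ip, result = [f.strip() for f in line.split(",")]
        records.append({"user": user, "time": datetime.fromisoformat(ts),
                        "ip": ip, "result": result.upper()})
    return records


def review_signins(records: List[Dict], failed_threshold: int = 3,
                   window_minutes: int = 10) -> List[str]:
    """Return one finding per suspicious successful sign-in, evaluated per user
    in time order so that each user's own history is the baseline."""
    window = timedelta(minutes=window_minutes)
    findings: List[str] = []
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_user[r["user"]].append(r)

    for user, rows in by_user.items():
        seen_ips = set()                 # addresses this user has signed in from before
        recent_failures: List[datetime] = []  # failure timestamps still inside the window
        for r in rows:
            # Drop failures that are older than the window relative to this event.
            recent_failures = [t for t in recent_failures if r["time"] - t <= window]
            if r["result"] != "SUCCESS":
                recent_failures.append(r["time"])
                continue
            when = r["time"].isoformat()
            if len(recent_failures) >= failed_threshold:
                findings.append(f"{user}: success at {when} after {len(recent_failures)} "
                                f"failed attempts within {window_minutes} min "
                                f"(possible password guessing)")
            if seen_ips and r["ip"] not in seen_ips:
                findings.append(f"{user}: success at {when} from new address {r['ip']}")
            if r["time"].hour not in BUSINESS_HOURS:
                findings.append(f"{user}: success at {when} outside business hours")
            seen_ips.add(r["ip"])
            recent_failures = []  # a success closes the failure window
    return findings


if __name__ == "__main__":
    for finding in review_signins(parse_history(SIGNON_HISTORY)):
        print(finding)
```

On the constructed data, Raj's two office sign-ins produce nothing, while Sarah's late-night success from a new address after three failures trips all three rules. A first-ever sign-in is never flagged as a "new address" because there is no baseline yet, and a success resets the failure counter so one bad password typed earlier in the day does not taint a later legitimate login. Real sign-on exports would need the parser adjusted to their actual columns.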
Effective session management is key to keeping Workday secure. By setting up session timeouts, requiring re-authentication for sensitive tasks, using multi-factor authentication, and constantly monitoring sessions, organizations can protect their sensitive data without sacrificing user convenience. Regularly reviewing and updating these policies ensures they stay effective against new threats, keeping both your organization and its employees safe.