Home
IT Hub
Fortress in the Cloud: Workday's Commitment to Data Security

Fortress in the Cloud: Workday's Commitment to Data Security

Workday
Reco Security Experts
Updated
August 19, 2024
August 20, 2024

In today’s fast-paced digital world, data security isn’t just a buzzword—it’s a lifeline for businesses everywhere. As we lean more toward cloud-based solutions, protecting sensitive information becomes crucial. Workday, a top name in enterprise cloud apps for finance and HR, gets this. They’ve rolled out solid security measures to keep their users safe. Let’s explore these powerful tools and see why they’re game-changers for data protection.

Workday prioritizes data security from the ground up. Here's a look at some of their core safeguards:

Physical Security

Workday's production environments are in cutting-edge data centers that support mission-critical computer systems. These facilities feature fully redundant subsystems and segmented security zones. Key physical security measures implemented by Workday include:

  • Layered Authentication: Entry to the server area requires several levels of authentication, ensuring access is limited to authorized personnel only.
  • Biometric Security: Access to critical sections within the data centers demands two-factor biometric authentication for enhanced security.
  • Surveillance Cameras: Cameras are strategically placed at key internal and external access points to monitor activity 24/7.
  • Continuous Monitoring: Security staff continuously oversee the data centers to detect and address unauthorized access attempts.
  • Access Logs: All unauthorized access attempts are logged and monitored, providing an audit trail for security reviews.

Access to these data centers is strictly controlled and follows best practices, including "least access" principles for secured servers and regularly scheduled maintenance periods.

Data Segregation

Workday's multi-tenant SaaS application architecture is engineered to keep each customer's application data separate while enabling multiple customers to share a single physical system instance. This separation is managed by the Workday Object Management Server (OMS). Here’s how it functions:

  • Tenant-Specific Object Management: Each user ID is linked to a particular tenant, and the tenant organizes all application objects. This guarantees that any new object created is associated with the user’s tenant.
  • Automated Tenancy Filtering: When a user requests data, the system automatically applies a tenancy filter to retrieve only the data relevant to the user's tenant, ensuring data isolation and security.

The above image shows the Workday object management server highlighting its functions related to data protection.

Encryption of Data at Rest

Workday uses sophisticated encryption methods to secure customer data at rest:

  • Attribute-Level Encryption: Before storing in the database, every attribute of customer data undergoes encryption using the Advanced Encryption Standard (AES) algorithm with a 256-bit key. AES (Advanced Encryption Standard) is a symmetric encryption algorithm that protects data. Here's a general overview of how AES works and how it is applied in Workday:
    1. Symmetric Key Algorithm: Uses the same key for encryption and decryption.
    2. Block Cipher: Operates on fixed-size blocks of data (128 bits).
    3. Key Sizes: Supports 128, 192, and 256-bit keys.
    4. Encryption Proces
      • Substitution with a fixed S-box.
      • Byte permutation.
      • Column mixing.
      • Round key addition (repeated for multiple rounds).
  • In-Memory Architecture: Unlike traditional disk-based relational database management systems (RDBMS), Workday's in-memory object-oriented application architecture supports efficient encryption without compromising performance. This architecture, relying on a limited number of database tables, facilitates comprehensive database encryption.

Encryption of Data in Transit

Data transmitted over the internet is safeguarded by Transport Layer Security (TLS):

  • TLS Encryption: TLS ensures the security of network traffic by protecting against passive eavesdropping, active tampering, and message forgery to ensure secure communication between users and the Workday system.
  • Proactive Security Measures: Workday employs perimeter defenses and network intrusion prevention systems. Regular vulnerability assessments and penetration testing conducted by internal and external teams further strengthen network security.

Key Management 

Workday Key Management Service (KMS)

The Workday Key Management Service (WD KMS) is a robust encryption management solution. It generates, stores, and manages cryptographic keys to encrypt and decrypt your tenant data securely. Workday uses a root key to encrypt and decrypt other keys in the key hierarchy. This root key is hosted by Workday and generated using hardware security modules (HSMs) that adhere to the National Institute of Standards and Technology (NIST) 800-57 recommendations and are Federal Information Processing Standards (FIPS) 140-2 Level 3 compliant.

Workday hosts hardware and stores sensitive cryptographic materials in secure environments. Access control on a need-to-know basis, and no individual has full system access, ensuring enhanced security. Keys managed by Workday transition through various states—Generated, Activated, Disabled, and Revoked—ensuring they are secure and used appropriately throughout their lifecycle.

Workday Bring Your Own Key (BYOK)

For organizations with stringent security requirements, Workday offers the Bring Your Own Key (BYOK) feature, allowing you to generate and manage your own encryption keys. This provides an added layer of control over data security.

BYOK allows organizations to create and host their root key in their preferred cloud provider's Key Management Service (KMS), AWS, or GCP. BYOK ensures organizations meet regulatory standards, fostering greater trust with clients and stakeholders. Workday BYOK integrates seamlessly with existing key management solutions, providing a smooth and efficient implementation process.

An image explaining the broader picture of how key management works in Workday.

Data Backups

Ensuring data availability and recovery is crucial for maintaining business continuity:

  • Real-Time Replication: The primary production database is replicated in real-time to an off-site replica database, providing a reliable backup in case of data loss.
  • Daily Backups: A full backup is taken from the replica database daily. This includes collecting database backups and transaction logs to minimize the loss of committed transactions.
  • Encrypted Backups: All backups and transaction logs are encrypted, ensuring customer data remains secure even in backup storage.

Conclusion

Workday employs a comprehensive approach to data security, incorporating physical security, data segregation, encryption of data at rest and in transit, and rigorous backup procedures. These stringent measures always ensure the integrity and confidentiality of your data.

Workday offers robust tools through its Key Management Service and brings your key options, enabling organizations to safeguard sensitive information effectively. By leveraging these features, businesses can bolster data security, adhere to regulatory requirements, and maintain stakeholder trust. Workday remains committed to data security as cyber threats evolve, providing reliable cloud solutions for managing critical business functions.

Custom Permissions in Salesforce for Tailored Access Control
Have you ever had to ask for permission before taking action? Or have you been restricted from doing something you love until you get permission? The general idea of permission is to consent or authorize someone to do a particular thing or carry out an action.
Enhancing Endpoint Security Using ServiceNow's ITSM
In the modern digital age, endpoint security is an essential component of every organization's IT strategy. As IT administrators, we have to deal with the problem of securing devices connected to our networks from an increasing variety of threats.
Workday Woes: Troubleshooting Login Errors
Experiencing login issues when accessing Workday may be annoying and interfere with your productivity and efficiency. A number of things, such as mistyped login information, network problems
Get the Latest SaaS Security Insights
Subscribe to receive weekly updates, the latest attacks, and new trends in SaaS Security
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Explore More
Custom Permissions in Salesforce for Tailored Access Control
Have you ever had to ask for permission before taking action? Or have you been restricted from doing something you love until you get permission? The general idea of permission is to consent or authorize someone to do a particular thing or carry out an action.
Enhancing Endpoint Security Using ServiceNow's ITSM
In the modern digital age, endpoint security is an essential component of every organization's IT strategy. As IT administrators, we have to deal with the problem of securing devices connected to our networks from an increasing variety of threats.
Workday Woes: Troubleshooting Login Errors
Experiencing login issues when accessing Workday may be annoying and interfere with your productivity and efficiency. A number of things, such as mistyped login information, network problems
See more articles from our Hub

Start Securing Your Entire SaaS Lifecycle

Request a demo