
COVID-19: Securing your Workday tenant

With the overwhelming need for your workforce to stay home, securing your Workday tenant while enabling their flexibility to access enterprise systems is one of the top priorities for your organization. Workday provides companies with the ability to define authentication rules specifying from where and how employees can access your Workday installation.

In addition to providing employees with access to your systems, you also need to protect these systems against malicious access attempts. Beyond securing the physical connections and devices as recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), there are application-level configurations that can be put in place to further strengthen your organization's security posture.

The key pillars of an application security strategy to overcome the unprecedented challenges you may be facing include:

  • Authentication—defining who can access systems
  • Authorization—defining how users can access systems
  • Access Control—defining what users can do after they have signed in
  • Auditing—verifying users are doing what they are expected throughout the process

To achieve a solid security foundation in Workday, security administrators should review their Workday authentication policy to confirm which groups and networks are currently supported and identify any opportunities to extend the Workday Authentication Policy.

Security admins should also review attempted sign-ons into the system to determine whether there are gaps in the policy, or challenges that employees face, when they try to access Workday outside of their usual access methods. Additionally, security administrators should consider enabling Workday's additional security features such as Security Emails, Trusted Device, and Multi-factor Authentication (MFA).

Authentication policies

Authentication policies determine how users can access your Workday tenant, either by blocking networks or by establishing rules that determine how users sign in. Workday's authentication policy lets you define, for each security group, the IP ranges from which its members are expected to connect and the authentication methods they are allowed to use to access the tenant.

Key Supported Authentication Methods

Authentication Method  | Type           | Consideration
Username and Password  | Workday Native | Can support self-service password resets
SAML for SSO           | Federated      | Most common protocol for SSO solutions
OpenID Connect         | Federated      | Use Google to authenticate users into Workday

 

Supported Multi-factor Authentication Factors

MFA Option              | Relative Effort | Consideration
Challenge Questions     | Medium          | Not a true second factor (it is another knowledge factor, like the password), but intuitive enough for users to set up and use in Workday
SMS One-time Passcode   | High            | Requires setup and user phone data
Email One-time Passcode | Low             | Requires Security Emails to be enabled
Authenticator App       | Low             | Uses the industry-standard TOTP algorithm, which is supported by widely available authenticator apps

Note: As of Workday 2020 R1, MFA solutions are also available for federated (SSO) authentication methods.

 

 

Access restrictions

In addition to controlling how an employee signs into Workday, you may also leverage Access Restrictions to control what users can do after they’ve signed in. The access restriction is applied based on the authentication rule configured, so it can be used to allow regular access while on a known trusted network and restrict to self-service when off-network.

This feature is particularly useful for users with elevated permissions: they keep self-service access from anywhere, while sensitive administrative activity is limited to the trusted network.

Some examples of the possible restrictions include:

  • Sensitive information (whether it needs to be viewed and/or transacted upon)
  • Certain transactions, such as payment elections or tax elections, where the unmasked Social Security Number (SSN) is viewable
  • Phone numbers, addresses, dependents and beneficiaries
  • Any non-applicable data and transactions for former employees or other groups of employees

Access from personal or mobile devices

Employees may need the flexibility to access the system from several different devices from day to day, so the policy you design should permit Workday for mobile where appropriate. Use of the Workday mobile app is controllable via Domain Policies for Workday's Android and iOS apps.

Workday approaches security with a ‘unified’ model and applies it across all platforms. It is completely independent of device types, so the user will be consistently granted or denied access to functionality regardless of which type of device they are on. Since access is provided based on this security policy, it is consistent across all platforms, including desktop. Some tasks might not be available on the mobile app per the List Task Available on Mobile report.

Access to Workday’s mobile application can be restricted for a user when they log in outside of a whitelisted network. This restriction will apply to all devices; access cannot be limited by device type (i.e. Workday mobile app or desktop off-network.)

Additionally, Workday provides the ability to leverage your organization’s Mobile Device Management (MDM) solution to apply more granular authentication rules within the authentication policy.

For more information on Workday for Mobile, check out our article here.

Other security items for review

Workday provides additional security features related to the behavior of the tenant that aid in refining the experience and providing granular control over security features. These include:

  • Using activity audit reports to better understand user behaviors
  • Enabling an authenticator selector to provide specific sign-on experiences
  • Allowing security emails to be generated when users login from new devices

See below for more details on other security items.

Auditing Sign-ons and Attempted sign-ons

Sign-Ons and Attempted Sign-Ons is a Workday-delivered report that provides key details on every user access attempt: the time, the user's source IP address, the authentication method attempted, any problems that occurred during the sign-on, and the access restrictions applied to a successful sign-on.

This report can be customized by copying and modifying it. For report writers, the same sign-on details are also available through the Workday Account business object, which enables worker-level reporting to analyze sign-ons across the organization, including when each worker last signed in and from where.
 
Workday also offers the ability to view detailed audits in the system, providing deeper insights into user activity through the View User Activity report.
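The report described above is only useful once someone asks questions of it. The following is an added example, not part of the original article and not Workday code, of the three questions a security admin would run first over an export of the report: which users are failing (and which of those failures are the policy itself blocking a method, i.e. a gap employees are hitting), which source addresses show the many-accounts-few-attempts-each pattern of password spraying, and which successful off-network sign-ons received no access restriction. The CSV rows and column names are constructed to match the fields the report provides; the corporate range is a placeholder.

```python
import csv
import io
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample rows in the shape of the report's key fields; the column
# names are an assumption for this example, not Workday's report definition.
SAMPLE_REPORT = """\
sign_on_time,user,source_ip,auth_method,status,failure_reason,access_restriction
2020-03-23T08:01:10Z,jdoe,10.20.1.15,SAML,Success,,None
2020-03-23T08:03:44Z,asmith,198.51.100.23,SAML,Success,,Self-Service Only
2020-03-23T09:10:02Z,bjones,192.0.2.77,Password,Failed,Invalid password,
2020-03-23T09:10:09Z,cwhite,192.0.2.77,Password,Failed,Invalid password,
2020-03-23T09:10:15Z,dgreen,192.0.2.77,Password,Failed,Invalid password,
2020-03-23T09:10:21Z,ehall,192.0.2.77,Password,Failed,Invalid password,
2020-03-23T09:11:03Z,jdoe,192.0.2.77,Password,Failed,Invalid password,
2020-03-23T09:30:12Z,asmith,198.51.100.23,Password,Failed,Authentication method not allowed,
2020-03-23T09:31:40Z,asmith,198.51.100.23,SAML,Success,,Self-Service Only
2020-03-23T10:05:00Z,hradmin,198.51.100.90,SAML,Success,,None
"""

# Constructed allow-listed corporate range (private address space, not a real tenant's).
CORP_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_report(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def on_corp_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def failed_sign_ons_by_user(rows) -> dict[str, int]:
    """Users whose attempts failed, for follow-up on access problems."""
    return dict(Counter(r["user"] for r in rows if r["status"] == "Failed"))


def policy_blocked_methods(rows) -> dict[str, set[str]]:
    """Failures caused by the authentication policy itself (method not allowed for
    that network or group): a legitimate user hitting a gap in the policy."""
    blocked = defaultdict(set)
    for r in rows:
        if r["status"] == "Failed" and r["failure_reason"] == "Authentication method not allowed":
            blocked[r["user"]].add(r["auth_method"])
    return dict(blocked)


def suspected_spray_sources(rows, min_failures: int = 4, min_users: int = 3) -> dict[str, tuple[int, int]]:
    """Source IPs with many failures spread across many accounts: the pattern of
    password spraying rather than one user mistyping a password."""
    failures = defaultdict(list)
    for r in rows:
        if r["status"] == "Failed":
            failures[r["source_ip"]].append(r["user"])
    return {ip: (len(users), len(set(users)))
            for ip, users in failures.items()
            if len(users) >= min_failures and len(set(users)) >= min_users}


def unrestricted_off_network(rows) -> list[str]:
    """Successful off-network sign-ons that received no access restriction;
    each is a user the policy should probably limit to self-service off-network."""
    return sorted({r["user"] for r in rows
                   if r["status"] == "Success"
                   and r["access_restriction"] == "None"
                   and not on_corp_network(r["source_ip"])})


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("failed by user:", failed_sign_ons_by_user(rows))
    print("blocked by policy:", policy_blocked_methods(rows))
    print("suspected spray:", suspected_spray_sources(rows))
    print("unrestricted off-network:", unrestricted_off_network(rows))
```

In the constructed sample, 192.0.2.77 fails once against each of five accounts, which is why the spray check keys on distinct users per source rather than on failures per user; a single user with five failures is a forgotten password, five users with one failure each from one address is a credential-guessing campaign. The asmith rows show the other thing the report reveals: a real employee whose password sign-on the policy rejects off-network before succeeding over SSO.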

Tenant Setup - Security

The Tenant Setup – Security page defines a broad array of options related to security, including the configuration for self-service Password Resets as well as the SAML, OpenID Connect and Multi-factor Authentication settings.

Security Item                                 | Description
Enable Security Emails                        | Allows notifications to be generated when account security changes are made, notifying users at their work or home email.
Enable Forgotten Password Reset               | Provides the ability for users to reset their password with Challenge Questions or with a one-time-use link emailed to their work or home email.
Login Redirect and Authentication Selector    | Provides the ability for organizations to offer different sign-on routes and methods. This is often used to support diverse user populations that have varying authentication methods.
Mobile Authentication                         | Enables use of biometrics and a mobile PIN on the mobile app, for greater convenience when users access Workday from the mobile apps.
Trusted Device                                | Enables employees to designate a device as trusted. Whenever a new "untrusted" device signs in for a given user, the user receives a notification indicating that a new device has signed in.
Multi-factor Authentication Settings          | Designates the supported MFA solutions that can be combined with native authentication as well as federated (SSO) authentication.

 

Workday's authentication recommendations

Whether employees use your company’s SSO or Workday’s native credentials, Workday recommends all clients use a Multi-factor Authentication approach across the board. 
 
From a design perspective, Workday encourages that rules be ordered so that they are evaluated in decreasing levels of restriction, with a default rule that applies to any user not matched by the other defined rules. The default rule ensures that a minimum company-wide restriction is in place for users who do not fall into any rule defined for specific security groups.
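The ordering advice above, together with the earlier Access restrictions section (regular access on the trusted network, self-service only off-network), is easiest to see as first-match evaluation. The following is an added example, not Workday's implementation or configuration, that models a policy as an ordered list of rules, each scoped to a set of security groups and to the corporate network, an off-corporate source, or any source, and each carrying the permitted authentication methods, an MFA requirement, and the access restriction applied after a successful sign-on. The rule names, group names, task names and address ranges are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added illustration of first-match authentication-policy evaluation; rule names,
# group names, task names and the address ranges are constructed, not Workday's.
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


def on_corp_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset            # security groups covered; empty = every user (the default rule)
    network: str                 # "corp", "off_corp" or "any"
    auth_methods: frozenset      # methods the rule permits, e.g. "saml", "password"
    require_mfa: bool
    restricted_tasks: frozenset  # access restriction applied to sign-ons matched by this rule


@dataclass(frozen=True)
class SignOn:
    user: str
    groups: frozenset
    source_ip: str
    method: str
    mfa_passed: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str
    reason: str
    restricted_tasks: frozenset = frozenset()


ADMINS = frozenset({"Security Administrator", "HR Administrator"})
ADMIN_TASKS = frozenset({"Edit Security Group", "Export to PDF/Excel", "Attachment Download"})
SENSITIVE_SELF_SERVICE = frozenset({"Change Payment Elections", "View Unmasked SSN"})

# Ordered from most to least restrictive; the catch-all default is last.
POLICY = [
    Rule("admins off corp network", ADMINS, "off_corp", frozenset({"saml"}), True,
         ADMIN_TASKS | SENSITIVE_SELF_SERVICE),
    Rule("admins on corp network", ADMINS, "corp", frozenset({"saml"}), True, frozenset()),
    Rule("managers off corp network", frozenset({"Manager"}), "off_corp", frozenset({"saml"}), True,
         frozenset({"Export to PDF/Excel", "Attachment Download", "Change Payment Elections"})),
    Rule("all users on corp network", frozenset(), "corp", frozenset({"saml", "password"}), False,
         frozenset()),
    Rule("default", frozenset(), "any", frozenset({"saml"}), True, SENSITIVE_SELF_SERVICE),
]


def network_matches(rule: Rule, ip: str) -> bool:
    if rule.network == "any":
        return True
    corp = on_corp_network(ip)
    return corp if rule.network == "corp" else not corp


def evaluate(policy, signon: SignOn) -> Decision:
    """The first rule whose group and network conditions match decides the sign-on;
    less restrictive rules further down the list are never consulted."""
    for rule in policy:
        if rule.groups and not (rule.groups & signon.groups):
            continue
        if not network_matches(rule, signon.source_ip):
            continue
        if signon.method not in rule.auth_methods:
            return Decision(False, rule.name, f"{signon.method} not permitted by this rule")
        if rule.require_mfa and not signon.mfa_passed:
            return Decision(False, rule.name, "MFA required but not satisfied")
        return Decision(True, rule.name, "sign-on permitted", rule.restricted_tasks)
    # Reached only when the policy has no default rule: fail closed rather than open.
    return Decision(False, "<no rule>", "no rule matched")


def task_permitted(decision: Decision, task: str) -> bool:
    """Access-restriction check applied to a task after a successful sign-on."""
    return decision.allowed and task not in decision.restricted_tasks


if __name__ == "__main__":
    home_admin = SignOn("hradmin", ADMINS, "198.51.100.7", "saml", mfa_passed=True)
    d = evaluate(POLICY, home_admin)
    print(d.rule, task_permitted(d, "View Payslip"), task_permitted(d, "Edit Security Group"))
```

Two properties of the ordering are worth checking in your own policy the same way: an administrator signing in from home must hit the restrictive admin rule before the general on-network rule could ever apply to them, and an employee in no named group must still land on the default, which here demands MFA and withholds payment elections and unmasked SSN. Swapping the first two rules would not change the outcome, but moving "all users on corp network" above the admin rules would give an administrator on the office network password sign-on with no MFA, which is the failure the decreasing-restriction order prevents.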
 

Alight's POV

In the face of these unprecedented conditions, we recommend the following:

  • Familiarize yourself with the Sign-Ons and Attempted Sign-Ons report and analyze it to understand failed sign-ons by user as well as attempted sign-ons from potentially malicious sources.

  • Every user should be subject to a Multi-factor Authentication (MFA) solution or, at minimum, IP-restricted to harden access methods.

  • If your organization does not have an MFA solution applied, we recommend using Workday’s Authenticator App as the MFA due to ease of setup and use for the users compared to all other MFA methods.

  • We recommend enabling security emails to ensure users are notified of relevant security notifications from Workday regarding their account.

  • Employees now have even more of a need to review their information online and receive the latest information from their organization. Leveraging access restrictions will help enable self-service while limiting access to sensitive tasks. You may also consider Workday's "Stepped Up Authentication" feature, which forces re-authentication when a user attempts to access protected data or tasks within Workday, to satisfy stricter information security requirements.

The recommendations below highlight some configuration approaches in the Workday Authentication Policy:

On/Off network recommendations

Access Restrictions (these recommendations apply to all device types). For each user type, the items listed are the restrictions to decide between "Allow only On Network" and "Allow on Both On/Off Network", followed by the comments that drive that decision.

Employees
  • Items: Export to PDF/Excel; Check In/Out; Inbox Approval; Payment Elections; Attachment Download (Limited); Inbox Complete Actions/To Dos
  • Comments: Unless Multi-factor Authentication is in place, Payment Elections should only be changeable when on the corporate network. Check In/Out should not have Off Network access unless there is a specific business reason.

Manager
  • Items: Attachment Download (Limited); Check In/Out; Export to PDF/Excel; Payment Elections; Inbox Approval; Inbox Complete Actions/To Dos
  • Comments: Managers should not be allowed to download data related to the employees they support.

Administrators
  • Items: Attachment Download (Limited); Check In/Out; Export to PDF/Excel; Inbox Approval; Inbox Complete Actions/To Dos; Payment Elections
  • Comments: Administrators and HR roles should not have Off Network access unless there is a specific business reason.
