Workday contains the most critical data of your organization: information about employees’ SPI and PII, payroll, performance reviews, time tracking and recruiting, all of which is critical to the functioning of your organization. How this data is handled is essential to the health of your company, and security is the first concern when using Workday.

In this article, we take a look at security for Workday, starting out with some foundational security concepts, and then moving on to discuss how test automation in particular enables better security for Workday.

Shared responsibility for security
Workday, like other cloud-based platforms, uses a shared security model. This means that Workday takes responsibility for certain aspects of security, and leaves other aspects to customers. Here are some of the aspects of security that Workday is responsible for:

Data isolation: Workday data is housed on multi-tenant servers that Workday owns and operates. It is Workday’s responsibility to ensure every customer’s data is well-isolated from other customers’ data.

Data encryption: Workday encrypts all customer data so that it is not easy to decipher in the event of a data breach. There are two types of data encryption – data encryption at rest, and data encryption in transit.

Login security: Workday supports multiple types of logins to the applications on its platforms. These include Single Sign-on (SSO), LDAP, and SAML. How your applications and data are accessed is important to security, and Workday has some strong defaults for this.

These are foundational security concepts within Workday, and though you as a customer have some responsibilities with these features, the bulk of the management in these cases is on the part of Workday.

Now, let’s look at the aspects of security that fall within a customer’s domain, and how automated security can help with this.

1. Access controls
Configuring access controls for users in Workday is a key security responsibility of the customer. Workday Security Groups are of three kinds: role-based, user-based, and standard worker. As you configure access, remember to follow the principle of least privilege, and give users just enough access to complete their key tasks. Wherever possible, give users ‘view-only’ access rather than ‘manage’ access.

Similarly, with automated testing in Workday, you can give testers different levels of access so that only some users can create and manage tests, while others can only view tests. Testing accesses sensitive parts of Workday, and it’s important to keep automated tests accessible to only a select few. Automated testing makes it easier to scale access control to multiple users, unlike manual testing, which requires manual review and assignment of access controls every time you run a test.

2. Negative testing
The goal of testing is to surface bugs, security vulnerabilities, and malfunctioning features across the application. To do this well, testing should look to break things and push the application to its limits. Users will try everything that is possible in an application, even if it causes issues. Testing should be ahead of users in this aspect and attempt as many scenarios as possible. It’s not possible to test every permutation and combination of how the application works before release, which is why post-release testing is important. The concept of continuous testing is relevant to Workday testing, where you need to test right from the start of development all the way to post-production. When a bug is found, it’s not cause for concern, but rather an opportunity to fix something. In that sense, testers should be rewarded for finding more bugs, and automated tests that don’t uncover bugs and issues in the application are of less value than those that do.

3. Testing the integrations
Integrations are essential to Workday. Typically, an organization has numerous integrations with applications like Salesforce, ServiceNow, Cornerstone, SAP ERP, Oracle EBS, Atlassian Jira and custom applications built in-house. The number of integrations can range from a few tens of integrations to hundreds of integrations. Integrations enable cross-department operations and complex workflows, and make it possible to automate these workflows. It’s important to test these integrations to ensure they are secure, and are handling data as expected.

Automated testing can help you test integrations easily. As Workday releases updates, and as the various integrated applications are updated, automated testing can check that integrations are compliant.

Many security breaches occur when third-party applications abuse their access to an application or they handle data carelessly. Automated testing puts checks and balances in place to ensure that integrated third-party apps are reined in and their behavior is always monitored and compliant.

4. Auditing & compliance
Auditing and compliance checks should be done frequently, as the system keeps changing. Despite changes, you want the application to remain compliant, and automated testing can run quick checks across the system to ensure adequate steps were taken to secure data and allow only authorized access.
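The least-privilege guidance from the access controls section can be run as this kind of recurring check. The following is an added example, not code from Workday or from any testing product: the CSV columns, group names, domains and the baseline are constructed for illustration and do not reflect a real Workday report format.

```python
import csv
import io

# Constructed sample data: column names and values are hypothetical and do not
# reflect any real Workday report format.
EXPORT_CSV = """group,domain,access
HR Partner,Worker Compensation,view
HR Partner,Performance Reviews,manage
Payroll Admin,Payroll Results,manage
All Employees,Worker Compensation,manage
Recruiter,Payroll Results,view
"""

# Approved maximum access per (group, domain); anything else is a finding.
BASELINE = {
    ("HR Partner", "Worker Compensation"): "view",
    ("HR Partner", "Performance Reviews"): "view",
    ("Payroll Admin", "Payroll Results"): "manage",
}

# 'manage' outranks 'view', so a view-only approval does not cover manage.
RANK = {"view": 1, "manage": 2}


def audit_grants(export_text, baseline):
    """Return (group, domain, issue) findings for grants beyond the baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["group"], row["domain"])
        access = row["access"].strip().lower()
        if access not in RANK:
            findings.append((*key, f"unknown access level '{access}'"))
        elif key not in baseline:
            findings.append((*key, f"unapproved {access} access"))
        elif RANK[access] > RANK[baseline[key]]:
            findings.append((*key, f"{access} granted, only {baseline[key]} approved"))
    return findings


if __name__ == "__main__":
    for group, domain, issue in audit_grants(EXPORT_CSV, BASELINE):
        print(f"FAIL {group} / {domain}: {issue}")
```

Run against each new export, an empty result means every grant is at or below its approved level; any finding is a configuration drift to review.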

5. Reporting on security events
Automated testing surfaces security loopholes and can report on vulnerabilities before the application is released and the vulnerability causes damage. For this to be possible, you need to set up detailed reporting for the automated tests. By reading test metrics with an eye for security compromises, you can spot issues and stop them from escalating.

Test automation tools should enable real-time reporting and detailed reporting for tests. This reporting should be easy to analyze and view at every level whether an overview or the minute details. It should be easy to share with teams, and give each team a view that’s appropriate for them to take action. Test automation tools for Workday should also include real-time alerts that alert the right person to take action immediately when an event has just occurred or is about to occur.

As you look to make your Workday HCM more secure, you need a test automation tool to enable the kind of proactive security that’s required. It should let you check access controls for users (who should have access, and at which level), and enable you to do negative testing and surface bugs easily. Additionally, a Workday test automation tool should enable testing of Workday integrations at scale, and it should ensure every part of the application is compliant and auditable. Finally, a test automation tool for Workday should provide robust reporting that delivers both the top-level view and the in-depth view that’s required for managing and operating Workday applications.

A robust testing tool like Genie ensures all these core security features are tested successfully, and takes your Workday testing to the next level. It ensures you maintain high levels of security without spending time on manual writing of test scripts. Try Genie and experience the difference in security management for Workday.