Workday Security: We Protect What Matters
Persistent Stories
In-memory
Data
Integrations
Media
Cloud
Analytics
Documents
Business
data
AES 256 Encryption
Users and
administrators
Unauthorized access attempts are logged and monitored by data center security
Security personnel monitor 24/7
Camera surveillance systems at critical internal and external entry points
Critical areas require two-factor biometric authentication
Multiple layers of authentication required before granting access to the server area
Data privacy regulations can be complex, vary from country
to country, and impose stringent requirements. Workday continuously complies with data protection obligations and delivers strong privacy functionality and practices, enabling customers around the globe to meet their privacy commitments.
Additionally, we provide our customers’ compliance and legal teams with extensive Workday Community resources and information to help understand and validate privacy and compliance requirements for their organization, as well as detail how Workday can help power their compliance efforts.
As data protection issues and global laws continue to evolve and become increasingly complex, Workday understands the importance of a privacy program that is embedded into our company's culture and services. Workday remains committed to global privacy standards, as shown by our dedication to programs such as the Privacy Shield, Asia-Pacific Economic Cross-Border Privacy Rules, and GDPR.
As a service provider, Workday focus is on the customer. We believe that relationships are built on trust, and that trust is something earned, not given. Workday doesn’t take this responsibility lightly and remains fully committed to both earning and maintaining our customers’ trust.
In summary, at Workday, we’ve woven security into the fabric of everything we do. From an application perspective, a compliance perspective, and a technical perspective, our sophisticated measures and procedures ensure that customers receive a high-performance work environment that’s also highly secure.
Yet Workday continues to explore ways to help our customers keep their data safe, with a relentless focus on creating a culture of security. We continuously certify Workday security against the industry's most stringent compliance requirements and provide in-depth best practices and training across the Workday employee base and customer community. With our customers all on a single version, we support a rapid and comprehensive response to emerging threats and vulnerabilities and ensure all customers are up-to-date. Learn more about the ways Workday works to keep privacy and security continuous here.
In the next chapter, we'll take a deeper dive into the Workday architecture, which can be difficult to depict in a traditional stack diagram because of how intricately all the different services interrelate and work together. To help properly convey the details of how Workday architecture functions, we use a city map metaphor. Keep reading for a guided tour of Workday as a city.
Privacy, Trust, and Compliance
Workday provides an extensive set of reports available to auditors and administrators on how their users are using the Workday tenant. The audit trail, user activity logs, and sign-on reports are favorites among Workday customers and auditors.
Audit
Workday co-locates its production systems in state-of-the-
art data centers designed to host mission-critical computer systems with fully redundant subsystems and compartmentalized security zones. Workday data centers adhere to the strictest physical security measures, including:
Physical Security
Workday has also implemented proactive cloud network security procedures, such as perimeter defense and network intrusion prevention systems. Vulnerability assessments and penetration testing of the Workday network infrastructure are evaluated and conducted on a regular basis by both Workday and external third-party vendors.
Network Security
Users access Workday via the internet, and that access is protected by Transport Layer Security (TLS). This secures network traffic from passive eavesdropping, active tampering, or forgery of messages.
Encryption of Data in Transit
A fundamental design characteristic of Workday is that we encrypt every attribute of customer data within applications before the data is persisted using the Advanced Encryption Standard (AES) algorithm. This level of encryption is technically challenging but achievable because Workday is an in-memory object-oriented application as opposed to a disk-based RDBMS application. All data inserts, updates, and deletes
are committed to a persistent store on a MySQL database. This unique architecture means Workday operates with only
a few dozen database tables. By contrast, an RDBMS-based application requires tens of thousands of tables, making complete database encryption impractical due to its detrimental impact on performance.
Encryption of Data at Rest
Authorization defines user access after they successfully authenticate into a system. Authorization is defined and governed by the Workday configurable security model.
Workday enforces group policy-based security for authorization. Workday security groups combined with predefined security policies grant or restrict user access to Workday functionality, business processes, reports, and data.
Customer-configurable security groups are flexible and can be based on users, roles, jobs, organizations, or business sites. They can be combined into new security groups that logically include and exclude other groups, increasing overall flexibility. System-to-system access is defined by integration system security groups, and administrators can tailor security groups and policies to meet their needs, providing as finely grained access as needed to support complex configurations or
global deployments.
Authorization
To strengthen authentication even further and prevent attacks, Workday includes SMS and authenticator application options for Multi-Factor Authentication (MFA), including a partnership with Duo Security, a cybersecurity provider focused on trusted access and easy-to-use MFA. The partnership complements the single built-in security model
in Workday with Duo’s MFA functionality integrated seamlessly within the Workday user interface.
Multi-Factor Authentication
Organizations that use SAML, but have concerns about unauthorized access when someone leaves their console open or multiple users access Workday from the same device, have the ability to identify critical areas of Workday and force a secondary authentication factor that users must enter for access. This capability is called Step-Up Authentication, and is a proven technique to reduce the risk of account takeovers.
Step-Up Authentication
For customers using the Workday native login, heir Workday passwords are only stored in the form of a secure hash as opposed to the password itself. Unsuccessful logins and successful login/logout activity is captured for audit purposes. Inactive user sessions automatically time-out after a specified time, and are customer configurable by user or role. And Workday provides a number of customer-configurable password rules including length, complexity, expiration,
and forgotten password challenge questions.
Workday Native Login
While LDAP allows for a unified username/password, SAML takes the next step and enables an enterprise single-sign-on (SSO) environment. While LDAP Delegated Authentication makes it possible for users to have the same username and password for both their internal applications and Workday,
it still requires the user to log in twice. However, with SAML, users gain a single-sign-on experience between internal web portals and Workday.
Single-Sign-On Support
Workday supports delegated authentication through a customer’s on-premise LDAP server, such as Microsoft Active Directory. This capability supports a customer’s security team when they need to disable a user account centrally from the LDAP server without the need to log in to Workday. Workday can also automatically update the LDAP server with new active user accounts from new hires, or deactivated accounts when employees separate or go on leave of absence.
Delegated Authentication
The first step in ensuring a secure experience is being able to define that the user or system accessing Workday is authentic. Workday allows customers to create end-user identities within Workday or integrate them into Workday from external systems, such as Active Directory. Typical examples of Identity in Workday are Worker, Contingent Worker, Candidate, or Student.
The next step is to prove it. Authentication techniques prove user or system identity. Users can sign into Workday using a variety of ways including LDAP Delegated Authentication, SAML, and X.509 Certificate Authentication for both user and web service integrations; and Workday Native Authentication or Multi-Factor Authentication.
Identity and Authentication
Encryption and Network Security
Along with the core benefits of the Workday single security model, we’re constantly applying the industry’s best cloud security practices and technologies to detect, prevent, and eliminate threats and ensure global data privacy. Let’s explore the key areas of security and privacy throughout Workday:
Workday Security Lifecycle
In other words, security continuously applies to data regardless of how and where it’s used or accessed. This universal security model, combined with the automated ability in Workday to audit all data updates, helps security administrators lower the time and costs associated with governance and compliance. And, vitally, this universal security model reduces the overall security risk for all Workday users.
Workday Security Model
The Workday Single Security Model Continuously Applies to All Data
Every user and every system accessing Workday must be authenticated and authorized through the Workday security model. By contrast, legacy ERP systems often have an application layer of security that IT and DBA personnel can bypass to access data directly at the database level.
Within Workday, security cannot be bypassed. Workday is an object-oriented in-memory system with an encrypted persistent data store. And no one has direct access to the data store—users and administrators are only able access data indirectly via APIs, which are able to enforce authorization and access policies. All access and changes are continuously tracked and audited, and the Workday group policy-based security model applies for all data access across Workday applications.
Contrast this with complex legacy systems that have security models that are byzantine and hard to fully understand. These systems frequently have several ways of securing access to data across their architectures and integrations. This complexity often leads to errors and oversights that have serious consequences, and is especially true of data access from custom reporting and analytical tools. In contrast, the Workday security model stays universal. For example, our custom report writer applies the same policy-based security at a granular level for all data in all reports that a customer creates, and this security stays in effect even when these reports are distributed and accessed via mobile, dashboards, and worksheets, and through Workday web service APIs and workflow processed in our business process framework.
Central to Workday is our single security model—critical to how we continuously ensure the security of our customers’ data.
This model enables us to deploy security at scale, and security improvements for one customer benefit all of our customers. Our smallest customers in less regulated industries are able to realize the benefits of the investments we make to meet the risk appetite of our largest, most regulated customers.
One of the tenets of strong security is simplicity. Workday achieves simplicity with strong security by extending the
single security model to all data, transactions, processing, and applications. All end users, administrators, systems accessing Workday through its UI, APIs, and integrations use the same access model. This streamlines administration, making it easier to ensure that the right people and entities have the right access to the right data. The single access model also mitigates the risks associated with administrative “backdoor” access that are present in other legacy applications.
And as Workday develops and delivers new application features and updates, security is integral to our continuous delivery process. Workday applies automated security testing as a fundamental part of our continuous delivery pipeline and with every customer on the same version, any security updates are immediately available to all customers. No one is left behind
by being on an older version of our applications.
A single security model also means that we consider all customer data to be sensitive and encrypt all customer data at rest. Audit capabilities are integrated into the fabric of our applications, enabling Workday to have pervasive, always-on auditing for all customer data. And, business processes exist within Workday, not outside of it—allowing for a complete and continuous level
of audit coverage. Other solutions frequently use bolted-on audit capabilities that are limited to a subset of customer data and can be bypassed, creating headaches for auditors.
When evaluating any cloud service provider, third-party assessments are essential. Our single application architecture means that our security certifications, attestations, and third-party audit reports apply universally across our platform and to our entire application suite. We put a great deal of energy and focus through extensive auditing and certification processes to ensure that data is private and secure.
Around the globe, organizations are tasked with securing and protecting their customer, employee, and intellectual property data in an environment of increasingly sophisticated security threats. So at Workday, security is job one. When creating software that houses some of the most sensitive data that enterprises have, security must be built into the core of our application, not bolted on. And in an era of increasing regulatory scrutiny, compliance and audit capabilities are a must.
Security at Workday starts with the Power of One.
With Workday Security, There Are No “Backdoors”
Power of One: A Single Security Model