Selling Management on the Hazards of Not Using HTTPS?

Nathan Wallwork asks: "I work as a Linux system administrator for a company with about 2600 employees. This company is currently implementing PeopleSoft to manage financial data (HR, Payroll, Stocks, Compensation, Accounting and SEC Reporting, etc). This doesn't really relate to Linux, so I only became involved when I found out that they had implemented the web interface with HTTP instead of HTTPS. I'm being told that although PeopleSoft claims to support HTTPS, they typically don't recommend the use of HTTPS as a best practice, because they've seen 'unspecified' problems at other sites, and claim that our switched network will protect us." Would you trust important, internal financial data using a switched network as your only safety net?

"I've pointed out the problems I see with all the plain text user names, passwords, Social Security Numbers, employee bank account numbers (for auto deposit), salaries, and other sensitive data. I've pointed out cached web pages, the possibility of ARP-poisoned switches and insufficient IDS, the hundreds of vendors with remote access to the internal network, and the possibility of identity theft and fraud. I've pointed out that stream ciphers have epsilon additional latency, and our machines have idle CPU. I've also pointed out the possibility that supervisors' sniffed passwords could be used to modify data in numerous ways, exposing the company to fraud, liability, and whatever penalties come with being out of compliance with Department of Transportation requirements.

The folks at PeopleSoft don't seem to know the first thing about security, and I know I won't get any help there. As one example, they wanted us to FTP our private data to their upload site, and they said they'd be sure to delete it fairly quickly once they had grabbed it. [No, we didn't do that.]

I have the impression that I'm not reaching the right people at my company, or somehow I'm just not communicating the risks clearly enough or forcefully enough. So far, I don't think I've really convinced the project manager that this is a risk that MUST be mitigated. I think the likelihood and impact are both being seriously underestimated.

Can you offer any advice that doesn't seem to be inherently career-limiting (such as playing whistle-blower and talking to the regulating agencies, labor department, legal department, union leaders, and so forth)?

Also, can you point me to any articles about other companies that have made similar security mistakes (ideally with HTTP vs HTTPS) and suffered as a result."

  • by BigBir3d ( 454486 ) on Monday March 03, 2003 @03:27PM (#5425839) Journal
    Find something secure, price it out. Take it to the decision maker, and request a meeting between yourself, the decision maker, and the company you are using now. Demand HTTPS as a minimum, otherwise you will take your business elsewhere. They will either do what you want, or you will find someone else who will. Timeframe is important.
    • by Kevin Stevens ( 227724 ) <kevstev@ g m a i l .com> on Monday March 03, 2003 @03:59PM (#5426106)
      PeopleSoft is more of a 'system', not an application... it's not as simple as saying... I'll go Google up some alternatives, make a business and rollout plan, and next week we will all be secure. Moving from PeopleSoft would be similar to moving the entire company from Windows to Linux. We are talking about a major change here, and how are you going to convince HR types who are afraid of change and who just spent a fortune on PeopleSoft, which works very well, to all of a sudden make a move to another product? Taking a hard stance here will, if he is lucky, get him laughed at. At worst, it will get him fired.
      • Personally I'd avoid using PeopleSoft in the first place... My university recently began using PeopleSoft.. the student front end is virtually unusable and according to staff the staff interface is worse. The system also seems to be pretty unstable.
        While these can be dealt with, they don't fill me with confidence in PeopleSoft's ability to produce a quality system.
        • One of the nice things about PeopleSoft is its customizability... my company does PeopleSoft work, and as I have heard them put it... a lot of their tools and interfaces are not meant to be used on their own, but as a starting point to be expanded upon, i.e. all those interfaces can and should be changed. We do work for a BIG company, and I have never heard them complain about instability... nor could they tolerate it; you may have a poorly configured installation. They also seem to be grabbing a lot of market share, so they must be doing something right.
          • Supposedly ours was configured specifically for the University... however I suspect the customization was adding the uni logo and such. Perhaps unstable is the wrong word, the system stays up it just doesn't do what it is supposed to do.

            I believe a lot of the problem is that the system is designed for HR more than student enrolments and so is a bad solution to the problem. However, basic things like meaningful error messages are missing (e.g. Error 512564, instead of "You haven't sat a pre-requisite paper").
          • They also seem to be grabbing alot of market share, so they must be doing something right

            Yeah, charging 100 million in consulting fees and licensing is that something... The system is crap and I've never seen a company get more out of it than seeing on their balance sheet how they are now 100 mil in the hole. The only thing worse is SAP, a godawful nightmare itself, and 200 million instead.
        • Personally I'd avoid using people-soft in the first place... My university recently began using people soft.. the student front end is virtuall unusable and according to staff the staff interface is worse. The system also seems to be pretty unstable. Wile these can be delt with they don't fill me with confidence in people soft's ablility to produce a quality system.

          And which university allows you to get away with such atrocious spelling? ;o)

          Anyway, I can second that. UMass just went to PeopleSoft (for big bucks, despite massive budget cuts everywhere else on campus), and the new system sucks big fat hairy moose-cock. Jesus H. Christ, the idiots who are deploying it are beyond idiots. They went live (as in registrations and such depending on the system) with major components of the functionality still in TODO (like counting all courses to figure out GPAs...). I actually got a letter from the Dean saying [paraphrased] "your GPA is under 2.00. Please do not come back for the next semester... P.S. your GPA is actually above 2.00; the computer merely thinks you have a sub-2.00 GPA").

          • Sounds like our experience at Montana State: they fired up the new one and shut off the old one on the same day. It was pretty sad; professors weren't getting paid, sub-organizations were bouncing checks for lack of a final balance. The whole thing would have been funny if it weren't so sad. I have since learned that most of the integration money was spent making the new PeopleSoft forms look and act exactly like the old mainframe-based system, so the data entry people wouldn't get confused. It was also odd to get help desk calls about installing the very specific client, which was just a certain telnet client the user had used in training.
          • it's so confusing he can't type
  • by DeadSea ( 69598 ) on Monday March 03, 2003 @03:28PM (#5425847) Homepage Journal
    Can you offer any advice that doesn't seem to be inherently career-limiting (such as playing whistle-blower and talking to the regulating agencies, labor department, legal department, union leaders, and so forth)?
    Nathan Wallwork doesn't think that telling every blackhat cracker that reads Slashdot about these insecurities will be career-limiting. I wonder what his boss will think? I think he would have been better off with the regulating agencies.
    • Has anyone else noticed that his company has "2600" employees?? I would think that they should be a most secure company....

      (For the inevitable "I don't get it" post... 2600 is a quarterly publication for hackers...)
    • by Anonymous Coward
      OK, you need to follow these two steps precisely.

      1. First, you must march into your boss's office and demand that he follow your requirements for HTTPS. The security of your company is at stake! Don't take no for an answer, and don't be afraid to elevate this to the CEO directly. Yes, the job market is tight, but they will respect your dedication to the company.
      2. Second, and this is most important, send me the name, phone number, and FAX number for your human resources department. I need to send them some information about my knowledge of system administration and security to help reinforce your case.
      By the way, does your company have a dental insurance plan?
    • "Nathan Wallwork doesn't think that telling every blackhat cracker that reads slashdot about these insecurities will be career-limiting. I wanted what is boss will think? I think he would have been better off with the regulating agencies."

      As I said, the system is being implemented. There will be more data accessible in the future than there is now. The exposure and cost of change are constantly increasing. Better to fix it now than to wait. Besides, security through obscurity wouldn't help; it would only allow people to think they were safe.

  • Proof of concept? (Score:4, Informative)

    by Phleg ( 523632 ) <stephen AT touset DOT org> on Monday March 03, 2003 @03:29PM (#5425855)
    Perhaps you could try demonstrating how easy it would be for a potential cracker to get the information from the system. Where I've worked, explaining it usually isn't enough; they think I'm exaggerating it, or that I'm just being paranoid. When I then show them in two or three seconds of typing how mindlessly easy it is to sniff data off the network, it goes a long way to helping out my case.
    • by Unknown Poltroon ( 31628 ) <unknown_poltroon1sp@myahoo.com> on Monday March 03, 2003 @04:59PM (#5426638)
      Get a signed memo from someone higher up requesting that you do this, or else they might fire/prosecute you. How many cases have we heard here about helpful employees pointing out a security risk, only to be attacked for hacking the system? I don't know what your work environment is, but all it takes is one idiot pointy-haired boss to make your life a living hell for being helpful.
    • As Unknown Poltroon writes, get it in writing first.

      Then a proof of concept works great. A friend of mine demonstrated an open SMTP server running at his company. He sent mails from god@heaven, and from boss@company.com telling the manager that he deserved a raise.

      That server was off in no time.

      Mark
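A concrete form of the demonstration Phleg and the replies above describe, as an added example that is not code from the original thread: it parses a constructed capture of what a passive observer on the same segment recovers from a plaintext HTTP login (form fields, session cookie, Basic auth) and contrasts it with the header of a TLS record, where only the record type, version and length are visible. The hostname, URL paths, field names and values are assumptions for the example, not anything taken from the poster's PeopleSoft deployment. As the replies say, point anything like this at a real network only with written authorisation.

```python
"""What an eavesdropper recovers from plaintext HTTP versus a TLS record.

Added example for the thread above, not code from the original post. The
captured bytes below are constructed for illustration; the hostname, paths,
form field names and values are assumptions.
"""
import base64
from urllib.parse import parse_qs

# Field names an HR/payroll login or profile form might carry. Which names a
# real application uses varies; these are assumed for the example.
SENSITIVE_FIELDS = {"userid", "pwd", "password", "ssn", "account", "routing"}


def parse_http_request(raw: bytes) -> dict:
    """Split one HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def extract_secrets(raw: bytes) -> dict:
    """Return what a passive observer learns from one plaintext request:
    Basic-auth user/password, the session cookie (enough to hijack the
    session), and any sensitive fields in a URL-encoded POST body."""
    req = parse_http_request(raw)
    found = {}
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("latin-1")
        found["basic_user"], _, found["basic_password"] = decoded.partition(":")
    if "cookie" in req["headers"]:
        found["cookie"] = req["headers"]["cookie"]
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and req["body"]:
        for name, values in parse_qs(req["body"].decode("latin-1")).items():
            if name.lower() in SENSITIVE_FIELDS:
                found[name.lower()] = values[0]
    return found


def inspect_tls_record(raw: bytes) -> dict:
    """Read the 5-byte TLS record header (RFC 2246 layout); the payload
    is ciphertext, so the observer gets no application fields at all."""
    content_type, major, minor = raw[0], raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    return {"content_type": content_type, "version": (major, minor),
            "payload_len": length, "plaintext_fields": 0}


# Constructed capture: a login POST over plain HTTP (hostname assumed).
LOGIN_POST = (
    b"POST /psp/ps/EMPLOYEE/HRMS/c/login HTTP/1.1\r\n"
    b"Host: hr.example.internal\r\n"
    b"Cookie: PS_TOKEN=abc123sessiontoken\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 48\r\n"
    b"\r\n"
    b"userid=jsmith&pwd=Winter2003&ssn=123-45-6789&x=1"
)

# Constructed capture: a report fetch protected only by HTTP Basic auth.
BASIC_GET = (
    b"GET /reports/payroll HTTP/1.1\r\n"
    b"Host: hr.example.internal\r\n"
    b"Authorization: Basic " + base64.b64encode(b"hradmin:s3cret") + b"\r\n\r\n"
)

# Constructed TLS application-data record (type 0x17, TLS 1.0, 48-byte
# payload). Real ciphertext would be random bytes; zeros stand in for it.
TLS_RECORD = bytes([0x17, 0x03, 0x01]) + (48).to_bytes(2, "big") + b"\x00" * 48

if __name__ == "__main__":
    print("plaintext login POST leaks:", extract_secrets(LOGIN_POST))
    print("plaintext Basic auth leaks:", extract_secrets(BASIC_GET))
    print("TLS record shows only:", inspect_tls_record(TLS_RECORD))
```

Run it as-is to see the two plaintext requests give up user names, a password, an SSN and a session token, while the TLS record yields nothing beyond its length. A real sniffer on a switched segment still needs a way to see the traffic (ARP poisoning, a mirror port, or a flooding switch, as discussed further down the thread), which is exactly the part the vendor's "switched network" argument assumes away.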
  • by Anonymous Coward
    implement https on /. already!
  • Would you trust important, internal financial data using a switched network as your only safety net?

    Probably. If anybody wanted to gain access to your data, they would do something more direct than simply sniffing the network and seeing what goes by.

    Hell, have you ever considered the possibility that somebody might just call the main office and ask for it?

    Stressing over HTTP versus HTTPS is, in most cases, putting bolts on your windows while leaving your door off its hinges.
    • I won't go off you for this, but dude. Just because one thing is broken doesn't mean you should leave other things broken.

      Also, it's called due diligence. It's doing your job. If you can call in for the information, and you inform the proper people, AND you can't do any more, then it's your duty to secure your section and that alone. If you can secure both, you secure both.

      Stressing over HTTPS, whether telnet is open with no passwords or everything else is secure, is a software engineer's duty to his position.

      • Just because one thing is broken doesn't mean you should leave other things broken.

        Fix what's important first, and worry about the small things later.

        Somebody accessed patient data at Indiana University Center for Sleep Disorders through a Trojan horse [iupui.edu]. Last month, somebody got ahold of 8 million credit card numbers, [washingtonpost.com] and while the details of the theft haven't been released yet, you can be sure it wasn't through HTTP.

        If you want to waste your time implementing security measures that won't help and ignoring those that will, that's your business. But if you do, don't make the mistake of thinking that you're doing a good job.
        • Right. But if he's not involved with patching certain errs, then he can't redirect his own priorities. That's overstepping your bounds. If he can, then he should.

          So it's not a waste of time if his manager is telling him, he needs to do this. So answer his question.
        • "If you want to waste your time implementing security measures that won't help and ignoring those that will, that's your business. But if you do, don't make the mistake of thinking that you're doing a good job."

          I'll certainly agree that this isn't the only area where security could be improved (I've already suggested other changes, some of which have been adopted). I'm attempting to address this particular concern at this time because the system is being implemented now, so the cost of change is relatively low. If we cannot even get security correct on new systems as they go into place, it will be much more difficult to talk people into going back and fixing other systems. It will also be more difficult to convince people to do the next project correctly, because security was skipped for this project.

          Security is an on-going process of setting standards and following them. The standards are being actively trampled here, so this is the right battle at this moment.

          • The standards are being actively trampled here, so this is the right battle at this moment.

            Since you brought up the word "battle," that naturally puts one in mind of that old saw, "Choose your battles." Weigh the benefits against the effort required. If you either (1) drop PeopleSoft for another solution, or (b) screw with the vendor's supported configuration, you're making significant work for yourself. Is it worth it? Isn't it possible that your time could be better invested elsewhere?

            One has to keep a sense of perspective about these things, otherwise one ends up tilting at windmills.
            • "Since you brought up the word "battle," that naturally puts one in mind of that old saw, "Choose your battles." Weigh the benefits against the effort required."

              Yeah, it was with that in mind that I picked the word. I've considered the implications, and I really do think this is currently the low hanging fruit from the security perspective. At least it ought to be. If PeopleSoft cannot make their software work with HTTPS, we certainly want to know about it now. If this only requires a certificate and a few changes to href tags, this is certainly worth doing.

              "If you either (1) drop PeopleSoft for another solution, or (b) screw with the vendor's supported configuration, you're making significant work for yourself. Is it worth it? Isn't it possible that your time could be better invested elsewhere?"

              We're not going to drop PeopleSoft. There is way too much political momentum at this point. As for my time and effort, when I consider how long PeopleSoft is likely to be in use here, how many people will use it, and how much data is exposed, I believe this is an appropriate use of my time.

              "One has to keep a sense of perspective about these things, otherwise one ends up tilting at windmills."

              I'd have advised Don to use a torch instead of a lance. If anyone has advice that would be similarly appropriate for my situation, let me know. I'm open to suggestions. That's why I'm here.

    • I'm not sure you're considering all the ramifications of this company's lack of internal security. While no data is coming into the system or going out of it, I still don't post my ss# or cc# in my company email. Why? Because there could be some people with a chip on their shoulder for me or just an unscrupulous coworker. Because data is internal doesn't mean it is safe from prying eyes, it just reduces the number of prying eyes.

      --trb
    • I disagree - suppose they have a wireless part? Could be pretty simple to sniff some data without physical intrusion...

      Mark
  • Answer (Score:5, Informative)

    by 4of12 ( 97621 ) on Monday March 03, 2003 @03:34PM (#5425907) Homepage Journal

    Would you trust important, internal financial data using a switched network as your only safety net?

    No, I wouldn't.

    And neither should your IT management accept sloppy handling of sensitive data.

    You should mention some words to the effect of "our responsibility" and "legal liability".

    And here's another log to toss on the fire: My corporation uses PeopleSoft for various HR related Web interfaces. And guess what? We use https for these transactions, despite our switched network, despite our firewall protecting us from the outside world.

    So it can be done. Companies that care about protecting sensitive data do it. There's no excuse not to do it at your site, too.

    • I second that. It's very, very easy for a switched network to be put in 'dummy mode' so the switches are effectively hubs. And once you do that, you can just log all traffic and figure out what it is later.

      That's a really basic course in identity theft and credit card theft the e-way.

      You need to have firewalls, routers with strict access lists, servers with minimal ipchains setup.

      If you're the one that gets blamed for this later, you'll probably lose your job.

      Oh, and also, document every time you try to get them to implement security (propose it in writing), and make sure they sign if they're against it. That way they can't play the blame game.
    • "You should mention some words to the effect of "our responsibility" and "legal liability"."

      Yeah, I already said those things. How do I get the right people to hear me?

      • Re:Answer (Score:3, Informative)

        by Beatbyte ( 163694 )
        Try proposing stuff in writing. When they shoot down security measures with their name signed at the bottom of the page, it's MUCH harder to play the blame game.

        or just tell them its more cost effective (which after lawyers and lawsuits it would be) to do https.
        Saving money always makes them happy.
      • How do I get the right people to hear me?

        If you don't even know who the right people are, then you're not in a position in the company where this is your problem. Tell your manager your concerns, and document the conversation. Then drop it.

        If you know who the right people are, but they're not listening, then you're not in a position in the company where this is your problem. Tell the people your concerns, and document the conversation. Then drop it.

        In a company of 2,600 people, there is going to be a lot of crap that's busted, poorly done, or just plain b0rked. Find something else to fix.

        If you can't find anything worth fixing -- nothing that is interesting to you, within your technical and political capabilities, has some monetary benefit to the company, and is within your sphere of influence -- and you enjoy fixing things, then find a different job.
    • I concur.

      Each time I hear "switched network = security", I cringe. Just think about it for 5 seconds: any enterprise-grade switch has a "sniffing/packet mirroring/..." function. This takes 5 seconds to configure, and a network link, to sniff out anything coming to/from the server and any client deemed appropriate.

      Would you trust your network admin with all the company data? Maybe yes, but:

      Secondly, a switch is not a security device. Even if you do not ARP-poison it (noisy, that), getting the switch password is enough for any ill-intentioned individual to repeat the former scenario. So, still not convinced?

      Something else: if the PeopleSoft guys do not want to implement HTTPS, then start questioning their level of competence. Because the nebulous problems they are mentioning do not compare to what can happen if someone has access to the personal data in your company. Just think litigation there...

    • Any security a switch provides is merely a by-product of its prime purpose, which is to reduce the traffic passing over any one link in a network.

      Although they do this by not forwarding traffic onto networks that don't contain the destination host for a packet, this does not mean that they never send a packet out on all ports. If a host drops off of a switch's tables for whatever reason, the switch will forward all traffic meant to go to that host on all ports until the switch is able to add the host back into its tables again.

      Furthermore, it is fairly easy to spoof a switch into sending traffic to you instead of a packet's intended host, and there's nothing in a switch's design to keep someone from doing it.

      Yeah, it's harder to intercept traffic on a switched network, but since switches don't even attempt to implement security, those words 'responsibility' and 'legal liability' that the parent mentions really do come into play - anyone worth their salt in networking would say that your company hasn't even tried to implement security, so they could easily be held liable.

      If they insist on avoiding HTTPS and using only switches to implement security, at least convince them to buy switches that support VLANs and use them to segment the network to keep traffic from going to groups of people that it shouldn't go to.
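The ARP-poisoning path mentioned in several of the comments above is the one attack on a "switched network" that leaves evidence on the wire, and it is the one a cheap monitor can catch. As an added example (not code from the original thread), the script below parses raw Ethernet/ARP frames and applies the two checks an ARP watcher can run on every reply it sees: the sender MAC inside the ARP payload has to match the Ethernet source address, and an IP address must not start resolving to a different MAC without notice. The addresses and the capture are constructed for illustration; the server and workstation names are assumptions. It does nothing against port mirroring configured by someone who has the switch password, which is the other scenario raised above and which produces no frames to detect.

```python
"""ARP cache poisoning detection from raw frames.

Added example for the thread above, not code from the original post. MAC and
IP addresses below are constructed for illustration.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(eth_src: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply (RFC 826 layout).

    eth_src is the real Ethernet source address; sender_mac is what the ARP
    payload claims. They are equal for an honest host and can differ when
    an attacker forges replies without spoofing the frame header.
    """
    eth = mac(target_mac) + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip) for an ARP reply, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4 or op != ARP_REPLY:
        return None
    return eth_src, frame[22:28], frame[28:32]


class ArpMonitor:
    """Tracks IP -> MAC bindings seen in ARP replies and flags changes."""

    def __init__(self):
        self.table = {}   # ip (bytes) -> mac (bytes) as last seen

    def observe(self, frame: bytes) -> list:
        """Feed one frame; return alert strings (empty list if benign)."""
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return []
        eth_src, sender_mac, sender_ip = parsed
        alerts = []
        if eth_src != sender_mac:
            alerts.append(f"ARP sender {fmt_mac(sender_mac)} does not match "
                          f"frame source {fmt_mac(eth_src)}")
        known = self.table.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts.append(f"{fmt_ip(sender_ip)} changed from "
                          f"{fmt_mac(known)} to {fmt_mac(sender_mac)}")
        # Record the new claim so that a later flip back is reported too
        # (the classic "flip flop" pattern of an active poisoner).
        self.table[sender_ip] = sender_mac
        return alerts


def run_capture(frames) -> list:
    """Replay a capture through a fresh monitor; return all alerts raised."""
    mon = ArpMonitor()
    alerts = []
    for frame in frames:
        alerts.extend(mon.observe(frame))
    return alerts


# Constructed capture (names and addresses assumed): the web server answers
# a workstation honestly, then an attacker claims the server's IP twice,
# once with a spoofed frame header and once without.
SERVER_IP, SERVER_MAC = "10.1.1.10", "00:0a:95:9d:68:16"
CLIENT_IP, CLIENT_MAC = "10.1.1.50", "00:0a:95:9d:68:50"
ATTACKER_MAC = "00:de:ad:be:ef:01"

CAPTURE = [
    build_arp_reply(SERVER_MAC, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(ATTACKER_MAC, ATTACKER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(ATTACKER_MAC, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
]

if __name__ == "__main__":
    for alert in run_capture(CAPTURE):
        print("ALERT:", alert)
```

The first frame is silent, the second trips the binding-change check, and the third trips both checks, because the attacker's frame header and ARP payload disagree and the binding flips again. On a real segment the frames would come from a raw socket or a pcap file rather than the constructed list, and the alerts would go to whatever the existing IDS uses.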
  • It seems to me that you work for a fairly large company - if you don't think its too far out of bounds, fire off a quick email to one of your corporate risk lawyers (or some such similar position), to schedule a meeting. If you want to be nice and PC, then be sure to invite your immediate manager, and his/her supervisor, too.

    Then, you can explain the risks/rewards etc. Unless the lawyers are incompetent, they are going to want to do whatever they can to mitigate the risk of lawsuits/fraud etc.
    • BAH, missed the comment about talking to the lawyers (being a career-limiting move and all). At this point, then, I think you are screwed. I'd put as much as you can in writing and send it off to your boss. That's the CYA part; in case something happens, you can always say "I warned you!"

      Then, update your resume :)
  • by drivers ( 45076 ) on Monday March 03, 2003 @03:44PM (#5425990)
    if I had 2600 [2600.com] employees.

    (just kidding... I'd actually trust them more than most)
  • https works (Score:2, Informative)

    by Anonymous Coward
    We run peoplesoft over https. Not sure why anybody would suggest it doesn't work. As far as I know it was simply a matter of setting up apache correctly (although i have heard rumors that there are certain hardcoded urls buried in the app that won't get correctly rerouted...).
    • "We run peoplesoft over https. Not sure why anybody would suggest it doesn't work. As far as I know it was simply a matter of setting up apache correctly (although i have heard rumors that there are certain hardcoded urls buried in the app that won't get correctly rerouted...)."

      Great, that's helpful information. I'd love to be able to verify it, and learn more about your setup. Please consider contacting me privately with more details, if you can.

      Thanks.

  • by keramida ( 41339 ) on Monday March 03, 2003 @04:02PM (#5426129) Homepage
    I'm being told that although PeopleSoft claims to support HTTPS, they typically don't recommend the use of HTTPS as a best practice, because they've seen 'unspecified' problems at other sites, and claim that our switched network will protect us.

    That's b*shit!

    You should never, EVER, rely on claims or rumours for "unspecified" problems. What were those problems? There are hundreds, maybe thousands, of sites that use HTTPS. The PeopleSoft people should present verifiable, repeatable cases where HTTPS was the cause of problems that HTTP could "magically" solve.

    Sacrificing security just because someone says "HTTPS will cause problems" is something you shouldn't accept. At all. Ask the one who makes such silly claims to provide more data.

    • While I agree with your point, there are a lot of issues with HTTPS.
      • You can't do name-based virtual hosting with HTTPS, since the certificates are sent before the Host: header is.
      • Older versions of IE have all kinds of issues with SSL, which is why most sites you see on the internet put you into SSL for one, maybe two pages, then set a cookie and go back to using HTTP, since IE screws up SSL as soon as its persistent connection expires or something. It took us ages to figure out why some people couldn't view more than a handful of pages on a customer's site.
      • You have to buy certificates and keep them up to date. You can get around this by setting up your own CA and then pushing your certificates to all your clients sometimes, but if you have to use a "real" CA, then you're looking at the most expensive bits on the planet (8 byte signature, a few hundred dollars US?...)
  • Use a proxy (Score:3, Informative)

    by cs668 ( 89484 ) <cservin&cromagnon,com> on Monday March 03, 2003 @04:11PM (#5426193)
    If peoplesoft can not use HTTPS without problems. Use a proxy that supports it and then don't let anyone HTTP directly at the peoplesoft machine.
    • I hate to say this, but MOD PARENT UP!

      This is a simple, elegant solution if there are nay-sayers at every turn. It won't take long to set up a working example (set your windows HOSTS file to point mypeoplesoftserver.domain.com to your proxy https server and you're half way there). OK, so it's not the "correct" solution, but I'm guessing it will be approximately 1% of the effort required to get the problem fixed at source.

      Low-hanging fruit at its best!
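The proxy approach above solves the wire problem but runs straight into the "hardcoded URLs buried in the app" that an earlier comment mentions and the "few changes to href tags" the poster anticipates: an application that believes it is serving http:// will emit redirects, links and cookies that pull the browser back to plaintext. The following is an added example, not code from the original thread or from PeopleSoft, of the rewriting a TLS-terminating reverse proxy has to do on each response before handing it to the client. The backend and public hostnames and the sample response are constructed for illustration; it assumes, as the comment says, that nothing but the proxy can reach the application server's HTTP port.

```python
"""Response rewriting for a TLS-terminating reverse proxy in front of an
application that emits hardcoded http:// URLs.

Added example for the thread above, not code from the original post or the
vendor. Hostnames and the sample response are constructed for illustration.
"""
import re

BACKEND = "pshr01.corp.example:8000"   # assumed: where the app listens over HTTP
PUBLIC = "hr.example.internal"          # assumed: the https:// name users see

# Matches an absolute URL to the backend as it would appear in HTML or a
# header, but not a longer hostname that merely starts the same way.
_ABS_URL = re.compile(r"http://" + re.escape(BACKEND) + r"(?=[/\"'\s>]|$)")


def rewrite_url(url: str) -> str:
    """Map an absolute http:// URL to the public https:// name; leave
    every other URL (relative, or pointing at another host) untouched."""
    prefix = "http://" + BACKEND
    if url == prefix or url.startswith(prefix + "/"):
        return "https://" + PUBLIC + url[len(prefix):]
    return url


def rewrite_headers(headers: list) -> list:
    """Fix redirects and mark session cookies Secure.

    headers is a list of (name, value) pairs, since Set-Cookie may repeat.
    """
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in ("location", "content-location"):
            value = rewrite_url(value)
        elif lname == "set-cookie":
            # Without the Secure attribute the browser would also send the
            # session cookie to any http:// URL for this host, which undoes
            # the point of putting TLS in front.
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                value = value.rstrip("; ") + "; Secure"
        out.append((name, value))
    return out


def rewrite_body(body: str) -> str:
    """Rewrite absolute links to the backend inside an HTML/text body."""
    return _ABS_URL.sub("https://" + PUBLIC, body)


def rewrite_response(headers: list, body: str):
    """Return (headers, body) as the proxy should send them to the client."""
    new_headers = [(n, v) for n, v in rewrite_headers(headers)
                   if n.lower() != "content-length"]
    new_body = rewrite_body(body)
    # The body may have changed length, so Content-Length is recomputed.
    new_headers.append(("Content-Length", str(len(new_body.encode("utf-8")))))
    return new_headers, new_body


# Constructed backend response: a redirect plus a page with one link to the
# backend itself and one to an unrelated intranet host.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Location", "http://pshr01.corp.example:8000/psp/ps/home"),
    ("Set-Cookie", "PS_TOKEN=abc; Path=/"),
    ("Content-Length", "123"),
]
SAMPLE_BODY = (
    '<a href="http://pshr01.corp.example:8000/psp/ps/home">Home</a> '
    '<a href="http://intranet.example/">Other</a>'
)

if __name__ == "__main__":
    hdrs, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for name, value in hdrs:
        print(f"{name}: {value}")
    print()
    print(body)
```

The test of whether the proxy is doing its job is simple: with the application's HTTP port firewalled to the proxy only, browse the whole application through https:// and confirm that no redirect, link or cookie ever takes the browser back to http://. Anything that does is a hardcoded URL the rewrite missed. Absolute URLs assembled inside client-side scripts, or compressed response bodies, are not covered by a body rewrite like this one and need either the application's own "external URL" setting or the proxy decompressing before it rewrites.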
  • CYA (Score:5, Insightful)

    by linuxwrangler ( 582055 ) on Monday March 03, 2003 @04:13PM (#5426221)
    Write a carefully crafted and supported memo.

    Don't attack, don't complain, simply state that one important part of your role as sysadmin is network security. It is your understanding that the system being installed will house sensitive data such as ..., the damage or release of which could cause competitive harm and/or legal liability to the company. It is your understanding that the product has certain security features but that these are not being used for reasons that the manufacturer has failed to specify.

    Avoid the jargon - non-techies just hear "risk of a frammywhatzit snort-spoof relay attack" and think "that sounds complicated and exotic - it's probably not something we need to worry about."

    Offer your assistance to explain the problems and/or test for vulnerabilities.

    You might also suggest that those responsible for managing the project state to PeopleSoft the nature of the data on the system, state that security is a priority and that the company expects PeopleSoft to make use of any available features of their product to increase security.

    Demand from PeopleSoft a memo confirming that all of their conduct will be in conformance with "best practice" for information security. Then document anything that fails to meet that criterion.

    Whatever you do don't come across as a whiner - where there is a problem, state the solution and offer your help.

    • Well, depending on the temperament of your employer, it might make more of an impact to actually acquire some information without going through the normal methods. If you can show them that "Hey, I just used a couple tools and look what I was able to grab." If there is a possibility they might fire you for something like that I wouldn't suggest it. But if you can show proof that it is easy to do and that it is not secure that just might get their attention.

      I'd suggest reading any policies or employee handbooks for possible trouble in doing what you are trying to prevent.
      • If there is a possiblity they might fire you for something like that I wouldn't suggest it. But if you can show proof that it is easy to do and that it is not secure that just might get their attention.

        There's also the non-zero probability that they'd not only fire you, but prosecute you criminally. Demoing a vulnerability when not working in "security" will at best, make you someone who is considered to "bear watching," and at worst a convicted felon.


    • Like the man says, CYA, and let the PHBs know you are not happy with doing this.

      However, if all else fails and you are forced to go ahead, give your PHB a written statement saying why you are unhappy and that you will refuse to go ahead unless s/he signs a waiver absolving you of responsibility if it all goes tits-up.

      This is SERIOUSLY necessary!
      Reason being, you could be open to legal action for negligence if personal data gets out. Your reputation as sysadmin would be in tatters (good reference, huh). Having a bit of paper signed saying you were told to act against your professional judgement will cover you.

      Just asking the PHB for this and saying how concerned you are will be enough for them to sit up and pay attention. (Before anyone says the boss won't like it: in my experience it has been enough to make them sit up and act on what you are saying, so no signature was necessary. It's something I recommend and have done when I've had no alternative.)

  • by Blob Pet ( 86206 )
    PeopleSoft don't seem to know the first thing about security
    If this is true, then I'm afraid. My university spent boat-loads of money on PeopleSoft to replace a bunch of systems, including student records, ID card access, and payroll IIRC. It's been slow and painful. There's always something wrong with the card access system, and filling out timesheets online looked so confusing that a lot of people stayed with submitting them on paper despite what the payroll department demanded. But this has got to be better than the COBOL and FORTRAN systems we used to run, right?
    • But this has got to be better than the cobol and fortran systems we used to run, right?

      You'll never guess what's at the foundation of PeopleSoft's core programs. That's right, good old COBOL.

  • Any pointers on getting management to stop kicking customers out unless their User-Agent matches a whitelist?

    Yes, some companies still do that.
  • There's a guy that works here [defensivethinking.com] who can hack into it for you and demonstrate that it's not secure.
  • JDE (Score:3, Informative)

    by jpsst34 ( 582349 ) on Monday March 03, 2003 @04:40PM (#5426478) Journal
    Don't use PeopleSoft. Use JDE. It has security fully implemented at the lowest level of the system. See this thread on the JDE users list [jdelist.com]
    • We have JDE, and as confirmed by the thread you linked to, it is *not* encrypted.
      • A wee bit of sleuth-like snooping would see that the username most prevalent in that thread is the same as the username posting this comment. I was being sarcastic about JDE implementing security. They just don't do it.
  • Can you offer any advice that doesn't seem to be inherently career-limiting (such as playing whistle-blower and talking to the regulating agencies, labor department, legal department, union leaders, and so forth)?

    Yes. Fire off a short and polite e-mail to the person in IT who is in charge of the People Soft application deployment. Say that you have security concerns and ask for 15 minutes of his or her time. Print and keep a copy of that e-mail.

    If you are rebuffed, then drop it. It is not your problem. Do not allow your sphere of concern to be larger than your sphere of influence.
  • ...depends on how hard core you want to be, whether or not you can easily find another job, what your resources are should you get fired and have to sue them, and what the applicable state and federal laws are regarding your employment and any contracts and NDAs you have signed already.

    The other, much more knowledgeable folks here covered the technical aspects clearly. This is something that needs to be fixed, so what you need to do now is FIRST CY own A before you proceed further, because it sounds like you have exhausted all the "normal channels" to get heard. You honestly need your own lawyer at this point, someone who can review your contract in advance and is technically savvy enough to understand the concepts involved here. Proceeding from that point, understand that problems that cost large corps money, even when they need to be addressed, are not popular, and bottom line, right now this second, profits are usually WAY more important than future "what if this happened?" type scenarios. You should be prepared for a drawn-out process of recouping money in the event you get fired, is what I am saying. If the data is correct as you say, a savvy lawyer could feel that the potential benefits from winning a suit or accepting an out-of-court settlement (should that be necessary) are good enough that he or she would take it on a percentage contingency fee. That covers that, and accept no substitutes when it comes to selecting your own lawyer. You might have to include a proviso that the corp recoup your lawyer's consultation and mediation efforts EVEN IF THEY AGREE THEN, CAN SEE THE PROBLEM, AND IMPLEMENT YOUR CONCLUSIONS, because that part will most likely come out of your pocket, and it can be explained that you had to resort to out-of-pocket expense just to get anyone to address the issue.

    Then get your ducks in a row, have YOUR lawyer approach THEIR lawyer with your proposal in a calm and rational manner, stating your case and your desire to not be retaliated against because you want to push the issue and see it as your loyal employee duty to "do your job to the best of your ability". If they then consider it to be still trivial, and fire you for "going over some PHB's head and not following orders, etc." or any other obvious retaliation, you would (most likely, guessing here) have grounds for a suit if they retaliated, but like I said, some states are a lot more decent about this than others. Some states allow corps to fire you no matter WHAT the reason, they don't need one, and trying to fight them or get any money from them is almost a waste of time. Be prepared and be actively looking for another job before you do ANYTHING else, because matters could get sticky quick. If it is a publicly traded company, you owning stock will probably allow you yet another angle in this, as you have rights as a stockholder to speak up at stockholders' meetings, etc., that could be of assistance in your efforts. You are allowed as a stockholder some interesting rights; these are federal. A corp having such obvious security flaws is really putting the stockholders' investments at peril, should a widespread exploit occur. Egg on face for corporations costs them money, so by default the stockholders' money. Deliberately obfuscating problems or ignoring them has a lot of case law behind it, so in that sense you are covered pretty well as a stockholder. Think just recently of Enron and Arthur Andersen, for example. It's not an exact parallel but close enough for posting and conversational purposes.

    Really SUCKS when you are just trying to be intelligent and loyal and they bounce you around like this, ain't it? "Sorry Vern, just STFU and do your job!" "But I am TRYING to! We could get owned and a lot of customers really get hosed if we don't fix this like yesterday!" "STFU or you're fired!"

    This is called "modern corporate mindset" and is more common than not, near as I can see. I personally really try to avoid working for larger companies for this very reason (very generally speaking); just got tired of dealing with Peter Principle factors all the time.
  • by erasmus_ ( 119185 ) on Monday March 03, 2003 @04:57PM (#5426619)
    I wish the article submitter the best of luck, and want to let him know that it is possible to succeed in this battle, as I have just done so recently at my company. It was a triumph I never expected, but it did happen.

    When we first launched our internal MyHR site, powered by PeopleSoft, and I noticed that it was not secure, I immediately contacted my manager, who shared my privacy concerns. She forwarded it to her manager and so on up the chain, and eventually I knew that I had gotten through when I got a call back from one of the actual MyHR team members here at the company. I think she was relatively pleased that she was talking to someone technical, and explained to me that they did feel that HTTPS was required, but did not necessarily have the full management support. With my query, and that of others, they would now hopefully have the backing to make the solution work.

    Lo and behold, they eventually figured it out. One of the issues that was mentioned to me was getting all of the desktops to recognize the secure certificate for the site. They considered using their own CA (certificate authority), but faced issues with distributing the CA certificate out to all the desktops. So, I guess the lesson here is to get as much management buy-in as possible. Emphasize the privacy concerns to those who have a bigger voice than you in the company. Mention that all it would take would be one unscrupulous employee. And if possible, get in touch with someone on your internal architecture team, who can figure it all out and make it work.
    • Hmm... I find it kind of sad that a big company won't pony up the $49 a cheap SSL certificate costs these days (e.g. http://www.omegasphere.net/ssl/ [omegasphere.net], where I sell SSL certificates).

      In fact, if it is only for intranet usage you can get one for $39. You don't have to worry about distributing a CA certificate because the root CA cert will already be on the boxes.
  • At a company I worked for a few years ago, I saw something similar happen. The marketing department had made some deal with a "partner" such that we would mail our customers with the partner's (spammy) message, in return for some favor that I don't recall now.

    I found out about this only after we had done the mailing, since I was one of the responsible parties on the domain name registration. Lots of irate messages were coming back to all manner of corporate mailboxes. I think we even got listed on spamcop for a while.

    When I approached the marketing department to educate them on the damage caused by this blatant spamming, I was met with complete indifference. Their rationale was that they had only received a few dozen complaints, so it wasn't a big deal. Their heads were as thick as bricks.

    It was a rather surreal view into the mind of a marketing weenie. I don't recommend you go there, it's not clean.
  • If they don't do it at least protect yourself. Write a risk assessment stating why you recommend it and the risks associated with not doing it. Then get your manager (preferably a VP) to sign it. If something happens later you are covered and have the paperwork to back it up.
    • "If they don't do it at least protect yourself. Write a risk assessment stating why you recommend it and the risks associated with not doing it. Then get your manager (preferably a VP) to sign it. If something happens later you are covered and have the paperwork to back it up."

      I already submitted a risk assessment, three weeks ago, containing those details and the strongest arguments I could come up with. That assessment has already become part of the project documentation, so I think I'm covered there, but it looks like we may try to implement HTTPS and give up the first time we hit a snag.

      This risk hasn't yet been recognized by management as REALLY SERIOUS, and I was hoping for some insight on how to get that message out in a way that management will hear. I figured examples of other companies who suffered serious problems after making a similar mistake would be useful, if I could find anyone willing to admit they had seen something similar.

      • And maybe this could help to...tell the higher ups that THEIR personal information could also be compromised. In fact they would most likely be bigger targets than Joe Schmoe in accounting.
  • Just go download ettercap from freshmeat.net and sniff the packets yourself. It was designed to work on switched networks. Easy way to prove the point.

    Funny thing is, it's also supposed to break HTTPS as well, but I haven't tried it for that.
  • Very nicely, bring these things up with HR, not in a technical sense, but in a potential employee lawsuit sense. Get it documented and then leave it at that.

    Hopefully the head of HR will realize the danger and insist on action being taken.
  • Well, it seems relatively obvious that no matter what level he is at, it is his concern that financial data be kept safe because his financial data is going into that system.

    In addition, in the current era of job-scarcity, if the company gets sued and goes out of business, because the Union Bosses find out that not only is Due Diligence being ignored, it's being actively trampled, then he has the concern of finding a new job.

    And finally, knowing Nathan as well as I do, I can say with certainty that part of the issue is that he hates watching people be willfully incompetent.

    -il cylic
    • "And finally, knowing Nathan as well as I do, I can say with certainty that part of the issue is that he hates watching people be willfully incompetent."

      I don't think that's happening here. I do think there are some people who appear to have severely underestimated the potential impact and/or the likelihood of that impact. I also worry about the possibility that the successful implementation of the project may be placed before the quality of the implementation, especially if doing it right takes more time. But I'm not in a position to say anyone is being willfully incompetent.

  • Even on public sites, why do people use http at all? Except for the fee for a certificate, what's the holdup? There seems to be a sense of importance that comes with "secure" transactions that keeps people away. Am I just crazy or is there a good reason for not having secured channels for everything, since it's so darn easy to use?
    • HTTPS uses more network traffic versus HTTP, and it uses more processor time on your web server(s), at least for those of us without the luxury of hardware crypto-accelerators. I'm all for heightened security, but the last thing any of us needs is a slower, more congested Web.
      • "HTTPS uses more network traffic versus HTTP, and it uses more processor time on your web server(s), at least for those of us without the luxury of hardware crypto-accelerators. I'm all for heightened security, but the last thing any of us needs is a slower, more congested Web."

        While that might be relevant for the general web, it doesn't really apply to low-volume traffic on an internal network. We're not likely to be constrained by network bandwidth, latency, or CPU when we use PeopleSoft on an internal network, but we have a duty to keep our sensitive data from traveling over that network in plain text because the internal network is not secured.
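
One way to make the point above concrete for management, as an added example that is not code from the thread or from PeopleSoft: a small audit script that parses a captured plaintext HTTP request (a constructed sample, with assumed field names) and lists exactly which sensitive values crossed the wire in the clear.

```python
"""Audit a captured plaintext HTTP request for sensitive form fields.
Added example for this thread, not PeopleSoft's or any poster's code;
the request text and field names are constructed assumptions."""
import re
from urllib.parse import parse_qs

# Constructed sample: what an HR self-service form might send over plain
# HTTP on an internal network (field names are assumed, not PeopleSoft's).
SAMPLE_REQUEST = (
    "POST /hr/direct_deposit HTTP/1.1\r\n"
    "Host: hr.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: SESSION=abc123\r\n"
    "\r\n"
    "userid=jdoe&pwd=Winter2003%21&id_number=123-45-6789"
    "&routing=021000021&dd_dest=000123456789&annual_salary=72000"
)

# Field names that should never cross the wire unencrypted (assumed list).
SENSITIVE_KEYS = re.compile(r"pwd|passw|ssn|acct|routing|salary|token", re.I)
# Value shapes worth flagging even when the field name looks innocuous.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{9,17}$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def audit_plaintext_request(raw, transport_is_tls=False):
    """Return (field, reason) findings for data exposed on a plaintext channel.

    transport_is_tls is what the capture point knows about the channel;
    nothing is reported when the request travelled inside TLS.
    """
    if transport_is_tls:
        return []
    method, _path, headers, body = parse_request(raw)
    findings = []
    # A session cookie is as good as the password to anyone who sniffs it.
    if "cookie" in headers:
        findings.append(("Cookie", "session cookie sent in clear"))
    is_form = headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded")
    if method == "POST" and is_form:
        for key, values in parse_qs(body).items():
            value = values[0]
            if SENSITIVE_KEYS.search(key):
                findings.append((key, "sensitive field name"))
            elif SSN_RE.match(value):
                findings.append((key, "value looks like an SSN"))
            elif ACCOUNT_RE.match(value):
                findings.append((key, "value looks like a bank account number"))
    return findings

if __name__ == "__main__":
    for field, reason in audit_plaintext_request(SAMPLE_REQUEST):
        print(f"{field:14s} {reason}")
```

Run against a real capture from a test account, the report is the kind of one-page evidence the thread suggests handing to the business side rather than to the techies.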

    • the fee for a certificate

      Precisely. Smaller sites can afford a domain (.uk domains are only about the equivalent of US$10 a year) but not a SSL cert (around US$900, unless you want a 40-bit false sense of security). If browsers had some sort of web of trust model, perhaps SSL would be feasible, but with the current certifying authority model, the whole thing's very reliant on the good will of the CAs (who obviously have an interest in keeping prices high).

      SSL also breaks HTTP/1.1 name-based virtual hosting, since you have to figure out which certificate to use before the client has sent you a Host: header (IOW, each physical computer can only host one SSL hostname).
      • Not to mention that in a web cluster, the CA will charge you for a cert for each server in the cluster that serves that particular site. (Check your license agreement/TOS.)

        Ade_
        /

  • I was once in a situation much like this. They had gotten as far as a beta test with "dummied up data" (real HR files that had had sensitive fields replaced by random goo) before I hit upon the idea of demonstrating how easy it was to crack. I e-mailed my boss & my boss's boss copies of their (fake data) salary history & confidential performance reviews, along with an explanation of how to get anyone's data out of the system.

    There followed a flurry while the specific hole was patched, and then I repeated the stunt on the new, "secured" system.

    By round three or four of this the idea of using http for the web interface for HR data died a quiet death.

    -- MarkusQ

  • If they won't listen to you, suggest that implementing such a complicated system may cause security problems and fight to have a security analyst come in to give it a once-over. Where you as admin can be written off as 'over-reacting', when a 'high priced consulting company' makes the same recommendation in their report, people take notice. Sad, but true. First thing I usually do on an engagement is try to talk to the admins and see what their security concerns are. If they're valid and within scope, I try to address them.
  • If you phrase the issue in technical terms, you let the business folk off the hook. I have some experience with PeopleSoft, and it's hoodoo-ware: it's expensive to buy, it's typically sold at a senior executive level ("all your problems will be solved by our magical software! Sure, it's expensive, but think about the benefits! Oh, and if it doesn't quite work for you, you should change your business processes so they fit our software"), and it can be a little temperamental, so people who have it running tend not to like to mess with it.

    By saying "there are sound technical reasons why not using HTTPS is a risk", you leave the debate at the technical level; most business folk I've met tend to think that they should not interfere in technical matters (and this is typically a view we techies like to reinforce). So they will leave it to the technical management team. And the technical managers will realize very quickly that they will gain nothing politically by jumping on this; the best they can hope for is that they don't break the application which cost the organisation a lot of time, money and political heartache.

    Instead, phrase it as a business issue: not a black and white binary choice, but a risk and cost issue. For instance, I would send a brief note to the head of HR (or the head of finance if you're also using it for accounting etc.), copying your boss and the head of IT, and explain that there is a risk of information managed by PeopleSoft being intercepted, and that the information intercepted may include usernames and passwords which allow unauthorised access to the application.
    Explain that the risk is not purely hypothetical, and offer to explain in more detail, but don't get into the specifics. You can then suggest which options are available: do nothing (the business may decide the risk is not worth the cost of the fix), implement HTTPS and deal with stability issues as they arise (explain that this may cause inconvenience to end users), or investigate further. You may even be able to get one of the PeopleSoft team to dig up documentation from the PeopleSoft extranet; it used to contain a lot of very specific implementation instructions, and the Professional Services team were not always up to speed with them.

    Whether this is career-limiting is hard to tell; it depends on your organisation and specifically on your boss (and their boss). In my experience, PeopleSoft implementations are politically very sensitive because they nearly always coincide with business change, and that means there are going to be winners and losers. It's quite likely the IT management team don't want to hear the word PeopleSoft ever again. If you are worried about the politics, find someone you can talk to who is plugged into the politics; it may well be in your interest to keep quiet for a while, until the implementation settles down....

  • Ideally, HR data should be stored in a secure facility on an encrypted disk with access restricted to cleared (not just "bondable") and trained personnel. (Other employees may need to see their own files once in a while, but they most assuredly do not need direct write access.) The only outside access should be a secured line to your offsite backup facility. (If someone complains, TS. We're talking about the financial security of all the employees versus a few HR people having to commute or someone not getting their preferred vacation slot.) Even in the smallest mom-and-pop company, it should at least be locked in a UL-approved container in the back office, out of view of the general public.

    --

    N. Evil Genius

  • You are in a bad situation. If something happens then who will field the blame? Not the project manager, that's for sure.

    If the CIO or upper manager is a fairly decent person you can formalize your complaints (use PowerPoint with pretty pictures, graphs, and buzzwords) and ask him if he has time for you to meet with him informally. Do your presentation and hope for the best. You may burn a bridge with the project manager; however, at least the CIO will a) know that you know what you're talking about, b) appreciate that you were looking out for them, and c) know you better.

    Some of you may be upset that I said PowerPoint and pretty pictures, but take it with a grain of salt, as we all know upper management relies on information spoon-fed to them.

  • Often in ERP implementations there is a consultant or "implementation partner"; it may be that this person or team is not a fan of HTTPS, likely due to their own ignorance of the topic.

    Try to determine if this is a PeopleSoft opinion, or the consultant's opinion.

    If the consultant is speaking about it, ask for a PeopleSoft white paper or technical document on the topic. I suggest, like others have, raising the concern; don't sound like Chicken Little, and go to the business types, not the techies. Explain that you have a concern that there is a security risk with HR data, and that you'd like to have someone address your concerns. Write a less-than-one-page document on the subject, reference other implementations using HTTPS, and suggest that they use their PeopleSoft user group or references (they had references on the product before spending all this money...) to validate your concerns.

    I would not try to prove your point unless you like the risk of prosecution. It's not worth it.
