We are committed to protecting your data and communicating transparently. We employ rigorous measures across our people, processes, and technology to ensure that your data, applications, and infrastructure remain safe.
Security is everyone’s responsibility at Workday. Employees and customers alike contribute to our security goals. That’s why Workday ensures everyone is informed, enabled, and supported in prioritizing security and using best practices.
Leadership and employees.
Leadership prioritizes security at every level of our organization. All Workmates are responsible for the protection of our customers’ data and receive security, privacy, and compliance training from day one. Our dedicated Information Security team provides ongoing security training to minimize risk, while Workday Security Champions evangelize security best practices through employee engagement and fun.
Our customers have full control of the data they enter into Workday, as well as all setup and configurations. Workday offers training, specialized support, detailed documentation, timely communication, and a peer community to help you safeguard your data and make the most of our robust security tools.
“With Workday, we reduced 262 systems down to a few overarching applications—while increasing security, gaining functionality, and pressing forward with innovation.”
—Chief Information Officer
Processes for continuous protection.
To continuously protect your data, Workday has detailed operating policies, procedures, and processes for our data centers, network, and applications.
Workday applications are hosted in state-of-the-art data centers with fully redundant subsystems and compartmentalized security zones. The data centers adhere to the strictest physical and environmental security measures. The facilities require multiple levels of authentication to access critical infrastructure.
Camera surveillance systems are located at critical internal and external entry points, while security personnel monitor the data centers 24/7. The data centers have implemented redundant environmental safeguards and backup power management systems, including fire suppression, power management, heating, ventilation, and air conditioning, set up with a minimum of N+1 redundancy.
We secure our network through proven policies, procedures, and processes, such as perimeter defense, threat prevention, and threat detection tools that monitor for atypical network patterns in the customer environment as well as traffic between tiers and services. We also maintain a global Security Operations Center 24/7/365.
Multiple external vulnerability assessments conducted by third-party experts scan all internet-facing assets, including firewalls, routers, and web servers, to prevent unauthorized access. In addition, we use an authenticated internal network and system vulnerability assessment to identify potential weaknesses and inconsistencies with general system security policies.
Every step in our application development, testing, and deployment process is designed to ensure security in our products. Our Product and Technology teams employ enterprise Secure Software Development Life Cycle (SSDLC) as well as DevSecOps accountability practices. Our development process includes an in-depth security risk assessment and review of Workday features. Static and dynamic source code analyses help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
Prior to each major release, a leading third-party security firm performs an application-level security vulnerability assessment of our web and mobile applications to identify potential vulnerabilities. The third-party firm performs testing procedures to identify standard and advanced web application security vulnerabilities.
Technology built to be secure.
Our technology, from architecture to applications, prioritizes your data security and provides configurable tools to meet the security needs of every customer, including the most risk averse.
We use powerful encryption technologies to protect customer data at rest and in transit. Workday relies on the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits for encryption at rest.
Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. File-based integrations can be encrypted via PGP or a public/private key pair generated by Workday, using a customer-generated certificate. WS-Security is also supported for web services integrations to the Workday API.
The Workday Key Management Service (KMS) covers the full lifecycle management of cryptographic keys used to encrypt and decrypt customer data at rest. Additionally, customers have the option to implement bring-your-own-key capability to retain full control of their root encryption keys.
Workday provides an extensive set of reports available to auditors and administrators on how their users are using the Workday tenant. The audit trail, user activity logs, and sign-on reports are favorites among Workday customers and auditors. Workday allows you to monitor all your business transactions and easily see your historical data and configuration changes.
Workday authenticates every user or system accessing the platform. Workday allows customers to create end-user identities within Workday or integrate them into Workday from external systems, such as Active Directory. Workday security access is role-based, supporting SAML for single sign-on and X.509 certificate authentication for both user and web services integrations.
SAML allows for a seamless single sign-on experience between the customer’s internal web portal and Workday. Workday also supports OpenID Connect.
Workday native login.
Our native login for Workday Enterprise Products stores only a secure hash of the password, never the password itself. Unsuccessful login attempts and successful login/logout activities are logged for audit purposes. Inactive user sessions are automatically timed out after a specified interval, which customers can configure per user.
Customer configurable password rules include length, complexity, expiration, and forgotten password challenge questions.
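As an added illustration (this is not Workday's code, and Workday does not publish its native-login implementation), the following Python sketch shows the three properties described above working together: the store keeps only a salted password hash, a configurable policy is enforced on length, complexity and expiration, and every login outcome is written to an audit trail. The policy values, PBKDF2 iteration count and account names are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Tenant policy values are constructed for this example; in a real deployment
# they are set by the customer's security administrator.
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=90)
ITERATIONS = 200_000  # PBKDF2 work factor (constructed value)


def check_policy(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only this string is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Throwaway hash used when the username does not exist, so an unknown account costs
# the same time as a wrong password (constructed; not a real account's hash).
_DUMMY_HASH = hash_password("not-a-real-password")


class UserStore:
    """In-memory credential store that keeps password hashes plus an audit trail."""

    def __init__(self):
        self.users = {}      # username -> {"hash": str, "set_at": datetime}
        self.audit_log = []  # (timestamp, username, event) tuples

    def set_password(self, username, password, now):
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        self.users[username] = {"hash": hash_password(password), "set_at": now}
        self.audit_log.append((now, username, "password_set"))

    def login(self, username, password, now):
        """Return 'success', 'expired' or 'failure', and record the outcome."""
        user = self.users.get(username)
        stored = user["hash"] if user else _DUMMY_HASH
        ok = verify_password(password, stored) and user is not None
        if not ok:
            self.audit_log.append((now, username, "login_failed"))
            return "failure"
        if now - user["set_at"] > MAX_PASSWORD_AGE:
            self.audit_log.append((now, username, "password_expired"))
            return "expired"
        self.audit_log.append((now, username, "login_success"))
        return "success"

    def logout(self, username, now):
        self.audit_log.append((now, username, "logout"))


if __name__ == "__main__":
    store = UserStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.set_password("alice", "Correct-Horse-42!", t0)
    print(store.login("alice", "wrong", t0))                                  # failure
    print(store.login("alice", "Correct-Horse-42!", t0))                      # success
    print(store.login("alice", "Correct-Horse-42!", t0 + timedelta(days=91)))  # expired
    for entry in store.audit_log:
        print(entry)
```

The point of the dummy hash is that a lookup for a non-existent user still performs a full PBKDF2 computation, so response time does not reveal which usernames exist; the audit log records failures for unknown names as well, which is what an administrator reviewing sign-on reports would expect to see.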
Your Workday security administrator can control what data users can access and the actions they can perform in your customer tenant. Tools such as roles, security groups, and business process configurations allow administrators to implement your company’s security policies and update them as you scale.