What is Separation of Duties (SoD)?
What is Separation or Segregation of Duties?
Separation of Duties, also known as Segregation of Duties, is the concept of dividing sensitive tasks up amongst more than one person. In the traditional sense, SoD refers to separating duties — such as accounts payable from accounts receivable — to limit insider threats to financial systems and sensitive data. In a practical context, SoD is a set of preventive internal controls in a company’s compliance policy that mitigates the risk of error and fraud by requiring more than one person to complete a transaction-based task. Organizations enforce the separation of duties in order to protect digital assets and prevent theft, fraud, information misuse, and other security issues.
Why is Separation of Duties Important?
The separation of duties prevents an individual from having too much control and taking advantage of a system. Having more than one person involved in executing both sides of a sensitive task reduces the likelihood of a security breach. For example, the “four eyes” principle ensures that organizations “have two sets of eyes” on critical tasks.
Separation of Duties is also important for compliance. In the early 2000s, a series of scandals led the United States Congress to pass the Sarbanes-Oxley Act of 2002 (SOX), which requires SoD compliance across a variety of information security standards and regulations. The compliance risk associated with SoD violations can lead to monetary penalties and audit findings. As information systems have become intertwined with financial reporting practices, business data security audits increasingly focus on access controls that limit users to “least privilege” and SoD policies that prevent conflicts of interest.
For example, the IT Administrator who can add and edit system access permissions should not be allowed to access accounting records. Another IT SoD control ensures that the person who implements firewall controls cannot approve those changes.
How to Manage Separation of Duties
Standardizing your enterprise risk management processes allows you to identify SoD and sensitive access violations within all of your applications — and even identify risks in business processes that can span multiple applications. Guarding application access typically falls within the area of Governance, Risk, and Compliance (GRC). Here are some ways you can manage the segregation of duties in today’s complex hybrid IT environments.
Implement a Modern GRC Platform
Implementing a modern GRC platform is critical to efficiently managing application security risks. An Identity Governance and Administration solution enables you to have a single source of truth for what a user has access to across the enterprise. In order to properly manage SoD risks from a GRC solution, the platform must have the capability to consume the full entitlement hierarchy from connected applications. It must also be able to define SoD and Sensitive Access Rulesets that include fine-grained entitlements.
Regularly Review Business Risks and Separation of Duties (SoD) Rulesets
As you introduce new applications into your environment through digital transformation or M&A activities, you must evaluate how this impacts the risks to your business processes. It’s important to use out-of-the-box segregation of duties tools and sensitive access rulesets provided by your vendors, consulting partners, or system integrators. That said, remember that these rulesets are not one size fits all and must be tailored to your specific business processes — and any customizations you’ve made in the applications. Be sure to hold formal training sessions with key business process owners to review high-level risk definitions, identify any missing or unique risks, and define the severity of each risk to your business. This due diligence helps you efficiently allocate resources during remediation.
Make sure to take a step back and identify any potential SoD risks that may span multiple applications or business processes. It may be a good idea to include risk management professionals or consultants in the ruleset review process because they can bring a wealth of experience and project accelerators to make this exercise more impactful.
Enable the Business to Take Ownership
Within your business, the IT department plays an important role in providing technology solutions to manage application security risk. They can also help stakeholders translate risk definitions into technical security permissions within each application. An IGA solution should allow organizations to define application or entitlement owners and incorporate them into governance processes.
To take full advantage of a governance solution, all entitlements assigned to users should have the owners defined — and those owners should be responsible for maintaining relevant metadata. At a minimum, this entitlement metadata should include a risk severity and an easy-to-understand description. A governance solution should allow business owners to easily view who has access to digital assets and remove users quickly.
Manage and Remediate Access Risk Violations
Managing and remediating separation of duties violations is an ongoing process. Risk owners should be defined, and processes should be formalized to alert them when new risk violations are identified. By customizing the risk severity to match your organization’s business processes (Critical, High, Medium, Low), you can more efficiently focus resources on remediating the most critical risk violations first. You should also work with internal audit to document mitigating controls and to ensure that they are uploaded into the GRC platform.
SoD and sensitive access violations should be remediated systematically and may require different actions, depending upon the particular situation. You can address risk violations by removing unnecessary access assignments, by making adjustments to the security design, or by a combination of these. Any high-risk violation that cannot be remediated in one of these ways should have an approved and documented mitigating control.
Incorporate Identity Risk Analytics into Business Processes
Organizations should focus on removing excessive access assignments and cleaning up the application security design prior to investing money in automated provisioning. Without performing this cleanup, you’ll increase your risk exposure at a much faster pace. Once you’ve aggregated all of your data into one platform, you can incorporate risk signatures like violations of segregation of duties and Outlier Access into the User Access Review process.
How do IGA Solutions Enforce Separation of Duties (SoD) Compliance?
Modern IGA platforms built for cloud-based, hybrid environments prevent SoD violations with automation and intelligent analytics. They achieve this by applying context-aware, risk-based controls to access requests. Let’s dig into some IGA features that will help you manage SoD:
Identity Reconciliation
Intelligent analytics enables organizations to standardize identity and access definitions across the ecosystem, tying all user access to a single, holistic identity. This access visibility surfaces cross-application SoD violations which might be overlooked amidst different dashboards and definitions.
Fine-Grained Access Controls
As your organization engages in digital transformation, the principle of “least privilege” must be applied to and within your IaaS, PaaS, and SaaS services. Choosing an automated tool with fine-grained rulesets for individual applications and cross-application checks enables your organization to enforce field-level read/write privileges within these ecosystems, limiting actions that lead to fraud.
Context-Aware Reviews
Digital transformation changes the way organizations view identity. In the past, using Role-Based Access Controls (RBAC) in static, on-premises infrastructures provided appropriate SoD controls. However, the proliferation of identities and locations across on-premises, hybrid, and cloud-based architectures requires context and risk-aware Attribute-Based Access Controls (ABAC). Peer- and usage-based analytics enable organizations to create stronger policies that better prevent SoD violations.
User Access Requests
Automation streamlines the access request/review/certification process by enabling you to create risk-based rules and approval paths.
Enforcement
Automated tools can also enforce your authoritative identity source with risk-based, context-aware rules. Intelligent analytics can automatically compare access requests to policies and peer access, send potential violation alerts, and suggest remediation to reduce your compliance risk.
Documentation for Audit
As identity analytics continuously monitor for anomalous access requests, automation removes the “rubber-stamping” that can lead to SoD violations. Your IAM policies can be applied automatically across the identity lifecycle, triggering escalations when a request needs to be purposefully examined by a person in the organization.
Saviynt & Separation of Duties Tools and Features
Today’s enterprise requires both IGA and GRC (SoD management) capabilities to meet compliance requirements in hybrid environments. Saviynt has had this vision since the beginning, and is flexible enough to consume multiple complex application security architectures regardless of the technology vendor. Let’s look at some of the segregation of duties tools and features:
Saviynt’s Control Exchange
Saviynt’s Control Exchange is a library of out-of-the-box SoD rulesets and continuous controls that customers can use when deploying our solution. Saviynt provides SoD rulesets for all of the major applications, including SAP, Epic, Oracle EBS, Oracle Cloud, Workday, Microsoft Dynamics, PeopleSoft, and Infor — to name a few (this is not an exhaustive list). You can also import any existing SoD rulesets that you may have, customize our out-of-the-box rulesets, or create new risks from scratch.
SoD Workbench
Saviynt’s SoD workbench provides a single place to manage risk violations for all applications across the enterprise. Users can filter or search for specific SoD violations, apply mitigating controls, view violation details, and remove the unwanted entitlements causing the SoD violation. Saviynt also provides dashboards to quickly give a high-level view of the health of your application security risks.
Cross-Application SoD
Because Saviynt provides fine-grained visibility that goes deep into the security models of many applications, Saviynt enables you to identify SoD violations across multiple applications. This level of protection isn’t available with GRC solutions that only address a single application or only provide coarse-grained visibility across a few applications.
Risk-Based Access Request System
Seamlessly including a preventative risk analysis — before an end-user even submits an access request — is a key feature in any Identity Governance solution. Saviynt allows you to identify a number of different risk factors during the access request process, including SoD violations, sensitive or privileged access, and peer group analytics. You can easily set up the approval workflow to route the request differently based on the risk posture of the access request.
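The following is an added example that is not part of the original page and is not Saviynt's code; it ties together several of the mechanisms described above: reconciling accounts from different applications to one identity, evaluating a ruleset whose risks are defined in terms of fine-grained entitlements that can span applications, ranking violations by severity and recording documented mitigating controls, and running a preventive check that routes an access request by the worst new risk it would introduce. All application names, entitlement names, risk identifiers, control identifiers and the sample account records are constructed for illustration.

```python
"""Separation-of-duties evaluation over reconciled identities (added example, not Saviynt's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: raw account records from three applications, each using its own
# user identifier. Reconciliation ties them back to one corporate identity via e-mail.
RAW_ACCOUNTS = [
    {"app": "erp", "account": "jsmith", "email": "j.smith@example.com",
     "entitlements": {"AP.INVOICE.CREATE", "AP.VENDOR.EDIT"}},
    {"app": "bank_portal", "account": "JSMITH01", "email": "J.Smith@example.com",
     "entitlements": {"PAYMENT.APPROVE"}},
    {"app": "firewall_mgr", "account": "smithj", "email": "j.smith@example.com",
     "entitlements": {"FW.RULE.EDIT"}},
    {"app": "firewall_mgr", "account": "adoe", "email": "a.doe@example.com",
     "entitlements": {"FW.RULE.EDIT", "FW.CHANGE.APPROVE"}},
]

SEVERITY_ORDER = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    severity: str
    # Two groups of fine-grained entitlements; holding any from BOTH sides is a conflict.
    # Entitlements are qualified as "app:ENTITLEMENT", so one rule may span applications.
    left: frozenset
    right: frozenset


# Constructed ruleset: SOD-001 is a cross-application risk, SOD-002 is within one application.
RULESET = [
    Risk("SOD-001", "Create vendor invoices and approve the payment", "Critical",
         frozenset({"erp:AP.INVOICE.CREATE", "erp:AP.VENDOR.EDIT"}),
         frozenset({"bank_portal:PAYMENT.APPROVE"})),
    Risk("SOD-002", "Implement firewall changes and approve them", "High",
         frozenset({"firewall_mgr:FW.RULE.EDIT"}),
         frozenset({"firewall_mgr:FW.CHANGE.APPROVE"})),
]

# Documented mitigating controls (constructed), keyed by (identity, risk_id).
MITIGATING_CONTROLS = {
    ("a.doe@example.com", "SOD-002"): "MC-17: weekly firewall change log review by security",
}


def reconcile(accounts) -> Dict[str, Set[str]]:
    """Map each identity (normalized e-mail) to the union of its qualified entitlements."""
    identities: Dict[str, Set[str]] = {}
    for acct in accounts:
        identity = acct["email"].strip().lower()
        for ent in acct["entitlements"]:
            identities.setdefault(identity, set()).add(f"{acct['app']}:{ent}")
    return identities


def violations_for(entitlements: Set[str], ruleset=RULESET) -> List[Tuple[Risk, Set[str], Set[str]]]:
    """Return every risk whose two conflicting sides are both present in the entitlement set."""
    hits = []
    for risk in ruleset:
        left_hit = entitlements & risk.left
        right_hit = entitlements & risk.right
        if left_hit and right_hit:
            hits.append((risk, left_hit, right_hit))
    return hits


def evaluate(accounts=RAW_ACCOUNTS, controls=MITIGATING_CONTROLS) -> List[dict]:
    """Workbench-style report of current violations, most severe first."""
    report = []
    for identity, ents in reconcile(accounts).items():
        for risk, left_hit, right_hit in violations_for(ents):
            report.append({
                "identity": identity,
                "risk_id": risk.risk_id,
                "severity": risk.severity,
                "conflict": (sorted(left_hit), sorted(right_hit)),
                "mitigated_by": controls.get((identity, risk.risk_id)),  # None = needs remediation
            })
    report.sort(key=lambda v: -SEVERITY_ORDER[v["severity"]])
    return report


def preview_request(identity: str, app: str, requested: Set[str], accounts=RAW_ACCOUNTS) -> dict:
    """Preventive check: simulate the grant and pick an approval path from the worst NEW risk."""
    current = reconcile(accounts).get(identity.strip().lower(), set())
    proposed = current | {f"{app}:{e}" for e in requested}
    already = {risk.risk_id for risk, _, _ in violations_for(current)}
    new = [risk for risk, _, _ in violations_for(proposed) if risk.risk_id not in already]
    worst = max((SEVERITY_ORDER[r.severity] for r in new), default=-1)
    if worst < 0:
        route = "manager"                         # no new SoD risk: standard approval
    elif worst < SEVERITY_ORDER["Critical"]:
        route = "manager+risk_owner"              # new risk: the risk owner must sign off
    else:
        route = "manager+risk_owner+compliance"   # critical conflict: compliance review as well
    return {"new_violations": [r.risk_id for r in new], "route": route}


if __name__ == "__main__":
    for v in evaluate():
        print(v)
    print(preview_request("j.smith@example.com", "firewall_mgr", {"FW.CHANGE.APPROVE"}))
```

Running it shows why reconciliation matters: the ERP and banking-portal accounts use different user names and e-mail capitalization, and only once they are joined to one identity does the cross-application conflict in SOD-001 become visible. The preview call reports that granting firewall-change approval to the same person would introduce SOD-002 and therefore routes the request to the risk owner rather than to a manager alone.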
To summarize, organizations today are saddled with hybrid IT environments and are struggling to manage application security risks across varying technologies. Saviynt can help provide a platform to standardize your risk management activities by managing SoD violations across the enterprise — regardless of the technology vendor.
Wherever your organization is on its digital transformation journey, Saviynt’s cloud-native Identity Cloud platform provides flexible security solutions for both on-prem and cloud-based deployments.