Separation of Duties (SoD), also known as Segregation of Duties, is the practice of dividing a sensitive task among more than one person so that no single individual can complete it alone. In the traditional sense, SoD means separating duties such as accounts payable from accounts receivable to limit insider threats to financial systems and sensitive data. In practice, SoD is a set of preventive internal controls in a company's compliance policy that mitigates the risk of error and fraud by requiring more than one person to complete a transaction-based task. Organizations enforce SoD to protect digital assets and prevent theft, fraud, information misuse, and other security issues.
SoD prevents an individual from having too much control and taking advantage of a system. Having more than one person involved in executing both sides of a sensitive task reduces the likelihood of a security breach. For example, the “four eyes” principle ensures that organizations “have two sets of eyes” on critical tasks.
Separation of Duties is also important for compliance. In the early 2000s, a series of accounting scandals led the United States Congress to pass the Sarbanes-Oxley Act of 2002 (SOX), which requires management to establish and assess internal controls over financial reporting; auditors treat SoD as a core such control, and SoD requirements also appear in a variety of other information security standards and regulations. The compliance risk associated with SoD violations can lead to monetary penalties and audit findings. As information systems have become intertwined with financial reporting, business data security audits increasingly focus on access controls that limit users to least privilege and on SoD policies that prevent conflicts of interest.
For example, the IT administrator who can add and edit system access permissions should not also be able to read or modify accounting records, because that combination would let one person both grant themselves access and alter the data. Another IT SoD control ensures that the person who implements firewall rule changes cannot be the one who approves those changes.
Standardizing your enterprise risk management processes allows you to identify SoD and sensitive access violations within all of your applications — and even identify risks in business processes that can span multiple applications. Guarding application access typically falls within the area of Governance, Risk, and Compliance (GRC). Here are some ways you can manage SoD in today’s complex hybrid IT environments.
Implementing a modern GRC platform is critical to efficiently managing application security risks. An Identity Governance and Administration solution enables you to have a single source of truth for what a user has access to across the enterprise. In order to properly manage SoD risks from a GRC solution, the platform must have the capability to consume the full entitlement hierarchy from connected applications. It must also be able to define SoD and Sensitive Access Rulesets that include fine-grained entitlements.
As you introduce new applications into your environment through digital transformation or M&A activities, you must evaluate how this impacts the risks to your business processes. It’s important to use out-of-the-box SoD and sensitive access rulesets provided by your vendors, consulting partners, or system integrators. That said, remember that these rulesets are not one size fits all and must be tailored to your specific business processes — and any customizations you’ve made in the applications. Be sure to hold formal trainings with key business process owners to review high-level risk definitions, identify any missing or unique risks, and to define the severity of each risk to your business. This due diligence helps you efficiently allocate resources during remediation.
Make sure to take a step back and identify any potential SoD risks that may span multiple applications or business processes. It may be a good idea to include risk management professionals or consultants in the ruleset review process because they can bring a wealth of experience and project accelerators to make this exercise more impactful.
Within your business, the IT department plays an important role in providing technology solutions to manage application security risk. They can also help stakeholders translate risk definitions into technical security permissions within each application. An IGA solution should allow organizations to define application or entitlement owners and incorporate them into governance processes.
To take full advantage of a governance solution, all entitlements assigned to users should have the owners defined — and those owners should be responsible for maintaining relevant metadata. At a minimum, this entitlement metadata should include a risk severity and an easy-to-understand description. A governance solution should allow business owners to easily view who has access to digital assets and remove users quickly.
Managing and remediating SoD violations is an ongoing process. Risk owners should be defined, and processes should be formalized to alert them when new risk violations are identified. By customizing the risk severity to match your organization's business processes (Critical, High, Medium, Low), you can focus resources on remediating the most critical risk violations first. You should also work with internal audit to document mitigating controls and to ensure that they are recorded in the GRC platform, so that a violation covered by a mitigating control is tracked rather than silently ignored.
SoD and sensitive access violations should be remediated systematically and may require different actions, depending upon the particular situation. You can address a violation by removing the unnecessary access assignment, by adjusting the security design (for example, splitting a role that bundles conflicting entitlements), or by a combination of these. Any high-risk violation that cannot be removed should have an approved and documented mitigating control.
Organizations should focus on removing excessive access assignments and cleaning up the application security design before investing in automated provisioning. Without this cleanup, automation simply propagates the flawed design faster and increases your risk exposure. Once you have aggregated all of your entitlement data into one platform, you can incorporate risk signatures such as SoD violations and outlier access into the user access review process.
Modern IGA platforms built for cloud-based, hybrid environments prevent SoD violations with automation and intelligent analytics. They achieve this by applying context-aware, risk-based controls to access requests. Let’s dig into some IGA features that will help you manage SoD:
Intelligent analytics enables organizations to standardize identity and access definitions across the ecosystem, tying all user access to a single, holistic identity. This access visibility surfaces cross-application SoD violations which might be overlooked amidst different dashboards and definitions.
As your organization engages in digital transformation, the principle of “least privilege” must be applied to and within your IaaS, PaaS, and SaaS services. Choosing an automated tool with fine-grained rulesets for individual applications and cross-application checks enables your organization to enforce field-level read/write privileges within these ecosystems, limiting actions that lead to fraud.
Digital transformation changes the way organizations view identity. In the past, using Role-Based Access Controls (RBAC) in static, on-premises infrastructures provided appropriate SoD controls. However, the proliferation of identities and locations across on-premises, hybrid, and cloud-based architectures requires context and risk-aware Attribute-Based Access Controls (ABAC). Peer- and usage-based analytics enable organizations to create stronger policies that better prevent SoD violations.
Automation streamlines the access request/review/certification process by enabling you to create risk-based rules and approval paths.
Automated tools can also enforce policy from your authoritative identity source with risk-based, context-aware rules. Intelligent analytics can automatically compare access requests to policies and to peer access, send alerts on potential violations, and suggest remediation to reduce your compliance risk.
As identity analytics continuously monitor for anomalous access requests, automation removes the “rubber-stamping” that can lead to SoD violations. Your IAM policies can be applied automatically across the identity lifecycle, triggering escalations when a request needs to be purposefully examined by a person in the organization.
Today’s enterprise requires both IGA and GRC (SoD management) capabilities to meet compliance requirements in hybrid environments. Saviynt has had this vision since the beginning, and is flexible enough to consume multiple complex application security architectures regardless of the technology vendor. Let’s look at some of the features:
Saviynt’s Control Exchange is a library of out-of-the-box SoD rulesets and continuous controls that customers can use when deploying our solution. Saviynt provides SoD rulesets for all of the major applications, including SAP, Epic, Oracle EBS, Oracle Cloud, Workday, Microsoft Dynamics, PeopleSoft, and Infor — to name a few (this is not an exhaustive list). You can also import any existing SoD rulesets that you may have, customize our out-of-the-box rulesets, or create new risks from scratch.
Saviynt’s SoD workbench provides a single place to manage risk violations for all applications across the enterprise. Users can filter or search for specific SoD violations, apply mitigating controls, view violation details, and remove the unwanted entitlements causing the SoD violation. Saviynt also provides dashboards to quickly give a high-level view of the health of your application security risks.
Because Saviynt provides fine-grained visibility that goes deep into the security models of many applications, Saviynt enables you to identify SoD violations across multiple applications. This level of protection isn’t available with GRC solutions that only address a single application or only provide coarse-grained visibility across a few applications.
Seamlessly including a preventive risk analysis, before an end user even submits an access request, is a key feature of any Identity Governance solution. Saviynt allows you to identify a number of different risk factors during the access request process, including SoD violations, sensitive or privileged access, and peer group analytics. You can set up the approval workflow to route the request differently based on the risk posture of the access request.
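The two capabilities described above, cross-application SoD detection over an aggregated entitlement inventory and a preventive check that simulates an access request before it is approved, are shown below in a small Python example. This is an added illustration, not Saviynt's code or ruleset; the "application:entitlement" naming, the sample risks, the sample users, and the approval route labels are all constructed for the example.

```python
"""Toy cross-application SoD checker (added illustration, not vendor code).

Entitlements are identified as "<application>:<entitlement>" strings, an
assumed naming convention. A risk names two conflicting sets of
entitlements; holding at least one entitlement from each side is a
violation. Because both sides may reference different applications, a
single user with one entitlement in the ERP and another in the banking
portal is still caught.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Severity tiers used to order remediation work (lower rank = worse).
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    severity: str
    side_a: FrozenSet[str]
    side_b: FrozenSet[str]


@dataclass(frozen=True)
class Violation:
    user: str
    risk: Risk
    held_a: FrozenSet[str]   # entitlements the user holds on side A
    held_b: FrozenSet[str]   # entitlements the user holds on side B


# Constructed sample ruleset; real vendor rulesets are far larger.
RULESET: List[Risk] = [
    Risk("R01", "Maintain vendor master and release payments", "Critical",
         frozenset({"erp:vendor_master_maintain"}),
         frozenset({"erp:payment_release", "bank_portal:wire_approve"})),
    Risk("R02", "Administer access and view accounting records", "High",
         frozenset({"idp:role_admin"}),
         frozenset({"erp:gl_view"})),
    Risk("R03", "Implement and approve firewall changes", "High",
         frozenset({"fw_mgr:rule_edit"}),
         frozenset({"change_mgmt:network_change_approve"})),
]

# Constructed entitlement inventory, already aggregated across applications
# and tied to one identity per user.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"erp:vendor_master_maintain", "bank_portal:wire_approve"},
    "bob": {"fw_mgr:rule_edit"},
    "carol": {"idp:role_admin", "erp:gl_view", "erp:payment_release"},
}


def evaluate_user(user: str, held: Set[str], ruleset: List[Risk]) -> List[Violation]:
    """Return the user's SoD violations, worst severity first."""
    found = []
    for risk in ruleset:
        held_a = frozenset(risk.side_a & held)
        held_b = frozenset(risk.side_b & held)
        if held_a and held_b:
            found.append(Violation(user, risk, held_a, held_b))
    found.sort(key=lambda v: (SEVERITY_RANK[v.risk.severity], v.risk.risk_id))
    return found


def evaluate_all(inventory: Dict[str, Set[str]], ruleset: List[Risk],
                 mitigations: Optional[Dict[Tuple[str, str], str]] = None
                 ) -> Dict[str, List[Violation]]:
    """Detective check: open violations per user, skipping those with a
    documented mitigating control keyed by (user, risk_id)."""
    mitigations = mitigations or {}
    result: Dict[str, List[Violation]] = {}
    for user, held in inventory.items():
        open_v = [v for v in evaluate_user(user, held, ruleset)
                  if (user, v.risk.risk_id) not in mitigations]
        if open_v:
            result[user] = open_v
    return result


def preventive_check(user: str, requested: Iterable[str],
                     inventory: Dict[str, Set[str]], ruleset: List[Risk]
                     ) -> List[Violation]:
    """Simulate granting `requested` and return only the violations the
    request would newly introduce (pre-existing ones are not re-reported)."""
    current = inventory.get(user, set())
    before = {v.risk.risk_id for v in evaluate_user(user, current, ruleset)}
    after = evaluate_user(user, current | set(requested), ruleset)
    return [v for v in after if v.risk.risk_id not in before]


def route_request(new_violations: List[Violation]) -> str:
    """Pick an approval path (assumed labels) from the worst new violation."""
    if not new_violations:
        return "manager"
    worst = min(SEVERITY_RANK[v.risk.severity] for v in new_violations)
    if worst == SEVERITY_RANK["Critical"]:
        return "manager+risk_owner+security"
    return "manager+risk_owner"


if __name__ == "__main__":
    for user, violations in evaluate_all(ENTITLEMENTS, RULESET).items():
        for v in violations:
            print(f"{user}: {v.risk.risk_id} [{v.risk.severity}] "
                  f"{sorted(v.held_a)} x {sorted(v.held_b)}")
    req = preventive_check("bob", ["change_mgmt:network_change_approve"],
                           ENTITLEMENTS, RULESET)
    print("bob request route:", route_request(req))
```

Two edge cases are worth noting in the preventive check: a request that adds another entitlement on a side the user already holds (carol asking for a second payment-side entitlement) creates no new violation, and a request that would touch a risk the user already violates is not reported again, so the existing violation stays with the remediation process rather than blocking every later request.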
To summarize, organizations today are saddled with hybrid IT environments and are struggling to manage application security risks across varying technologies. Saviynt can help provide a platform to standardize your risk management activities by managing SoD violations across the enterprise — regardless of the technology vendor.
Wherever your organization is on its digital transformation journey, Saviynt’s cloud-native Enterprise Identity Cloud (EIC) platform provides flexible security solutions for both on-prem and cloud-based deployments.