Standardizing your enterprise risk management processes allows you to identify SoD and sensitive access violations within all of your applications — and even identify risks in business processes that can span multiple applications. Guarding application access typically falls within the area of Governance, Risk, and Compliance (GRC). Here are some ways you can manage SoD in today’s complex hybrid IT environments.
Implement a Modern GRC Platform
Implementing a modern GRC platform is critical to efficiently managing application security risks. An Identity Governance and Administration solution enables you to have a single source of truth for what a user has access to across the enterprise. In order to properly manage SoD risks from a GRC solution, the platform must have the capability to consume the full entitlement hierarchy from connected applications. It must also be able to define SoD and Sensitive Access Rulesets that include fine-grained entitlements.
Regularly Review Business Risks and SoD Rulesets
As you introduce new applications into your environment through digital transformation or M&A activities, you must evaluate how this impacts the risks to your business processes. It’s important to use out-of-the-box SoD and sensitive access rulesets provided by your vendors, consulting partners, or system integrators. That said, remember that these rulesets are not one size fits all and must be tailored to your specific business processes — and any customizations you’ve made in the applications. Be sure to hold formal training sessions with key business process owners to review high-level risk definitions, identify any missing or unique risks, and define the severity of each risk to your business. This due diligence helps you efficiently allocate resources during remediation.
Make sure to take a step back and identify any potential SoD risks that may span multiple applications or business processes. It may be a good idea to include risk management professionals or consultants in the ruleset review process because they can bring a wealth of experience and project accelerators to make this exercise more impactful.
Enable the Business to Take Ownership
Within your business, the IT department plays an important role in providing technology solutions to manage application security risk. They can also help stakeholders translate risk definitions into technical security permissions within each application. An IGA solution should allow organizations to define application or entitlement owners and incorporate them into governance processes.
To take full advantage of a governance solution, all entitlements assigned to users should have the owners defined — and those owners should be responsible for maintaining relevant metadata. At a minimum, this entitlement metadata should include a risk severity and an easy-to-understand description. A governance solution should allow business owners to easily view who has access to digital assets and remove users quickly.
Manage and Remediate Access Risk Violations
Managing and remediating SoD violations is an ongoing process. Risk owners should be defined, and processes should be formalized to alert them when new risk violations are identified. By customizing the risk severity to match your organization’s business processes (Critical, High, Medium, Low), you can more efficiently focus resources on remediating the most critical risk violations first. You should also work with internal audit to document mitigating controls and to ensure that they are uploaded into the GRC platform.
SoD and sensitive access violations should be remediated systematically and may require different actions, depending upon the particular situation. You can address risk violations by removing unnecessary access assignments, by making adjustments to the security design, or by a combination of these. Any remaining high-risk items should have an approved and documented mitigating control.
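To make the ruleset and remediation ideas above concrete, here is a small SoD evaluator added as an illustration (it is not code from any GRC or IGA product). It assumes a constructed role-to-entitlement hierarchy per application, rules written against fine-grained entitlements (one rule deliberately spans two applications), a Critical/High/Medium/Low severity ranking, and a set of documented mitigating controls keyed by user and rule.

```python
# Added example: minimal SoD ruleset evaluation (constructed data, no real product API).
from itertools import product

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed entitlement hierarchy: application -> role -> fine-grained entitlements.
HIERARCHY = {
    "ERP": {"AP_CLERK": {"ERP:VENDOR_CREATE", "ERP:INVOICE_ENTRY"},
            "AP_MANAGER": {"ERP:PAYMENT_RELEASE"}},
    "BANK": {"TREASURY": {"BANK:WIRE_APPROVE"}},
}

# Constructed ruleset: holding any entitlement on side "a" together with any on
# side "b" is a violation. R2 spans two applications (ERP and BANK).
RULESET = [
    {"id": "R1", "severity": "High", "a": {"ERP:VENDOR_CREATE"}, "b": {"ERP:INVOICE_ENTRY"}},
    {"id": "R2", "severity": "Critical", "a": {"ERP:INVOICE_ENTRY"}, "b": {"BANK:WIRE_APPROVE"}},
    {"id": "R3", "severity": "Medium", "a": {"ERP:PAYMENT_RELEASE"}, "b": {"BANK:WIRE_APPROVE"}},
]


def effective_entitlements(assignments):
    """Expand a user's role assignments [(app, role), ...] into fine-grained entitlements."""
    ents = set()
    for app, role in assignments:
        ents |= HIERARCHY.get(app, {}).get(role, set())
    return ents


def evaluate_user(user, assignments, mitigations, ruleset=RULESET):
    """Return the user's violations, most severe first, each flagged if a control exists."""
    ents = effective_entitlements(assignments)
    found = []
    for rule in ruleset:
        hits = list(product(rule["a"] & ents, rule["b"] & ents))
        if hits:
            found.append({"user": user, "rule": rule["id"], "severity": rule["severity"],
                          "conflicts": sorted(hits),
                          "mitigated": (user, rule["id"]) in mitigations})
    return sorted(found, key=lambda v: SEVERITY_RANK[v["severity"]])


def unmitigated(violations):
    """Violations that still need access removal, a design change, or a documented control."""
    return [v for v in violations if not v["mitigated"]]


if __name__ == "__main__":
    # Constructed user: an AP clerk who also holds a treasury role in the banking system.
    controls = {("alice", "R1")}  # mitigating control documented only for R1
    for v in evaluate_user("alice", [("ERP", "AP_CLERK"), ("BANK", "TREASURY")], controls):
        print(v["severity"], v["rule"], v["conflicts"], "mitigated" if v["mitigated"] else "OPEN")
```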
Incorporate Identity Risk Analytics into Business Processes
Organizations should focus on removing excessive access assignments and cleaning up the application security design prior to investing money in automated provisioning. Without performing this cleanup, you’ll increase your risk exposure at a much faster pace. Once you’ve aggregated all of your data into one platform, you can incorporate risk signatures like SoD violations and Outlier Access into the User Access Review process.