How Automating SOD Controls Monitoring and Management strengthens Compliance and Security
Segregation of Duties (SOD) is a fundamental building block for managing the risk of internal fraud and error: it requires different people to perform the different tasks that together complete a business process, so that no single person can both initiate an improper action and conceal it. Modern enterprises operate in an environment where roles and tasks proliferate, business processes change rapidly, and the regulatory environment is constantly evolving. This has made managing and enforcing SOD principles a growing challenge for most enterprises. Furthermore, many organizations realize the need to extend SOD management beyond the traditional realms of ERP and finance. Yet industry analysts estimate that only 30% of organizations use automated SOD controls. The rest analyze and monitor SOD manually using spreadsheets and consulting services, an approach that is both inefficient and error-prone. With today's data-driven workflows running in complex hybrid IT environments, an automated solution is the only way to keep up with risk monitoring and compliance audits. But what does an automated solution do, and what capabilities should it have?
Saviynt classifies this as an Application Governance, Risk and Compliance (GRC) solution that enables organizations to manage risk effectively by analyzing SOD violations, monitoring for fraudulent transactions and managing access for privileged users. This solution performs these key functions:
- SOD Analysis: With out-of-the-box SOD rulesets mapped to business processes, the solution identifies SOD conflicts across enterprise and cloud applications (SAP, Oracle EBS, PeopleSoft, Workday etc.). These rulesets are defined at a granular level (individual actions and transactions rather than whole roles) and offer more detailed SOD conflict management. Part of the analysis process is striking the right balance between the granularity of the rules and the operational requirements of SOD: rules that are too coarse miss conflicts hidden inside composite roles, while rules that are too fine flood reviewers with low-value findings.
- Automated Compliant Provisioning: By performing real-time policy analysis on each access request, the solution prevents users from acquiring conflicting access before it is granted, rather than detecting the conflict afterwards. At the same time, intelligent role- and attribute-based provisioning greatly simplifies managing access for users within the organization.
- Emergency Access Management: One of the critical aspects of the solution is managing and monitoring access for privileged users. Automating the process of granting exception access on a temporary, time-limited basis, and monitoring the activity performed under that access, significantly reduces exposure to data breaches.
- Risk-based Certification: This essential part of compliance is usually seen as overhead. However, if the solution can launch certifications based on conditions such as user risk profile, criticality of the application, department/business unit etc., the campaigns can be effective and avoid reviewer fatigue.
- Transaction Monitoring: Organizations can streamline auditing and quickly respond to unauthorized transactions with this capability.
The solution integrates three types of controls to perform the above-mentioned functions: detective, preventive, and reactive. Detective controls monitor and compare access and permissions against actual usage to ensure that monitored activity aligns with the authorizations granted. Preventive controls examine policies and peer groups to determine whether a problem could arise before access is granted. If an inconsistency is detected, reactive controls take over and alert the appropriate owners so the issue can be corrected in near real time, before it becomes a larger risk to the organization.
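The following is an added example, not Saviynt's product code, showing the core of what the SOD analysis, compliant provisioning and emergency access capabilities above actually compute. It uses the function/risk model common to ERP GRC rulesets: a business function is a set of granular application actions, a risk is a pair of functions that one person must not be able to perform together, and a user violates the risk when their effective entitlements contain at least one action from each side. All role, action and risk names are constructed for illustration.

```python
"""Minimal SOD rule engine: detective check, preventive provisioning check,
and time-boxed emergency access. Added example with hypothetical names."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed ruleset. Functions are sets of granular actions, not roles,
# so a conflict is caught even when the actions arrive via different roles.
FUNCTIONS: Dict[str, Set[str]] = {
    "maintain_vendor":  {"AP:create_vendor", "AP:change_vendor_bank"},
    "process_payment":  {"AP:create_invoice", "AP:release_payment"},
    "post_journal":     {"GL:post_journal"},
    "approve_journal":  {"GL:approve_journal"},
}

# A risk is a conflict between two functions (fictitious risk IDs).
RISKS: Dict[str, Tuple[str, str]] = {
    "P001": ("maintain_vendor", "process_payment"),  # pay a fake vendor
    "F002": ("post_journal", "approve_journal"),     # self-approve a journal
}

# Roles bundle actions; none of these roles is conflicting on its own.
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK":      {"AP:create_invoice"},
    "VENDOR_MASTER": {"AP:create_vendor", "AP:change_vendor_bank"},
    "PAYMENT_RUN":   {"AP:release_payment"},
    "GL_POSTER":     {"GL:post_journal"},
    "GL_APPROVER":   {"GL:approve_journal"},
}

@dataclass
class Grant:
    role: str
    expires: Optional[datetime] = None  # None = permanent; set for emergency access

@dataclass
class User:
    name: str
    grants: List[Grant] = field(default_factory=list)

def effective_entitlements(user: User, now: datetime) -> Set[str]:
    """Expand roles to actions, dropping grants that have already expired."""
    ents: Set[str] = set()
    for g in user.grants:
        if g.expires is None or g.expires > now:
            ents |= ROLES[g.role]
    return ents

def violated_risks(entitlements: Set[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Detective control: a risk is violated when the entitlements include at
    least one action from each of its two conflicting functions. Returns the
    offending actions on each side so a reviewer can see exactly why."""
    hits = {}
    for rid, (fa, fb) in RISKS.items():
        side_a = entitlements & FUNCTIONS[fa]
        side_b = entitlements & FUNCTIONS[fb]
        if side_a and side_b:
            hits[rid] = (sorted(side_a), sorted(side_b))
    return hits

def check_provisioning(user: User, role: str, now: datetime) -> Dict[str, Tuple[List[str], List[str]]]:
    """Preventive control: simulate the grant and report only the risks it
    would newly introduce. An empty result means the request is compliant."""
    current = effective_entitlements(user, now)
    before = violated_risks(current)
    after = violated_risks(current | ROLES[role])
    return {rid: v for rid, v in after.items() if rid not in before}

def grant_emergency_access(user: User, role: str, now: datetime, hours: int) -> Grant:
    """Time-boxed exception access. The expiry is recorded on the grant so
    the detective check stops flagging it once the window closes and any
    activity in the window can be tied back to this exception."""
    g = Grant(role, expires=now + timedelta(hours=hours))
    user.grants.append(g)
    return g

# Fixed reference time so the walkthrough is reproducible.
NOW = datetime(2024, 1, 1, 9, 0)
LATER = NOW + timedelta(hours=5)

def run_demo() -> dict:
    """Walk through the three controls on two constructed users."""
    alice = User("alice", [Grant("AP_CLERK"), Grant("VENDOR_MASTER")])
    bob = User("bob", [Grant("GL_POSTER")])
    out = {}
    out["alice_detected"] = violated_risks(effective_entitlements(alice, NOW))
    out["bob_request_approver"] = check_provisioning(bob, "GL_APPROVER", NOW)
    out["bob_request_payment"] = check_provisioning(bob, "PAYMENT_RUN", NOW)
    grant_emergency_access(bob, "GL_APPROVER", NOW, hours=4)
    out["bob_during_window"] = violated_risks(effective_entitlements(bob, NOW))
    out["bob_after_window"] = violated_risks(effective_entitlements(bob, LATER))
    return out

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

In the walkthrough, Alice's two individually harmless roles combine into risk P001, which is the kind of conflict a role-level check misses; Bob's request for GL_APPROVER is refused up front by the preventive check while PAYMENT_RUN passes; and the four-hour emergency grant is flagged while active and silently drops out once it expires, which is what lets a reviewer scope the activity review to that window.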
When I analyze the solution providers in this space, they either offer products designed to work with specific ERP or financial management systems, or provide capabilities at a level too high to meet audit requirements. We have built a robust SOD management and continuous compliance capability into our IGA solution, which we refer to as IGA 2.0. One great advantage of having Application GRC built into an IGA solution is that the same analytics used in Identity Governance can be applied seamlessly to SOD management. Beyond that, however, the real value comes from consolidating Identity Governance and Application GRC into a single platform that works across all applications.
To learn more about Saviynt Application GRC solution and what it can do, visit our products page.