Why IT security should be worried about Segregation of Duties
Segregation of Duties, also known as Separation of Duties (SoD), is not a new concept. It has been used in finance and accounting for many years and gained increased scrutiny after passing the Sarbanes–Oxley Act of 2002. And organizations are again looking at the principle of SoD to help them confront the incursion of identity-related access risks within the current threat landscape.
In this blog, we will explore SoD within your IT organization, why insufficient SoD policies are so detrimental, and how policy-based identity governance can ensure that proper internal controls are established to reduce adverse impacts on the organization.
What is Segregation of Duties?
According to NIST, Segregation of Duties is the "principle that no user should be given enough privileges to misuse a system on their own." For example, the same person should not be responsible for developing and testing a security system. The primary objectives of SoD in security are:
Prevent conflicting responsibilities or transaction rights, criminal acts, fraud, abuse, and errors, and
Detect control failures like security breaches, data theft, and bypassing security controls
Today, the control environment encompasses business processes and the systems used to carry out those business processes. It is relatively easy to define a business process to ensure proper SoD. However, business processes also have a system counterpart that must be reinforced by SoD control. While these are often in place within a single application, they must also span multiple systems.
The increasing reliance of business processes on IT systems to support their execution underscores the risks from the lack of proper SoD caused by granting excessive system access. Setting an appropriate division of responsibilities and reflecting it in the access privileges granted to users of IT systems becomes necessary for the secure execution of business processes.
How can Segregation of Duties enforce security?
Consider the following scenario to highlight why an effective SoD policy is necessary for IT security. Imagine a Purchasing Clerk in your company creates an urgent purchase order requested by the Sales department. In your company, it is standard for a Purchasing Manager to review purchase orders but suppose they are out of the office. To move the purchase order along, the junior Accounting Clerk goes into the ERP and approves the purchase order themself. In this example, the Purchasing Clerk's ability to create and approve the purchase order indicates that there is no SoD control in place to prevent abuse and fraud.
Having an SoD access policy prevents toxic combinations of access within your organization that can lead to fraud and abuse. Another benefit of implementing proper SoD is to reduce the risk of error. For example, if you only have one person responsible for defining user permissions and assigning permissions, that person could define super-user permissions to themselves and cause major damage. Having multiple people involved in the permissions process helps avoid insider threats.
Identity governance and effective access controls
Organizations that regard SoD as an integral control rely on identity governance and administration (IGA) to enable them to centralize the continuous monitoring, management, and review of access. IGA solutions ensure that access to data and systems is tightly controlled and allow organizations to demonstrate that they are meeting IT General Controls requirements through access certification and policy-based user provisioning.
Access certification is the process of validating access rights to systems. Access certification is indispensable for organizations to enforce their SoD policies, comply with global regulations and meet increasing auditor demands. Access certification can also be used by IT Security to review the access of temporary users with special permissions. For example, if IT security grants temporary administrator access to their Systems Integrator, that level of access should be periodically reviewed to ensure that it is still appropriate.
Access certification is critical to maintaining security, particularly in safeguarding against SoD access violations that could lead to security incidents. Reviewing user access ensures that users are assigned the minimum access necessary to perform their jobs. Periodic access certification will ensure that employees who join, leave, or change roles do not accumulate access as they move throughout the organization and that users do not retain access after they depart the organization.
Manual access certification is tedious and error-prone. However, a policy-based IGA solution improves accuracy and avoids using spreadsheets or lists to review user access. An automated solution also provides certification managers visibility into specific attributes of the users and an increased ability to spot anomalies. And this leads to greater accuracy across the organization because certification managers understand what they are reviewing.
Organizations seeking to simplify the access review process with an automated solution should look for the following capabilities:
Quickly review and manage user access
Timely remediation of inappropriate access
Perform complete access certification across applications, and
Meet audit demands and maintain an audit log
Policy-based user provisioning
PBAC Identity governance also helps identify Segregation of Duties conflicts during user provisioning. User provisioning grants and manages an organization's access to applications, systems, and data. Organizations should define access policies and entitlements to enforce SoD policies during user provisioning and provide a seamless access approval process. Automating the provisioning process makes it efficient and accurate, ensuring new employees do not have to wait to access the system and that the privileges are appropriate for their role.
Best practice SoD IT security policies
Each organization is unique, but to ensure that IT security controls are appropriately enforced, a policy-based IGA solution is needed. A policy-based IGA solution offers the flexibility to create and implement any separation of tasks the business requires. A role-based IGA solution can’t handle distributed identities (contactors, employees from a merger, etc.) and depends on creating roles for every business function, granting that role permission to access specific resources, and assigning a user to the role. A role-based IGA is not flexible and extremely limited for large-scale use.
Examples of best practice IT security SoD policies are:
Security system analysts should be the only people to have access to system logs and audits
Security system designers should not have the ability to test or validate the systems they design
End users should not have the ability to access or modify production data without a system log
System security administrators should be the only people who can monitor for excessive, unauthorized, or unused privileges
Database Administrators should not have superuser or administrator privileges
Functional users and programmers should not have the ability to access or modify source or application code
Network security analysts should be the only people to have access to firewalls and network security systems
System security administrators should be the only people who can create, update, or delete user accounts
These SoD controls create vigorous checks and balances that prevent any individual or role from:
Altering sensitive data within production systems
Changing security features, like disabling audit functions
Modifying system logs or audit reports
Granting a user account excessive privilege, like permission to view or change sensitive data
The problem of SoD in IT security will likely continue to increase as identity access becomes the primary defense against fraud, error, and cyber-attacks. There must be a separation of responsibilities to reduce the risk of unauthorized activity or access to data. System access and privileges must be carefully granted and reviewed to enforce checks and balances within business processes and systems to minimize the opportunity for unauthorized access and cyber-attacks.
The importance of SoD in cyber security
Cybersecurity has moved to the top of the list of priorities of CISOs and not just because of the astronomical cost of cyber insurance. According to Gartner organizations will spend a collective $188.3 billion on information security and risk management products and services in 2023. And a Gartner survey reported that 61 % of CIOs are boosting their cybersecurity investments. But what if there was a cybersecurity solution that was low-investment and relatively easy to implement? Luckily there is, and it's a solution that can be stolen right out of the CFOs playbook: Segregation of duties.
Insider Threats and how to prevent them
Cybersecurity budgets have grown exponentially over the past five years. Many analysts predict worldwide cybersecurity spending to exceed $1.75 trillion between 2021 and 2025. If trillions of dollars are being spent on cybersecurity, why are insider threats increasing, who is responsible for them, and what can your organization do to prevent them?
Policy-based Access Governance
Identity Governance and Administration (IGA) systems do not provide fine-grained risk management capabilities which are critical for compliance reporting, auditing, and forensics. IGA systems are unable to control access risks growing from face-paced, digital business landscapes, a mix of on-premise and cloud application environments, and an increase in hybrid work models.