What is Segregation of Duties (SoD)?

What is Segregation of Duties?

Segregation of Duties (SoD), sometimes referred to as Separation of Duties, is an internal control that identity governance and administration practitioners use to divide the tasks and responsibilities of a critical process among multiple individuals, reducing the risk of error, fraud, or malicious activity. The control ensures that no single individual controls every step of a critical process, which both prevents fraud and limits the opportunity for mistakes or intentional wrongdoing to go unnoticed. SoD is a core component of Identity Governance and Administration (IGA) and of an organization's cybersecurity strategy overall.

Why Segregation of Duties is Important for IGA

Imagine this scenario: an administrator or an outsourced IT engineer has ‘write’ privileges on a database containing proprietary corporate information. If either individual's role within the organization changes for any reason, they will most likely need access to new systems, files, and data to do the new job. The organization must therefore account for the fact that as users' roles change, their access rights must change with them. Over the identity lifecycle, in which users join, move within, and leave an organization, users are likely to accumulate roles that, when combined, create conflicting access rights. These are called toxic combinations.

Say a user in finance holds several jobs over time and at some point is responsible for accounts receivable and accounts payable simultaneously. Under the principles of SoD this is not allowed: no one person should hold access to both at the same time. Access rights and entitlements must be continuously checked against the person's current responsibilities and separated accordingly.

Core Principles of Segregation of Duties

No Single Control

No single user should have control over all aspects of a critical function or transaction. Organizations must ensure that tasks are divided among multiple users so no single person can perform or approve an entire process from start to finish without oversight.

Segregation of Authorization, Execution, and Custody

The organization must ensure that different users or departments handle the principal components of a process: approving it (authorization), carrying it out (execution), and holding the resulting assets or records (custody). Because each component is in different hands, a discrepancy or malicious action in one step is visible to the party responsible for the next.

Independent Verification

The work that any user performs must be verified by a separate individual or team. This enables someone not involved in the original task to check for errors, fraud, or irregularities.

Role-Based Access Control (RBAC)

Employees, vendors, contractors, and other stakeholders must only have the access and permissions necessary for their specific roles, preventing them from performing unauthorized actions.

Dual Control

Particularly sensitive tasks or transactions should require two or more individuals to complete. This ensures that no single person can perform sensitive actions without the knowledge or approval of another person.

Periodic Review and Audit

Organizations should regularly review and audit roles, responsibilities, and access controls to ensure compliance with SoD policies.

Conflict of Interest Avoidance

SoD must mitigate potential conflicts of interest, where an individual’s role or actions could unfairly benefit them or harm the organization. Assigning incompatible roles to different people helps make security risk management more effective.

Segregation of Duties in Practice

Here is how a SaaS-based IGA solution manages SoD:

  • Identities are evaluated against the defined SoD constraints to detect any toxic combinations of resources.
  • If a violation is detected because a resource has just been assigned to an individual, the access is not provisioned until the violation has been approved or resolved.
  • If a violation is due to an assignment that was already provisioned before the constraint was created, no deprovisioning task is created immediately; the IGA system postpones action until the violation is approved or resolved.
  • The user's manager receives a task to approve the violation. Approval requires a stated reason and a selected compensating control.
  • The security officers for the user's group receive a task to review the approval. They cannot override the manager's decision, but they can reject the task and return it to the manager with a comment.
  • Approved toxic combinations are provisioned or kept in place; conflicting assignments that are resolved instead are disabled or deprovisioned.
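The following Python model is an added example, not Omada's code or any product's API: it takes the accounts receivable / accounts payable toxic combination from the finance example earlier on this page and runs the six-step workflow above over it. The constraint names, approval states, identities and resource names are constructed for illustration. It shows the two behaviours the steps distinguish (a newly requested assignment is withheld, a pre-existing one is only postponed), that a manager's approval is rejected without a reason and a compensating control, that the security officer can only accept or send the task back, and that resolving a conflict deprovisions one side of it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

class Status(Enum):
    PROVISIONED = "provisioned"  # access already granted
    PENDING = "pending"          # requested, not yet granted
    DISABLED = "disabled"        # deprovisioned to resolve a conflict

@dataclass
class Assignment:
    identity: str
    resource: str
    status: Status

@dataclass(frozen=True)
class Constraint:  # a toxic combination: holding both resources at once is a violation
    name: str
    left: str
    right: str

@dataclass
class Violation:
    identity: str
    constraint: Constraint
    assignments: List[Assignment]
    state: str = "awaiting_manager"  # -> awaiting_security_officer -> approved | resolved
    decision: Tuple[str, str] = ("", "")  # (manager's reason, compensating control)
    officer_comment: str = ""

    @property
    def action(self) -> str:
        # New requests are withheld; access granted before the constraint existed stays for now.
        pending = any(a.status is Status.PENDING for a in self.assignments)
        return "withhold_provisioning" if pending else "postpone_deprovisioning"

def evaluate(assignments: List[Assignment], constraints: List[Constraint]) -> List[Violation]:
    """Flag every identity whose provisioned plus pending resources hit a constraint."""
    held: Dict[str, Dict[str, Assignment]] = {}
    for a in assignments:
        if a.status is not Status.DISABLED:
            held.setdefault(a.identity, {})[a.resource] = a
    return [Violation(who, c, [res[c.left], res[c.right]])
            for who, res in held.items() for c in constraints if c.left in res and c.right in res]

def manager_decide(v: Violation, reason: str, compensating_control: str) -> Violation:
    # Managers approve a violation only with a reason and a chosen compensating control.
    if v.state != "awaiting_manager" or not reason.strip() or not compensating_control.strip():
        raise ValueError("manager approval needs an open task, a reason and a compensating control")
    v.decision, v.state = (reason, compensating_control), "awaiting_security_officer"
    return v

def security_officer_review(v: Violation, accept: bool, comment: str = "") -> Violation:
    # Security officers cannot override the manager: they accept, or send the task back.
    if v.state != "awaiting_security_officer":
        raise ValueError(f"violation is not with the security officer: {v.state}")
    if accept:
        v.state = "approved"
    else:  # returned to the manager with a comment; the manager must decide again
        v.officer_comment, v.decision, v.state = comment, ("", ""), "awaiting_manager"
    return v

def resolve(v: Violation, remove_resource: str) -> Violation:
    # Resolve the conflict by deprovisioning one side of the toxic combination.
    for a in v.assignments:
        if a.resource == remove_resource:
            a.status = Status.DISABLED
    v.state = "resolved"
    return v

def apply_decisions(assignments: List[Assignment],
                    violations: List[Violation]) -> Dict[Tuple[str, str], Status]:
    """Provision pending access except where an open violation still withholds it."""
    blocked = {(a.identity, a.resource) for v in violations
               if v.state not in ("approved", "resolved") for a in v.assignments}
    for a in assignments:
        if a.status is Status.PENDING and (a.identity, a.resource) not in blocked:
            a.status = Status.PROVISIONED
    return {(a.identity, a.resource): a.status for a in assignments}

# Constructed sample data; identities and resource names are hypothetical.
CONSTRAINTS = [Constraint("AR/AP", "accounts_receivable", "accounts_payable"),
               Constraint("vendor/payment", "vendor_master", "payment_release")]

def sample_assignments() -> List[Assignment]:
    return [Assignment("alice", "accounts_receivable", Status.PROVISIONED),  # held already
            Assignment("alice", "accounts_payable", Status.PENDING),         # new, conflicting
            Assignment("bob", "vendor_master", Status.PROVISIONED),          # both granted before
            Assignment("bob", "payment_release", Status.PROVISIONED),        # the constraint existed
            Assignment("carol", "payment_release", Status.PENDING)]          # conflict-free request

def run_workflow() -> Dict[Tuple[str, str], Status]:
    """The six steps from the text, end to end, over the sample data."""
    assignments = sample_assignments()
    alice, bob = evaluate(assignments, CONSTRAINTS)            # alice: withheld; bob: postponed
    manager_decide(alice, "covers AP during a two-week absence", "weekly payment-run review")
    security_officer_review(alice, accept=False, comment="name the reviewer")  # back to manager
    manager_decide(alice, "covers AP during a two-week absence", "weekly payment-run review by CFO")
    security_officer_review(alice, accept=True)
    resolve(bob, "payment_release")                             # bob keeps vendor_master only
    return apply_decisions(assignments, [alice, bob])
```

Two design points worth noting. The reason and compensating control are stored on the violation, not discarded after approval, because they are the audit evidence that the toxic combination was knowingly accepted. And `apply_decisions` only withholds the assignments that belong to an open violation, so an unrelated request (carol's) is still provisioned while alice's conflicting request waits.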

Benefits of Segregation of Duties

Enhanced Governance and Risk Mitigation

Effective SoD policies reduce the incidence of access-related risk, prevent unnecessary privilege accumulation and access creep, and improve the detection of policy violations and anomalies.

Streamlined Compliance and Audit Processes

SoD helps organizations meet identity governance regulatory requirements, simplifies audits tied to identity-related regulations, and demonstrates strong identity governance practices.

Operational Efficiency and Identity Lifecycle Management

SoD clearly defines roles and access rights throughout the identity lifecycle, improves user provisioning and de-provisioning, and increases transparency in access request and approval workflows.

Where to Learn More and Get Help

Regular SoD testing mitigates the risk of toxic combinations and supports business continuity. Working with a trusted solutions partner offering robust IGA capabilities, such as Omada, to automate and streamline SoD management and testing will help you get the most value from your SoD strategy.

See a demonstration of how Omada Identity Cloud streamlines SoD testing and enhances overall identity and access governance.
