‘Separation of church and state’ is a phrase largely attributed to Thomas Jefferson, aimed at keeping government out of how people worship and pray, and vice versa. The idea is to protect religious freedom: the government has no say in how people pray, and religion does not permeate how states are governed. The phrase, which first appeared in 1802, is an early example of what we might call a ‘toxic combination’: the two entities must remain separate, because anyone holding power in both areas could produce a damaging result. This type of scenario, in which certain combinations of access lead to massive downside, applies directly to how organizations today govern and administer identity access and entitlements.
One of the most classic business examples of a toxic combination is the financial dealings of Enron, where accountants and business leaders conspired to cook the books and publicly misrepresent the financial stability of the company. The full story is lengthy, but it boils down to the fact that people at the firm had too much access to financial reporting without proper checks and balances, and it led to one of the biggest corporate scandals in US history. In response, the Sarbanes-Oxley (SOX) Act of 2002 was enacted to mandate certain practices in financial reporting for publicly traded companies in the United States, and other countries across the globe have since passed similar legislation to safeguard against this kind of unfettered corporate dealing. Guarding against toxic combinations, however, is not just a popular item on auditors’ checklists; it should also be a key consideration in any organization’s cybersecurity strategy.
Consider for a moment an administrator or an outsourced IT engineer who has ‘write’ privileges on a database containing files with proprietary corporate information. If that person then changes roles, they likely need access to new systems, new files, and new data. It is imperative that the organization recognize that as roles change, access rights must change too. Throughout an identity’s lifecycle of joining, moving, and leaving an organization, a person may hold a series of roles whose access rights, when accumulated, conflict with one another. For instance, someone in finance may at one point be responsible for accounts receivable and at another point for accounts payable. It does not require a degree in high finance to realize that no person should hold access to both at the same time. Access rights and entitlements need to be continuously checked and separated according to the person’s responsibility at that given time.
Without a system in place to detect that a person has changed roles and therefore has new access requirements, entitlement creep is the likely result, and entitlement creep leads to toxic combinations. Modern Identity Governance & Administration (IGA) tools are designed to monitor access rights and ensure that the right users have access only to the right things. This particular control is often referred to as Separation of Duties (SoD) and serves to prevent fraud.
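The following is an added illustration of what such a check does, not code from Omada or from any IGA product: it replays a constructed set of joiner/mover/leaver entitlement events into each identity's current entitlements and reports anyone holding both sides of a toxic-combination rule, using the accounts receivable / accounts payable pair from the text. The rule names, entitlement strings and event format are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SoDRule:
    """Two entitlements that must never be held by the same identity at once."""
    name: str
    left: str
    right: str

# Constructed toxic-combination policies, modelled on the examples in the text.
RULES = [
    SoDRule("AR/AP conflict", "finance:accounts_receivable", "finance:accounts_payable"),
    SoDRule("Journal self-approval", "finance:post_journal", "finance:approve_journal"),
]

def current_entitlements(events):
    """Replay (identity, 'grant'|'revoke', entitlement) lifecycle events into
    the set of entitlements each identity still holds today."""
    held = {}
    for identity, action, entitlement in events:
        bucket = held.setdefault(identity, set())
        if action == "grant":
            bucket.add(entitlement)
        elif action == "revoke":
            bucket.discard(entitlement)
        else:
            raise ValueError(f"unknown action {action!r}")
    return held

def find_sod_violations(held, rules=RULES):
    """Return (identity, rule name) for every identity holding both sides of a rule."""
    return [(identity, rule.name)
            for identity, entitlements in sorted(held.items())
            for rule in rules
            if rule.left in entitlements and rule.right in entitlements]

# Constructed lifecycle: alice moves from AR to AP but AR is never revoked
# (entitlement creep); bob's old entitlement is revoked when his role changes.
EVENTS = [
    ("alice", "grant", "finance:accounts_receivable"),
    ("alice", "grant", "finance:accounts_payable"),    # mover: nothing revoked
    ("bob", "grant", "finance:accounts_receivable"),
    ("bob", "revoke", "finance:accounts_receivable"),  # mover: old access removed
    ("bob", "grant", "finance:accounts_payable"),
]

if __name__ == "__main__":
    for identity, rule_name in find_sod_violations(current_entitlements(EVENTS)):
        print(f"SoD violation: {identity} holds both sides of '{rule_name}'")
```

Only alice is flagged: her mover event granted the new entitlement without revoking the old one, which is exactly the creep a periodic SoD check is meant to catch.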
As mentioned, SoD controls have both compliance and cybersecurity ramifications. To maintain SOX compliance and pass the corresponding audits, for example, organizations must prove to auditors that proper controls are in place, where they are applied, and that the organization has visibility into who can do what (and why). From a security standpoint, someone who has accrued too many privileges, such as a stock trader able to see the holdings of accounts for clients they manage, is not only an easy target for attackers but can also cause damage themselves if so motivated. Any accumulation of access or privilege needs to be continuously checked for, with policies in place to remove toxic combinations. Enforcing the separation of access rights, as Mr. Jefferson imagined in the 1800s, should be a critical component of any organization’s Identity and Access Management program. For more on how Omada can help organizations remain compliant and secure, check out our Compliance Management page.