
Mastering Separation of Duties (SoD) with Identity Governance and Administration (IGA)

Ensure robust Separation of Duties with effective testing. Learn how IGA streamlines the process, mitigating risks and ensuring compliance in this guide!

Understanding Separation of Duties in Information Security

Separation of Duties (SoD) is an internal control mechanism that divides tasks and responsibilities among multiple individuals to reduce the risk of error, fraud, or malicious activity. The mechanism is designed to ensure that no single individual has control over all aspects of any critical process, thereby preventing fraud and limiting opportunities for mistakes or intentional wrongdoing. SoD is a critical component of Identity Governance and Administration (IGA) and of cybersecurity strategy overall.

Here is an example of how the Separation of Duties mechanism impacts conflicting duties and helps mitigate identity and access management risks:

Consider the example of an administrator or an outsourced IT engineer who has ‘write’ privileges on a database that contains files with proprietary corporate information. If that person changes roles, they likely need access to new systems, new files, and new data. The organization must consider that as roles change, access rights must also change. Throughout an identity’s lifecycle of joining, moving, and leaving an organization, users very likely have varying roles that, when put together, create conflicting access rights. For instance, someone in finance may work multiple jobs where at one point they are responsible for accounts receivable, and at another point, accounts payable. According to the principles of SoD, this cannot happen. No person should have access to both at the same time. Access rights and entitlements must be continuously checked and separated out by whatever that person’s responsibility is at that given time.

The Separation of Duties internal control mechanism is based on these key principles:

1. No Single Control

No individual should have control over all aspects of a critical function or transaction. Tasks must be divided among multiple people to ensure that no single user can perform or approve an entire process from start to finish without oversight.

2. Separation of Authorization, Execution, and Custody

The key components of a process—such as approving (authorization), executing (processing or performing), and recording (custody)—should be handled by different individuals or departments. This ensures that any discrepancies or malicious actions can be caught by another party involved in the process.

3. Independent Verification

A separate individual or team should verify the work that others perform. This ensures that someone not involved in the original task can check for errors, fraud, or irregularities.

4. Role-Based Access Control (RBAC)

Employees must only have the access and permissions necessary for their specific roles, preventing them from performing unauthorized actions. Sensitive tasks or data must only be accessible to those who need it for their job.

5. Dual Control

Certain critical tasks or transactions should require two or more individuals to complete. This ensures that no single person can perform sensitive actions without the knowledge or approval of another person.

6. Periodic Review and Audit

Organizations should regularly review and audit roles, responsibilities, and access controls to ensure compliance with SoD policies. Over time, roles may change, and it is important to ensure that controls remain in place as job functions evolve.

7. Conflict of Interest Avoidance

SoD must mitigate potential conflicts of interest, where an individual’s role or actions could unfairly benefit them or harm the organization. Assigning incompatible roles to different people helps make security risk management more effective.

Understanding the purpose, principles, and importance of the Separation of Duties internal control helps auditors and audit compliance professionals see its role in mitigating risks.

Separation of Duties Controls

Managing the relationship between SoD and internal controls effectively contributes significantly to overall organizational security. SoD ensures tasks are divided among multiple individuals to reduce risk and enhance accountability.

Conflicting duties create risk when a single user controls processes that should be separated, such as accounts receivable and accounts payable. For example, if one person can both authorize payments and reconcile bank statements, they could manipulate financial data for personal gain. Likewise, administrators with high levels of privilege who are not subject to oversight may quietly over-permission themselves or others, putting sensitive data at risk.

Internal control processes and procedures safeguard assets, ensure accurate and reliable reporting, and ensure compliance with laws and regulations. They manage and mitigate risks that could harm the organization’s performance and integrity. Organizations use SoD to prevent a single individual from having control over all aspects of a critical task or transaction and reduce the risk of fraud and error. SoD forms a key part of an organization’s overall internal control environment. It works in tandem with other controls (like reconciliations, audits, and physical controls) to create a comprehensive system for identity governance risk management.


Key Benefits of Separation of Duties in Cybersecurity

Implementing SoD reduces the risk of fraud, improves audit trails, and enhances security posture. By clearly defining roles and responsibilities, SoD contributes to business efficiency. Effective SoD also supports compliance with regulatory requirements and standards. Other benefits include:

Enhanced Governance and Risk Mitigation

  1. Reduction of access-related risks
  2. Prevention of privilege accumulation and access creep
  3. Improved detection of policy violations and anomalies

Streamlined Compliance and Audit Processes

  1. Meeting regulatory requirements specific to identity governance
  2. Simplifying identity-related audit processes
  3. Demonstrating strong identity governance practices

Operational Efficiency and Identity Lifecycle Management

  1. Clear definition of roles and access rights throughout the identity lifecycle
  2. Improved user provisioning and de-provisioning processes
  3. Enhanced transparency in access request and approval workflows


Lack of Separation of Duties: Risks and Consequences

Potential negative outcomes that can arise from a lack of proper SoD implementation include heightened financial, operational, and reputational risks and failure to comply with regulatory and compliance standards.

Increased Vulnerability to Access-Related Risks

Here are several Separation of Duties examples and scenarios of breaches that have occurred due to inadequate SoD practices:

  1. A former employee at a financial firm was able to download and exfiltrate sensitive customer data. Due to insufficient SoD controls in identity governance, the individual had excessive access rights and could perform actions without oversight or separation of approval and execution.
  2. In many large organizations, IT administrators with excessive privileges can create, modify, and approve their own user accounts, allowing them to escalate privileges without detection. This occurred in multiple breaches, such as the Edward Snowden incident at the NSA, where access control was not sufficiently segmented. The lack of SoD allowed individuals to both assign themselves higher-level access and carry out unauthorized actions without being detected or requiring approval from another person.
  3. In one organization, lack of SoD between authorization and execution allowed an employee to commit financial fraud by manipulating the payroll system to issue additional payments to themselves. The person had control over both the payroll system (execution) and the authorization for payroll adjustments.
  4. When there is no clear separation between the roles of managing user accounts (administration) and auditing data changes (review and control), an individual can bypass proper checks. In this case, a user can grant themselves or others unauthorized access to modify financial data. For example, a 2011 fraud case involving a multinational accounting consultancy revealed that employees could manipulate financial reports due to inadequate SoD.
  5. In a healthcare organization, inadequate controls on IT administrators with high-level access privileges enabled them to access sensitive health records without any monitoring or independent checks, leading to the breach of millions of patient records.
  6. An organization that failed to enforce SoD in its accounting processes allowed employees to cover up billions of dollars in expenses by manipulating records. They were able to authorize transactions and execute them without independent checks.
  7. No clear SoD between code access and monitoring of high-value intellectual property allowed an engineer to steal valuable proprietary code over a period of months before detection.

Compliance Violations and Identity Governance Issues

Organizations that have difficulty demonstrating proper identity controls during audits devote a disproportionately high level of resources to the process. In the event of compliance failure, they face numerous potential penalties related to identity and access governance failures, some of them severe.

Identity Management and Access Governance and Compliance Inefficiencies

Confusion about access rights and entitlements within the organization dramatically increases the potential for access-related errors and misconfigurations, making compliance demonstration more difficult and time-consuming.


How to Implement SoD

To implement SoD successfully, organizations must engage in a discovery process through which they can identify the areas where conflicting roles present the most risk. They must identify these risks, prioritize their importance, and document the appropriate roles and responsibilities.

Next, organizations must map these established roles and responsibilities to internal controls and “pressure test” the process using walk-throughs and testing to optimize performance.

Step by Step Guide to SoD Implementation


Review job roles and workflows

Identify the key business processes where Separation of Duties is crucial and determine the specific risks associated with each business process if duties are not properly separated. Document who is responsible for each task in the process. Use an organizational chart or role matrix to visualize how responsibilities are distributed across the team. Cross-check with system permissions and access rights to ensure they align with documented responsibilities.

Analyze Access Controls

Review user access controls in systems to determine whether access is properly restricted based on job roles. Run reports to identify any users with excessive privileges.

Perform Walkthroughs

Conduct walkthroughs of key processes by interviewing process owners and observing how the duties are being carried out. Verify if the controls and duties specified in policy documents are being followed in practice.

Test for Conflicting Roles

Automation helps accelerate the process of identifying instances where individuals may have access to conflicting roles or duties.

Sample Transactions Testing

Select a sample of transactions and trace their approval and execution process to ensure no individual had complete control over critical steps. For each transaction, validate that different individuals handled each key stage.

Evaluate Automated Controls

Organizations using automated systems to enforce SoD (such as ERP systems with built-in SoD monitoring) must consistently evaluate the configuration of these systems to ensure they actually prevent users from performing incompatible tasks (e.g., by raising an error when a user tries to approve a transaction that they initiated).

Review Exception Handling

Review how exceptions to SoD are handled.

Report Findings and Recommendations

Document any violations or weaknesses in SoD you identified during testing and provide recommendations for mitigating the risks.
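The "Test for Conflicting Roles", "Sample Transactions Testing" and "Review Exception Handling" steps above can be automated against an entitlement export. The following is an added example, not code from Omada or from this article; the rule set, entitlement snapshot, transaction trace and documented exception are all constructed for illustration.

```python
# Constructed SoD rule set: pairs of entitlements (toxic combinations) that one
# identity must never hold at the same time, each with a risk rating.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "high"),
    ("AR_POST_RECEIPT", "AP_APPROVE_PAYMENT", "high"),
    ("PAYROLL_ADJUST", "PAYROLL_APPROVE", "high"),
    ("IAM_ADMIN", "IAM_AUDIT_REVIEW", "medium"),
]

# Constructed entitlement snapshot, in the shape an IGA export might take.
USER_ENTITLEMENTS = {
    "alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
    "bob": {"AR_POST_RECEIPT"},
    "carol": {"PAYROLL_ADJUST", "PAYROLL_APPROVE", "IAM_ADMIN"},
    "dave": {"IAM_ADMIN", "IAM_AUDIT_REVIEW"},
}

# Constructed approved exception (user, entitlement A, entitlement B) with its
# compensating control; such exceptions are reported separately, not silently dropped.
APPROVED_EXCEPTIONS = {
    ("dave", "IAM_ADMIN", "IAM_AUDIT_REVIEW"): "weekly independent log review by CISO office",
}

def find_sod_conflicts(entitlements, rules, exceptions=None):
    """Return (violations, accepted) where each item is (user, ent_a, ent_b, risk).
    A violation is a toxic combination held by one identity with no documented exception."""
    exceptions = exceptions or {}
    violations, accepted = [], []
    for user, held in sorted(entitlements.items()):
        for ent_a, ent_b, risk in rules:
            if ent_a in held and ent_b in held:
                hit = (user, ent_a, ent_b, risk)
                (accepted if (user, ent_a, ent_b) in exceptions else violations).append(hit)
    return violations, accepted

# Constructed transaction trace: who handled each key stage of a payment.
TRANSACTIONS = [
    {"id": "PAY-1001", "initiated_by": "bob", "approved_by": "alice", "recorded_by": "carol"},
    {"id": "PAY-1002", "initiated_by": "alice", "approved_by": "alice", "recorded_by": "bob"},
    {"id": "PAY-1003", "initiated_by": "carol", "approved_by": "bob", "recorded_by": "carol"},
]

def sample_transaction_test(transactions):
    """Flag transaction ids where one person handled more than one key stage."""
    findings = []
    for tx in transactions:
        actors = [tx["initiated_by"], tx["approved_by"], tx["recorded_by"]]
        if len(set(actors)) < len(actors):  # a repeated actor means no separation
            findings.append(tx["id"])
    return findings
```

Running both checks over the constructed data flags alice and carol as role-level violations, lists dave under the documented exception, and flags PAY-1002 and PAY-1003 as transactions where initiation, approval and recording were not separated.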

Identifying Critical Identity Governance Processes and Roles

Map key IGA functions and workflows and define sensitive access points to enforce the least privilege principle.

Analyzing Current Identity and Access Rights

Conduct a thorough review of user entitlements and access policies to identify potential conflicts in user roles and permissions.

Implementing Best Practices SoD Testing Procedures in IGA

Use role-based and attribute-based approaches for SoD analysis and leverage IGA tools for automated SoD testing and reporting.

Addressing SoD Conflicts in Identity Governance

Resolving identified SoD conflicts within IGA requires careful planning, collaboration across departments, and the implementation of effective controls. Here are some tips on resolving these conflicts:

1. Assess the Nature and Scope of the Conflict

Determine if it is related to access controls, roles, or user permissions that allow an individual to perform incompatible tasks and the potential impact of the conflict.

2. Define and Revalidate Role Structures

Revisit and analyze the roles defined within the IGA system to ensure they are designed with SoD principles in mind. Ensure roles do not overlap in ways that introduce SoD conflicts and reconfigure role-based access control (RBAC) when necessary.

3. Automated SoD Conflict Detection and Alerts

Continuously scan for conflicts and toxic combinations and flag them in real-time.

4. Conduct Access Recertification Campaigns

Conduct periodic recertifications where managers, role owners, or system administrators review and approve the access rights of each user. When users change roles or responsibilities, their access should be reviewed and adjusted to eliminate conflicts that might arise from role transition.

5. Remediation of High-Risk Users

For users who have access to conflicting duties, work with relevant stakeholders (managers, HR, IT) to reassign, remove, or split access rights.

6. Design Custom SoD Policies

Create custom SoD rules that define incompatible combinations of roles and access rights. Review and update SoD policies to adapt to changes in organizational structure, regulatory requirements, and business processes.

7. Implement Workflow-Based Access Requests

Use workflow-based systems for managing access requests that require multiple levels of approval before granting sensitive access rights.

8. Train and Educate Stakeholders

Provide training to employees on the importance of Separation of Duties and why certain access and authorization controls are in place.

9. Engage Stakeholders

Work closely with business process owners, HR, and IT to design SoD resolutions that are both secure and operationally feasible.

If SoD is not feasible due to resource constraints, implement compensating controls such as independent reviews by management and dual signatures or approvals for critical tasks.

Continuous Monitoring and Improvement of Identity Governance

Set up a regular auditing process that includes testing access controls and SoD configurations to ensure compliance with policies. After conflicts are resolved, continue monitoring the users and processes involved to ensure that similar conflicts do not arise again.

Leveraging IGA Platforms and Solutions

Omada Identity Cloud supports SoD implementation and testing. This SaaS-based solution enforces Separation of Duties policies by automating the continuous evaluation of SoD policies and ensuring that individuals are not granted toxic combinations of access rights. Automated processes detect violations and allow managers to determine whether access should be allowed, with justifications, or removed.

Integrating SoD into Identity Lifecycle Management

Incorporating SoD checks into provisioning and access request processes ensures SoD compliance during role changes and user transfers through the identity lifecycle management process.

Addressing SoD Conflicts with IGA

IGA tools enable organizations to configure automatic alerts that notify administrators when a potential conflict arises so that it can be addressed immediately. These tools also regularly review access and role assignments to detect and prevent new conflicts from emerging.


Conclusion

It is important to conduct regular SoD testing to mitigate risks and ensure business continuity, and modern IGA solutions are essential in executing these functions.

To ensure you are getting the most value from your SoD strategy, work with a trusted solutions partner offering robust IGA capabilities like Omada to automate and streamline effective SoD management and testing.

Explore Omada’s IGA solutions and see a demonstration of how Omada Identity Cloud streamlines SoD testing and enhances overall identity and access governance.
