“What is segregation (or separation) of duties, and how does it fit into identity security?”
A while back, one of our readers asked what segregation (or separation) of duties was and it fits into identity security. When responding to this question, we thought other readers may also be interested.
Segregation of duties (SoD) - sometimes called separation of duties - is a military principle that made its way into the corporate world long ago. The defining principle of SoD is simple: “No one person should have the ability to authorize an order and execute an order without another person involved.” In terms of corporate responsibility, that means that the person who creates an accounts payable entry to be paid out must not be the same person who actually pays the vendor. Doing so would leave too much of a possibility for abuse and fraud, as false accounts payable entries could be made, then paid without any review if only one person does both.
When the term crossed over into the IT security world, SoD became a method to refer to permissions on data, files, and access to digital resources; but the overall meaning of the term has not changed very much. SoD in identity security means that no one person should have the entitlements and permissions that would allow them to perform two functions that must be performed by two individuals instead. In addition to becoming the digital version of the accounts payable example, SoD also refers to not allowing the person who pushes code to a production server being the same person who authorizes that the code can be pushed.
Think of it this way; if a person both controls the movement and publishing of software, and also controls the approval to push that software live, then it is far too easy for a bad actor to get malicious code put into production. These SoD violations also create targets for social engineering or blackmail, since a bad actor need only co-opt that one person to do major damage.
The same theory also prevents other security issues in an organization. The person who requests that a user be given access to something must not also be the person who grants that access. If that were to happen, then a bad actor could create a request to make themselves an administrator and also grant themselves those permissions with no review.
SoD becomes more difficult the more complex the company data systems become. As more and more user groupings are created in platforms like Active Directory; the chances that a user could be put into too many groups and end up violating SoD becomes more likely. In many cases, SoD violations occur not because anyone is trying to damage the company; but rather because - over time - users accidentally gain conflicting permissions that over-elevate their privileges.
Tools - like the SecureAuth Access Assurance Suite - help your company ensure that everyone stays within their “swim lanes” and doesn’t have the ability to violate SoD by gaining too many privileges on your data systems. They do this by reviewing permissions within the organization to look for instances where individuals have accidentally gained permissions that let them control both “sides” of any operations - bookkeeping, facility access, or data management alike. This also brings to light any instances of someone purposely violating SoD, so both accidental and deliberate violations can be addressed quickly and efficiently - and most importantly without doing anything that could stop a legitimate user from doing their job.
Segregation of duties can help keep your organization safe by making sure that any process that could cause harm has one user doing actions and someone else doing a review of those actions. If you should notice that is not the case - even for your own access privileges - you should alert your IT administration immediately so they can correct the problem. First, this helps your company stay safe, and second, it means you won’t become a target for bad actors trying to attack your company.