Skip to main content

Why Segregation of Duties is Important for Information Security

When we talk about IT security, the first things that come to mind are programs such as firewalls or malware detection software. However, security is as much about the organization systems and process your company has in place as anything else. Of those organizational structures, one of the most important matter is how companies assign responsibility for certain IT-related tasks. This is called Segregation of Duties.

What is Segregation of Duties

Segregation of Duties is an internal control that prevents a single person from completing two or more tasks in a business process. Separation of Duties, as it relates to security, has two primary objectives. The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors. The second is the detection of control failures that include security breaches, information theft and circumvention of security controls. Organizations require Segregation of Duties controls to separate duties among more than one individual to complete tasks in a business process to mitigate the risk of fraud, waste and error (for example in financial enterprises).

SoD processes break down tasks, which can be completed by one individual, into multiple tasks. The goal is to ensure that control is never in the hands of one individual, either by splitting the transaction into 2 or more pieces, or requiring sign-off approval from another party before completion.

Breaking tasks down prevents risks, however, it doesn’t come without other costs. For one, it can negatively impact business efficiency. Payroll management, for example, often faces error and fraud risks. A common SoD for payroll is to ask one employee to be responsible for setting up the payroll run and asking another employee to be responsible for signing checks. This way, there is no short circuit where someone could pay themselves or a colleague more or less than they are entitled to.

The Importance of Segregation of Duties

The concept behind Segregation of Duties is that the duty of running a business should be divided among several people, so that no one person has the power to cause damage to the business or to perform fraudulent or criminal activity. Separation of duties is an important part of risk management, and also relates to adhering to SOX compliance.

Segregation of Duties is recommended across the enterprise, but it’s arguably most critical in accounting, cybersecurity, and information technology departments. Individuals in these roles can cause significant damage to a company, whether inadvertently or intentionally. Therefore, finance and security leaders should pay attention to separation of duties. It is important to build a role with IT security capabilities so that no one can abuse it.

Segregation of Duties in IT security

The issue of separation of duties is of a great importance. A lack of clear and concise responsibilities for the CSO and chief information security officer has fuelled confusion. It is imperative that there be separation between the development, operation and testing of security and all controls. Similarly, if one individual is responsible for both developing and testing a security system, they are more likely to be blind to its weaknesses.

To avoid these situations, responsibilities must be assigned to individuals in such a way as to establish checks and balances within the system. Different people must be responsible for different parts of critical IT processes, and there must be regular internal audits performed by individuals who are not part of the IT organization, and report directly to the CEO or board of directors. SoD in the IT department can prevent control failures that can result in disastrous consequences, such as data theft or sabotage of corporate systems.

An important part of SoD implementation is the principle of least privilege, as well. Everyone should have the minimum permissions they need to perform their duties. Even within a certain IT system, individuals should only have access to the data and features they specifically require. Permissions should be regularly reviewed, and revoked in case an employee changed role, no longer participates in a certain activity, or has left the company.

SOD in risk management

Segregation of Duties is a fundamental internal accounting control prohibiting single entities from possessing unchecked power to conceal financial errors or misappropriate assets in their specific role. SOD controls require a thorough analysis of all accounting roles with the segregation of all duties deemed incompatible. For example, someone responsible for inventory custody can’t also oversee transactional recordkeeping regarding inventory.

SOD policies can also help manage risk in information technology by preventing control failures around access permission. By segregating workflow duties, your team ensures the same individual or group isn’t responsible for multiple steps in the access permission process.

When it comes to risk management in Governance Risk and Compliance, effective SOD practices can help reduce innocent employee errors and catch the not-so-innocent fraudulent filings. Both can elevate compliance risk by violating regulations like the Sarbanes Oxley Act of 2002, penalizing companies for filing incorrect financial information capable of misleading investors

Including a Segregation of Duties control component in your risk management strategy helps reduce risks that can be costly to your organization – whether it’s financial, damage to your brand, or the stiff penalties imposed for regulatory infractions. By segregating duties to minimize errors and potential fraud, your organization can remain at or below its desired risk threshold.  Working with experienced cybersecurity experts is crucial for companies of all sizes, across all industries. That is why businesses have to take charge of their own protection and implement strategies designed to limit the damage a single attack is capable of.

How to Successfully Conduct Recertification of Access Rights

From our practice, we know that every company has employees that have been there from the beginning and worked in different departments. They know everything about the company’s processes, and it makes them valuable employees. But at the same time, they can also access sensitive data, and that makes them dangerous and a periodic user access review can mitigate this danger.

The user access review, otherwise known as access recertification, is an essential part of access management and is an important practice for each organisation. As a critical component of your Identity and Access Management strategy, this control mechanism ensures that your Information System users have legitimate and consistent access rights to your systems and applications.

In this article, we discuss the definition and importance of user access recertification and review the best practices to make the process fast and effective.

What is Access Recertification?

As said above, recertification, is a key component of your IAM strategy, closely linked to identity lifecycle management and to account and rights provisioning. The goal is to ensure that information system users have the access rights they should have, and to certify them, or – if necessary – carry out remediation operations in the event of non-compliance with the company’s authorisation policy.

This IAM element helps provide good governance and authorisations control, in order to ensure the expected compliance guarantees. It allows companies not only to achieve compliance with their security policy and to limit operational risks, but also to meet a wide range of regulatory challenges, including those relating to regular audits by the parent company or by official auditors.

If not reviewed periodically, privileged access can fall into the hands of bad actors, whether on purpose or on accident. The risks involved with the wrong person having access can be great and potentially disastrous for an organization and its reputation.

Why is it important to review access rights?

The ultimate aim of a user access review is to reduce the risk of a security breach by limiting access to critical data and resources. To prevent situations such as security breach or data theft, is one of the reasons to conduct a recertification. It also eliminates threats such as the following:

  • Excessive privileges. In a perfectly secure world, access privileges can be granted only to users that need them only to do their jobs. In reality, permanent access is often granted when an employee needs access just once or may (or may not) need it in the future. A timely review helps to revoke unneeded user access rights.
  • Access misuse and employee mistakes. According Data Breach Investigations Reports, 15% of data breaches happen because of access and data misuse. A user access review helps to limit access and, therefore, reduce the possibility of a costly mistake.
  • Insider threats. The key danger of insiders comes from the fact that they have access to sensitive data and know about security measures implemented in the organization. Insider threats can be partially mitigated by revising and restricting access according to the principle of least privilege. However, the best practice is to couple reviews with the creation of an insider threat policy and deployment of user monitoring, access, and identity management software.

Figure 1: Functions of recertification

Which best practices should be followed for effective recertification?

To mitigate the potential risks and keep your access management routine efficient and secure, it’s in your organization’s best interest to conduct periodic user access reviews. And if you don’t have regular access recertification done already, here are some user access review best practices to help you set up an efficient process.

  • Develop a user access review policy

Developing a user access review policy is crucial for any organization’s security. A thorough policy can help save an organization time and money while mitigating cybersecurity risks and protecting sensitive information. It’s best to consider policy development as the information-gathering stage of the process, with a lot of asking questions and finding answers. For example: Who has access to what? What is the most important information that needs protecting? Who and what is most vulnerable to risk? What software exists to mitigate those risks?

The development of a user access review policy should always be geared toward achieving a Zero Trust policy, meaning, a policy that allows users access to only the bare minimum needed for job duties.

  • Implement role-based access control (RBAC)

This access control model allows for creating user roles for positions instead of configuring each user’s account individually. Each role is assigned a list of access rights. RBAC speeds up a user access review because, with this model in place, you can review roles instead of separate profiles.

In PATECCO, role-based access is easy to set up and manage: you can add users with similar privileges to groups and manage their privileges in a few clicks.

  • Implement the principle of least privilege

The principle of least privilege dictates that users should have access to data only if they absolutely need it. The fewer privileges a user has, the less time you need to spend reviewing them.This principle is easily implemented with PATECCO: new users have a minimum number of access rights or privileges by default. An administrator can assign a user to a privileged user role by adding them to a specific group or can provide constant or temporary access to resources.

  • Provide temporary access instead of permanent

During an access review, revoking such access rights takes a lot of time. Whenever possible, one of the best practices is to use features like one-time passwords instead of assigning a user a new role or granting permanent access rights. Another option for providing temporary access is to implement privileged access management (PAM). This approach is based on granting access only when users need it to complete their jobs and revoking it when the task is finished.

Conducting a user access review is an important part of the access management process. It reduces the risk of a data breach and reduces a wide range of security issues. With the support of PATECCO, you can take your access management to a higher level, as this solution provides:

How to Implement a Zero Trust Model?

Today, we see increasingly distributed workforces and work regularly outsourced to contractors, partners and freelancers alike. As a result, the traditional company network perimeter has altered dramatically and many businesses have struggled to keep up with the rate of change. All that is a prerequisite for external cyberattacks and potentially harmful internal data breaches.

At its core, Zero Trust is a framework in which an organization forgoes one large perimeter in favour of protection at every endpoint and for every user within a company. This approach relies on strong identity and authentication measures, trusted devices and endpoints, and granular access controls to protect sensitive data and systems.  Zero Trust requires granular visibility.

So, implementing a Zero-Trust framework does more than increasing the security. It also helps your data management and accessibility efforts by providing the visibility into connected endpoints and networks that a great percentage of organizations lack.

Implementing a Zero Trust Model

While establishing a Zero Trust architecture can increase security, many organizations find the implementation challenging. Understanding the steps involved, can help move toward a zero trust security approach.

  • Establish strong authentication processes (Identity and Authentication)

Identity authentication is the foundation of a zero-trust security strategy. To continuously evaluate access to resources, you must first centralize user management and establish strong authentication processes. In order to track and manage all users across your systems, user identity must be centralized in a user and group directory. As employees join the company, change roles or responsibilities, or leave the company, the databases should update automatically to reflect those changes. The user and group database acts as the single source of truth to validate all users that need to access your systems.

A single sign-on (SSO) system, or centralized user authentication portal, can validate primary and secondary credentials for users requesting access to any given resource or application. After validating against the user and group directory, the SSO system generates a time-sensitive token to authorize access to specific resources. A centralized user database supporting a single sign-on system is essential. Data in a SaaS application environment must be assumed vulnerable unless access is limited to an endpoint that you control. Once that database is in place, you can introduce an authentication process such as 2FA (two-factor authentication) or MFA (multi-factor authentication) to harden your system and ensure that the users accessing your applications are who they say they are.

  • Define and implement policies around Access Management

Building on the identify and authentication mechanisms, the next step is to define and implement policies around who can access specific data and when they can access it. What makes the Zero Trust approach unique is that in order to minimize the ‘perimeter’ of any given individual and isolate the risk associate with that user, the Zero Trust approach supports the idea that an employee should only be given the minimum access and permissions needed for that employee to do their job. By limiting access in this way, risk is minimized. Should an attacker gain access to the credentials of a user in marketing, for example, that perpetrator is ‘laterally’ limited in that they cannot gain access to any of the tools, assets, or information outside of that user’s specific role.

There are several ways to ensure that an employee’s access is restricted to the tools and assets required for their job. The first is granular, role-based access and permission levels. These should be defined for each role within your organization, with cross-functional input agreement. Your organization’s appetite for risk and the breadth of access needed to effectively collaborate across teams will determine the level of granularity needed for team and individual role-based access levels. Once these role-based access levels have been defined, you can begin to map out the controls needed for each system and vendor in your organization. While your SSO or identity provider may be able to support some of your access control needs, you may find that not all applications provide the level of granularity needed to limit access in this way. Access controls are an important part of any vendor risk management assessment and integral to the long-term implementation of Zero Trust.

In order to adhere to the “continuous verification” tenant of the Zero Trust model, you will also need a way to consistently analyse audit logs to verify access controls and identify suspicious or unsanctioned activity in your systems. This information helps detect suspicious activity within your systems and supports the application of access and permission levels by allowing you to verify that those levels are implemented correctly and that there aren’t any suspicious actors that have gained access to a user’s credentials.

  • Monitor and audit everything

In addition to authenticating and assigning privileges, it is vital to monitor and review all user activity across the network. This helps organizations to identify any suspicious activity in real-time. Deep visibility is especially important for administrator accounts which have rights to access a wide spectrum of sensitive data.

  • Implement Principle of Least Privilege

Every Zero Trust architecture should include Principle of Least Privilege, which is based on the concept that individual users should only be granted sufficient privileges to allow them to complete specific tasks. For example, an application developer should not be allowed to access financial records. For maximum effectiveness, PoLP should be extended to “just-in-time” access, which restricts users’ privileges to specific time periods.

Implementing the Zero Trust security model is no simple task. For many organizations, especially large, established enterprises, implementation can take a considerable amount of time and effort. But the upsides are significant. Beginning to implement the foundational elements of Zero Trust Security is the key to securing your sensitive company data in the midst of the proliferation of cloud applications, devices, and user identities.