Mastering the SoD Process (McWhirter, 2020)

Author

Stephen J. McWhirter (Author)

Title

Mastering the SoD Process

Version

1.0

Summary

This article covers the SoD process in relationship to Identity and Access Management deployment. The successful deployment helps reduce the Cyber Security hacking threat plain. Key areas covered Segregation of Duties, Information Security. Birthright Access, Data Roles, RBAC, Access Roles, IAM, and PAM. The author developed the automatic Access Revocation process that is use in commercial IAM use. (US Patent 9,268,962 B1).

Mastering the SoD Process

SoD (Segregation of Duties) or (Separation of Duties) is a methodology to protect corporate assets, company reputation, and financial loss from human capital acting inappropriately whether intentionally or unwittingly with assigned system access. The goal of SoD controls is to create a least privileged environment for users to work with a focus on data protection.

There are at least three SoD dimensions to explore, application roles, enterprise roles, and hybrid SoD. Hybrid SoD role analysis looks at roles within an application(s), in relation to overall network and other software role access. This review will focus on Application SoD role management as a start. Modern IAM software especially with Cloud services has become more complex. IAM (Identity & Access Management) originally was the “who” user identity and the “what” actions the user can do.

The new IAM attribute added to the security model is the which (what data the user can see). The implementation of SoD principles is required to stay in compliance with GDPR, PII, SOX, and HIPPA regulations. Modern IAM software features help reduce the threat plane via automatic provisioning-deprovisioning of “employee role” access. Automation helps to limit the scope of custom SoD governance policy work. It is estimated that 30-40% of the SoD compliance focus can be automated without a lot of changes once installed. Always review at least annually. This automation allows organizations to focus more resources on a deeper SoD analysis of applications that have privileged access type roles. Examples of the birthright (day-one) access is email, Office Tool suite, HR employee tools, Microsoft Tools, and network type access.

SoD Governance Framework

The difference between a successful SoD program or not is governance. The measure to setup is organizing activities that each role can perform. The data point to begin with is role-responsibility. In more modern IAM technology a role-privilege access structure may be more common. The more features and security access flexibility an IAM tool has built in the software the higher level of complexity deploying IAM management will be. Most commercial IAM tools usually have a SoD analysis feature to perform analysis with different levels of usefulness. It is not uncommon for the SoD analysis feature to be an add on to your software.

The above recommendations are a starting point and can be adjusted to align to your enterprise identity management technology structure. The base artifacts list is also a starting point and can be interchange for corporate tools or reports that may exist at your company.

Most organizations start in SoD compliance with a new IAM software deployment. During implementation roles are adjusted and custom roles are created. Custom roles require the SoD review process to be implemented each time the application or data roles are changed.

Governance IAM Tools

  1. Master corporate* SoD Guideline (conflicting activities) document

  2. SoD identifier worksheet

  3. Role conflict searching tool

  4. Mitigating Control Form

*. Approved via executive management

Governance Measurement

  1. Each department or division should have a starting point SoD out of Compliance score

  2. The formula is the conflicting role count divided by the total role count
    Example: 10 conflicting roles / 50 total roles = 20% out of SoD compliance

  3. Any role conflicts that cannot be resolved via IAM security must have a mitigating control form in place

Access Management Process Notes

This process can also be applied to check SoD compliance for data roles. Look for data access points by searching for fields that have PII or confidential information (i.e. social security number, EU identifier, name, address, non-public financial number, etc.).  Data roles can be adjusted limiting access by user or country location to resolve any data viewing violations. In these data viewing situations data masking technology may be required to restrict the data viewing. Also remember to check any report access for data disclosure violations.

Strengthening the SoD program overall helps reduce the security threat plain and reduces the Cyber Security threat.

Best SoD success!

Stephen J. McWhirter

Fortress365 Consulting


Related Pages

List of pages with the SoD label.


Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.