Separation of duties (SoD), also sometimes referred to as segregation of duties, is the principle that no user should be given a combination of privileges that would allow them to misuse a system on their own. SoD is often practiced in cybersecurity to combat insider threats as well as minimize the likelihood of errors when handling sensitive data.
In addition to being good practice, ensuring SoD is a legal requirement for publicly traded companies and their wholly owned subsidiaries, who are obligated to be compliant with the Sarbanes-Oxley act (commonly known as SOX). To maintain compliance with SOX, these organizations must present evidence of responsible financial practices, including SoD, or face major legal ramifications.
SoD can be enforced by clearly defining conflicting roles and ensuring they cannot be carried out by the same individual. By identifying where your sensitive data resides and who has the ability to access, alter, and influence that data, you can implement strict controls for SoD.
What are some common struggles with enforcing SoD?
While SoD is an effective, and in some cases necessary, security measure, putting it into practice can be challenging. Common struggles for IT teams include:
- Balancing security with efficiency: Separating duties can be crucial to preventing misuse of controls and insider threats. However, breaking roles down into separate components can hinder employee efficiency, a trade-off companies are often reluctant to make.
- Higher associated costs: While SoD can help mitigate potential fraud, it may also contribute to additional process complexity and require increased staff and higher operational costs. Prioritizing systems from most to least mission critical and implementing SoD over time can help keep associated costs in check.
- Employee count: For smaller organizations, SoD may seem not worth the effort because it requires multiple employees to perform tasks or sequences of events that could otherwise be completed by a single individual. Leveraging automation in combination with SoD is a great way to ensure employees can perform tasks efficiently while still securing processes.
Key considerations when implementing SoD
Some IT and security practices you can implement to enforce SoD:
Role-based access control (RBAC): This refers to the principle of granting employees access only to the systems and information they need to carry out their job function effectively. By clearly defining role responsibilities and removing generic/birthright access, you can ensure no individual has authority across the full cycle of a sensitive process.
Time-based approvals: Implementing time-based controls for employee access to critical systems ensures that individuals have access to sensitive data only for the period they require it. In addition, having employees log what they need access for, and designating a different individual as the approver, allows you to maintain dual authorization and safeguard the integrity of your information.
Regular risk assessments: Even after critical systems and roles within the organization have been identified, it is important to reassess risk at least annually. Major organizational changes such as replacement of critical infrastructure, a large change in headcount, or mergers and acquisitions can all affect security posture. By maintaining a dynamic process and consistently reviewing, identifying, and auditing cyber risks, you can safeguard the processes and systems vital to the security of sensitive information.
Automating controls: Consider implementing automation for access controls involving mission-critical systems. This allows you to block certain activities based on predetermined rules, so that an SoD breach is limited even if someone attempts to bypass the established policies and controls.
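The three practices above (mutually exclusive roles under RBAC, time-bounded access approved by someone other than the requester, and automated enforcement of those rules) are easy to show as code. The following is an added example written for this page, not code from the original article or any product it describes; the role names, conflict pairs, user names, timestamps and the eight-hour grant limit are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed conflict matrix (assumption): role pairs that together cover a
# sensitive cycle end to end, so no single person may hold both at once.
CONFLICTING_ROLES = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"code_commit", "prod_deploy"}),
}
MAX_GRANT = timedelta(hours=8)  # constructed upper bound for a temporary grant


class SoDPolicyError(Exception):
    """Raised when an access request would breach the SoD policy."""


@dataclass(frozen=True)
class AccessGrant:
    user: str
    role: str
    approver: str
    justification: str   # the logged reason the requester must submit
    start: datetime
    duration: timedelta

    @property
    def end(self):
        return self.start + self.duration


def make_grant(user, role, approver, justification, start_iso, hours):
    """Convenience constructor taking an ISO-8601 start time and a duration in hours."""
    return AccessGrant(user, role, approver, justification,
                       datetime.fromisoformat(start_iso), timedelta(hours=hours))


def conflicts_in(roles):
    """Return the conflicting (role_a, role_b) pairs contained in one user's role set."""
    return [tuple(sorted(p)) for p in CONFLICTING_ROLES if p <= set(roles)]


def sod_violations(assignments):
    """Audit standing assignments (user -> set of roles) for SoD conflicts."""
    findings = []
    for user, roles in assignments.items():
        for a, b in conflicts_in(roles):
            findings.append((user, a, b))
    return sorted(findings)


def _roles_at(assignments, grants, now):
    roles = {u: set(r) for u, r in assignments.items()}
    for g in grants:
        if g.start <= now < g.end:       # a grant expires automatically at g.end
            roles.setdefault(g.user, set()).add(g.role)
    return roles


def roles_at(assignments, grants, now_iso):
    """Effective roles (standing plus active temporary grants) at a given time."""
    return _roles_at(assignments, grants, datetime.fromisoformat(now_iso))


def request_grant(assignments, grants, grant):
    """Automated gate run before a temporary role is activated.

    Enforces dual authorization, a logged justification, a bounded window, and
    that the new role does not complete a conflicting pair for the user, taking
    any temporary grants already active at the start time into account.
    """
    if grant.approver == grant.user:
        raise SoDPolicyError("requester cannot approve their own access")
    if not grant.justification.strip():
        raise SoDPolicyError("a justification must be logged with the request")
    if grant.duration > MAX_GRANT:
        raise SoDPolicyError("requested window exceeds the policy maximum")
    projected = _roles_at(assignments, grants, grant.start)
    projected = set(projected.get(grant.user, set())) | {grant.role}
    for a, b in conflicts_in(projected):
        raise SoDPolicyError(f"{grant.user} would hold conflicting roles {a} and {b}")
    return grant


if __name__ == "__main__":
    # Constructed sample data: alice holds both halves of the payables cycle.
    standing = {"alice": {"vendor_create", "payment_approve"}, "bob": {"code_commit"}}
    print("standing violations:", sod_violations(standing))
    ok = request_grant(standing, [], make_grant("carol", "prod_deploy", "dana",
                                                "hotfix release", "2024-05-01T09:00:00", 2))
    print("carol at 10:00:", roles_at(standing, [ok], "2024-05-01T10:00:00")["carol"])
```

The periodic audit (`sod_violations`) and the pre-activation gate (`request_grant`) deliberately share one conflict matrix, so the rule that the annual review checks is the same rule the automation enforces at request time; keeping them in sync is what lets the automated control catch a breach even when someone tries to work around the manual approval process.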
Separation of Duties and Access Controls
Separation of duties (SoD) is a cybersecurity principle practiced by companies to mitigate the risk, misuse, and fraud associated with critical systems. By dividing responsibilities among different employees, organizations can minimize error and detect breaches of process more readily.
SoD is just one component of effectively strengthening access controls. Leveraging other methods such as well-defined and automated approval processes and frequent reviews in tandem with SoD can ensure your company’s controls are airtight.