Organizations separate duties to prevent any one person from holding a critical combination of operations. To limit the damage a single insider can do, and to comply with relevant regulations, management should implement preventive controls, among them separation of duties (SoD).
To prevent abuse of access rights, organizations first need to identify SoD conflicts. This requires analysis, which can be performed in two ways: proactively or reactively. A proactive approach analyzes the authorization objects a user would hold before the privileges are granted, so that a request that would create a conflict is caught at provisioning time. A reactive approach scans the entitlements users already hold and detects risky combinations after the fact.
A SoD conflict may occur in any critical business process, but conflicts typically arise in two main financial workflows: Purchase to Pay (P2P) and Order to Cash (O2C). When an individual is able to perform both sides of a process sequence (e.g. creating a vendor and then paying that same vendor), this is a SoD conflict: it creates the opportunity for the individual to act against the interest of the company without a second person noticing.
While not every SoD conflict indicates a user is performing illegal activities, it can help flag behavior as suspicious, to trigger further investigation and remediation.
A SoD conflict is a situation where one role in an organization has permission to perform more than one step in a workflow that has financial implications or affects the organization's financial reports. For example, the same person can both create new purchase orders and approve them. A SoD conflict is therefore a theoretical risk, not an actualized one. SoD conflicts must be identified early to prevent SoD violations.
A SoD violation is an actualized risk that could represent fraudulent or criminal behavior. For example, the same person actually creates a new purchase order and then approves it, raising the concern that they may have falsified the purchase order to steal funds. A SoD violation does not necessarily represent illicit behavior, but it is a strong indication of it, and the organization must investigate.
Because a violation requires a conflict to exist first, any measure that removes a SoD conflict also prevents the corresponding SoD violation. Addressing SoD conflicts is therefore an early preventive control that stops violations further down the line. However, no organization achieves zero SoD conflicts: roles are typically defined broadly, and removing every conflict would create unnecessary drag on the business. Conflicts that are accepted for business reasons should be documented and covered by a compensating control, such as monitoring of the affected transactions, so that a violation is at least detected.
Here are several risks of a poorly implemented SoD management process:
Large organizations track transactional duties using a separation of duties matrix: a table of business functions in which each cell marks whether a pair of functions may be held by the same person. The matrix can be maintained manually, but for efficiency it is usually computer-generated from the roles and functions defined in a financial system such as SAP.
For SoD to work, each entitlement in the system (for example, a transaction code) must be mapped to the business function it performs in the transaction workflow. It is possible to assign and check entitlements one at a time per user, but that is impractical and prone to human error. Instead, bundle entitlements into roles, map each role to the functions it grants, and evaluate the matrix against those functions. Analyzing roles rather than individual assignments makes it far easier to identify SoD conflicts and to stop a conflict from becoming a violation.
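As an added example, not code from the original article or from Pathlock, the following Python sketch shows the mechanics described above: a conflict matrix over business functions, a mapping from entitlements to functions, roles as bundles of entitlements, a proactive check run before a role is granted, a reactive scan of existing assignments, and a violation check that looks for one user performing both sides of a rule on the same document in a transaction log. The rule set, roles, users and log are constructed for illustration; the entitlement names follow SAP transaction-code style, but the mapping from entitlement to function is this example's assumption, not a vendor-supplied one.

```python
from collections import defaultdict

# --- Policy (illustrative assumptions, not from the article) ------------------

# SoD matrix, expressed as the pairs of business functions that one person must
# not hold together. Only the conflicting cells are listed.
CONFLICT_RULES = {
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}): "P2P: create a vendor and pay that vendor",
    frozenset({"CREATE_PO", "RELEASE_PO"}): "P2P: create and release a purchase order",
    frozenset({"CREATE_CUSTOMER", "POST_BILLING"}): "O2C: create a customer and bill it",
}

# Entitlement -> business function. Names follow SAP transaction-code style,
# but the mapping itself is an assumption of this example.
ENTITLEMENT_FUNCTION = {
    "XK01": "CREATE_VENDOR",
    "F-53": "PAY_VENDOR",
    "ME21N": "CREATE_PO",
    "ME29N": "RELEASE_PO",
    "XD01": "CREATE_CUSTOMER",
    "VF01": "POST_BILLING",
}

# Roles bundle entitlements; users are assigned roles (hypothetical data).
ROLES = {
    "AP_CLERK": {"XK01", "ME21N"},
    "AP_MANAGER": {"F-53", "ME29N"},
    "AR_CLERK": {"XD01"},
    "BILLING": {"VF01"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},  # legacy assignment that already conflicts
}


def functions_for_roles(roles):
    """Resolve a set of roles to the business functions they grant."""
    funcs = set()
    for role in roles:
        for ent in ROLES.get(role, ()):
            funcs.add(ENTITLEMENT_FUNCTION[ent])
    return funcs


def conflicts_in(functions):
    """Matrix lookup: every rule whose two functions are both present."""
    return {rule for rule in CONFLICT_RULES if rule <= functions}


def proactive_check(user, new_role):
    """Conflicts that granting new_role to user would newly introduce.
    Run at request/provisioning time, before the role is assigned."""
    current = USER_ROLES.get(user, set())
    before = conflicts_in(functions_for_roles(current))
    after = conflicts_in(functions_for_roles(current | {new_role}))
    return after - before


def reactive_scan():
    """Conflicts already present in current assignments.
    Run periodically or as part of an access review."""
    report = {}
    for user, roles in USER_ROLES.items():
        found = conflicts_in(functions_for_roles(roles))
        if found:
            report[user] = found
    return report


def find_violations(log):
    """A conflict becomes a violation when one user actually performs both sides
    of a rule on the same business document. log: iterable of (user, entitlement, doc)."""
    performed = defaultdict(set)  # (user, doc) -> functions that user performed on doc
    for user, ent, doc in log:
        performed[(user, doc)].add(ENTITLEMENT_FUNCTION[ent])
    violations = []
    for (user, doc), funcs in performed.items():
        for rule in conflicts_in(funcs):
            violations.append((user, doc, CONFLICT_RULES[rule]))
    return violations


# Constructed transaction log (not real data): (user, entitlement used, document key).
SAMPLE_LOG = [
    ("alice", "ME21N", "PO-1001"),
    ("bob", "ME29N", "PO-1001"),    # four-eyes principle respected
    ("carol", "ME21N", "PO-1002"),
    ("carol", "ME29N", "PO-1002"),  # same person created and released -> violation
    ("carol", "XK01", "V-77"),
    ("bob", "F-53", "V-77"),
]

if __name__ == "__main__":
    print("proactive:", proactive_check("alice", "AP_MANAGER"))
    print("reactive:", reactive_scan())
    print("violations:", find_violations(SAMPLE_LOG))
```

The proactive check only reports conflicts the new role would add, so an already-conflicted user requesting an unrelated role is not blocked on the old conflict (that one belongs to the reactive report and to the access review). Keying the violation check on the document rather than on the user alone is what distinguishes an actual violation from the mere holding of a conflicting combination.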
Here are several steps that can help you implement SoD and prevent SoD conflicts:
1. Define policies and processes clearly
This step is critical to implementing SoD properly. Identity management tools can hold the SoD policy itself (which functions conflict) and tie it into the identity lifecycle, so that the same access policies are defined once and enforced consistently across a large number of applications.
2. Create a centralized dashboard for access
A centralized dashboard can help you gain visibility into access and authentication activities across your organization. This is especially important for multi-application and hybrid environments that distribute access across many locations, devices, and users.
While separate dashboards can provide insight into each environment, to truly implement SoD and prevent conflicts you need one central view. A conflict is often cross-application: a user whose access is harmless within each system individually may hold a toxic combination once access to several environments is considered together, and only a consolidated view can reveal it.
A centralized dashboard can tell you which users have access to each application across the enterprise, and whether any user holds more permissions than their job requires. It should also surface orphan accounts (accounts with no current owner), which could be used without authorization. With all of this information in one place, you can prevent SoD violations efficiently.
3. Use access certification for reviews
Access certifications with a limited time span can help you control access rights granted to each user over time. You can use a certification mechanism to remove any access that is no longer needed, or might cause a conflict of interests. These certifications can help you make sure that users do not have prolonged access rights without appropriate oversight.
4. Use workflows for access requests
Workflows can provide you with a clear structure for approvals. You should only provide access after it is approved. To ensure efficiency, you should create a structured process for all approvals. An identity management tool can help you create multi-level approval workflows, which can help you to easily maintain SoD.
5. Role-based access provisioning
Organizations should define every role and then grant it only the entitlements the role requires. Assigning entitlements at the role level gives the access approval process clear guidance, and automation makes provisioning faster and more accurate: a new employee does not have to wait, because the system grants the assets and privileges that match their role as soon as the role is assigned.
6. Make sure IT and HR collaborate
Ideally, IT and HR should collaboratively define roles and approvals. This can avoid disparities in the life cycle of roles. Beyond HR and IT collaboration, all relevant stakeholders, including managers and executives, should participate in the process and approve the roles defined for each new employee.
7. Identity management with risk engines
An intelligent risk engine continuously monitors all access activity and assigns a risk score to each access event. A request can receive a high score for various reasons, such as the time of day or the sensitivity of the data accessed. When that happens, the system prompts manual intervention or requires step-up authentication before deciding whether to grant or deny access.
Pathlock provides a robust, cross-application solution to managing SoD conflicts and violations. Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape.
With Pathlock, customers can enjoy a complete solution to SoD management, that can monitor conflicts as well as violations to prevent risk before it happens:
Interested to find out more about how Pathlock is changing the future of SoD? Request a demo to explore the leading solution for enforcing compliance and reducing risk.