What are Separation of Duties and Least Privilege?

When you see this term, SoD, with a little O, what does it mean? It can mean two things — Separation of Duties or Segregation…

Ron LaPedis profile picture
Ron LaPedis

May 15, 20186 minute read

When you see this term, SoD, with a little O, what does it mean? It can mean two things —

Separation of Duties or Segregation of Duties. They actually have the same meaning; splitting a task into parts so that more than one person required to complete it. The principle of least privilege means workers only will be given access to the information and resources that are necessary for a legitimate purpose.

In both cases, the idea is to allow the right people to have the access that they need to do their jobs, but not enough access to bypass controls. Controls are a big idea that we will discuss in a moment.

Alice, Bob, and Ordering PCs

As an example, let’s take a person who is in accounts payable. Their job is to approve and print checks to suppliers for goods. We also have a role in the system for people who manage vendors and are allowed to create new vendor records in the system and enter invoices. Finally, we have people who buy from vendors, such as the IT or marketing departments.

Let’s look at Alice, who is in the IT department, and Bob, who is in the finance department. Alice wants to buy some PCs from ABC company. If Bob is in the vendor management role, he can create a new vendor and enter purchase orders and invoices for ABC company so that Alice can order her PCs. And if Bob also is in the accounts payable role, he would be authorized to approve payment to ABC company for Alice’s PCs. This doesn’t sound like a problem, right? In fact, it streamlines the process for acquiring new PCs.

But if Bob is not as honest as he should be, it is possible for him to create a new vendor called BobCo, enter purchase orders and invoices for BobCo, then approve payment. This situation violates the separation of duties rule and circumvents the financial controls that the organization should have in place. And this is why Separation of Duties is such a big deal.

And of course, neither Alice nor Bob need access to the payroll system nor do they need administrative access to whatever application and database are used to support the purchasing and payment systems.

This is Really Big!

Separation of duties could be a bigger issue than you think it is. In its annual report published in March of 2017, power and robotics firm ABB said losses from the fraud at its South Korean unit discovered last month would total $73 million. How could this happen? Managers failed to maintain sufficient segregation of duties in the treasury unit of its subsidiary in South Korea and did not provide enough oversight of local treasury activities, ABB CEO Ulrich Spiesshofer and Chief Financial Officer Eric Elzvik said.

Think about all of the people and their roles in your organization and how complicated it is to understand what all of them have access to and the possibilities for accidental or intentional fraudulent behavior.

According to EY, a consultancy, organizations must gain an understanding of the scope of sensitive transactions and conflicts that drive their key business processes. These are also the transactions that pose the greatest fraud risk to the organization should someone possess excessive access.

The Matrix

Access thresholds must be determined based on the risk and impact to the organization for each potential SoD conflict.

The output of the definition phase is a matrix of potential conflicts, including the corresponding risk statement related to each conflict. The risk statement answers the question, “Why do we care about this transaction combination?” and demonstrates what could go wrong should someone have too much access or authority. The risk statement might say, “A user could create a fictitious vendor or make unauthorized changes to vendor master data, initiate purchases to this vendor and issue payment to this vendor.” In this case, the “vendor” might be the fraudulent employee with an excessive and inappropriate level of access in the system.

Once the matrix is created, it can be used to assess and flag existing violations so that they can be investigated, or it can be used to prevent access from being granted in the first place. The assessment can be done manually through the use of system access reports and spreadsheets, or the matrix can be loaded into automated systems which will do the work for you. Automated identity and access management software can be used limit SoD violations from the time a worker hires on until they leave or retire.

Organizational Controls

SoD and least privilege are just two examples of organizational controls which are put in place to assure achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. And in fact, most financial laws such as SOX, J-SOX, and Basel II directly address financial controls which mandate separation of duties.

While the European Union’s GDPR isn’t prescriptive, proper implementation of SoD and least privilege can help keep system and database administrators out of user data.

We Can Help

Micro Focus can help you easily implement SoD and least privilege without disrupting your business. Remember that risk matrix that I talked about earlier? Once the matrix is created, it can be used to drive Micro Focus Identity Governance and Administration (IGA) software. IGA implements access modeling and transparency by automating the detection of SoD and excessive access so that management can evaluate the risk and take appropriate action. IGA also will help enforce SoD and least privilege when new employees are brought on board or when their responsibilities change.

To Sum Up

In summary, Separation of Duties is part of compliance and it is good management practice. Micro Focus can make life easier for both IT and people managers by automating a worker’s access from the time they hire on until they leave or retire.

But what if you already have another Identity Manager in place? Micro Focus IGA will work with most of them, allowing you to help secure your environment from fraud without a disruptive rip and replace effort.

Separation of Duties and least privilege can go a long way to help your organization achieve and maintain the security of your data and comply with many government and industry regulations. And Micro Focus software and services can help you get the most out of both, allowing you to implement management best practices, be more secure, and meet compliance rules.

Share this post

Share this post to x. Share to linkedin. Mail to
Ron LaPedis avatar image

Ron LaPedis

See all posts

Stay in the loop!

Get our most popular content delivered monthly to your inbox.