
Combating Toxic Combinations Through Separation of Duties (SoD) Controls

In today’s complex organizational landscape, the concept of Separation of Duties (SoD) is more crucial than ever. SoD controls help organizations mitigate the risk of fraud and errors by ensuring that no single user has access to execute conflicting, potentially dangerous actions. Let’s delve into how these controls work and how Veza’s advanced capabilities make it easier to implement and manage SoD across your business processes.

What is Separation of Duties?

Separation of Duties (SoD) is a key internal control that prevents individuals from being able to perform a combination of sensitive tasks that could lead to fraud or errors. These are often referred to as “toxic combinations,” highlighting the security risks involved if such access is exploited. For example:

  • Finance and Accounting: If one person can both create new vendors and approve payments, they could potentially make fraudulent payments to fictitious vendors.
  • IT Admin: If a user can manage access permissions and also delete system logs, they could hide unauthorized access changes.
  • Sales and Revenue: If someone can modify customer contracts and record sales transactions, they could manipulate financial records.

These examples underscore the necessity of SoD controls in various departments and roles within an organization. Effective SoD controls divide these privileged actions across multiple users or teams, significantly reducing the potential for abuse.

Challenges of Implementing SoD Controls

Implementing SoD controls in complex environments presents significant challenges due to the intricate nature of modern IT infrastructures. Organizations often face difficulties in aligning SoD policies across diverse systems, including legacy applications, cloud platforms, and hybrid environments. The integration of these disparate systems complicates the consistent application of SoD rules, increasing the risk of overlooked violations and security gaps. This complexity underscores the need for advanced tools and strategies to ensure effective SoD control implementation and management.

How Veza Enhances SoD Management

Veza’s platform is designed to simplify the implementation and monitoring of SoD controls. Here’s how:

1. Extensive Integrations

Veza supports over 250 apps and systems, including identity providers, cloud infrastructure, on-premises systems, and both SaaS and custom applications. These broad integration capabilities ensure that SoD controls can be implemented across all relevant systems in your organization. Importantly, Veza also integrates seamlessly with existing security tools such as SIEM, SOAR, and IAM solutions, enabling organizations to enhance their security posture without disrupting established workflows.

2. Out-of-the-Box Queries

Veza provides pre-built queries that define SoD rules for popular integrations. These queries are continuously updated to accommodate new systems and requirements, allowing you to quickly set up SoD controls with minimal configuration.

3. Multi-Platform SoD Controls

With Veza, you can write SoD policies that span multiple platforms, ensuring comprehensive coverage. For example:

  • Uni-dimensional: Controls within a single application, such as preventing a user with an “approver” role in Zendesk from also being a “submitter.”
  • Multi-dimensional: Controls across applications, such as preventing an “approver” in Coupa from also being a “submitter” in Zendesk.
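The toxic combinations listed earlier and the uni-/multi-dimensional distinction above can both be expressed as one rule shape: a violation exists when an identity holds at least one permission from every side of the rule. The following checker is an added example written for this article, not Veza's code or query model; the role catalogue, identity grants, system names (erp, zendesk, coupa) and the rule format are constructed assumptions. Because roles are expanded into fine-grained permissions, each violation carries the specific (system, role, permission) grants behind it, which is the granular visibility a reviewer needs to fix the right role.

```python
"""Toxic-combination (SoD) checker over a multi-system entitlement inventory.

Added example, not Veza's code. The inventory, role names and rule format are
constructed assumptions; Veza's own query model is not described on this page.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Perm = Tuple[str, str]  # (system, permission)

# Role catalogue: (system, role) -> fine-grained permissions it grants. Constructed sample data.
ROLE_PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("erp", "ap_clerk"):      {"vendor.create", "invoice.view"},
    ("erp", "ap_manager"):    {"payment.approve", "invoice.view"},
    ("erp", "auditor"):       {"invoice.view"},
    ("zendesk", "submitter"): {"ticket.submit"},
    ("zendesk", "approver"):  {"ticket.approve"},
    ("coupa", "approver"):    {"po.approve"},
}

# Identity -> set of (system, role) grants. Constructed sample data.
IDENTITY_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("erp", "ap_clerk"), ("erp", "ap_manager")},         # create vendor + approve payment
    "bob":   {("erp", "ap_clerk"), ("zendesk", "submitter")},      # no conflict
    "carol": {("coupa", "approver"), ("zendesk", "submitter")},    # cross-application conflict
    "dave":  {("zendesk", "approver"), ("zendesk", "submitter")},  # single-application conflict
    "erin":  {("erp", "auditor")},
}


@dataclass(frozen=True)
class SodRule:
    """Violation when an identity holds at least one permission from EVERY side
    (AND across sides, OR within a side)."""
    name: str
    sides: Tuple[FrozenSet[Perm], ...]
    risk: str = "high"

    @property
    def dimension(self) -> str:
        systems = {system for side in self.sides for system, _ in side}
        return "uni" if len(systems) == 1 else "multi"


@dataclass(frozen=True)
class Violation:
    identity: str
    rule: str
    risk: str
    # Every (system, role, permission) grant contributing to the conflict, so a
    # reviewer can pinpoint which permission in which role is out of compliance.
    evidence: Tuple[Tuple[str, str, str], ...]


def effective_permissions(identity: str) -> Dict[Perm, Tuple[str, ...]]:
    """Expand an identity's roles into (system, permission) -> roles granting it."""
    held: Dict[Perm, List[str]] = {}
    for system, role in sorted(IDENTITY_GRANTS.get(identity, set())):
        for perm in ROLE_PERMISSIONS.get((system, role), set()):
            held.setdefault((system, perm), []).append(role)
    return {k: tuple(v) for k, v in held.items()}


def evaluate(rule: SodRule, identity: str) -> Optional[Violation]:
    """Return a Violation with full evidence, or None if any side is unmet."""
    held = effective_permissions(identity)
    evidence: List[Tuple[str, str, str]] = []
    for side in rule.sides:
        matches = [(system, role, perm)
                   for system, perm in sorted(side) if (system, perm) in held
                   for role in held[(system, perm)]]
        if not matches:
            return None  # this side is not held at all: no toxic combination
        evidence.extend(matches)
    return Violation(identity, rule.name, rule.risk, tuple(evidence))


def run_rules(rules: List[SodRule]) -> List[Violation]:
    """Evaluate every rule against every identity in the inventory."""
    found: List[Violation] = []
    for rule in rules:
        for identity in sorted(IDENTITY_GRANTS):
            violation = evaluate(rule, identity)
            if violation is not None:
                found.append(violation)
    return found


RULES = [
    # Uni-dimensional: two conflicting permissions inside one system.
    SodRule("erp-vendor-create-vs-payment-approve",
            (frozenset({("erp", "vendor.create")}), frozenset({("erp", "payment.approve")}))),
    SodRule("zendesk-submitter-vs-approver",
            (frozenset({("zendesk", "ticket.submit")}), frozenset({("zendesk", "ticket.approve")})),
            risk="medium"),
    # Multi-dimensional: an approver in Coupa must not also be a submitter in Zendesk.
    SodRule("coupa-approver-vs-zendesk-submitter",
            (frozenset({("coupa", "po.approve")}), frozenset({("zendesk", "ticket.submit")}))),
]

if __name__ == "__main__":
    for v in run_rules(RULES):
        print(f"[{v.risk}] {v.identity} violates {v.rule} ({v.rule!s}): {v.evidence}")
```

Running the block reports alice (vendor creation plus payment approval in the ERP), dave (submitter and approver in Zendesk) and carol (approver in Coupa, submitter in Zendesk), while bob and erin are clean. Adding a system is only a matter of extending the catalogue; a rule side may list several (system, permission) pairs when any one of them is enough to satisfy that side.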

4. Continuous Monitoring and Real-Time Alerting

The importance of continuous monitoring and real-time alerting for SoD violations cannot be overstated. Veza provides in-depth investigation and insights when an SoD violation is detected. It allows platform owners to investigate further by providing detailed information about the user, such as their department, manager, and access to other applications. Continuous monitoring ensures that any violations are detected immediately, reducing the window of opportunity for potential fraud or errors.

5. Granular Access Visibility

Identifying the exact permissions in a role causing an SoD violation can be challenging, especially when dealing with hundreds of roles and permissions. Veza’s Access Platform offers granular visibility, enabling you to pinpoint and address the specific permission in a role that’s out of compliance.

SoD Assessments and Compliance Requirements

In addition to mitigating risks within your organization, Separation of Duties (SoD) controls are a critical component of regulatory compliance. Many industries are governed by strict compliance frameworks that mandate SoD assessments as part of their security and operational standards. These frameworks include:

  • Sarbanes-Oxley Act (SOX): This U.S. federal law mandates strict internal controls, including SoD, to prevent financial fraud. Companies must ensure that no single individual has the authority to both initiate and approve financial transactions, among other controls.
  • Payment Card Industry Data Security Standard (PCI DSS): For organizations that handle credit card transactions, PCI DSS requires rigorous controls, including SoD, to protect cardholder data. This helps ensure that individuals cannot both access and modify sensitive payment information.
  • ISO/IEC 27001: This international standard for information security management systems (ISMS) emphasizes the importance of SoD to protect data integrity and confidentiality, requiring organizations to implement and regularly assess SoD controls as part of their security management practices.
  • HIPAA: For organizations handling protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) requires the implementation of access controls to ensure that no single user can compromise sensitive patient data, making SoD assessments a key part of compliance.

Failing to comply with these requirements can result in severe penalties, legal consequences, and reputational damage. Therefore, regular SoD assessments are not just best practices—they are a regulatory necessity.

How Veza Facilitates Compliance

Veza’s platform is uniquely equipped to help organizations meet these compliance requirements through robust SoD management. With its extensive integrations, pre-built queries, and continuous monitoring capabilities, Veza simplifies the process of conducting SoD assessments and generating the necessary reports for compliance audits.

By leveraging Veza’s Access Platform, you can ensure that your organization not only adheres to regulatory standards but also proactively mitigates the risks associated with toxic combinations of access. This dual focus on security and compliance makes Veza an essential tool for any organization looking to maintain operational integrity while staying within the bounds of industry regulations.

Implementing SoD Controls with Veza

Implementing SoD controls in Veza is a straightforward process that involves defining violations, using pre-built queries, and customizing dashboards for monitoring and reporting. Here’s a step-by-step guide to setting up SoD controls:

  1. Define SoD Violations: Use Veza’s Separation of Duties product to specify the toxic combinations of permissions that constitute a violation. The query builder interface allows you to create detailed conditions and logical operators (AND/OR) to group access levels.
  2. Run and Review Queries: After defining the SoD violations, you can run the query to preview potential violations. Veza provides a detailed record table that shows the results, allowing you to verify and adjust the rules as necessary.
  3. Customize Display Output: Tailor the output to include relevant attributes like identity type or risk score, ensuring that you have all the necessary information for effective decision-making.
  4. Save and Automate: Once satisfied with the query results, save the query with a name, description, and risk level. You can also add rules to trigger alerts or orchestration actions when violations are detected.
  5. Monitor and Report: Veza’s customizable dashboards allow you to track SoD violations and resolutions, providing continuous monitoring and alerting to ensure that any issues are promptly addressed.

Example SoD Violations

Here are two examples of how SoD violations can be managed in Veza:

  • GitHub Access Control: A simple SoD rule might ensure that a personal account in a GitHub organization cannot be a member of the developer or QA teams while also holding admin rights.
  • Cross-Platform Controls: A more complex query might involve preventing users with access to both Salesforce and ServiceNow from having write permissions in critical tables within Snowflake.

Reviewing and Remediating SoD Risks

Regular access reviews are essential to maintaining SoD compliance. Veza enables organizations to create review configurations based on saved SoD queries. During a review, users can approve or reject access based on the results, ensuring that any SoD violations are promptly addressed.

Veza also supports automated remediation by integrating with tools like ServiceNow and Jira. By setting up rules based on the severity of the violation, you can trigger alerts and orchestrate actions to address risks promptly.
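The continuous-monitoring, alerting and severity-based orchestration described above (the alert rules in step 4, the violation/resolution tracking in step 5, and the ticketing integrations in this section) reduce to one mechanism: compare the latest scan with the previous one, raise an event only for findings that appeared or disappeared, and pick an action from a severity policy. The code below is an added example written for this article, not Veza's code; the snapshot shape, the severity-to-action mapping and the ticket payload fields are constructed assumptions and do not reflect the Jira or ServiceNow APIs.

```python
"""Snapshot-diff alerting for SoD findings: 'opened' events for new violations,
'resolved' events when a violation disappears, orchestration action by severity.

Added example, not Veza's code. Snapshot shape, severity-to-action mapping and
the ticket payload are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (identity, rule) identifies one finding across scans


@dataclass(frozen=True)
class Finding:
    identity: str
    rule: str
    risk: str  # "low" | "medium" | "high" | "critical"


@dataclass(frozen=True)
class Event:
    kind: str        # "opened" or "resolved"
    finding: Finding
    action: str      # orchestration step chosen by policy


# Orchestration policy keyed by severity (assumption for this example).
ACTIONS_BY_RISK: Dict[str, str] = {
    "critical": "page-oncall-and-open-ticket",
    "high": "open-ticket",
    "medium": "open-ticket",
    "low": "add-to-weekly-digest",
}

# Constructed snapshots: results of yesterday's and today's scans.
PREVIOUS = [
    Finding("alice", "erp-vendor-create-vs-payment-approve", "high"),
    Finding("dave", "zendesk-submitter-vs-approver", "medium"),
]
CURRENT = [
    Finding("alice", "erp-vendor-create-vs-payment-approve", "high"),    # still open
    Finding("carol", "coupa-approver-vs-zendesk-submitter", "critical"),  # new
    Finding("frank", "zendesk-submitter-vs-approver", "medium"),          # new
]  # dave no longer appears: his conflict was remediated since the last scan


def _index(findings: List[Finding]) -> Dict[Key, Finding]:
    return {(f.identity, f.rule): f for f in findings}


def diff_snapshots(previous: List[Finding], current: List[Finding]) -> List[Event]:
    """Emit one event per state change; unchanged findings produce no noise."""
    prev, cur = _index(previous), _index(current)
    events = [Event("opened", cur[k], ACTIONS_BY_RISK.get(cur[k].risk, "open-ticket"))
              for k in sorted(cur.keys() - prev.keys())]
    events += [Event("resolved", prev[k], "close-ticket")
               for k in sorted(prev.keys() - cur.keys())]
    return events


def ticket_payload(event: Event) -> Dict[str, str]:
    """Fields handed to a ticketing integration (assumed shape, not a real API)."""
    f = event.finding
    return {
        "summary": f"SoD {event.kind}: {f.identity} / {f.rule}",
        "severity": f.risk,
        "action": event.action,
        "identity": f.identity,
        "rule": f.rule,
    }


def open_by_severity(current: List[Finding]) -> Dict[str, int]:
    """Dashboard counter: how many findings remain open per severity."""
    counts: Dict[str, int] = {}
    for f in current:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in diff_snapshots(PREVIOUS, CURRENT):
        print(ticket_payload(ev))
    print(open_by_severity(CURRENT))
```

Keying findings on (identity, rule) is what makes the diff stable across scans: alice's unchanged violation generates no repeat alert, carol's new critical finding pages on-call, frank's medium finding opens a ticket, and dave's disappearance closes his ticket, which is the resolution tracking a dashboard would display.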

Conclusion

Separation of Duties is a cornerstone of robust security practices. By implementing SoD controls using Veza, organizations can effectively mitigate the risks associated with toxic combinations of access. With powerful tools for defining, detecting, and remediating SoD violations, Veza helps you safeguard your business from internal threats and maintain compliance with industry standards.
