Why Identity and Segregation of Duties Are the New Perimeter
Blog article by Jeff Hare

Managing identity has become one of the most critical elements of enterprise security in today’s complex digital environment. As businesses adopt more cloud-based solutions, identity and access controls are no longer just a compliance checkbox; they are the new security perimeter. The challenge lies in ensuring that the right people have access to the right systems and activities within those systems, and nothing more.
Protecting the modern enterprise means enforcing least privilege access, with segregation of duties (SoD) taken into account, as part of a holistic identity governance and administration (IGA) approach. The following explains how least privilege access can be part of an organizational strategy to manage identities effectively and enable a compliant security posture.
The Criticality of Least Privilege Access and Segregation of Duties
Traditionally, SoD focused on separating conflicting duties in financially significant activities, for example ensuring that one person cannot both create and approve payments. What began as a compliance demand following Sarbanes–Oxley has also become a security consideration because of the complexity of today’s systems. However, most compliance programs look only at SoD and do not fully take into account the concept of least privilege access.
Organizations need to think about how to extend ‘good security’ beyond finance and across the entire enterprise for two reasons:
- Compliance issues arise when a user has conflicting roles across ERP, procurement, or CRM systems like Salesforce. Managing SoD across systems is crucial to prevent individuals from performing conflicting functions.
- From a least privilege perspective, each of these applications varies greatly in what a permission can mean. Beyond compliance, organizations must clearly understand who has access to what in order to lock down access to sensitive activities and information. Additionally, they need to be sure no user is over-provisioned with excessive permissions.
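The two concerns above (cross-system SoD conflicts and over-provisioning against a least privilege baseline) can both be answered from one flattened access export. The following is an added example, not code from the article or from ERP Risk Advisors; the rule set, role baselines and user export are constructed for illustration, and entitlements are written as `system:permission` so that a rule can span ERP, procurement and CRM.

```python
"""Cross-system SoD conflict and over-provisioning check (illustrative, constructed data)."""
from collections import defaultdict

# SoD ruleset: pairs of entitlements one person must not hold at the same time.
# The system prefix lets a rule cross application boundaries.
SOD_RULES = [
    ("erp:create_payment", "erp:approve_payment"),
    ("erp:create_vendor", "erp:approve_invoice"),
    ("procurement:create_po", "erp:approve_payment"),
    ("crm:edit_pricing", "erp:post_revenue"),
]

# Least privilege baseline: the entitlements each business role is expected to hold.
ROLE_BASELINE = {
    "ap_clerk": {"erp:create_payment", "erp:create_vendor"},
    "ap_manager": {"erp:approve_payment", "erp:approve_invoice"},
    "buyer": {"procurement:create_po", "crm:view_account"},
}

# Constructed access export: user -> (business role, entitlements actually granted).
ACCESS_EXPORT = {
    "alice": ("ap_clerk", {"erp:create_payment", "erp:create_vendor"}),
    "bob": ("ap_clerk", {"erp:create_payment", "erp:approve_payment"}),
    "carol": ("buyer", {"procurement:create_po", "erp:approve_payment", "crm:view_account"}),
    "dave": ("ap_manager", {"erp:approve_payment", "erp:approve_invoice", "crm:edit_pricing"}),
}


def sod_violations(access):
    """Return {user: [(ent_a, ent_b), ...]} for every rule whose both sides a user holds."""
    out = defaultdict(list)
    for user, (_, ents) in access.items():
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                out[user].append((a, b))
    return dict(out)


def over_provisioned(access, baseline):
    """Return {user: set(entitlements)} held beyond the user's role baseline."""
    out = {}
    for user, (role, ents) in access.items():
        extra = ents - baseline.get(role, set())
        if extra:
            out[user] = extra
    return out


def who_has(access, entitlement):
    """Answer 'who has access to what' for one entitlement, sorted by user."""
    return sorted(u for u, (_, ents) in access.items() if entitlement in ents)


if __name__ == "__main__":
    for user, pairs in sod_violations(ACCESS_EXPORT).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, extra in over_provisioned(ACCESS_EXPORT, ROLE_BASELINE).items():
        print(f"Over-provisioned: {user} has {sorted(extra)} beyond baseline")
    print("Can approve payments:", who_has(ACCESS_EXPORT, "erp:approve_payment"))
```

Note that dave triggers no SoD rule yet is still flagged by the baseline comparison: that is the gap the article describes between a compliance-only SoD program and least privilege.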
Why is Identity the New Security Perimeter?
The proliferation of cloud applications and today’s hybrid infrastructure of legacy on-prem systems and cloud apps has made identity crucial. Identity has become the primary gateway to an organization’s most sensitive data and systems. Everything is at risk for exposure.
While organizations try to ensure that best-practice controls such as multi-factor authentication (MFA) are in place, authentication controls alone are not enough in today’s environment. For example, the recent breaches related to Snowflake were more complicated than the MFA policy oversight they initially appeared to be. They involved both the failure to enable MFA within the user interface and added complexity from the way those users were originally provisioned. Additionally, there was a lack of understanding about whether an inactive local account could bypass MFA.
These types of breaches are likely to keep happening as legacy systems migrate to cloud and SaaS-based applications. Modern SaaS applications implement MFA in vastly different ways. Current cyber security providers cannot help organizations here because their expertise is ‘securing the perimeter’; they lack the domain expertise in each of the SaaS applications the organization is running.
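Because MFA enforcement differs from one SaaS application to the next, a useful defensive habit is to audit each application's user export for the account types the article calls out: local (non-SSO) accounts without MFA, and accounts that are inactive yet still enabled. The following is an added example, not from the article; the export fields (`auth`, `mfa`, `disabled`, `last_login`) and the user records are constructed and will not match any particular vendor's export format.

```python
"""Audit a constructed SaaS user export for local accounts without MFA and dormant accounts."""
from datetime import date

# Fixed reference date so the example is reproducible (constructed).
TODAY = date(2024, 7, 1)

# Constructed user export. "auth" is how the account authenticates: "sso" means the
# identity provider enforces MFA; "local" means the application's own password login.
USERS = [
    {"user": "svc_loader", "auth": "local", "mfa": False, "disabled": False, "last_login": date(2023, 11, 2)},
    {"user": "alice", "auth": "sso", "mfa": True, "disabled": False, "last_login": date(2024, 6, 28)},
    {"user": "bob", "auth": "local", "mfa": True, "disabled": False, "last_login": date(2024, 6, 30)},
    {"user": "old_admin", "auth": "local", "mfa": False, "disabled": True, "last_login": date(2022, 1, 15)},
    {"user": "carol", "auth": "local", "mfa": False, "disabled": False, "last_login": None},
]


def audit_accounts(users, today=TODAY, dormant_days=90):
    """Return a list of (user, finding) for enabled accounts that weaken the MFA posture.

    Disabled accounts are skipped: the point of the check is accounts that can still
    authenticate. A local account with no MFA and no recent login is reported twice,
    once per condition, so each finding can be routed to a different owner.
    """
    findings = []
    for u in users:
        if u["disabled"]:
            continue
        if u["auth"] == "local" and not u["mfa"]:
            findings.append((u["user"], "local account without MFA"))
        if u["last_login"] is None:
            findings.append((u["user"], "never logged in"))
        elif (today - u["last_login"]).days > dormant_days:
            findings.append((u["user"], "dormant"))
    return findings


def summarize(findings):
    """Count findings per type, which is what an access review dashboard needs."""
    counts = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(USERS)
    for user, finding in results:
        print(f"{user}: {finding}")
    print(summarize(results))
```

The `svc_loader` record is the pattern the article warns about: a local account, no MFA, last used months ago, still enabled. Whether such an account can bypass an MFA policy configured in the user interface is application-specific, so the audit reports it for review rather than assuming either answer.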
Protecting the enterprise requires complete visibility into who has access to what systems. That includes everything from finance systems to HR and procurement applications. But because of disparate systems and app owners, most organizations lack this transparency, which is compounding the security risks.
Building and Sustaining Least Privilege Access and SoD: From Initial Implementation to Daily Operations
Compounding this issue, system integrators—whose primary goal is to deliver the system on time, on budget, and with the intended functionality—typically do not include security controls within their project scope.
But even when everything is sorted for deployment, the work doesn’t stop. This is especially true in SaaS environments, where providers regularly push out updates and patches, introducing new functionalities or changing existing ones. Every update requires continuous monitoring for potential oversights or misconfigurations that threat actors can exploit.
Automating Access Controls and Managing Joiners, Movers, and Leavers
Another security consideration in daily operations is managing access rights across the digital ecosystem, especially with constant personnel changes. This is where automation becomes a game-changer, particularly when dealing with joiners, movers, and leavers. A big challenge today is the lack of visibility, which means people often carry over access from previous roles.
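Automating joiners, movers and leavers comes down to reconciling the HR system's view of a person (status, current role, previous role) against what the application actually grants, and turning every difference into an action. The following is an added example, not code from the article or from ERP Risk Advisors; the `Worker`, `Account` and `Action` records, the role baselines and the HR feed are constructed, and a real run would read the feed from the HR system and the accounts from each application's user export.

```python
"""Joiner/mover/leaver reconciliation of an HR feed against an access export (constructed data)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Least privilege baseline per business role (constructed).
ROLE_BASELINE = {
    "ap_clerk": {"erp:create_payment", "erp:create_vendor"},
    "ap_manager": {"erp:approve_payment", "erp:approve_invoice"},
    "buyer": {"procurement:create_po", "crm:view_account"},
}


@dataclass
class Worker:                 # one row of the HR feed
    user: str
    status: str               # "active" or "terminated"
    role: str
    previous_role: Optional[str] = None   # populated by HR when a mover changes job


@dataclass
class Account:                # one row of the application's user export
    user: str
    enabled: bool
    entitlements: FrozenSet[str]


@dataclass
class Action:                 # one provisioning step the reconciliation wants performed
    kind: str                 # create | grant | revoke | disable
    user: str
    entitlement: Optional[str]
    reason: str


HR_FEED = [
    Worker("erin", "active", "buyer", previous_role="ap_clerk"),   # mover, still holds old access
    Worker("frank", "terminated", "ap_manager"),                    # leaver, account still enabled
    Worker("grace", "active", "ap_clerk"),                          # joiner, no account yet
    Worker("heidi", "active", "ap_manager"),                        # under-provisioned
]
ACCOUNTS = {
    "erin": Account("erin", True, frozenset({"procurement:create_po", "crm:view_account", "erp:create_payment"})),
    "frank": Account("frank", True, frozenset({"erp:approve_payment", "erp:approve_invoice"})),
    "heidi": Account("heidi", True, frozenset({"erp:approve_payment"})),
    "ivan": Account("ivan", True, frozenset({"erp:create_vendor"})),   # no HR record at all
}


def reconcile(hr_feed, accounts, baseline):
    """Return the ordered list of actions that brings accounts in line with the HR feed."""
    actions = []
    for w in hr_feed:
        acct = accounts.get(w.user)
        if w.status == "terminated":
            if acct is not None and acct.enabled:
                actions.append(Action("disable", w.user, None, "terminated in HR feed"))
            continue
        expected = baseline[w.role]
        if acct is None:
            actions.append(Action("create", w.user, None, f"joiner with role {w.role}"))
            held = frozenset()
        else:
            held = acct.entitlements
        for ent in sorted(expected - held):
            actions.append(Action("grant", w.user, ent, f"in {w.role} baseline"))
        for ent in sorted(held - expected):
            # Explain carried-over access explicitly: it is the mover problem the text describes.
            if w.previous_role and ent in baseline.get(w.previous_role, set()):
                reason = f"carried over from previous role {w.previous_role}"
            else:
                reason = f"not in {w.role} baseline"
            actions.append(Action("revoke", w.user, ent, reason))
    # Orphans: enabled accounts with no HR record cannot be explained by any role.
    known = {w.user for w in hr_feed}
    for name in sorted(accounts):
        if name not in known and accounts[name].enabled:
            actions.append(Action("disable", name, None, "no matching HR record"))
    return actions


if __name__ == "__main__":
    for a in reconcile(HR_FEED, ACCOUNTS, ROLE_BASELINE):
        print(f"{a.kind:8} {a.user:6} {a.entitlement or '-':24} {a.reason}")
```

Running it once against a snapshot gives the visibility the paragraph says is missing; running it on every HR change, and sending the revoke actions for movers to the application owner rather than silently leaving the old role in place, is the automation.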
Bridging the Gap Between Teams
Another common challenge is the disconnect between identity, security, and compliance teams. When these groups are not aligned, gaps in security emerge, potentially exposing the organization to significant risks.
Identity and security operations teams often have different objectives, creating security gaps. Regular communication and proper tools help align goals and minimize risks, oversights and vulnerabilities.
Executive Buy-In is Crucial for Effective Identity Governance
Strong identity governance that ensures least privilege and SoD controls doesn’t just happen. It requires resources and commitment from leadership. When executives see the value of controls, they’re more likely to allocate the budget and support needed for security. Securing executive support ensures that your identity governance efforts receive proper resources and align with broader business objectives.
Where to Begin: Visibility as the Foundation
To get started, you need to gain visibility into your existing identity and access controls landscape.
In our experience, most software providers ship over-provisioned seeded roles, and most system integrators do not know how to refine and reduce those roles. Without a mature risk advisory and cybersecurity partner, the implementation likely lacked security and compliance controls.
ERP Risk Advisors excels at implementing automated controls, addressing SoD controls, and building roles based on least privilege. We also address cybersecurity risks, enhance access reviews, and manage movers, joiners, and leavers effectively. Contact us to schedule a meeting and advance your organization’s security and controls program from crawling to running.