Why Identity and Segregation of Duties Are the New Perimeter 

Blog article by Jeff Hare

Managing identity has become one of the most critical elements of enterprise security in today’s complex digital environment. As businesses adopt more cloud-based solutions, identity and access controls are no longer just a compliance checkbox; they are the new security perimeter. The challenge lies in ensuring that the right people have access to the right systems and to the right activities within those systems, and nothing more.

To protect the modern enterprise, enforcing least privilege access, with segregation of duties (SoD) taken into account, needs to be part of a holistic identity governance and administration (IGA) approach. The following explains how least privilege access can be part of an organizational strategy to effectively manage identities and maintain a compliant security posture.

The Criticality of Least Privilege Access and Segregation of Duties  

Traditionally, SoD focused on separating conflicting duties in financially significant activities, for example ensuring that one person cannot both create and approve payments. What began as a compliance demand following Sarbanes–Oxley has now also become a security consideration because of the complexity of today’s systems. However, most compliance programs look only at SoD and do not fully take the concept of least privilege access into account.

Organizations need to think about how to extend ‘good security’ beyond finance and across the entire enterprise for two reasons:  

  1. Compliance issues arise when a user holds conflicting roles across ERP, procurement, or CRM systems such as Salesforce. Managing SoD across systems, not just within each one, is crucial to prevent individuals from performing conflicting functions.
  2. From a least privilege perspective, these applications vary greatly in what a permission can mean. Beyond compliance, organizations must clearly understand who has access to what in order to lock down access to sensitive activities and information. Additionally, they need to be sure no user is over-provisioned with excessive permissions.
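The cross-system SoD check described above, as an added example that is not part of the original article. It assumes a simple entitlement model: each identity holds roles in several systems, each role maps to a set of business functions, and a conflict matrix names the function pairs that one person must never hold together. The conflict is evaluated on the user's combined functions, so a pair split across ERP and procurement is caught just like a pair inside one system. All system, role and function names, and the conflict matrix itself, are constructed for illustration.

```python
"""Cross-system segregation-of-duties (SoD) conflict detection.

Added example, not from the original article. Role-to-function mappings
and the conflict matrix are constructed placeholders; a real deployment
would load them from each application's security model.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: business functions granted by each (system, role) pair.
ROLE_FUNCTIONS = {
    ("erp", "AP_CLERK"): {"vendor.create", "payment.create"},
    ("erp", "AP_MANAGER"): {"payment.approve"},
    ("procurement", "BUYER"): {"po.create"},
    ("procurement", "PO_APPROVER"): {"po.approve"},
    ("crm", "SALES_REP"): {"customer.create"},
    ("crm", "CREDIT_ADMIN"): {"credit_limit.change"},
}

# Constructed conflict matrix: unordered function pairs one identity must not
# hold together. Note "vendor.create" + "po.create" spans two systems.
SOD_CONFLICTS = {
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"vendor.create", "po.create"}),
    frozenset({"po.create", "po.approve"}),
    frozenset({"customer.create", "credit_limit.change"}),
}


def effective_functions(assignments):
    """Flatten (system, role) assignments into business functions, keeping
    track of which assignment granted each function."""
    granted = defaultdict(set)
    for system, role in assignments:
        for fn in ROLE_FUNCTIONS.get((system, role), set()):
            granted[fn].add(f"{system}:{role}")
    return granted


def sod_violations(user_assignments):
    """Return {user: [(function_a, function_b, granting_roles), ...]} for
    every conflicting function pair a single identity holds, regardless of
    which systems the functions come from."""
    report = {}
    for user, assignments in user_assignments.items():
        granted = effective_functions(assignments)
        hits = []
        for a, b in combinations(sorted(granted), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                hits.append((a, b, sorted(granted[a] | granted[b])))
        if hits:
            report[user] = hits
    return report


# Constructed sample assignments: dana's conflict crosses ERP and procurement,
# evan's sits entirely inside ERP, alice and bob are clean.
SAMPLE_ASSIGNMENTS = {
    "alice": [("erp", "AP_CLERK"), ("crm", "SALES_REP")],
    "bob": [("erp", "AP_MANAGER"), ("procurement", "PO_APPROVER")],
    "dana": [("erp", "AP_CLERK"), ("procurement", "BUYER")],
    "evan": [("erp", "AP_CLERK"), ("erp", "AP_MANAGER")],
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for a, b, sources in hits:
            print(f"{user}: {a} + {b} via {', '.join(sources)}")
```

The check deliberately works on functions rather than role names: two applications rarely share a role vocabulary, so mapping each role to what it actually lets a person do is the step that makes a cross-system conflict visible at all.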

Why is Identity the New Security Perimeter? 

The proliferation of cloud applications and today’s hybrid infrastructure of legacy on-prem systems and cloud apps has made identity crucial. Identity has become the primary gateway to an organization’s most sensitive data and systems. Everything is at risk for exposure. 

While organizations try to ensure best practice controls such as multi-factor authentication (MFA) are present, authentication controls are not good enough in today’s environment. For example, the recent breaches related to Snowflake were more complicated than the MFA policy oversight initially appeared to be. This situation involved both the failure to enable MFA within the user interface and added complexity from the way those users were originally provisioned. Additionally, there was a lack of understanding about whether an inactive local account could bypass MFA.

These types of breaches are likely to keep happening as many legacy systems migrate to cloud and SaaS-based applications. Modern SaaS applications implement MFA in vastly different ways. Traditional cybersecurity providers cannot help organizations here because their expertise is in ‘securing the perimeter’ and they lack domain expertise in each of the SaaS applications the organization is running.

Protecting the enterprise requires complete visibility into who has access to what systems. That includes everything from finance systems to HR and procurement applications. But because of disparate systems and app owners, most organizations lack this transparency, which is compounding the security risks.  

Building and Sustaining Least Privilege Access and SoD: From Initial Implementation to Daily Operations 

When implementing new systems like ERP or SaaS applications, ensuring that access controls are correctly established from the outset is one of the most critical challenges. Unfortunately, people often overlook this. ERP software providers excel in system functionality but often fail to deliver roles meeting specific security and compliance needs. Over-provisioned or poorly tailored roles expose organizations to risks in compliance, cybersecurity, data security, fraud, and operations.

Compounding this issue, system integrators, whose primary goal is to deliver the system on time, on budget, and with the intended functionality, typically do not include security controls within their project scope.

But even when everything is sorted for deployment, the work doesn’t stop. This is especially true in SaaS environments, where providers regularly push out updates and patches, introducing new functionalities or changing existing ones. Every update requires continuous monitoring for potential oversights or misconfigurations that threat actors can exploit.  

Automating Access Controls and Managing Joiners, Movers, and Leavers 

Another security consideration in daily operations is managing access rights across the digital ecosystem, especially with constant personnel changes. This is where automation becomes a game-changer, particularly when dealing with joiners, movers, and leavers. A big challenge today is the lack of visibility, which means people often carry over access from previous roles. 

Automation ensures that joiners receive the right access, movers have their rights updated as roles change, and leavers are fully deprovisioned to remove lingering risks. By automating these processes, your organization reduces human error, streamlines access reviews, and keeps access rights aligned with current roles.
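The joiner, mover and leaver reconciliation described above, as an added example that is not part of the original article. It assumes two constructed inputs, an HR feed with each person's status and current job, and the entitlements each identity currently holds across systems, plus a per-job baseline of expected entitlements; all names are illustrative. The function diffs actual access against the baseline so that carried-over access from a previous role (the mover case) and lingering access of terminated staff (the leaver case) surface as revocations, and accounts with no HR record at all are flagged.

```python
"""Joiner / mover / leaver (JML) reconciliation.

Added example, not from the original article. The HR feed, access
inventory and job baseline are constructed placeholders standing in for
an HRIS export, per-application entitlement exports and an approved
role model.
"""

# Constructed baseline: the entitlements each job is supposed to hold.
JOB_BASELINE = {
    "ap_clerk": {"erp:AP_CLERK"},
    "buyer": {"procurement:BUYER"},
    "sales_rep": {"crm:SALES_REP"},
}


def reconcile(hr_feed, current_access):
    """Return {user: {"grant": set, "revoke": set}} for every identity whose
    access differs from what HR says it should be.

    joiner  -> grant the baseline for the new job
    mover   -> revoke entitlements outside the new job's baseline, grant any missing
    leaver  -> revoke everything still held
    orphan  -> an identity with access but no HR record is treated like a leaver
    """
    actions = {}
    for user, record in hr_feed.items():
        held = current_access.get(user, set())
        if record["status"] == "terminated":
            if held:
                actions[user] = {"grant": set(), "revoke": set(held)}
            continue
        baseline = JOB_BASELINE[record["job"]]
        grant = baseline - held           # joiner, or mover missing new access
        revoke = held - baseline          # access carried over from a previous role
        if grant or revoke:
            actions[user] = {"grant": grant, "revoke": revoke}
    # Accounts that hold access but are unknown to HR cannot be justified.
    for user in current_access.keys() - hr_feed.keys():
        actions[user] = {"grant": set(), "revoke": set(current_access[user])}
    return actions


# Constructed sample data: alice unchanged, bob a joiner with no access yet,
# dana moved from AP clerk to sales and kept the old role, evan was terminated,
# svc_legacy has access but no HR record.
SAMPLE_HR = {
    "alice": {"status": "active", "job": "ap_clerk"},
    "bob": {"status": "active", "job": "buyer"},
    "dana": {"status": "active", "job": "sales_rep"},
    "evan": {"status": "terminated", "job": "ap_clerk"},
}
SAMPLE_ACCESS = {
    "alice": {"erp:AP_CLERK"},
    "dana": {"erp:AP_CLERK", "crm:SALES_REP"},
    "evan": {"erp:AP_CLERK"},
    "svc_legacy": {"erp:AP_MANAGER"},
}

if __name__ == "__main__":
    for user, change in sorted(reconcile(SAMPLE_HR, SAMPLE_ACCESS).items()):
        print(f"{user}: grant={sorted(change['grant'])} revoke={sorted(change['revoke'])}")
```

Running the reconciliation on every HR change, rather than on a periodic review cycle, is what keeps the mover case from turning into long-lived over-provisioning.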

Bridging the Gap Between Teams 

Another common challenge is the disconnect between identity, security, and compliance teams. When these groups are not aligned, gaps in security emerge, potentially exposing the organization to significant risks.

Identity and security operations teams often have different objectives, creating security gaps. Regular communication and proper tools help align goals and minimize risks, oversights and vulnerabilities.

Executive Buy-In is Crucial for Effective Identity Governance 

Strong identity governance that ensures least privilege and SoD controls doesn’t just happen. It requires resources and commitment from leadership. When executives see the value of controls, they’re more likely to allocate the budget and support needed for security. Securing executive support ensures that your identity governance efforts receive proper resources and align with broader business objectives.

Where to Begin: Visibility as the Foundation 

To get started, you need to gain visibility into your existing identity and access controls landscape.

In our experience, most software providers ship over-provisioned seeded roles, and most system integrators do not know how to refine and reduce those roles. Without a mature risk advisory and cybersecurity partner, the implementation likely lacked security and compliance controls.

ERP Risk Advisors excels at implementing automated controls, addressing SoD controls, and building roles based on least privilege. We also address cybersecurity risks, enhance access reviews, and manage movers, joiners, and leavers effectively. Contact us to schedule a meeting and advance your organization’s security and controls program from crawling to running.


Additional Resources:

  1. 3 Billion Reasons To Do More Than Just Securing The Perimeter (erpra.net)
  2. Auditors Are Talking About SoD Too Much!