Enforcing Segregation of Duties
IT organizations have struggled to identify potential Segregation of Duties (SoD) violations within their IT systems. A violation of this kind occurs when a user is granted permissions that, in combination, can be used to subvert a business-critical process or otherwise cause harm in breach of corporate policy. A common example is the combination of permission to manipulate vendor master data with permission to approve invoice payments to a vendor. This combination creates risk exposure, since a user could fraudulently register a vendor and then approve fake invoices for their own benefit.
The findings of an SoD analysis often lead to costly remediation efforts, since resolving a conflict may require altering role definitions and the related business processes. Alternatively, auditors may agree to accept mitigating controls, meaning the risk is accepted but managed through manual controls performed at regular intervals to verify that permissions in breach of corporate policy are not abused. Attribute Based Access Control (or "ABAC") assists in the implementation and enforcement of access controls derived from actual business rules, including rules mandating dual control or segregation of duties.
- How ABAC can help organizations become more compliant
- How organizations can minimize fraud with an externalized approach to authorization
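The vendor-master/invoice-approval conflict described above, worked through as an added example that is not part of the original article: a static SoD check over a role model, plus an ABAC-style runtime decision that enforces dual control from record attributes. The role names, permission names and all sample data are constructed for illustration.

```python
# Added example (not from the original article): a minimal Segregation of
# Duties (SoD) check in two layers.  Role names, permission names and all
# sample data are constructed for illustration.

# SoD rules: pairs of permissions that one person must never hold together.
SOD_RULES = {
    ("vendor.master.edit", "invoice.approve"): "register vendor + approve its invoices",
    ("payment.create", "payment.release"): "create + release a payment",
}

# Constructed role model: role -> permissions granted by that role.
ROLES = {
    "ap_clerk": {"invoice.enter", "vendor.master.edit"},
    "ap_manager": {"invoice.approve", "payment.create"},
    "treasury": {"payment.release"},
}


def effective_permissions(user_roles, roles=ROLES):
    """Union of the permissions granted by every role a user holds."""
    return set().union(*(roles[r] for r in user_roles))


def sod_violations(user_roles, roles=ROLES, rules=SOD_RULES):
    """Static analysis: list the SoD rules breached by a user's role set."""
    perms = effective_permissions(user_roles, roles)
    return sorted(reason for (a, b), reason in rules.items()
                  if a in perms and b in perms)


def authorize_invoice_approval(subject, invoice, vendor):
    """ABAC-style runtime decision for the action 'invoice.approve'.

    Even when the role model grants the permission, the policy enforces
    dual control from the record attributes: the approver must not be the
    person who registered the vendor or who entered the invoice.
    Returns (permitted, reason).
    """
    if "invoice.approve" not in subject["permissions"]:
        return False, "subject lacks invoice.approve"
    if vendor["created_by"] == subject["id"]:
        return False, "approver registered the vendor"
    if invoice["entered_by"] == subject["id"]:
        return False, "approver entered the invoice"
    return True, "permit"


if __name__ == "__main__":
    # Holding both AP roles is the textbook vendor/invoice SoD conflict.
    print(sod_violations({"ap_clerk", "ap_manager"}))
```

The static check flags toxic role combinations for remediation, while the runtime rule still blocks the fraudulent approval when the same person registered the vendor, even if a conflicting role was assigned after the analysis ran.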