Data-driven and incremental approach to separation of duties (SoD)
One of our clients, active in the utilities industry, was confronted with the task of defining and implementing an SoD policy.
The task seemed too overwhelmingly big to start. The machinery to enforce the SoD rules was already in place, but they struggled to get a handle on the rules themselves.
The traditional approach of conducting numerous interviews with business and application owners to reveal the SoD requirements was too slow and too costly, not only for this client but for many modern organizations.
Instead, we applied a risk-based, data-driven and iterative approach and provided our client with a first set of SoD rules in just a few weeks, allowing them to prove that they were working on it.
Data-driven: We put the identity data to work, allowing for a more cost-efficient, but most importantly, a more intuitive approach to design SoD rules, understand the current situation and address the violations.
Risk-based: For each iteration the scope is defined based on risk to aim for maximal risk reduction.
Automated: Each iteration ends with putting automated monitoring in place, ensuring that the value of every sprint is preserved: you get notified when a violation does slip through the governance processes.
5-Step Approach
Define scope: To define the scope of the first iteration, two things were decided: a department and a set of applications. First, our client decided on a department in which fraud could have a high impact and separation of duties was of high importance. Once that was decided, they listed the applications that played a key role in executing the sensitive tasks.
Collect data: We collected the relevant identity data from the applications listed in the previous step in our platform. Thanks to the out-of-the-box connectors and the flexibility of our platform, this data was collected and ready after only 2 days.
Investigate: Our platform for identity intelligence visualized this data for easy understanding, for example in a matrix highlighting the combinations of entitlements that occur most and least frequently. It’s often the case that those combinations that occur a lot are not toxic. Hence, we started by looking at the outliers. For those, the client identified whether they were toxic or not. This way we built a list of SoD rules, which were both combinations of entitlements within one application and across multiple applications.
Address: Following the initial investigation and prioritization, our platform allowed our client to look into the violations and assess the current situation. They could see who had the most SoD violations on their record, whether the violating accounts were still active, who the manager was, and so on. To address this set of violations, our client used mainly two methods: remediation and mitigation.
Tactical clean-up: They used Elimity’s identity and role analytics capabilities to identify whether a role should and could be revoked, an account deleted, and so on.
Strategic redesign: In case certain violations could not be addressed tactically, for example because conflicting entitlements are part of one role, strategic redesign comes into play. This is typically a more sophisticated project because roles must be redesigned.
Automate monitoring: Once the customer started addressing the violations, we helped them set up the necessary governance activities such as monitoring. This enabled them to:
follow up the progress that was being made in cleaning up the violations,
and ensure that violations do not reappear once they have been addressed.
This step ensures that the effort they spent in this sprint is secured. Our client could now easily enforce the rules in, for example, an IGA system, and even if an SoD violation slips through, they get notified. This enables them to fix the exception immediately and avoid another large clean-up later on.
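The steps above can be illustrated with a small script. This is an added example, not Elimity's platform code or client data: the user-to-entitlement assignments and the two SoD rules are constructed, and the thresholds and function names are assumptions. It builds the co-occurrence matrix from the investigate step, lists the rare (outlier) combinations for review, evaluates a rule set within one application and across two applications, and compares two snapshots the way an automated monitor would to detect backsliding.

```python
from collections import Counter
from itertools import combinations

# Constructed sample identity data (not real client data):
# user -> set of (application, entitlement) pairs collected from each application.
ASSIGNMENTS = {
    "alice": {("ERP", "create_vendor"), ("ERP", "approve_payment"), ("BANK", "release_payment")},
    "bob":   {("ERP", "create_vendor"), ("ERP", "view_invoice")},
    "carol": {("ERP", "view_invoice"), ("ERP", "approve_payment")},
    "dave":  {("ERP", "create_vendor"), ("ERP", "view_invoice")},
    "erin":  {("ERP", "view_invoice"), ("ERP", "approve_payment")},
}

def pair_counts(assignments):
    """Co-occurrence matrix: how many users hold each pair of entitlements."""
    counts = Counter()
    for ents in assignments.values():
        for pair in combinations(sorted(ents), 2):
            counts[pair] += 1
    return counts

def rare_pairs(assignments, max_users=1):
    """Outliers: pairs held by at most max_users users; these are reviewed first for toxicity."""
    return sorted(p for p, n in pair_counts(assignments).items() if n <= max_users)

# SoD rules a reviewer marked as toxic (constructed): one within ERP, one across ERP and BANK.
RULES = [
    frozenset({("ERP", "create_vendor"), ("ERP", "approve_payment")}),
    frozenset({("ERP", "create_vendor"), ("BANK", "release_payment")}),
]

def violations(assignments, rules=RULES):
    """Set of (user, rule) pairs where the user holds every entitlement of the rule."""
    return {(u, r) for u, ents in assignments.items() for r in rules if r <= ents}

def new_violations(previous, current, rules=RULES):
    """Monitoring: violations present in the current snapshot but absent from the previous one."""
    return violations(current, rules) - violations(previous, rules)

if __name__ == "__main__":
    print("outliers to review:", rare_pairs(ASSIGNMENTS))
    print("current violations:", violations(ASSIGNMENTS))
    # Next snapshot: alice was remediated, but bob picked up approve_payment in the meantime.
    after = {u: set(e) for u, e in ASSIGNMENTS.items()}
    after["alice"].discard(("ERP", "create_vendor"))
    after["bob"].add(("ERP", "approve_payment"))
    print("new violations since last run:", new_violations(ASSIGNMENTS, after))
```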
In the end, we used our platform to enable a fundamentally different approach to separation of duties. An approach that is risk-based, data-driven, iterative and ends in automation. We offered our client a combination of technology and methodology that already gave them a set of SoD rules in just a couple of weeks.
Our client now uses our platform to increase their SoD policy coverage by executing multiple iterations, each enlarging the set of SoD rules, and to address the SoD violations.
Choosing manageable chunks to take care of in multiple sprints allowed our client to see immediate value in terms of risk reduction and enabled them to prove to auditors that they were working on it.
On top of that, putting their identity data to work not only allowed for a cost-effective way of working, but also enabled an approach where backsliding is immediately detected.