Why Identity and Segregation of Duties Are the New Perimeter

by Jeff Hare | Sep 17, 2024

Jeff Hare recently joined Zilla Channel VP Garrett Long to discuss the importance of identity governance best practices to an organization’s security posture. Check out the webinar recording here.

Managing identity has become one of the most critical elements of enterprise security in today’s complex digital environments. As businesses adopt more cloud-based solutions, identity and access controls are no longer just a compliance checkbox; they are the new security perimeter. The challenge lies in ensuring that the right people have access to the right systems and to the right activities within those systems, and nothing more.

To protect the modern enterprise, least privilege access, including segregation of duties (SoD), needs to be part of a holistic identity governance and administration (IGA) approach. Here’s how least privilege access can be part of an organizational strategy to effectively manage identity and maintain a compliant security posture.

The Criticality of Least Privilege Access and Segregation of Duties

Traditionally, SoD focused on separating conflicting duties in financially significant activities, for example, ensuring one person cannot both create and approve payments. What began as a compliance demand following Sarbanes–Oxley is now also a security consideration due to the complexity of today’s systems.

Organizations need to think about how to extend ‘good security’ beyond finance and across the entire enterprise for two reasons.

  • From a compliance perspective: There are scenarios where a user may have conflicting roles across ERP, procurement systems, or CRM such as Salesforce. In these instances, managing SoD across multiple systems is critical to ensure that no one individual can perform conflicting functions in different systems.
  • From a least privilege perspective: Each application defines differently what a given permission means. Beyond compliance, organizations need to identify who has permission to what, lock down access to sensitive activities and information, and be sure that no user is over-provisioned.

Why is Identity the New Security Perimeter?

The proliferation of cloud applications, together with the hybrid nature of today’s business infrastructure (a mixture of legacy on-prem systems and cloud apps), has made identity the primary gateway to an organization’s most sensitive data and systems. Everything is at risk of exposure.

While organizations try to ensure that best practice controls such as multi-factor authentication (MFA) are in place, this is not good enough in today’s environment. For example, the recent breaches related to Snowflake were more complicated than the MFA policy oversight they initially appeared to be. The situation involved not only whether MFA was enabled in the user interface, but also how those users were originally provisioned and whether a latent local account within the system could be used to bypass MFA.

These types of breaches are likely to keep happening as legacy systems migrate to cloud and SaaS-based applications such as ERP Cloud, Workday, Salesforce, and NetSuite. How MFA is implemented differs greatly across these modern SaaS applications.

Protecting the enterprise requires complete visibility into who has access to what systems. That includes everything from finance systems to HR and procurement applications. But because of disparate systems and app owners, most organizations lack this transparency, which is compounding the security risks.

Building and Sustaining Least Privilege Access and SoD: From Initial Implementation to Daily Operations

When implementing new systems, such as ERP or SaaS applications, one of the most critical steps is ensuring that access controls are correctly established from the outset. Unfortunately, this is often overlooked. ERP software providers, while experts in system functionality, typically fall short in providing roles that meet the specific security and compliance needs of your organization. For example, base roles are over-provisioned or not tailored to a company’s unique security requirements, exposing an organization to risks related to compliance, cyber security, data security, fraud, and operations.

Compounding this issue, system integrators—whose primary goal is to deliver the system on time, on budget, and with the intended functionality—typically do not include security controls within their project scope.

But even when everything is sorted for deployment, the work doesn’t stop. This is especially true in SaaS environments, where updates and patches are regularly pushed out by the provider, which can introduce new functionalities or change existing ones. Every update requires continuous monitoring for potential oversights or misconfigurations that threat actors can exploit.

Automating Access Controls and Managing Joiners, Movers, and Leavers

Another security consideration in daily operations is managing access rights across the digital ecosystem, especially with constant personnel changes. This is where automation becomes a game-changer, particularly when dealing with joiners, movers, and leavers. A big challenge today is that a lack of visibility means people often carry over access from previous roles.

Automation helps ensure that joiners are onboarded with the correct access, movers have their access rights adjusted as their roles change, and leavers are fully deprovisioned to prevent lingering risks. Zilla addresses these issues by automatically flagging sensitive access risks and potential SoD violations when new access is requested, which helps prevent risks before they happen.

By automating these processes, your organization can reduce human error, streamline access reviews, and ensure that access rights are always aligned with current roles.
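As an added illustration of the cross-system SoD checks described under least privilege above and the request-time flagging described here (this is not Zilla’s or ERP Risk Advisors’ code; the systems, accounts, entitlements and rules are constructed sample data), the following correlates per-system accounts to one identity, reports existing conflicts, screens a new access request before it is granted, and surfaces accounts that map to no known identity:

```python
# Added illustration (not Zilla's or ERP Risk Advisors' code): a cross-system
# SoD check over a constructed entitlement inventory. All names are made up.
from collections import defaultdict

# Constructed inventory rows: (system, account, entitlement).
INVENTORY = [
    ("erp", "jdoe", "create_vendor"),
    ("erp", "jdoe", "approve_payment"),
    ("procurement", "john.doe", "create_purchase_order"),
    ("erp", "asmith", "approve_invoice"),
    ("erp", "svc_legacy", "approve_payment"),  # no owner in the HR feed
]
# Constructed correlation of per-system accounts to one identity (HR id).
ACCOUNT_MAP = {("erp", "jdoe"): "E1001", ("procurement", "john.doe"): "E1001",
               ("erp", "asmith"): "E1002"}
# Constructed SoD rules: two entitlements one person must not hold together.
# The second rule spans systems, which a per-application check cannot see.
RULES = [
    ("create vendor + approve payment",
     ("erp", "create_vendor"), ("erp", "approve_payment")),
    ("create PO + approve invoice",
     ("procurement", "create_purchase_order"), ("erp", "approve_invoice")),
]

def correlate(inventory, account_map):
    """Fold per-system accounts into per-identity access; return (access, orphans)."""
    access, orphans = defaultdict(set), set()
    for system, account, entitlement in inventory:
        identity = account_map.get((system, account))
        if identity is None:
            orphans.add((system, account))  # unowned local account: review it
        else:
            access[identity].add((system, entitlement))
    return access, sorted(orphans)

def violations_for(held, rules):
    """Names of rules violated by a set of (system, entitlement) pairs."""
    return [name for name, a, b in rules if a in held and b in held]

def find_violations(access, rules):
    """Detective control: current SoD violations per identity."""
    return {i: v for i, h in access.items() if (v := violations_for(h, rules))}

def check_request(identity, requested, access, rules):
    """Preventive control: rules a joiner/mover request would newly violate."""
    current = access.get(identity, set())
    return sorted(set(violations_for(current | {requested}, rules))
                  - set(violations_for(current, rules)))
```

Run against a real inventory, the orphan list is the set of accounts no HR record owns, and a non-empty result from `check_request` is the signal to hold a request for review rather than auto-provision it.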

Bridging the Gap Between Teams

Another common challenge is the disconnect between identity, security, and compliance teams. When these groups aren’t aligned, gaps in security can occur—potentially exposing an organization to significant risks.

Identity teams and security operations teams often have different objectives, and this lack of alignment can leave security gaps in place for far too long. Regular communication and the right tools can help ensure that everyone is working towards the same goals, minimizing the risk of oversights or vulnerabilities.

Executive Buy-In is Crucial for Effective Identity Governance

Strong identity governance practices, including least privilege and SoD controls, don’t just happen—they require resources and commitment from leadership. When executives understand the value of these controls, they are more likely to provide the necessary budget and support for building a secure environment. Securing executive support helps ensure that your identity governance efforts are properly resourced and aligned with broader business objectives.

Where to Begin: Visibility as the Foundation

To get started, you need visibility into your existing identity landscape. That means understanding who has access to what systems, where potential SoD conflicts exist, and how personnel changes are impacting access. Just knowing what you have today—who has access to it and what that access looks like—is a must-have requirement. Only once you have that visibility can you further build upon that foundation to provide an even stronger security posture.

Get a demo. Learn how to implement automated controls to enforce SoD, speed up access reviews, and effectively manage joiners, movers, and leavers.

Make sure to check out the webinar on this topic for more insights from Jeff Hare and the Zilla team!

Author

  • Jeff Hare

    Jeff Hare, CPA CIA CISA, is the founder and CEO of ERP Risk Advisors. His background includes public accounting, 6.5 years in industry in CFO and Controller roles, and Oracle Applications consulting experience. Jeff has been working in the ERP space since 1998 with implementation, upgrade, risk advisory, and audit experience. He is a Certified Public Accountant (CO/AZ), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA). Jeff currently teaches many ERP Armor: Learning courses, including those related to Oracle’s ERP Cloud and E-Business Suite applications, those related to ERP risks, and general ITAC and ITGC topics. Jeff taught the PCAOB several times providing them insight into how auditors can improve auditing ERP systems.

    Jeff is a graduate of Arizona State University. He lives in northern Colorado with his wife Julie and has three daughters. He is an avid endurance junkie, having finished his first full Ironman race in November 2021 after rehabilitating from a heart attack in March 2019. He has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Oman, Panama, Qatar, Saudi Arabia, United Arab Emirates, United Kingdom, and the United States.

