Access Policy & Segregation of Duties

Effectively prevent the abuse of control and any resulting nefarious activity by a single person or by collusion among a group. Build an efficient risk management platform and adhere to compliance regulations.

Segregation of Duties.png
Overview

Access Policy

An access policy in IDHub is a set of rules and permissions that govern the level of access granted to users or entities for specific resources within an organization's infrastructure or systems.

  • Purpose: Our Access policies ensure that access to resources is granted appropriately and securely, based on the principle of least privilege. They define what actions or operations users can perform on specific resources.
  • Scope: Access policies focus on defining and enforcing permissions and access control rules at a granular level, specifying who can access what resources and what actions they can perform.
  • Implementation: Our Access policy involves policy languages, such as JSON-based policies in AWS IAM or policy definition language (PDL) in Entra ID (Formerly Azure Active Directory) RBAC, to define and manage access rules.
Features

Access Policy in IDHub

Access Policy is performed in IDHub in multiple ways. IDHub clearly defines policies for organizations at API level and perform validations so no breach of policy is made if access grant is not permitted by the organization policies. Below is the brief overview of features involved in Access policy.

Control Access

Role-Based Access Control (RBAC)

IDHub RBAC associates permissions with roles and assigns roles to users or groups. Access policies in IDHub includes RBAC capabilities out of the box, allowing administrators to define roles and assign appropriate permissions to those roles.

Attribute Sync

Attribute-Based Control (ABAC)

IDHub ABAC considers attributes of users, resources, and environmental factors to make access control decisions. IDHub support ABAC policies, enabling administrators to define complex access rules based on user attributes, resource attributes, and other contextual information.

Authorization

Fine-Grained Permissions

Access policies in IDHub allow administrators to define fine-grained permissions that specify what actions or operations a user or application can perform on specific resources. These permissions are defined at the API level and at data object level.

Construct

Policy Definition

IDHub provides an option to define organizations access policies. Policies can be based on various factors, such as user roles, attributes, group membership, resource types, and environmental context

Time Based Control

Conditional Policies

IDHub Access policies support conditional logic, allowing administrators to define access rules based on specific conditions or triggers. For example, policies can be set to allow access only during specific time periods, based on IP addresses, or in response to certain events.

Integrations

Policy Evaluation and Enforcement

IDHub has mechanisms to evaluate and enforce access policies during runtime. The enforcement mechanisms includes integration with authentication mechanisms, API gateways, or other security enforcement points.

Overview

Segregation of Duties

Segregation of Duties in IDHub refers to the practice of separating incompatible or conflicting tasks or responsibilities among different individuals or roles within an organization.

  • Purpose: SoD aims to prevent conflicts of interest, reduce the risk of fraud, and ensure proper checks and balances by ensuring that no single user or role has too much control or authority over critical processes or systems.
  • Scope: SoD focuses on defining and enforcing organizational policies and controls to prevent the assignment of conflicting duties to a single user or role. It involves separating key tasks or functions that should be performed by different individuals to maintain accountability and prevent abuse of privileges.
  • Implementation: SoD is implemented through a combination of organizational policies, role-based access controls, and workflow processes. It involves defining and assigning roles and responsibilities in a way that ensures segregation and prevents conflicts.

A common example is when accountants are handling money and they have separate departments that procure funds from vendors and a different department that distributes funds to vendors. These are two different set of permissions for two different department or teams. By making the distinction in IDHub Workflow across these two different teams, organizations can avoid a single party committing fraud and thus minimizing the risk of a crime.

Features

Segregation of Duties in IDHub

Segregation of Duties is performed in IDHub in multiple ways. IDHub not only defines policies on a high as well as granular level, but also allows to perform validations so no two permissions can be assigned to an identity if it is not permitted by the organization policies. Below is the brief overview of features involved in SoD in IDHub.

Workflows

Rule-Based Policies

The IDHub Workflow Condition Node allows administrators to define rule-based policies that specify which duties or roles should be segregated. These policies can be customized based on the organization's specific requirements and compliance standards.

Predefined Flows

OOTB Templates

IDHub offers predefined Workflow templates based on common industry best practices or regulatory requirements that has common SoD rules. These templates provide a starting point for organizations to implement segregation of duties policies effectively.

Role Assignments

Conflict Detection

The IDHub SoD feature actively scans the access assignments and permissions across different roles and users to identify potential conflicts. It detects instances where a user's assigned roles or permissions may result in conflicting duties.

SoD Violations

Exploitation of user access by an individual or a set of individuals which are not allowed by company policy and government regulations is a breach of policy and is considered an SoD violation. However, violations can be accidental as well as gradual. Violations can happen when a user gains access to certain stage of access by a workflow that they should not have access to. This in turn, enhances user ability to perform actions that the organization has deliberately prohibited.

Some of the things that a user can exploit with this unwanted access are:

  • To steal funds from the employer by entering vendor invoices, vendor payment approvals, product ordering and accounting inventory manipulations
  • To take part in corporate espionage to transfer trade secrets to competitors
  • Deliberately harm peers due to something that happened in the past
  • Falsify records and earning forecasts like Enron scandal

SoD, when applied correctly, uses our robust workflow capability to internally control and prevent these conflicts of interest and improve security and compliance for your organization. 

Why SoD is important?

Separation-of-duties inherently improves compliance for organization as it removes the possibility of single-source of truth and control. It also encourages internal process evaluation. By controlling each user’s access to provide only what is required, organizations can better manage their risk. 

Of course, this ordeal can quickly become complicated, especially with an ever growing complexities in the business, so organizations should create a set of standard rules for each type of activity (e.g., accounting, management, etc.) which is a limited set and not exhaustive. SoD will allow you to detect and auto-address violations that occur upon user request early—in adherence to specific compliance regulations, like SOX or GDPR—to avoid more bigger issues moving forward.  

Finally, practicing continual audit is crucial for an effective cybersecurity implementation. With the proper software tools and processes such as IDHub's Workflow based SoD risk analysis and detailed audit controls, organizations can anticipate all possible violations and identify and correct unseen violations quickly and efficiently.   

Resources

You might also be interested in:

https://media.sath.com/featured_cybersecurity_ROI_03335e18ac/featured_cybersecurity_ROI_03335e18ac.jpg

Cost of New Threats on Compliance

Comply with the new NERC CIP, HIPAA and DSS regulations, and escalate the value of cybersecurity by protecting your network. See other trends.

https://media.sath.com/benefits02_05d1be238c/benefits02_05d1be238c.jpg

6 Ways Identity Management Saves Money

See our list of top 6 reasons for having an easy-to-use Identity Management System and why is it a financial necessity.

https://media.sath.com/security_229fb8e6ab/security_229fb8e6ab.jpg

Know How IDHub and SoD policies work in tandem

We make sure that the compliance needs of organizations across the globe are adhered to when identity security is concerned.

Automate tasks and save IT time.

schedule-a-call.webp