July 19, 2016

Stop deploying compromised roles

There are various reasons why an enterprise might have deployed security roles with segregation of duties (SOD) conflicts built into the role's design. Maybe the roles were created ten years ago under different rules and you have not had the time to clean them up. Or maybe, in the rush to complete an SAP implementation as quickly as possible, security became an afterthought and compromised roles were deployed.

Regardless of how these compromised roles got into your system, the fact that they exist drains productivity and poses a real threat to your enterprise's bottom line. The risks from compromised roles have to be mitigated, and that takes time and money. Auditors need more work to confirm the mitigations are adequate, and they will insist on larger sample sizes, because deploying compromised roles can itself be a sign of control weakness.

To remove these costs (and vulnerabilities), we recommend organizations stop deploying roles that have inherent SOD conflicts.

But where do you start, and how can you do this cost effectively? After all, if the primary reason you are eliminating compromised roles is to save money on SOD management, it makes no sense to spend more money removing SOD conflicts than you would save by simply living with them.

The simplest first steps, and the most politically safe ones, are:

  1. Identify the roles with an inherent conflict.
  2. Rank the conflicted roles by how frequently they are deployed (how many users hold each one).
  3. Split each of the top 10 most frequently deployed roles into two (sometimes three) roles so that each new role is clean.
  4. Add all of the SOD-irrelevant transactions from the original role to each of the new roles.
  5. Deploy the new roles to every user who held the original (conflicted) role so that their access rights remain unchanged.
  6. Work with the role and business owners so that the new clean roles are named in a way that makes the distinction between them clear.

Do this for an hour or two every month and, over time, you will have fewer and fewer compromised roles in production. By being careful how you name the new roles, and by involving business owners in the naming process, you can further reduce how often the conflicting combination gets assigned. Of course, a specific user can still end up with a conflict from the combination of several roles, but a conflict at the user level is much easier to manage: it is visible in the user's assignments and can be resolved by removing one role rather than redesigning it.
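The six steps above, and the user-level check described at the end, as an added Python example that is not part of the original post and not code from any vendor tool. The SOD ruleset, the transaction names, the role definitions, the user assignments and the `Z_..._1` / `Z_..._2` names are all constructed placeholders (not real SAP transaction codes or role names); the split names stand in for whatever step 6 settles on with the business owners. The same `conflicts_in` check, run on a proposed role's transaction list, is what a pre-creation simulation amounts to.

```python
"""Split SOD-conflicted roles into clean roles without changing any user's access.

All rules, roles, transactions and users below are constructed examples for
illustration; they are not real SAP transaction codes or role names.
"""

# Constructed SOD ruleset: each rule is a pair of transactions that must not be
# held together, whether inside one role (inherent conflict) or across a user's roles.
SOD_RULES = {
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}),
    frozenset({"CREATE_PO", "APPROVE_PO"}),
    frozenset({"MAINTAIN_BANK", "PAY_VENDOR"}),
}

# Constructed role definitions: role name -> set of transactions in the role.
ROLES = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "PAY_VENDOR", "DISPLAY_VENDOR", "RUN_AGING_REPORT"},
    "Z_PURCHASER": {"CREATE_PO", "APPROVE_PO", "DISPLAY_PO"},
    "Z_AP_DISPLAY": {"DISPLAY_VENDOR", "DISPLAY_PO"},
    "Z_TREASURY": {"MAINTAIN_BANK", "PAY_VENDOR", "CREATE_VENDOR", "DISPLAY_BANK"},
}

# Constructed user assignments: user -> set of role names.
ASSIGNMENTS = {
    "alice": {"Z_AP_CLERK"},
    "bob": {"Z_AP_CLERK", "Z_AP_DISPLAY"},
    "carol": {"Z_PURCHASER"},
    "dave": {"Z_TREASURY"},
    "erin": {"Z_AP_CLERK"},
}


def conflicts_in(tcodes):
    """Return the SOD rules violated by one set of transactions.

    Used both for step 1 (existing roles) and as a pre-creation simulation:
    run it on a proposed role's transaction list before the role is built.
    """
    return {rule for rule in SOD_RULES if rule <= set(tcodes)}


def conflicted_roles(roles):
    """Step 1: roles whose own design violates at least one rule."""
    return {name: conflicts_in(t) for name, t in roles.items() if conflicts_in(t)}


def rank_by_deployment(role_names, assignments):
    """Step 2: order roles by number of users holding them, most deployed first."""
    counts = {name: sum(name in held for held in assignments.values()) for name in role_names}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def split_role(name, tcodes):
    """Steps 3 and 4: partition the SOD-relevant transactions into clean groups,
    then copy every SOD-irrelevant transaction into each group.

    The grouping is a greedy colouring of the conflict graph: each transaction
    joins the first group it does not conflict with. For the two- or
    three-way conflicts typical of a single role this gives the minimum split.
    The "_1", "_2" suffixes are placeholders pending step 6 (business naming).
    """
    relevant = {t for rule in SOD_RULES for t in rule} & set(tcodes)
    irrelevant = set(tcodes) - relevant
    groups = []  # each group is internally conflict-free
    for t in sorted(relevant):
        for group in groups:
            if not any(frozenset({t, u}) in SOD_RULES for u in group):
                group.add(t)
                break
        else:
            groups.append({t})
    return {f"{name}_{i + 1}": group | irrelevant for i, group in enumerate(groups)}


def redeploy(roles, assignments, top_n=10):
    """Steps 1-5: split the top_n most-deployed conflicted roles and give every
    holder of an original role all of its replacements, so access is unchanged."""
    new_roles = dict(roles)
    new_assignments = {user: set(held) for user, held in assignments.items()}
    ranked = rank_by_deployment(conflicted_roles(roles), assignments)[:top_n]
    for name, _count in ranked:
        pieces = split_role(name, roles[name])
        del new_roles[name]
        new_roles.update(pieces)
        for held in new_assignments.values():
            if name in held:
                held.discard(name)
                held.update(pieces)
    return new_roles, new_assignments


def effective_access(user, roles, assignments):
    """Union of all transactions a user holds across their roles."""
    return set().union(*(roles[r] for r in assignments[user]))


def user_conflicts(roles, assignments):
    """Conflicts that remain at the user level from the combination of roles.
    Splitting roles does not remove these; it makes them visible per user."""
    found = {}
    for user in assignments:
        hits = conflicts_in(effective_access(user, roles, assignments))
        if hits:
            found[user] = hits
    return found


if __name__ == "__main__":
    new_roles, new_assign = redeploy(ROLES, ASSIGNMENTS)
    for role_name, tcodes in sorted(new_roles.items()):
        print(role_name, sorted(tcodes))
    print("inherent conflicts after split:", conflicted_roles(new_roles))
    print("user-level conflicts still to manage:", user_conflicts(new_roles, new_assign))
```

After `redeploy` no role in `new_roles` carries an inherent conflict, every user's effective transaction set is identical to what it was before, and the conflicts that remain are exactly the user-level ones the text mentions: they now show up as a user holding both halves of a split role, which is a visible assignment decision rather than a defect baked into the role design.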


A quality SOD tool like our Separations Enforcer module can help you avoid deploying compromised roles with relative ease. For example, the module has a simulation feature that lets security administrators test the impact of a role change before it is made, so a proposed role can be checked for inherent conflicts before it is created and no time is wasted in QA on a poorly designed role. Separations Enforcer's role analysis reports also help security administrators quickly identify any SOD conflicts within a role's design after the role is in production.
