Overcoming “Segregation of Duties” Challenges in 2019 and Beyond


As growing numbers of users need access to more on-premises and cloud resources, identity and access management (IAM) has become increasingly challenging. It’s virtually impossible to keep up with access requests using manual processes, so errors are bound to creep in. This can lead to orphaned accounts that remain active after the user changes roles or leaves the organization, and “privilege creep” when users are granted more access than they need to do their jobs. Overburdened IT teams can also fail to follow best practices, resulting in “backdoor” grants of access outside normal channels.

One of the greatest identity risks stems from toxic combinations of access resulting from “segregation of duties” (SoD) violations. SoD is designed to prevent a single user from having access privileges that would enable him or her to commit fraud — for example, having the ability to issue purchase orders as well as cut checks to vendors. SoD can also apply to privileged users who have administrator access to multiple critical systems.

SoD begins with the development of policies defining sets of entitlements that should not be held by the same user. User provisioning and access change requests should be compared to those policies and rejected if they don’t comply. However, users are often granted entitlements before SoD policies are defined or the organization implements an IAM system. In addition, new applications and services can be deployed without a rigorous review of SoD principles.

This is particularly true for cloud services. Often, the time from evaluation to implementation of cloud applications is short, and many users must be given access quickly. The individuals charged with approving user access typically lack full visibility into the cloud service, causing excess privileges to be granted. Cloud business processes are often undocumented, so there’s little insight into SoD risks.

To reduce those risks, organizations must analyze the reach and impact of cloud entitlements and develop SoD policies that can be incorporated into an IAM system. Organizations also need an access governance solution that can automatically detect and remediate policy violations after the fact.

To meet that need, RSA Identity Governance and Lifecycle (IGL) automates user access review and certification processes and integrates with access fulfillment systems to facilitate the management and audit of access request changes. It streamlines the implementation of SoD controls and the enforcement of policies across the extended enterprise.

IT security teams and access certifiers can define business rules for enforcing compliance with policies associated with users, roles, and entitlements. RSA IGL then automates the monitoring of access entitlements against those business rules for rapid identification and notification of SoD policy violations. Access certifiers can remediate the violations by blocking access or granting a legitimate business exception. RSA IGL maintains a complete audit trail of those access decisions.
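The two controls described here, the preventive check of a request against SoD policies (from the policy paragraph above) and the after-the-fact detection with certifier remediation, exceptions and an audit trail, as an added example in Python. This is illustrative code, not part of the original post and not RSA IGL's own logic; the policy names, entitlements and users are constructed.

```python
# Constructed SoD policies: each names a toxic combination no single identity may hold in full.
SOD_POLICIES = {
    "procure-to-pay": {"issue_purchase_order", "approve_vendor_payment"},
    "dual-admin": {"erp_admin", "hr_admin"},
}

# Constructed entitlement store (user -> entitlements) as it might look before policies existed.
ENTITLEMENTS = {
    "alice": {"issue_purchase_order", "view_invoices"},
    "bob": {"erp_admin", "hr_admin"},
    "carol": {"issue_purchase_order", "approve_vendor_payment"},
}

# Approved business exceptions: (user, policy) pairs a certifier has explicitly accepted.
EXCEPTIONS = {("bob", "dual-admin")}

# Audit trail of every preventive decision and remediation action.
AUDIT_LOG = []

def violated_policies(entitlements):
    """Names of SoD policies whose whole toxic combination is present in `entitlements`."""
    return sorted(name for name, combo in SOD_POLICIES.items() if combo <= entitlements)

def check_request(user, requested):
    """Preventive control: evaluate current holdings plus the requested entitlement."""
    hits = violated_policies(ENTITLEMENTS.get(user, set()) | {requested})
    decision = "rejected" if hits else "approved"
    AUDIT_LOG.append({"event": "request", "user": user, "entitlement": requested,
                      "decision": decision, "policies": hits})
    return decision, hits

def detect_violations():
    """Detective control: scan existing holdings after the fact, skipping approved exceptions."""
    findings = {}
    for user, ents in ENTITLEMENTS.items():
        hits = [p for p in violated_policies(ents) if (user, p) not in EXCEPTIONS]
        if hits:
            findings[user] = hits
    return findings

def remediate(user, policy, action, certifier):
    """Certifier remediation: 'block' revokes the combination's entitlements (a real workflow
    would usually revoke just one of them); 'exception' records an accepted business risk."""
    if action == "block":
        ENTITLEMENTS[user] -= SOD_POLICIES[policy]
    elif action == "exception":
        EXCEPTIONS.add((user, policy))
    else:
        raise ValueError(f"unknown action {action!r}")
    AUDIT_LOG.append({"event": "remediate", "user": user, "policy": policy,
                      "action": action, "certifier": certifier})
    return detect_violations().get(user, [])
```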

Given the rampant growth of users and IT resources, organizations need automated tools for preventing, detecting, and remediating SoD violations on-premises and in the cloud. Clango is an authorized reseller and Certified Partner specializing in RSA IGL, SecurID Access, and Archer. Let us help you leverage RSA’s robust identity governance tools to reduce access risk in your organization.


For more information about implementing segregation of duties principles, please send us an email at (
