Are Your Duties Segregated?
munching on some snacks. What’s wrong with this scenario? Other than that I didn’t have a blanket or snacks, there was the fact that we had both traveled from different parts of the country, each with our half of the password, only to sit together for hours. This invalidated all the expensive measures taken to segregate the two halves of the password.
Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow, but documentation being up to date was one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out–which inevitably meant I gave him my half of the password and asked him to enter it. Yeah, separation of duties kind of fell apart right there.
Having said that, those were simpler times–there was no bring your own device, and there certainly wasn’t anything hosted in the cloud.
Many times when organizations adopt cloud apps, they overlook segregating duties or defining job functions for role-based access control (RBAC). So they end up with an all-or-nothing approach. This works fine if all employees are trustworthy and never make a mistake, but …
When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that or if the access should be segregated.
Similarly, if a rogue trader can make investments and harm a bank, one needs to question why systems were set up in a manner that would allow a person to carry out such trades with little oversight. This also goes for allowing developers to accidentally push code to production environments with one click.
Not too long ago a French cinema chain was tricked by an email in a business email compromise (BEC) scam that resulted in the CFO making payments of $21M to the fraudsters. The question shouldn’t be why the CFO was tricked, but rather why the systems allowed the CFO to make such large payments without any checks and balances in place.
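As an added illustration (not part of the original post), here is a small Python model of the controls the post argues for: RBAC that limits who may start an action, plus a dual-control rule that a large payment or a production deployment must be approved by a second, different person. The users, roles and payment threshold are constructed for the example.

```python
"""Constructed example: RBAC plus separation of duties for payments and
production deployments. Users, roles and the threshold are made up."""
from dataclasses import dataclass, field

# Role-based access control: which role may do what.
ROLE_PERMISSIONS = {
    "finance_clerk": {"payment.initiate"},
    "cfo": {"payment.initiate", "payment.approve"},
    "developer": {"deploy.initiate"},
    "release_manager": {"deploy.approve"},
}
# Constructed example values: who holds which roles.
USER_ROLES = {
    "alice": {"finance_clerk"},
    "bob": {"cfo"},
    "carol": {"developer"},
    "dave": {"release_manager"},
    "erin": {"developer", "release_manager"},  # holds both deploy roles
}
LARGE_PAYMENT_THRESHOLD = 10_000  # above this, a second person must approve


@dataclass
class Request:
    action: str                 # "payment" or "deploy"
    initiator: str
    approvers: list = field(default_factory=list)
    amount: float = 0.0


def permissions(user):
    """Union of the permissions granted by all of the user's roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ())))


def needs_approval(req):
    # Deployments always need a second pair of eyes; payments only above threshold.
    return req.action == "deploy" or req.amount > LARGE_PAYMENT_THRESHOLD


def authorize(req):
    """Return (allowed, reason). The approver must hold the approve permission
    and must be a different person from the initiator, even if the initiator
    (like a CFO) holds the approve permission too."""
    if f"{req.action}.initiate" not in permissions(req.initiator):
        return False, f"{req.initiator} may not initiate {req.action}"
    if not needs_approval(req):
        return True, "no second approval required"
    for approver in req.approvers:
        if approver == req.initiator:
            continue  # self-approval never counts
        if f"{req.action}.approve" in permissions(approver):
            return True, f"approved by {approver}"
    return False, f"{req.action} requires approval by a second person"
```

Note that erin can neither deploy nor approve her own deployment alone even though she holds both roles: the check is on distinct people, not just on permissions.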
While a host of technologies can help in these situations, a bit of forethought with proper separation and accountability can go a long way.
Javvad Malik is a London-based IT security professional and was formerly a senior analyst with 451 Research, providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
This guest blog is part of a Channel Futures sponsorship.