Segregation of duties is a fundamental information security practice. In simple terms, it means you split important tasks between two or more people. This prevents one person from getting drunk on all the power they wield, and also prevents one person from making a mistake that has undesired consequences.
One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation or separation of duties ensures that one person can’t launch a nuclear missile on their own.
Segregation of duties works best when there is a clearly defined function and where there is some physical separation.
For example, in a call centre or a banking app, a junior administrator may be able to authorise payments up to $500, but anything above that would need a supervisor's approval. The junior admin can enter the details and send the payment off to the supervisor, who can then approve or decline it.
But in practice, the way the control is applied across the broader application often has flaws.
In one of my first jobs in IT Security, our team had implemented a process for separating duties whenever a new HSM key (key change ceremony) needed to be loaded.
I worked in the team that would have half the password to complete this task, and another team would hold the other half. Much like the end of the film Bulletproof Monk; I even had my half of the password tattooed on my back – I still don’t know what it says to this day.
Once a project was underway, it meant I’d have to travel across the country to the data centre with my half of the password in order to change the key with the help of a colleague.
The only problem with that is - have you ever worked on a project? It’s never on time - always delayed. And data centres are COLD!
So here I was, sat in a data centre with this other guy, who was about 50 but was clearly experienced in these projects, as he was sitting under a blanket he’d brought, reading his book and munching on some snacks.
What’s wrong with this scenario? Other than the fact that I didn’t have a blanket or snacks, it’s that we’d travelled from different parts of the country, each with half of a password, only to sit together for hours, invalidating all the expensive measures taken to segregate the two halves of the password.
Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow - but documentation being up to date is one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out - which inevitably meant I gave him my half of the password and asked him to enter it… yeah, separation of duties kind of fell apart right there.
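The split password in the story is a 2-of-2 secret sharing scheme, and the part that fell apart was not the maths but the process: one custodian ended up entering both halves. The following is an added example, not code from the original post or from any HSM vendor, showing both pieces in Python: the key is split into two XOR shares, and a key ceremony object refuses to accept a second share from the same custodian and verifies a check value before declaring the key loaded. The custodian names, the `KeyCeremony` class and the SHA-256-based check value are assumptions made for this example; real HSMs derive their key check values differently.

```python
import hashlib
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a key into two XOR shares (2-of-2 secret sharing).

    share_a is uniformly random, so on its own it reveals nothing about the
    key; share_b = key XOR share_a is likewise uniform on its own.
    """
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the key; both shares are required."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> str:
    # Simplified stand-in for a key check value (assumption for this example;
    # production HSMs compute the KCV from the key differently).
    return hashlib.sha256(key).hexdigest()[:6]


class KeyCeremony:
    """Dual-control key load: two different custodians must each enter a share."""

    def __init__(self, expected_kcv: str) -> None:
        self.expected_kcv = expected_kcv
        self.entries: list[tuple[str, bytes]] = []
        self.audit: list[str] = []

    def enter_share(self, custodian: str, share: bytes) -> None:
        # The failure mode from the story: one custodian typing in both halves.
        if any(c == custodian for c, _ in self.entries):
            self.audit.append(f"REJECTED second share from {custodian}")
            raise PermissionError("dual control violated: one custodian entered both shares")
        if len(self.entries) >= 2:
            raise RuntimeError("both shares already entered")
        self.entries.append((custodian, share))
        self.audit.append(f"share entered by {custodian}")

    def complete(self) -> bytes:
        if len(self.entries) != 2:
            raise RuntimeError("ceremony needs shares from exactly two custodians")
        key = combine_shares(self.entries[0][1], self.entries[1][1])
        if key_check_value(key) != self.expected_kcv:
            self.audit.append("REJECTED key: check value mismatch")
            raise ValueError("key check value mismatch; a share was mistyped or wrong")
        self.audit.append("key loaded: check value verified")
        return key


def demo() -> bool:
    """Run a proper two-custodian ceremony, then show the single-custodian case is rejected."""
    key = secrets.token_bytes(16)  # constructed sample key
    share_a, share_b = split_key(key)

    ceremony = KeyCeremony(key_check_value(key))
    ceremony.enter_share("alice", share_a)
    ceremony.enter_share("bob", share_b)
    loaded_ok = ceremony.complete() == key

    rogue = KeyCeremony(key_check_value(key))
    rogue.enter_share("bob", share_a)
    try:
        rogue.enter_share("bob", share_b)  # bob was handed alice's half
        rejected = False
    except PermissionError:
        rejected = True
    return loaded_ok and rejected


if __name__ == "__main__":
    print("dual control enforced:", demo())
```

The point of the audit list is that the control survives only if the system records who entered each share; a ceremony that just asks for "password half 1" and "password half 2" at the same keyboard cannot tell two custodians from one.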
Having said that, those were simpler times: there was no bring your own device (BYOD), and there certainly wasn’t anything hosted in the cloud.
Many times when organisations adopt cloud apps, they overlook segregating duties, or defining job functions for role-based access control (RBAC). So, it ends up with an all-or-nothing approach, which works fine if all employees are trustworthy and never make a mistake. Unfortunately, it’s all too easy to make a mistake.
When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that, or if the access should be segregated.
Similarly, if a rogue trader can make investments and harm a bank, one needs to question why the systems were set up in a manner that allowed them to carry out such trades with little oversight.
Or allowing developers to accidentally push code to production environments with one click…
Recently a French cinema chain was tricked by an email in a business email compromise (BEC) scam which resulted in the CFO making payments of $21M to the fraudsters. The question shouldn’t be why the CFO allowed themselves to be tricked, but why the systems allowed the CFO to make such large payments without any checks and balances in place.
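The $500 threshold in the call-centre example, the RBAC point about cloud apps, and the CFO's $21M payments are all the same control seen from different angles: roles decide who may submit and who may approve, amount tiers decide how many approvals a payment needs, and nobody approves their own request. The following is an added example in Python, not code from the original post or any real banking system, that enforces all three and writes an audit trail. The role names, the user names and the tier boundaries above $500 are assumptions for this example.

```python
from dataclasses import dataclass, field
from itertools import count

# Role -> permissions (RBAC). Assumed roles for this example.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "junior_admin": frozenset({"payment.submit"}),
    "supervisor": frozenset({"payment.submit", "payment.approve"}),
    "cfo": frozenset({"payment.submit", "payment.approve"}),
}

# Approval tiers as (ceiling, distinct approvers required). The $500 figure is
# the page's; the $100,000 boundary and the two-approver tier are assumptions.
APPROVAL_TIERS = [(500, 0), (100_000, 1), (float("inf"), 2)]


def approvals_required(amount: float) -> int:
    for ceiling, needed in APPROVAL_TIERS:
        if amount <= ceiling:
            return needed
    raise ValueError("amount above every tier")  # unreachable with an inf ceiling


@dataclass
class Payment:
    id: int
    amount: float
    submitted_by: str
    approvers: list[str] = field(default_factory=list)
    status: str = "pending"


class PaymentService:
    def __init__(self, users: dict[str, str]) -> None:
        self.users = users  # username -> role
        self.payments: dict[int, Payment] = {}
        self.audit: list[str] = []
        self._ids = count(1)

    def _require(self, user: str, permission: str) -> None:
        role = self.users.get(user)
        if role is None or permission not in ROLE_PERMISSIONS[role]:
            self.audit.append(f"DENY {user} {permission}")
            raise PermissionError(f"{user} lacks {permission}")

    def submit(self, user: str, amount: float) -> Payment:
        self._require(user, "payment.submit")
        if amount <= 0:
            raise ValueError("amount must be positive")
        payment = Payment(next(self._ids), amount, user)
        self.payments[payment.id] = payment
        self.audit.append(f"SUBMIT #{payment.id} {amount} by {user}")
        self._maybe_execute(payment)  # small payments clear with no approver
        return payment

    def approve(self, user: str, payment_id: int) -> Payment:
        self._require(user, "payment.approve")
        payment = self.payments[payment_id]
        if payment.status != "pending":
            raise ValueError(f"payment #{payment_id} is {payment.status}")
        if user == payment.submitted_by:
            # Separation of duties: the requester never approves their own payment,
            # whatever their role.
            self.audit.append(f"DENY self-approval #{payment_id} by {user}")
            raise PermissionError("self-approval is not allowed")
        if user in payment.approvers:
            raise PermissionError("each approver counts once")
        payment.approvers.append(user)
        self.audit.append(f"APPROVE #{payment_id} by {user}")
        self._maybe_execute(payment)
        return payment

    def _maybe_execute(self, payment: Payment) -> None:
        if len(payment.approvers) >= approvals_required(payment.amount):
            payment.status = "executed"
            self.audit.append(f"EXECUTE #{payment.id} {payment.amount}")


if __name__ == "__main__":
    # Constructed users for the demo.
    svc = PaymentService({"jo": "junior_admin", "sam": "supervisor",
                          "pat": "supervisor", "cfo": "cfo"})
    small = svc.submit("jo", 300)              # executes immediately
    big = svc.submit("cfo", 21_000_000)        # needs two other approvers
    try:
        svc.approve("cfo", big.id)
    except PermissionError as exc:
        print("blocked:", exc)
    svc.approve("sam", big.id)
    svc.approve("pat", big.id)
    print(small.status, big.status)
    print("\n".join(svc.audit))
```

Note that the CFO still has the `payment.approve` permission; RBAC alone would have let the transfer through. It is the self-approval rule plus the tier requiring two other people that provides the checks and balances the text asks for.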
While a host of technologies can help in these situations, a bit of forethought with proper separation and accountability can go a long way. Did these people learn nothing from Bulletproof Monk? Seriously, you should watch that movie – it’s got a lot going on.