cloud security requires separation of duties


This post was originally published here by Rich Campagna.

Separation of duties (SoD) is an increasingly common concept in internal controls that essentially requires more than one person to complete a transaction or task in an effort to reduce fraud. An example you might be familiar with is a safety deposit box at a bank, which requires both your key, as well as a key held by bank personnel, for access.

Behind the scenes at that same bank, SoD comes into play when (according to Wikipedia) receiving cheques (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of pay cheques, etc. These schemes work because they require more than one person to be “in on” fraud in order for it to work – much more difficult to pull-off versus going along.

Increasingly, SoD is a concept making its way into IT shops. Why? According to Kevin Coleman in his recent ComputerWorld article, “separation of duties is a fundamental principle of many regulatory mandates such as Sarbanes-Oxley and the Gramm-Leach-Bliley Act. As a result, IT organizations must now place greater emphasis on separation of duties across all IT functions, especially security.”

Regardless of whether SOX and GLBA apply to your organization, SoD must absolutely be considered when migrating to public cloud apps like Office 365 or AWS. The current debate over platform vs. CASB-based cloud encryption is a perfect example. Platform encryption refers to the “built-in” encryption capabilities provided by cloud app vendors, sometimes sold as an add-on service to the app itself. CASB cloud encryption is exactly as it sounds – encryption provided by a third party CASB, independent of the application vendor (and correspondingly, application admins). 

With platform encryption, the application administrator(s) have full control over both the application and the data – i.e., no separation of duties. With CASB encryption, the application administrator(s) have control over the application and the security team has control over the data – separation of duties built right into the deployment. 

Inability to achieve SoD, as well as a whole host of additional shortcomings, including inability to completely shield data from a cloud app vendor, inability to support connected ecosystem apps, and more, means that platform encryption isn’t quite the panacea many had hoped. CASB encryption will ultimately be the answer for most.



No posts to display