Divide and Reduce Risk: Segregation of Duties in the Cloud
Author: Todd Thiemann
Plenty of regulatory regimes mandate that enterprises have a segregation of duties or separation of duties (we will use the terms interchangably in this post) as a required internal control mechanism. Separation of duties divides the responsibility of a critical task among different people and provides “checks and balances” against fraud or error.
ISACA has a nice journal article about Segregation of Duties here and Nick Szabo writes about the concept here. Internal controls and Separation of Duties apply to compliance regimes including Sarbanes-Oxley (read here about internal control reporting), PCI DSS, FERC, etc. Your favorite industry analysts like Forrester and Gartner regularly comment on it as well.
Separation of Duties applies inside an enterprise private cloud as well as externally in the public cloud. A potential internal cloud use case is that lines of business would need to ensure appropriate change controls to sensitive data and access to it are controlled and managed by the appropriate personnel. Securing the data would supplement an identity and access management (IAM) solution and enable LOB users to access their data without IT administrators being able to access it.
In the public cloud, IT Operations wants to start up an application, but IT Security would want a compensating control to authenticate that the public cloud application is following policy (mounted in the right place, at right time, in right geography, etc). This has been evident within the physical datacenter where established policies/procedures permit the necessary Separation of Duties, but cloud computing poses some new challenges for which established procedures may not fit.
The concept of Separation of Duties also comes into play in a different way with external partners in the computing supply chain such as Infrastructure as a Service (IaaS) cloud service providers. In the realm of encryption and the cloud, the Cloud Security Alliance Security Guidance v2.1 section dealing with encryption key management makes the recommendation:
Segregate the key management from the cloud provider hosting the data, creating a chain of separation. This protects both the cloud provider and the customer from conflicts when compelled to provide data due to a legal mandate.
These are the sorts of new Separation of Duties challenges which the security industry needs to address, and for which emerging solutions like SecureCloud provide answers.