Over in the Careers area we had a thread kicked off by @Lamont29 on the issues of differences in career tracks in information technologies and information security, which spawned a second discussion on the principle of separation or segregation (SoD) of duties. Mouli @iluom asked me a good question there on how to apply SoD in a particular situation. I am repeating his question here, so we can address it in the more appropriate Tech Talk arena:
Let's take the scenario where customer agents in an organization provide white glove services.
I mean the org provides some services/tools to support premium customers in removing their PII data from hundreds of broker sites with the customers' consent. The customer registers for the White Glove service and then the agent gets access to their PII data and other details like Driving Licence, SSN etc. in order to search the broker sites and remove them from these web sites.
Now my question is how does an org make sure the agent will not misuse the data they are accessing?
Can you help me to understand how we can apply SoD in this case? Here data masking cannot be used since the agent has to copy and paste it into their searching tool from one browser tab to another.
I'm curious how you control this kind of PII data exposure to the internal agents without hampering the process?
Mouli @iluom, thank you for a great setup for discussion.
First, let's be sure we have a grip on what SoD is about:
Critical actions should not be allowed such that the same entity can approve the action, take it, and check on it. Those three authorities (approve, act, check) should be held by separate, independent entities.
In the earlier thread, Grandpa Rob @rslade, referring to the Clark-Wilson model in computer programming, stated,
"Separation of duties is an important security principle, first established by the Clark-Wilson model, and initially applied to programs, mandating that the agent responsible for doing the task is not the agent responsible for checking the task."
Note that I added a third action, approval, based on the pre-computer history of SoD in the world of financial management and accounting. Think of approve as meaning authorize, and check as the same as audit.
For Mouli's example, he is concerned about misuse of PII data mined by an agent responsible for cleaning broker sites. The authorize step was made by the hiring organization, who contracted for the agent to perform the PII mining action. The hired agent is, of course, responsible for the action step. Your question asked how you make sure the action agent does not misuse the data. The first part is to explicitly cover how to handle the data, and what constitutes misuse, in the contract between the hiring organization and the action agent. We are now at the check or audit step. You will need to determine what must be audited, based on your contractual definition of misuse in the contract with the action agent. With that determination, you can select an audit capability either within your organization, or hire a third party to perform the audit. Either source for audit keeps it in an SoD relationship with the action agent. Finally, if the auditor needs access to the action agent's systems, that access for purposes of audit must be spelled out in the original contract with the agent.
Messy? Yes. Gotta have your contract lawyers in on the process? Yes, definitely.
If you have the budget for it, you could implement two-person integrity (TPI). Two people do the work, with each one watching the other to ensure that neither does anything unauthorized. This assumes that only one of the two workers is potentially malicious.
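To make the approve/act/check split and the TPI idea concrete, here is an added example (my own sketch, not code from anyone in this thread) of how a case-management tool for the white-glove service could enforce them. The Case and Role types, the sample identities, and the assumption that the contract permits agents to "view" PII but not "export" it are all illustrative choices.

```python
# Added example, not from the thread: a small model of the approve/act/check
# split and of two-person integrity for the white-glove PII case above.
# Case, Role, the sample identities and the "view only" contract rule are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    APPROVE = "approve"  # hiring organization authorizes the engagement
    ACT = "act"          # action agent(s) search and scrub broker sites
    CHECK = "check"      # auditor, internal or third party, reviews handling


@dataclass
class Case:
    case_id: str
    holders: dict = field(default_factory=lambda: {r: set() for r in Role})
    access_log: list = field(default_factory=list)  # (identity, pii_field, action)


def assign(case: Case, role: Role, identity: str) -> None:
    """Grant a role, refusing any identity that already holds one of the other two."""
    for other, members in case.holders.items():
        if other != role and identity in members:
            raise PermissionError(f"SoD: {identity} already holds {other.value}")
    case.holders[role].add(identity)


def record_pii_access(case: Case, identity: str, pii_field: str, action: str) -> None:
    """Only action agents may touch PII; every touch is logged for the check step."""
    if identity not in case.holders[Role.ACT]:
        raise PermissionError(f"{identity} is not an action agent on {case.case_id}")
    case.access_log.append((identity, pii_field, action))


def tpi_submit_removal(case: Case, requester: str, witness: str) -> bool:
    """Two-person integrity: a removal request needs two distinct action agents."""
    agents = case.holders[Role.ACT]
    if requester == witness or requester not in agents or witness not in agents:
        raise PermissionError("TPI: two different action agents must co-sign")
    return True


def audit(case: Case, auditor: str, permitted_actions: set) -> list:
    """The check step: the auditor (never an action agent) lists logged accesses
    whose action falls outside what the contract permits (assumed here: 'view')."""
    if auditor not in case.holders[Role.CHECK]:
        raise PermissionError(f"{auditor} is not an auditor on {case.case_id}")
    return [entry for entry in case.access_log if entry[2] not in permitted_actions]
```

The audit function only finds what was logged, so the contract language about what counts as misuse has to be mirrored in what the tool records.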