How to Reduce Segregation of Duties Related Audit Findings

Issues related to “Segregation of Duties” are among the most common audit findings, often rising to the classification of ‘significant audit finding.’

File integrity monitoring (FIM) and “segregation of duties” (SoD) are two distinct concepts in cybersecurity and internal controls, but they can work together to enhance an organization’s security posture. Let’s delve into each concept and then discuss their interrelation:

1. File Integrity Monitoring (FIM): FIM is a technology that monitors and detects changes in files, ensuring their integrity. It can notify administrators of unauthorized changes to critical system files, configuration files, or sensitive data files. By doing so, FIM can alert organizations to potential malicious activity, misconfigurations, or unintended changes.
2. Segregation of Duties (SoD): SoD is an internal control strategy that ensures no single individual has the authority or capability to execute all parts of a critical transaction, process, or operation independently. The idea is to distribute tasks and privileges among multiple people or systems to prevent fraud, errors, and abuse of power.

How does FIM relate to SoD?

Detection of Unauthorized Changes: If proper SoD controls are in place, no single individual can make significant changes without oversight or approval. FIM serves as a tool to detect when this principle is violated, i.e., if someone makes changes they shouldn’t be able to make alone. 

Accountability: With FIM, organizations can trace back file changes to specific accounts or individuals. In the context of SoD, you can verify that only the appropriate parties, as per the segregated roles, are making authorized changes.

Enhanced Oversight and Control: FIM is complementary to SoD. While SoD divides tasks and privileges to prevent undue concentration of power, FIM ensures that even with those divisions, changes don’t go unnoticed. This double-layered approach strengthens the security posture.

Validation of SoD Effectiveness: If FIM continually detects unauthorized changes, it could indicate a breakdown in SoD processes, signaling that roles aren’t as segregated as they should be or that individuals are bypassing or circumventing controls.

In essence, while FIM and SoD serve different primary purposes, FIM acts as a verification and enforcement mechanism for SoD. It ensures that even with duties segregated, there’s continuous oversight over critical file changes, fostering accountability and reducing risks.

Reducing Audit Findings Due to DevOps

The shift to DevOps has resulted in many optimizations and benefits to organizations. However, from an audit perspective, it introduces many complications and is often the source of audit findings.  The shift to DevOps amplifies the significance of File Integrity Monitoring (FIM) in several ways:

Rapid Changes: DevOps emphasizes continuous integration and continuous deployment (CI/CD), which means code and configurations are being pushed frequently, sometimes multiple times daily. With such rapid changes, it becomes crucial to have a system like FIM in place to monitor and validate these changes.

Infrastructure as Code (IaC): In DevOps, infrastructure setups are often treated as code, allowing for programmable and versionable infrastructure. While this brings agility and consistency, it also means that any malicious or erroneous changes to the infrastructure code can have widespread effects. FIM can monitor changes to these IaC configurations to ensure they remain secure.

Automated Environments: As DevOps relies heavily on automation, unauthorized changes in the environment might not just be manual edits by a developer or administrator; they could also stem from a misconfigured automation tool or script. FIM helps detect such unintended changes.

Microservices and Containers: Modern DevOps practices often use microservices architectures and containers. These can be spun up or down dynamically, leading to a complex environment. FIM adapted to such environments can help ensure the integrity of services and their configurations.

Shared Responsibility: DevOps often embodies a “shared responsibility” model where both developers and operations teams share responsibilities for the application’s lifecycle, including security. FIM can act as a common ground of trust and validation, ensuring that changes made by any party maintain the integrity of the system.

Validation and Oversight: As DevOps blurs the traditional boundaries between development and operations, ensuring proper oversight becomes critical. FIM provides an extra layer of validation and oversight, ensuring that all changes—whether they come from the development side or the operations side—are authorized and intentional.

Regulatory and Compliance Needs: Many industries have regulations that require evidence of who changed what and when. In dynamic DevOps environments, FIM can provide the necessary logs and alerts to fulfill these regulatory requirements.

While DevOps aims to increase speed and collaboration, it should not come at the expense of security and oversight. FIM becomes a critical tool in the DevOps toolkit to ensure that as organizations increase their agility, they also maintain the necessary checks and balances to keep their systems secure and compliant.

CimTrak Provides Oversight and Validation for Segregation of Duties and DevOps

CimTrak is an integrated security, integrity, and compliance suite that provides File Integrity Monitoring (FIM), among other capabilities. Here's how CimTrak can provide insight and support for both "Segregation of Duties" (SoD) and DevOps:

Segregation of Duties (SoD)

1. Monitoring and Alerts: CimTrak can monitor critical files, directories, and configurations for any changes. Alerts can be generated in the event of an unauthorized or unexpected change. This feature aids in enforcing and verifying SoD by ensuring that no unsanctioned changes occur without oversight.
2. Detailed Change Reports: CimTrak provides comprehensive reports on what changed, how it changed, who changed it, and when it was changed. This granularity ensures that even if multiple roles are involved in the lifecycle of a file or a system configuration, each change can be traced back to an individual or a process, reinforcing accountability in an SoD setup.
3. Baseline Snapshots: CimTrak can create secure, cryptographic baseline snapshots of your critical assets. Any deviation from this baseline can be immediately identified, providing an added layer of control in enforcing SoD.

DevOps

1. Integration with DevOps Tools: CimTrak can integrate with popular DevOps tools and platforms, ensuring that as code and configurations move through the CI/CD pipeline, CimTrak can monitor and verify the integrity of the changes.
2. Infrastructure as Code (IaC) Monitoring: Given that DevOps often uses IaC for programmable infrastructure, CimTrak can monitor these configurations to ensure that no unauthorized changes occur, thus maintaining the desired state of the infrastructure.
3. Real-time Monitoring in Dynamic Environments: In a DevOps environment, containers, microservices, and cloud resources may be temporary, CimTrak's real-time monitoring capabilities ensure that even short-lived assets are checked for integrity.
4. Forensic Capability: In the event of a security incident or an operational issue in a DevOps environment, CimTrak's detailed logs and change reports can provide forensic capabilities, helping teams trace back the source and nature of the problem.
5. Automated Response: CimTrak can be configured to take automated actions in response to detected changes. This feature aligns with the automation-centric ethos of DevOps, ensuring rapid response to potential threats or misconfigurations.

CimTrak provides a robust layer of oversight and validation for both SoD and DevOps environments. Continuously monitoring for changes and offering detailed insights into the nature of those changes aids organizations in maintaining security, compliance, and operational integrity, even in complex and dynamic IT landscapes.