Segregation of Duties - IAM Risk Analyzer

Segregation of Duties (SoD) & Toxic Combinations

1. Overview

Segregation of Duties (SoD) is a foundational control in Identity Governance that prevents a single user from having excessive or conflicting access that could lead to fraud, data misuse, or compliance violations.

In complex enterprise environments, access risk does not arise from a single entitlement but from toxic combinations across roles, responsibilities, and applications.

BalkanID’s SoD engine enables organizations to:

  • Detect toxic access combinations

  • Continuously monitor risk exposure

  • Prevent policy violations before provisioning

  • Provide auditor-ready evidence

  • Reduce blast radius from over-privileged identities

2. What Are Toxic Combinations?

A toxic combination occurs when a user has access to two or more permissions that, when combined, allow them to:

  • Create and approve payments

  • Create vendors and issue payments

  • Modify financial records and reconcile them

  • Create users and assign privileged roles

These combinations create:

  • Fraud risk

  • Regulatory violations (SOX, ISO, SOC 2, etc.)

  • Insider threat exposure

  • Audit findings

3. SoD Lifecycle

Segregation of Duties risk management is not a one-time audit exercise. It is a continuous control process designed to proactively identify, evaluate, and remediate toxic access combinations across the organization.

BalkanID supports the full SoD lifecycle as outlined below:

1. Policy Definition

Organizations begin by defining risk scenarios aligned to regulatory requirements (e.g., SOX) and internal control standards.

These policies identify business-critical conflicts such as:

  • Create Vendor + Approve Vendor

  • Create Invoice + Approve Payment

  • Create User + Assign Privileged Role

Clear policy definition ensures SoD enforcement is based on business risk impact, not just technical entitlement overlaps.

2. Baseline Rule Configuration

Defined policies are translated into enforceable SoD rules within BalkanID.

This involves mapping:

  • Roles

  • Responsibilities

  • Functions

  • Privilege inheritance paths

A well-configured baseline establishes a consistent framework for detecting toxic combinations across production and sandbox environments.

3. Risk Detection

BalkanID continuously evaluates user access against configured SoD rules.

Detection includes:

  • Direct role conflicts

  • Indirect (inherited) privilege conflicts

  • Cross-role and cross-responsibility violations

  • Cross-application combinations (if applicable)

This ensures real-time visibility into toxic access exposure.

4. Violation Analysis

Identified conflicts are reviewed by designated stakeholders to determine risk severity and business impact.

During analysis, organizations assess:

  • Scope of exposure

  • Compensating controls (if any)

  • User role criticality

  • Regulatory implications

This step helps prioritize remediation based on actual risk.

5. Mitigation or Remediation

Appropriate corrective action is taken to eliminate or formally manage the risk.

Common remediation approaches include:

  • Removing conflicting access

  • Redesigning roles

  • Implementing compensating controls

  • Documenting risk acceptance with approval

Effective mitigation reduces over-privileged access and strengthens control posture.

6. Continuous Monitoring

SoD risk evolves as users join, move, or leave the organization and as access changes over time.

BalkanID continuously monitors:

  • New access grants

  • Role modifications

  • Bulk provisioning changes

  • Campaign outcomes

This ensures that new violations are detected promptly and compliance posture is maintained.
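The six lifecycle steps above can be exercised end to end on a small, constructed data set. The following Python program is an added illustration written for this page; it is not BalkanID's engine, data model or API, and every policy id, role, entitlement and risk-acceptance reference in it is made up. It walks policy definition (conflicting business functions), baseline rule configuration (entitlement-to-function mapping, role-to-entitlement mapping and a role inheritance path), risk detection (direct, inherited and cross-application conflicts), documented risk acceptance, and a preventive pre-provisioning check of the kind continuous monitoring relies on when a new access grant is requested.

```python
"""Toy SoD evaluator: policy -> rules -> detection -> acceptance -> pre-grant check.
All data below is constructed for illustration; not BalkanID's engine or schema."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Step 1, policy definition: pairs of business functions one user must not hold together.
SOD_POLICIES: Dict[str, Tuple[str, str]] = {
    "P-001": ("create_vendor", "approve_vendor"),
    "P-002": ("create_invoice", "approve_payment"),
    "P-003": ("create_user", "assign_privileged_role"),
}

# Step 2, baseline rule configuration: entitlement -> (application, business function),
# role -> entitlements, and role -> parent roles (the privilege inheritance path).
ENTITLEMENTS: Dict[str, Tuple[str, str]] = {
    "erp:vendor.create": ("erp", "create_vendor"),
    "erp:vendor.approve": ("erp", "approve_vendor"),
    "erp:invoice.create": ("erp", "create_invoice"),
    "bank:payment.approve": ("bank", "approve_payment"),
    "idp:user.create": ("idp", "create_user"),
    "idp:role.assign_admin": ("idp", "assign_privileged_role"),
}
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "procurement": {"erp:vendor.create"},
    "procurement_lead": {"erp:vendor.approve"},
    "ap_clerk": {"erp:invoice.create"},
    "treasury_approver": {"bank:payment.approve"},
    "helpdesk": {"idp:user.create"},
    "iam_admin": {"idp:role.assign_admin"},
}
ROLE_PARENTS: Dict[str, Set[str]] = {"procurement_lead": {"procurement"}}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"procurement_lead"},             # conflict inherited via procurement
    "bob": {"ap_clerk", "treasury_approver"},  # direct, cross-application conflict
    "carol": {"helpdesk"},                     # no conflict
    "dave": {"helpdesk", "iam_admin"},         # conflict with a documented acceptance
}
# Step 5, documented risk acceptance: (user, policy) -> approval reference (constructed).
RISK_ACCEPTANCES: Dict[Tuple[str, str], str] = {
    ("dave", "P-003"): "RA-0042 (CISO approved, expires 2025-12-31)",
}


@dataclass(frozen=True)
class Violation:
    user: str
    policy: str
    left: str             # entitlement providing the policy's first function
    right: str            # entitlement providing the policy's second function
    via: Tuple[str, str]  # roles that granted (left, right)
    inherited: bool       # at least one side arrived through a parent role
    cross_app: bool       # the two entitlements live in different applications


def expand_roles(role: str, parents: Dict[str, Set[str]]) -> Set[str]:
    """Return the role plus every ancestor reachable by inheritance (cycle-safe)."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen


def effective_entitlements(roles: Set[str]) -> Dict[str, Tuple[str, bool]]:
    """Map entitlement -> (granting role, inherited?). Direct grants win over inherited."""
    out: Dict[str, Tuple[str, bool]] = {}
    for assigned in sorted(roles):
        for ent in ROLE_ENTITLEMENTS.get(assigned, ()):
            out[ent] = (assigned, False)
    for assigned in sorted(roles):
        for parent in sorted(expand_roles(assigned, ROLE_PARENTS) - {assigned}):
            for ent in ROLE_ENTITLEMENTS.get(parent, ()):
                out.setdefault(ent, (parent, True))
    return out


def evaluate(user: str, roles: Set[str]) -> List[Violation]:
    """Step 3, detection: every policy whose two functions are both reachable."""
    ents = effective_entitlements(roles)
    by_function: Dict[str, List[str]] = {}
    for ent in ents:
        by_function.setdefault(ENTITLEMENTS[ent][1], []).append(ent)
    found: List[Violation] = []
    for policy, (f1, f2) in SOD_POLICIES.items():
        for a in by_function.get(f1, []):
            for b in by_function.get(f2, []):
                found.append(Violation(
                    user, policy, a, b, (ents[a][0], ents[b][0]),
                    inherited=ents[a][1] or ents[b][1],
                    cross_app=ENTITLEMENTS[a][0] != ENTITLEMENTS[b][0]))
    return found


def open_violations(user: str) -> List[Violation]:
    """Step 4/5 output: conflicts still lacking a documented risk acceptance."""
    return [v for v in evaluate(user, USER_ROLES[user])
            if (user, v.policy) not in RISK_ACCEPTANCES]


def preflight_grant(user: str, new_role: str) -> List[Violation]:
    """Step 6, preventive check: conflicts a proposed role grant would introduce."""
    before = set(evaluate(user, USER_ROLES[user]))
    after = evaluate(user, USER_ROLES[user] | {new_role})
    return [v for v in after if v not in before]


if __name__ == "__main__":
    for u in USER_ROLES:
        for v in open_violations(u):
            print(f"{u}: {v.policy} {v.left} + {v.right} via {v.via} "
                  f"inherited={v.inherited} cross_app={v.cross_app}")
    print("carol + iam_admin would add:", preflight_grant("carol", "iam_admin"))
```

Two design points carry over to a real deployment: the inheritance expansion is what turns alice's single assigned role into a reportable conflict, which a check on directly assigned roles alone would miss, and the accepted conflict for dave is filtered out of the open list but not deleted, so the acceptance reference stays attached to the finding as auditor evidence. The pre-grant check compares the violation set before and after a hypothetical assignment, which is the shape of check a provisioning workflow runs before approving a new access grant.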
