Thursday, August 12, 2010

Insider Steals $11 Million Despite Separation of Duties Controls


A three-person process for approving payments did not stop a lone insider from stealing $11 million by subverting a separation of duties (SoD) control. How can an organization prevent this from happening to them? What is needed to ensure that separation of duties controls do not fail?

What Went Wrong?
The thief's unauthorized access to the unused accounts of two other employees allowed her to pull the strings and make it appear that payments had the three "independent approvals" required by the separation of duties control. (a)
“Records showed they were approved by Cawthra and two of her former subordinates who no longer worked there when they supposedly approved the refunds.” (b)
The thief was a manager at the Colorado Department of Revenue. She may have taken over user accounts by “forgetting” to request the accounts be terminated when staff left and learned passwords by asking her staff - “just in case of an emergency.”

Controls - People-based vs. Fact-based
Relying solely on people-based controls, such as deprovisioning users on job change or manager review of access rights, can be a recipe for failure because these controls depend on managers, some of whom may be dishonest. In this case the manager responsible for requesting that her departed subordinates' accounts be terminated was the thief herself.

An effective line of defense could be a fact-based control in which user access rights are compared with actual user activity by an independent party. The three-approval control assumed that three distinct logins meant three distinct people; a fact-based control tests that assumption against the data. Such a control could have prevented or caught this theft by identifying dormant accounts, accounts still enabled after their owners left, shared logins, and other access patterns indicative of fraud.
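As an added illustration (not part of the original post and not code from the Veriphyr service), the following Python script shows what such a fact-based comparison looks like when automated. It joins a constructed HR feed, the application's account list and its approval log, and flags the patterns described above: approvals recorded under accounts of people who had already left, accounts HR says are gone but the application still has enabled, dormant accounts, and approval chains whose "independent" approvers were really one person or one workstation. All names, dates, workstation IDs and log records are constructed for the example.

```python
"""Fact-based separation-of-duties review: correlate an HR feed, the
application's account list and its approval log to surface ghost
approvers, deprovisioning failures, dormant accounts and shared logins.
Added example, not Veriphyr code; every record below is constructed."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed HR feed: termination date per person, None if still employed.
HR_TERMINATED = {
    "mgr1": None, "jdoe": None, "rpatel": None, "clee": None,
    "asmith": date(2009, 3, 31), "bjones": date(2009, 6, 15),
}

# Constructed account list from the refund application: accounts still
# enabled, and the last login the application recorded for each.
ENABLED_ACCOUNTS = {"mgr1", "jdoe", "rpatel", "clee", "asmith", "bjones"}
LAST_LOGIN = {
    "mgr1": date(2009, 9, 30), "jdoe": date(2009, 9, 29),
    "rpatel": date(2009, 9, 28), "clee": date(2009, 4, 2),
    "asmith": date(2009, 9, 2), "bjones": date(2009, 9, 2),
}

# Constructed approval log: (refund_id, approver, timestamp, workstation).
APPROVALS = [
    ("R-1001", "mgr1",   "2009-09-02T10:14", "WS-017"),
    ("R-1001", "asmith", "2009-09-02T10:16", "WS-017"),
    ("R-1001", "bjones", "2009-09-02T10:19", "WS-017"),
    ("R-1002", "mgr1",   "2009-09-03T09:01", "WS-017"),
    ("R-1002", "jdoe",   "2009-09-03T11:40", "WS-042"),
    ("R-1002", "rpatel", "2009-09-03T13:05", "WS-051"),
    ("R-1003", "mgr1",   "2009-09-04T14:00", "WS-017"),
    ("R-1003", "mgr1",   "2009-09-04T14:02", "WS-017"),
    ("R-1003", "jdoe",   "2009-09-04T14:30", "WS-042"),
]
REQUIRED_APPROVERS = 3      # the control's rule: three independent people
AS_OF = date(2009, 9, 30)   # date the review is run


def _by_refund(approvals):
    """Group approval records into one chain per refund."""
    chains = defaultdict(list)
    for refund, who, ts, ws in approvals:
        chains[refund].append((who, datetime.fromisoformat(ts), ws))
    return chains


def ghost_approvals(approvals=APPROVALS, hr=HR_TERMINATED):
    """Approvals recorded under an account whose owner had already left."""
    out = []
    for refund, who, ts, _ in approvals:
        left = hr.get(who)
        if left is not None and datetime.fromisoformat(ts).date() > left:
            out.append((refund, who))
    return out


def terminated_but_enabled(enabled=ENABLED_ACCOUNTS, hr=HR_TERMINATED):
    """Deprovisioning failures: HR says gone, the application says active."""
    return sorted(a for a in enabled if hr.get(a) is not None)


def dormant_accounts(enabled=ENABLED_ACCOUNTS, last=LAST_LOGIN,
                     as_of=AS_OF, days=90):
    """Enabled accounts with no login inside the lookback window."""
    return sorted(a for a in enabled if (as_of - last[a]).days > days)


def non_independent_chains(approvals=APPROVALS, required=REQUIRED_APPROVERS,
                           window=timedelta(hours=1)):
    """Refunds whose approvals are not really independent: fewer distinct
    approvers than the rule requires, or two 'different' approvers acting
    from one workstation within `window` of each other (the signature of
    one person using several logins). Returns {refund: [reasons]}."""
    flagged = {}
    for refund, chain in _by_refund(approvals).items():
        reasons = []
        distinct = {who for who, _, _ in chain}
        if len(distinct) < required:
            reasons.append("only %d distinct approvers" % len(distinct))
        chain.sort(key=lambda rec: rec[1])
        for i, (a, ta, wa) in enumerate(chain):
            for b, tb, wb in chain[i + 1:]:
                if a != b and wa == wb and tb - ta <= window:
                    reasons.append("%s and %s both approved from %s"
                                   % (a, b, wa))
        if reasons:
            flagged[refund] = reasons
    return flagged


def run_review():
    """Run every check and return the findings for the reviewer."""
    return {
        "ghost_approvals": ghost_approvals(),
        "terminated_but_enabled": terminated_but_enabled(),
        "dormant": dormant_accounts(),
        "non_independent": non_independent_chains(),
    }


if __name__ == "__main__":
    for check, result in run_review().items():
        print(check, result)
```

The point of the script is that none of the checks depends on a manager's honesty: the HR feed, the account list and the approval log are each produced by a different system, so an insider who controls only the approval workflow cannot make them agree. The workstation and time-window test is a heuristic; an approver who legitimately shares a terminal would need a documented exception rather than a silent pass.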

Manual Review is People Intensive
Unfortunately, traditional methods and tools for reviewing access and activity create an enormous amount of work. Someone has to manually comb through user access rights and activity for every sensitive system and application in the organization.

Eliminate the Work and Get Actionable Answers
The Veriphyr Identity and Access Intelligence (IAI) service eliminates manual grunt work by applying advanced analytics to an organization’s existing rights and activity data to identify access policy exceptions.

Veriphyr Identity and Access Intelligence Services
Just as importantly, because it is a pay-per-use service, Veriphyr involves no long term contracts, no software to install, no hardware to procure, and no scripts or connectors to maintain.

You just upload the data you already have (in whatever format it is already in) to Veriphyr's secure data center. The Veriphyr service does the rest and puts user access policy exceptions and actionable remediation into the right hands.

For more, see the video demonstration of the Veriphyr service.

Sources:
(a) Man Sentenced To 58 Years In $11M Tax Refund Plot
(b) State Employee Accused In $5 Million Fraud Scheme


Thank you to W. Benson Dana for bringing this incident to my attention.

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.