Hitachi ID Bravura Identity includes the most advanced segregation of duties (SoD) policy subsystem on the market. It actually works, whereas SoD policy checks in competitor IAM products can be bypassed in cases where there are nested roles and/or nested groups.

The Bravura Identity SoD policy subsystem supports:

  • Policy definition:
    • An SoD rule is defined as a toxic set of entitlements.
    • Entitlements that participate in the SoD rule may themselves be roles, login IDs on specified target systems or membership in specific security groups.
    • Users who have at least N of the M SoD entitlements are considered to be in violation.

    This is a very general model. It supports rules such as "No user shall belong to more than 2 of these 30 groups."

  • Approved exceptions:
    • Users may be allowed to violate SoD rules, so long as an authorized person has approved the violation.
    • Access certification is used to periodically renew approved SoD exceptions.

    This is a practical model. It allows organizations to knowingly violate rules where there is a strong business reason to do so and where suitable compensating controls are in place.

  • Proactive enforcement:
    • SoD policy is an integral part of workflow in Bravura Identity.
    • Change requests that pass through Bravura Identity workflow must either:
      1. Satisfy all SoD rules (i.e., violate none); or
      2. Include a request for an approved exception to every violated rule.
    • Requesters -- via the Bravura Identity UI, API or automation system -- simply cannot ask for violations without also asking for an approved exception.

    SoD should be proactive rather than after-the-fact, wherever possible. This is supported by Bravura Identity.

  • Reporting on out-of-band and pre-existing violations:
    • It is still possible to have users with entitlements that violate SoD:
      • Pre-existing conditions, where a user violated the SoD rule before Bravura Identity was implemented or the rule was defined.
      • Out-of-band changes, made using administrative tools and login IDs outside of Bravura Identity.
    • In these cases, there is no general way for Bravura Identity to know which of the offending entitlements is inappropriate, so it cannot automatically remediate the violating users.
    • Instead, Bravura Identity includes reports to identify violating users and help security staff make appropriate remediating changes.

    SoD reporting is the defense of last resort.

  • Deep inspection:

    Roles can be nested into other roles. Groups can include other groups among their members. The result of these two hierarchies is that an SoD policy may be defined at one level of a hierarchy of roles or groups, but a violation may take place at another level of the hierarchy. The Bravura Identity SoD policy mechanism decomposes roles and locates parent groups in order to reliably detect policy violations. Competitor IAM products fail to find such violations.
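    As an added illustration of the N-of-M rule model and of the deep inspection described above (constructed example code, not Bravura Identity's own implementation; the role, group, user and rule names are made up): a check that flattens nested roles, climbs nested groups to their parent groups, skips rules with an approved exception, and, with deep=False, shows how a check limited to direct assignments misses the same violations.

```python
from collections import deque

# Constructed sample data (not Bravura Identity data). Entitlements are "kind:name"
# strings (role:, group:, login:). GROUP_MEMBERS lists a group's direct members,
# which may be users or other groups; that is how group nesting is expressed.
ROLE_CONTENTS = {"finance-manager": {"role:ap-clerk", "group:GL_Close"},
                 "ap-clerk": {"group:AP_Approvers", "login:sap"}}
GROUP_MEMBERS = {"AP_Approvers": {"group:AP_Team"}, "AP_Team": {"user:alice"},
                 "Vendor_Maint": {"user:alice"}, "GL_Close": {"user:carol"}}
USER_ASSIGNMENTS = {"alice": {"login:sap"}, "bob": {"role:finance-manager"}, "carol": set()}
# (rule name, toxic set of M entitlements, N): holding N or more of the M is a violation
SOD_RULES = [("ap-vendor", {"group:AP_Approvers", "group:Vendor_Maint", "login:sap"}, 2),
             ("gl-ap", {"group:GL_Close", "group:AP_Approvers"}, 2)]
APPROVED_EXCEPTIONS = {("bob", "gl-ap")}  # (user, rule) pairs an authorizer approved

def _expand_role(role, seen):
    """Flatten a role into leaf entitlements, following nested roles (cycle-safe)."""
    leaves = set()
    for ent in ROLE_CONTENTS.get(role, ()):
        if ent.startswith("role:") and ent[5:] not in seen:
            seen.add(ent[5:])
            leaves |= _expand_role(ent[5:], seen)
        elif not ent.startswith("role:"):
            leaves.add(ent)
    return leaves

def _groups_containing(member):
    """Groups holding `member` directly or through parent groups (climbs upward)."""
    found, queue = set(), deque([member])
    while queue:
        m = queue.popleft()
        for group, members in GROUP_MEMBERS.items():
            if m in members and group not in found:
                found.add(group)
                queue.append("group:" + group)
    return found

def effective_entitlements(user):
    """All entitlements after decomposing roles and locating parent groups."""
    direct = USER_ASSIGNMENTS.get(user, set())
    ents = {e for e in direct if not e.startswith("role:")}
    for r in (e[5:] for e in direct if e.startswith("role:")):
        ents |= _expand_role(r, {r})
    for seed in {"user:" + user} | {e for e in ents if e.startswith("group:")}:
        ents |= {"group:" + g for g in _groups_containing(seed)}
    return ents

def sod_violations(user, deep=True):
    """Map violated rule -> matched entitlements; deep=False checks direct assignments only."""
    held = effective_entitlements(user) if deep else set(USER_ASSIGNMENTS.get(user, ()))
    return {name: held & toxic for name, toxic, n in SOD_RULES
            if len(held & toxic) >= n and (user, name) not in APPROVED_EXCEPTIONS}
```

Alice's violation comes entirely from group nesting and Bob's entirely from role nesting, so neither is visible to the shallow check; Bob's second hit is suppressed by his approved exception.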