New research: key trends in compliance, emergency access risks, and automation

The SailPoint Blog

Author: Eric Zimmerman, Product Marketing Manager

While many organizations are shifting to a unified identity security approach to improve compliance and proactively mitigate risk, few companies have fully arrived.

To help understand some of the most pressing governance, risk, and compliance challenges – especially those related to separation of duties, also called segregation of duties, and emergency access scenarios – SailPoint partnered with an external research firm to explore these common pain points.

We heard from more than 300 security and IT professionals about the most challenging compliance gaps, potential areas of increased risk, and how manual compliance approaches are disrupting already strained teams and management processes. Here’s a snapshot of our findings.

Want to see all the stats in one place? Download the full report.

What we talk about when we talk about separation of duties

Separation of duties breaks tasks into at least two parts to help ensure that no single individual can unilaterally perform actions whose irreversible effects would exceed an organization’s tolerance for risk.

Applying separation of duties for key functions helps protect organizations from risks to their money, inventory, and sensitive information due to various forms of fraud, human error, misuse of information, sabotage, and other malicious activities.

Based on our survey of IT professionals, it is unsurprising that 92% of organizations surveyed require some form of separation of duties. It is an essential security function of a robust access management strategy. What is striking, however, is that 43% of organizations reported that they have failed requirements for separation of duties at some point, which suggests a significant gap in protection.


A failure in compliance can often be the result of poor processes and procedures, as well as an inadequate access and identity security solution. Among those who were non-compliant, 85% indicate that it is difficult to determine why.

One person’s emergency is another’s opportunity

Invoking emergency access is one scenario where separation of duties violations can easily occur, and our research finds that 60% of companies have had to provide this at some point. Among the organizations surveyed, this access was typically needed for one of three reasons. The first is the unavailability of necessary team members, including those who are on extended absences (56%), temporarily unavailable (44%), or departed from the company (43%).

The increased risk of providing emergency access is not just theoretical. Among our survey respondents, some of the leading consequences were audit issues (35%), conflict with separation of duties (27%), and lack of documentation for auditing purposes (25%).

The study also showed that the granted emergency access was often not revoked in a timely manner (33%), generating ongoing risk and new violations. What’s more, emergency access appears to break companies’ processes and procedures, allowing sensitive actions without proper review (32%) and bestowing inappropriate access (30%).

Given the serious risk increase associated with providing emergency access, organizations will benefit from having well-documented, tested, and appropriate access processes. When done properly, this will help reduce the time it takes to respond to and resolve an emergency event, leading to less downtime and mitigating potential disruptions.

Want to learn more?

Download the full report to:

  • Understand common identity and access management challenges
  • See how your organization’s compliance strategy compares to others
  • Help your organization prioritize compliance and identity security gaps
  • Explore the impact of automation and centralized governance

How SailPoint can help

SailPoint Access Risk Management (ARM) helps organizations centralize access risk governance, delivering seamless GRC integration and extensive enterprise visibility to forecast and help prevent separation of duties violations across ERP systems, including SAP Fiori.

By leveraging Access Risk Management’s robust feature set, organizations can prevent potential compliance breaches and safeguard sensitive data.

See the Access Risk Management product page.