Are Your Duties Segregated?
Segregation of duties is a fundamental information security practice. In simple terms, it means you split out important tasks between two or more people. This prevents one person from getting drunk on all the power they wield, and also prevents one person from making a mistake that can have undesired consequences.
One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation, or separation, of duties ensures that one person can’t launch a nuclear missile on his or her own.
Segregation of duties works best when there is a clearly defined function and where there is some physical separation.
For example, in a call center or banking app, a junior administrator may be able to authorize payments up to $500, but anything above that would need a supervisor’s approval. The junior admin can enter the details and send them off to the supervisor, who can then approve or decline the payment.
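One way to enforce that rule in code, as an added example that is not from the article: a minimal maker-checker flow in which the $500 limit comes from the text, while the role names, user ids and function names are assumptions. The point the threshold alone does not capture is that the approver must be a different person from the initiator, even when the initiator also holds the supervisor role.

```python
from dataclasses import dataclass
from typing import Optional

# Only the $500 figure comes from the article; roles and users are constructed.
SUPERVISOR_REQUIRED_ABOVE = 500
ROLES = {"alice": "junior_admin", "bob": "supervisor", "carol": "supervisor"}


@dataclass
class Payment:
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


class SegregationError(Exception):
    """Raised when an action would collapse two duties onto one person."""


def initiate(amount: int, user: str) -> Payment:
    """The maker: any known administrator may enter a payment."""
    if ROLES.get(user) not in ("junior_admin", "supervisor"):
        raise SegregationError(f"{user} may not initiate payments")
    return Payment(amount=amount, initiated_by=user)


def approval_problem(payment: Payment, approver: str) -> Optional[str]:
    """Return why `approver` may not act as checker, or None if they may."""
    if ROLES.get(approver) != "supervisor":
        return f"{approver} is not a supervisor"
    # Two-keys principle: the checker must be a different person from the
    # maker, regardless of what roles the maker happens to hold.
    if approver == payment.initiated_by:
        return "initiator cannot approve their own payment"
    return None


def approve(payment: Payment, approver: str) -> Payment:
    """The checker: record the supervisor's approval or refuse it."""
    problem = approval_problem(payment, approver)
    if problem is not None:
        raise SegregationError(problem)
    payment.approved_by = approver
    return payment


def is_authorized(payment: Payment) -> bool:
    """True when the payment may be released under the $500 rule."""
    if payment.amount <= SUPERVISOR_REQUIRED_ABOVE:
        return True  # within the junior admin's own limit
    return payment.approved_by is not None and payment.approved_by != payment.initiated_by
```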
But in practice, the broader application of this principle can have flaws.
In one of my first jobs in IT security, our team implemented a process for separating duties whenever a new HSM key needed to be loaded (a key change ceremony).
I worked on a team that had one half of the password to complete this task, while another team held the other half. Much like the end of the film “Bulletproof Monk,” I even had my half of the password tattooed on my back. (I still don’t know what it says to this day.)
Once a project was underway, I’d have to travel across the country to the data center with my half of the password in order to change the key with the help of a colleague.
The only problem with that was … Have you ever worked on a project? They’re never on time, always delayed. And data centers are cold!
One time I sat in a data center with another guy who was clearly more experienced than I with this kind of thing. He was sitting under a blanket he’d brought, reading his book and