Many business processes can be problematic or faulty if they are carried out by a single person in a company. The principle of segregation of duties (SoD) is used to prevent this. Segregation of duties is crucial for effective internal control as it reduces the risk of both erroneous and inappropriate actions.
Automation of Segregation of Duties
Segregation of Duties (SoD) means that no single person should be in a position to perpetrate and then be allowed to conceal errors or fraud in the normal course of their duties. In fact, SoD is a central issue for enterprises to ensure compliance with laws and regulations and is a familiar concept to anyone who has ever worked in finance or banking. In general, the principal duties that need to be segregated are:
- Authorization or approval of related transactions affecting those assets
- Custody of assets
- Recording or reporting of related transactions
The digitization of business processes requires SoD to be enforced by a workflow engine in a fully automated fashion. When migrating these processes to the cloud, SoD-based decision-making code must be guaranteed to have received untampered input, executed untampered, and returned untampered output. Also, the automated process needs to be auditable. This can be achieved by combining a workflow engine (Transaction Security Broker, TSB) with a Trusted Execution Environment, or TEE for short.
The Trusted Execution Environment
A TEE may be realized as a dedicated secure area of a main processor (CPU) that can be isolated at the hardware or software level from the rest of the computer. Also known as enclave, it provides security features such as isolated execution, integrity of applications executing with the TEE, along with confidentiality of their assets. Modern-day computing systems, and especially cloud computing servers, often rely on enclaves. Laptops, desktops, tablets or smartphones use enclaves to safely store an app's passwords or encryption keys, while servers use enclaves to isolate the data of different cloud server tenants.
Currently, enclaves are supported by various underlying hardware-based technologies such as Intel's Software Guard Extensions (SGX), ARM's TrustZone, RISC-V's Keystone, Qualcomm's Secure Execution Environment (QSEE), or KU Leuven's Sancus. Unfortunately, these hardware-based technologies are prone to side-channel attacks. Well documented are especially SGX’s broken isolation promises. There are several software development kits (SDK) available which provide an interface for apps to interact with the underlying enclave technology. Besides interfacing, the role of these SDKs is to also shield the enclave at a software level from malicious code that may be running at the OS level. Specifically, an SDK must be able to detect malicious instructions that may be used in attempts to exfiltrate data from the enclave, which is a non-trivial task: Research teams reviewing these enclave SDKs keep finding exploitable vulnerabilities.
Dedicated TEE hardware appliances avoid these security shortcomings by design. Its well-shielded and tamper-resistant housing combined with its security-minded software architecture render side-channel attacks useless. Strong isolation between tenants is guaranteed by a dedicated hardware and firmware architecture.
Automated Segregation of Duties and Blockchain
SoD is a must have principle in decentralized finance (DeFi) and in blockchain-related businesses in general. In these domains, the workflow engine is often realized as a smart contract on, for instance, the Ethereum blockchain. A fundamental shortcoming of smart contracts, however, is known as the blockchain oracle problem. Smart contracts inherently cannot interact with data and systems outside their native blockchain environment. Blockchains hence obtain properties like approvals of user transactions, guarantees of single spending, or other information from additional pieces of infrastructure called “oracles”. Developers tackle the oracle problem, e.g., by using TEEs on sidechains or other means. Institutions leveraging blockchain and smart contract technology, for instance, set up additional off-chain infrastructure to ensure full regulatory compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) laws, which are translated to auditable code running on a dedicated TEE.
In general, major industries benefit from combining oracles and smart contracts. These include asset prices for finance, weather information for insurance, randomness for gaming, IoT sensors for supply chain, ID verification for government, and much more.
Process automation requires SoD securely integrated in an organization’s IT infrastructure. The execution of decision-making code needs extra protection, especially in industries where transactions cannot be undone or reversed and / or processes need to be auditable. The workflow engine might be realized as TSB software or as a smart contract on a blockchain. For security and auditability purposes, the decision-making code needs to be executed on dedicated TEE devices.