A financial services company is reviewing its security posture for a critical database server that processes sensitive customer transactions. A single senior administrator is currently responsible for user account management, permission assignments, and system auditing. To minimize the risk of fraud and prevent a single point of compromise, which access control concept should be implemented?
The correct answer is segregation of duties (SoD). This is a security principle that aims to prevent fraud, errors, and abuse by dividing critical tasks among multiple individuals. In the scenario, one administrator controls account creation, permissions, and auditing, creating a single point of compromise. Implementing SoD would require splitting these responsibilities among different people, such as having one person manage accounts, another approve permissions, and a third, independent person conduct audits.
Role-based access control (RBAC) is a method of managing access based on a user's job function. While RBAC would be used to implement the new permission structure, it is not the overarching principle itself. A single user could still be assigned multiple conflicting roles, violating the principle of SoD.
Mandatory Access Control (MAC) is a strict, system-enforced access control model based on security labels (e.g., clearance levels). It does not directly address the procedural risk of a single individual holding multiple conflicting responsibilities.
Delegation is the act of assigning authority for specific tasks to others. While it is a necessary action to implement SoD, it is the mechanism of assignment, not the security principle that guides how those assignments should be structured to prevent conflicts of interest.