Zilla AI Profiles™ have been out since September (read the announcement blog here), to rave reviews. For those who haven’t tried them yet, there have naturally been questions. Here are some of the most common ones, along with answers. For more information, check out our webinar on February 13th to see AI Profiles in action.
Q: What do you mean by “AI Profiles”, and where does the “AI” come into play?
Zilla AI Profiles are a simple, efficient way to automate the definition of the permissions that should be associated with different groups of users. Using AI machine learning, Zilla automatically creates profile grants to correlate application permissions with users based upon HR attributes such as user title or job code, department, group, position in the organization, physical location, and more. As a result, up to 75% fewer permissions need to be reviewed by a human when a user is onboarded. It also helps ensure least privilege access when employees move to new roles within the organization.
Q: Why did you take this approach to user permission management?
Artificial intelligence, and in particular machine learning, has revolutionized the way many computing challenges are addressed. Algorithms that are trained with the right parameters on large datasets excel at identifying sophisticated patterns and anomalies. For example, they can identify a human face in a sea of pixels, regardless of the lighting, size, or orientation.
User permissions also present a large dataset that can be overwhelming to human administrators (who include decentralized application owners and business owners across the organization), with combinations of thousands of users, hundreds of applications, and scores of permissions. This environment is ripe for the application of machine learning, especially when compared with the alternative approach of maintaining complex roles manually. The results from using an AI-based approach have been outstanding, with up to 60% fewer tickets needed to provision a new user.
Q: What is the difference between this approach and traditional roles, even if well maintained?
The AI Profiles approach is based upon automated machine learning and pre-approvals by the business owner with the context to make a decision about access. AI Profiles are fast and easy to set up, without extensive ongoing maintenance. Traditional roles, on the other hand, are established by reviewing the landscape of users, applications, and permissions and then manually establishing and maintaining groups (roles) that reflect the settings your organization should strive to maintain. It’s a significant effort, and it has to be an ongoing process as your organization changes and your applications change.
Q: What is the difference between this approach and Okta groups?
Okta groups are a capability of Okta’s excellent Identity Provider (IdP) and Single Sign-On (SSO) solution. They allow identity administrators to define membership groups for users and to associate those with access to applications that support Okta. An Identity Governance and Administration (IGA) solution such as Zilla, however, provides a much more granular mapping of users to individual permissions within all applications, even ones that don’t support Okta or another IdP.
With an IdP group approach, every application has to support the IdP, and many applications simply don’t. Also, applications that do support the IdP must have a permission group that matches the IdP group and has the exact required permissions for every user in the group. Application-specific permissions that are not associated with application groups are simply ignored. It is estimated that less than 20% of permissions across an enterprise are set by group memberships; the number likely varies by the size of the enterprise and the nature of applications in use.
With a modern IGA approach, you have full support of the applications in your environment plus mapping and control of every permission for every user, even if those don’t fit neatly into a predefined group.
For more insights, check out our blog, “The problems with featherweight IGA – what Identity Provider vendors don’t tell you!”
Q: What is the difference between this approach and using AI to define roles?
Using AI to define roles is essentially a way to do “bottom-up” role design. It discovers roles where groups of users have similar access, and it proposes roles based on the discovered access clusters. But afterwards, you still have a set of rigid roles that have to be carefully, manually evaluated and painstakingly maintained. Every user must fit within a role, and with many applications needing to be associated with each role, there’s a complex entitlement matrix for each role.
In contrast, AI Profiles associate each user with a set of application permissions based upon their attributes in a much more fluid way, without any need for them to fit perfectly within a specific IGA role. Common or “standard” permissions for a profile are quickly approved and reviewed, and individual permission exceptions are handled easily and gracefully by each application owner/approver. There’s no need for continuous management of a set of roles.
Q: Aren’t there privacy issues if you’re using machine learning?
In many examples of machine learning, training datasets could include information you’d rather not share with other organizations, making privacy a concern. Zilla avoids this issue by implementing proprietary, in-house machine learning while maintaining complete privacy for each organization. No data from one organization is shared with the learning algorithms of another organization. Training datasets are entirely segregated.
For answers to other questions, and to see AI Profiles in action, check out our webinar on February 13th, or schedule a personalized demo today.