Simplify and Automate User Access Reviews with a Modern IGA Solution

by | Apr 9, 2025




Since joining Zilla, I have spent hundreds of hours speaking with GRC, IAM, and Information Security teams about their access review processes. What stands out to me most from these conversations is that access reviews can be a significant burden on the organization, especially for teams who are completing them manually with spreadsheets and taking up valuable time from. However, I have also heard firsthand the significant and immediate improvement Zilla offers to teams who automate their user access reviews with Zilla’s Modern IGA. 

For anyone who is still on the fence about using an automated user access review solution, I wanted to highlight the differences that automation brings to user access reviews. 

Why are User Access Reviews Important? 

Regular User Access Reviews are required for regulatory compliance with standards such as SOX, HIPAA, GLBA, PCI, NYDFS, NYSDOH, and SOC 2. Additionally, increasing numbers of information security teams are now mandating reviews as part of an organization’s identity security posture management. In order to satisfy the increasingly stringent standards set by auditors, access reviews require high levels of both completeness and accuracy. This includes, but is not limited to, robust evidence packages, revocation proof, and before-and-after screen shots from in-scope applications. 

The result is that governance teams and reviewers alike find access reviews to be tedious, time-consuming, and never-ending. We at Zilla hear from customers that, before using Zilla, access review campaigns took up to five weeks to complete and involved time-consuming, tedious spreadsheets. And, even if there is an existing user access review automation solution in place, it likely isn’t able to fully automate the process due to the inability of legacy IGA solutions to integrate with all corporate applications. 

The Difference Automation Makes for User Access Reviews

Curious about what an access review looks like with Zilla? We’ve broken the process down into five steps, to show you the difference that automation makes. 

  1. Get Ready for the Campaign with Checklists: In order to prepare for an access review campaign, teams first need to collect the tens or hundreds of thousands of entitlements, and associated data, from all of the applications in scope for the review. Auditors need proof that current data was collected from all systems under review. To speed this process, Zilla offers easy, comprehensive application integration and readiness features.
    • Comprehensive app integration with Robotic process automation-powered options: Integrate SaaS, on-prem, and in-house apps – regardless of whether they have an API available – to automate entitlement data collection from these applications.
    • Checklist features: Zilla helps manage the process of filling in any incomplete data, such as permissions descriptions, by creating checklists for each application and the associated data. A campaign owner can assign readiness tasks to application owners and remind them to complete the requests. Then, the campaign owner is notified when the tasks are complete.
  2. Eliminate Redundancy with Pre-Approvals: Often, access review campaigns involve the review of standard, job-appropriate permissions that are commonly granted to many employees; they are not permissions that anyone would want to revoke, but they still require regular review. This creates tedious redundancy for reviewers who are stuck paging through long lines of basic access lists. It also introduces the temptation to “rubber stamp” reviews that appear routine in nature. Zilla’s Modern IGA approach leverages AI Profiles to facilitate pre-approval for routine, job-appropriate permissions. The result is that reviewers have considerably fewer items to review (typically a 60% – 75% reduction) and the remaining review items are focused on exceptional access only.
  3. Make it Easy for Reviewers: While access reviews are centrally managed by the information security or governance, risk, and compliance teams, they are completed by large numbers of reviewers, often every employee, supervisor and/or application owner across the business. Access reviews are not part of these stakeholders’ day jobs, and are therefore almost always viewed as time-consuming, tedious distractions. Zilla’s approach makes it easier for reviewers by providing clear reviewer communication and one screen from which to review permissions and quickly revoke or maintain them.
  4. Document Revocation Activity: It is not sufficient for auditor or information security standards to merely complete an access review; teams must provide evidence that permissions identified for revocation were revoked (Our recent State of IGA Survey found that 52% of organizations reported that more than 11% of user entitlements reviewed during audits were unnecessary, orphaned, or excessive). Zilla integrates with ITSM tools to automate revocation ticketing and also has options for automatic revocation via APIs. Then, Zilla captures the re-synced application data that documents the revocation for the audit evidence package.
  5. Provide Robust Evidence: Robust evidence is required to certify the completeness and accuracy of a user access review. User access review evidence packages typically include before and after screen shots, audit logs, and review activity timestamps. Collecting all of this manually can be a massive effort, but Zilla makes this much easier by automatically compiling evidence from the applications reviewed and also allowing for custom upload of evidence.

Zilla understands the access review process end-to-end, and how painful it can be for everyone involved when done manually. We are committed to relieving access review pain by fully automating the entire experience and giving time back to governance teams, campaign owners, application reviewers, and supervisors across the business. Designed to make access reviews automated, approver-ready, and auditor-friendly, we invite you to schedule a demo of Zilla’s modern IGA approach to access reviews. Because no one has time for outdated spreadsheets.

 

Author

  • Tricia Peck

    Tricia Peck is a product marketer at Zilla. She enjoys creating compelling and concise content around how to simplify identity governance and administration. She prides herself on partnering closely with internal and customer teams to understand how technology is solving critical business problems and is always curious to learn about new tools, solutions, and innovations. Tricia has 15+ years of experience in the enterprise technology space. Most recently, she was at VMware (acquired by Broadcom), focusing on global go-to-market strategy and sales acceleration. She attended Washington University in St. Louis and currently resides in Boston.
