The Emergence of Zilla AI Profiles: A Modern Solution to Roles and Groups

by Dan Peterson | Oct 1, 2024

A few weeks ago, I published a blog about the role-based approach to identity governance and the many problems inherent in roles. Last week, Zilla introduced Zilla AI Profiles™, a modern solution that combines the power of AI with the federated approval model needed to navigate access in today’s complicated application ecosystem. Zilla AI Profiles let identity teams automate most of the manual work of managing roles and, as a result, simplify identity governance processes dramatically.

Profiles offer a fresh approach to access control, addressing many of the shortcomings of traditional organizational roles.

Let’s explore how Profiles are different from traditional approaches to access control via roles and groups, and why they are more effective.

What’s in a Profile?

Profiles are an organization’s current mapping of which users should have access to specific resources, based on their business function within the organization. Profiles are automatically suggested in Zilla by evaluating metadata such as department, title, job code, and location, and profiles can be viewed from the lens of users or applications.

From the user lens, a user profile is based on one or more user characteristics that represent their function or responsibility. For example, Abby Smith is joining Access-Ventures on the Development Team as a Senior Engineer.

Abby’s profile is a combination of her attributes: she is an employee of Access-Ventures and therefore gets access to payroll and other company-wide apps, and she is also a member of the Development Team with the title Senior Engineer.

See examples below:

All Access-Ventures employees get these permissions:
[Table: company-wide apps such as ADP and Slack, with the permission level for each]
The Development Team gets these:
[Table: apps such as GitHub and JIRA, with the permission for each]
Senior Engineers on the Development Team also get these:
[Table: apps such as Confluence and Jenkins, with the permission and level for each]
Classifying the elements of Abby’s user profile at this level of granularity is what makes automated, approvable user and application access possible at Access-Ventures. Profile grants can be reviewed, adjusted, and approved by the relevant stakeholders as needed, which makes them a sustainable and auditable solution throughout the user lifecycle. Profiles also stay current: the system highlights changes and anomalies and recommends a review, and where needed an adjustment of the profile grants, based on the current state of access.

This automated process reduces the dependence on flawless user attribute data and eliminates the need for dedicated role designers.

Let’s now dive into how profiles evolve throughout the user lifecycle.

AI Profiles Enable Efficiency in Onboarding and Managing Users

AI-powered profile creation lets access for new employees be deployed quickly and without extensive preparation, because the profile already captures what a user with a given set of attributes needs. In the earlier example, because Access-Ventures knows what a Senior Engineer on the Development Team should have access to, Abby receives the correct permissions and can start work immediately on joining the company.

In a few months, when the company performs its semi-annual entitlement certification, Abby’s supervisor only has to review the permissions Abby holds that are not part of her profile.

If Abby changes jobs or departments, her new supervisor (and, where possible, her former supervisor) reviews Abby’s permissions using her post-move profile as the template. This ensures a smooth transition: Abby gains access to the resources her new position needs, and any access that only her former profile explained now shows up as an exception to be reviewed.

Now suppose Abby is directly granted privileged access to an application, and that access is not part of her profile. This can trigger a policy configured in Zilla that watches for exceptional privileged access, so an administrator can review and address the issue immediately.

How do AI Profiles Work?

Zilla generates profiles very quickly by leveraging AI for profile generation and a federated approval model for profile acceptance and activation.

Profiles are generated with the push of a button and proposed to an administrator, who does not need to know the business roles. The AI-based profile evaluation considers every possible combination of user attributes and permissions and then suggests the most effective and precise combinations.

The administrator can tune the results by changing which attributes and permissions are considered and by adjusting the thresholds for profile precision and reach. Either way, the result is a proposed list of powerful access profiles that the administrator can activate directly or, more likely, forward automatically to the right system or application owner for review.

Zilla automatically identifies the owner/approver for each access a profile grants. If a permission, resource, or group has an owner, that owner is the primary approver; otherwise the application owner is notified. Zilla also allows quick and easy delegation to other stakeholders. The result is that the right person is asked to validate each proposed profile grant.

Data-owner approval is what makes profiles practical to deploy and maintain, and clear and valuable for review and audit. It also matters for correctness: proposals are mined from access that already exists, so they inherit any over-provisioning already in place, and an owner who knows the permission is the check that keeps such access from quietly becoming pre-approved.

Reduced Manual Effort for Access Reviews

In addition to their benefits for user lifecycle management, the other major advantage of profiles is in user access reviews. Zilla AI Profiles provide an up-to-date, accurate map of who should have access to which resources based on their role in the organization. With that information, user access reviews become simpler, more focused, and more powerful.

Access reviews come in many flavors, but they always have some individuals reviewing users’ access to a set of permissions and then approving or removing each granted permission. Reviewers are usually either the supervisors of the users being reviewed or the owners of the permissions being reviewed. Profiles enable pre-approval of the permissions explained by a user’s role in the company.

Say this is the profile grant:

Profile: Department = Engineering | Users: 361 | Application: GitHub | Permission: Members

This means it is always acceptable for users in the Engineering department to hold basic “Members” access to GitHub. The relationship was proposed automatically and was approved and activated by the application owner of GitHub. Over time the grant has been regularly re-evaluated and re-approved by the appropriate owner, so we know it is current, and the approval history is logged for auditors.

Any user entitlement review that includes Engineering users or GitHub permissions would use this single profile grant to remove 361 user permissions from the review, as they are already pre-approved.

The result is that reviewers have considerably fewer items to review (typically a 60% to 75% reduction) and are focused on exceptional access only. They spend their time on the permissions that truly need review and are less likely to simply approve all of a user’s access.
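The following Python example, added here and not taken from Zilla, shows the two uses of an active profile grant described on this page: scoping a review so that only entitlements no profile explains remain, and raising an alert when one of those exceptions is a privileged permission (the “direct privileged access outside the profile” case from the lifecycle section). The users, grants, and the set of permissions treated as privileged are constructed for the example; how a real deployment defines “privileged” is an assumption here.

```python
"""Profile-aware review scoping and exception alerting (added example, not Zilla's code).

An active profile grant pre-approves (app, permission) for every user whose
attributes match.  Scoping a review removes each entitlement a grant explains
and leaves the exceptions; exceptions on a privileged permission are raised as
policy alerts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileGrant:
    name: str
    attrs: tuple        # ((attribute, value), ...); all must match
    app: str
    permission: str
    approved_by: str    # owner who activated the grant (hypothetical)


# Constructed sample data: hypothetical users, current access and active grants.
USERS = {
    "abby": {"type": "employee", "dept": "Engineering", "title": "Senior Engineer"},
    "dave": {"type": "employee", "dept": "Engineering", "title": "Engineer"},
    "erin": {"type": "employee", "dept": "Finance",     "title": "Analyst"},
}
ACCESS = {
    "abby": {("Slack", "member"), ("GitHub", "Member"), ("Jenkins", "Admin")},
    "dave": {("Slack", "member"), ("GitHub", "Member"), ("Jenkins", "Admin")},
    "erin": {("Slack", "member"), ("NetSuite", "Viewer"), ("GitHub", "Member")},
}
PROFILE_GRANTS = [
    ProfileGrant("All employees",    (("type", "employee"),), "Slack", "member", "it-helpdesk"),
    ProfileGrant("Engineering",      (("dept", "Engineering"),), "GitHub", "Member", "platform-team"),
    ProfileGrant("Senior Engineers", (("dept", "Engineering"), ("title", "Senior Engineer")),
                 "Jenkins", "Admin", "ops-lead"),
]
# Which permissions count as privileged is a deployment decision; assumed here.
PRIVILEGED = {("Jenkins", "Admin"), ("GitHub", "Owner"), ("NetSuite", "Administrator")}


def matches(user_attrs, grant):
    """True when every attribute in the grant's cohort definition matches the user."""
    return all(user_attrs.get(a) == v for a, v in grant.attrs)


def scope_review(users, access, grants, privileged, app=None):
    """Split entitlements into pre-approved (explained by a grant) and to-review.

    `app` optionally restricts the review to one application, as an
    application-owner review would.  Returns (pre_approved, to_review, alerts).
    """
    pre_approved, to_review, alerts = [], [], []
    for user, entitlements in access.items():
        attrs = users[user]
        for ent_app, perm in sorted(entitlements):
            if app is not None and ent_app != app:
                continue
            explaining = [g for g in grants
                          if (g.app, g.permission) == (ent_app, perm) and matches(attrs, g)]
            if explaining:
                pre_approved.append((user, ent_app, perm, explaining[0].name))
            else:
                to_review.append((user, ent_app, perm))
                if (ent_app, perm) in privileged:
                    alerts.append((user, ent_app, perm))
    return pre_approved, to_review, alerts


def reduction_pct(pre_approved, to_review):
    """Share of review items removed by profile pre-approval, in percent."""
    total = len(pre_approved) + len(to_review)
    return round(100 * len(pre_approved) / total, 1) if total else 0.0


if __name__ == "__main__":
    pre, todo, alerts = scope_review(USERS, ACCESS, PROFILE_GRANTS, PRIVILEGED)
    print(f"pre-approved {len(pre)}, to review {len(todo)} "
          f"({reduction_pct(pre, todo)}% removed from the review)")
    for item in todo:
        print("  review:", item)
    for item in alerts:
        print("  ALERT privileged access outside profile:", item)
```

With this data six of nine entitlements are explained by a grant and drop out of the review; the three that remain are Erin’s GitHub membership, Erin’s NetSuite Viewer access, and Dave’s Jenkins Admin, and only the last one trips the privileged-exception alert. Passing `app="GitHub"` produces the application-owner view, in which Abby and Dave are pre-approved by the Engineering grant and only Erin is left to review.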

Conclusion

Traditional organizational roles have served their purpose, but their limitations are increasingly apparent in today’s dynamic business environment. Profiles offer a modern, efficient, and adaptable solution to the challenge of building and maintaining pre-approved user access based on user attributes. By leveraging AI and automating the creation and maintenance of profiles, organizations can achieve faster, more accurate, and more sustainable access control, ensuring that users have the right permissions at the right time.

The shift from traditional roles to profiles marks a significant evolution in access control, providing a robust framework that keeps pace with the ever-changing needs of modern businesses.

Want to learn more about Zilla AI Profiles? Download the AI Profiles solution brief

Author

  • Dan Peterson

    Dan Peterson is a Senior Advisor and Product Strategist at Zilla Security. He has spent more than 30 years successfully developing and delivering software and services.

    Prior to Zilla, Dan was a Founder and VP of Product Management at Aveksa. In this role, he was instrumental in growing the company into the market leader in Identity Security and Access Governance. RSA acquired Aveksa in 2013.

    Previously, he held senior management roles at Engage Technologies, Banyan Systems, Hewlett Packard, and IBM. Peterson has a BS from Northeastern University.

