Regular User Access Reviews are required for regulatory compliance with standards such as SOX, HIPAA, GLBA, PCI, NYDFS, NYSDOH, and SOC 2. Additionally, increasing numbers of information security teams are now mandating reviews as part of an organization’s identity security posture management. In order to satisfy the increasingly stringent standards set by auditors, access reviews require high levels of both completeness and accuracy. This includes, but is not limited to, robust evidence packages, revocation proof, and before-and-after screenshots from in-scope applications.
The result is that governance teams and reviewers alike find access reviews to be tedious, time-consuming, and never-ending. We have heard that access review campaigns can take up to five weeks or more to complete and involve time-consuming and unwieldy spreadsheets. And, even if there is an existing user access review automation solution in place, it likely isn’t able to fully integrate with all corporate applications.
The Difference Automation Makes for User Access Reviews
Curious about what an access review should look like? We’ve broken the process down into five steps, to show you the difference that automation makes.
- Get Ready for the Campaign with Checklists: In order to prepare for an access review campaign, teams first need to collect the tens or hundreds of thousands of entitlements, and associated data, from all of the applications in scope for the review. Auditors need proof that current data was collected from all systems under review. To speed this process, Zilla offers easy, comprehensive application integration and readiness features.
  - Comprehensive app integration with robotic process automation (RPA)-powered options: Integrate SaaS, on-prem, and in-house apps – regardless of whether they have an API available – to automate entitlement data collection from these applications.
  - Checklist features: Manage the process of filling in any incomplete data, such as permissions descriptions, by creating checklists for each application and the associated data. A campaign owner can assign readiness tasks to application owners and remind them to complete the requests. Then, the campaign owner is notified when the tasks are complete.
- Eliminate Redundancy with Pre-Approvals: Often, access review campaigns involve the review of standard, job-appropriate permissions that are commonly granted to many employees; they are not permissions that anyone would want to revoke, but they still require regular review. This creates tedious redundancy for reviewers who are stuck paging through long lines of basic access lists. It also introduces the temptation to “rubber stamp” reviews that appear routine in nature. Zilla’s Modern IGA approach leverages AI Profiles to facilitate pre-approval for routine, job-appropriate permissions. The result is that reviewers have considerably fewer items to review (typically a 60% – 75% reduction) and the remaining review items are focused on exceptional access only.
- Make it Easy for Reviewers: While access reviews are centrally managed by the information security or governance, risk, and compliance teams, they are completed by large numbers of reviewers, often every employee, supervisor and/or application owner across the business. Access reviews are not part of these stakeholders’ day jobs, and are therefore almost always viewed as time-consuming distractions. Our approach makes it easier for reviewers by providing clear reviewer communication and one screen from which to review permissions and quickly revoke or maintain them.
- Document Revocation Activity: It is not sufficient for auditor or information security standards to merely complete an access review; teams must provide evidence that permissions identified for revocation were revoked. Our recent State of IGA Survey found that 52% of organizations reported that more than 11% of user entitlements reviewed during audits were unnecessary, orphaned, or excessive. Ensuring that your access review solution can integrate with ITSM tools to automate revocation ticketing as part of an audit evidence package will be critical.
- Provide Robust Evidence: Robust evidence is required to certify the completeness and accuracy of a user access review. User access review evidence packages typically include before-and-after screenshots, audit logs, and review activity timestamps. Collecting all of this information manually is a massive undertaking. Ensuring that you can automatically compile evidence from the applications reviewed and also allow for custom upload of evidence will be a major benefit during the review process.
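The mechanics behind steps two, four and five above, as an added illustration that is not Zilla's code: entitlements that match a role's job-appropriate profile are pre-approved, only exceptional access goes to reviewers, and every revoke decision is checked against a post-remediation entitlement snapshot so the evidence package records whether the revocation actually happened. All users, apps, roles and permissions are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data: one campaign's collected entitlements as (user, role, app, permission).
ENTITLEMENTS = [
    ("alice", "engineer", "github", "read"),
    ("alice", "engineer", "github", "admin"),
    ("alice", "engineer", "jira", "user"),
    ("bob", "engineer", "github", "read"),
    ("bob", "engineer", "aws", "AdministratorAccess"),
    ("carol", "finance", "netsuite", "ap_clerk"),
    ("carol", "finance", "github", "read"),
]

# Constructed role profiles (a stand-in for the page's "AI Profiles"): permissions that are
# job-appropriate for the role and therefore eligible for pre-approval.
ROLE_PROFILES = {
    "engineer": {("github", "read"), ("jira", "user")},
    "finance": {("netsuite", "ap_clerk")},
}


def plan_campaign(entitlements, profiles):
    """Split entitlements into pre-approved (in the role profile) and exceptional (needs a reviewer)."""
    pre_approved, to_review = [], []
    for user, role, app, perm in entitlements:
        bucket = pre_approved if (app, perm) in profiles.get(role, set()) else to_review
        bucket.append((user, role, app, perm))
    return pre_approved, to_review


def reduction_pct(pre_approved, to_review):
    """Share of the original review load removed by pre-approval, as a whole percentage."""
    total = len(pre_approved) + len(to_review)
    return round(100 * len(pre_approved) / total) if total else 0


def revocation_evidence(decisions, after_snapshot, now=None):
    """For each 'revoke' decision, record whether the entitlement is absent from the
    freshly collected post-remediation snapshot, with a UTC timestamp for the audit package."""
    now = now or datetime.now(timezone.utc)
    after = set(after_snapshot)
    return [{"entitlement": item, "revoked": item not in after, "checked_at": now.isoformat()}
            for item, decision in decisions if decision == "revoke"]


def unresolved(evidence):
    """Revocations that were decided but not yet reflected in the application: these block sign-off."""
    return [e["entitlement"] for e in evidence if not e["revoked"]]
```

In a real campaign the "after" snapshot would come from a second automated collection run against the application, not from the reviewer's assertion that a ticket was closed.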
Zilla understands the access review process end-to-end, and is aware of how painful it can be for everyone involved when done using spreadsheets. Zilla’s modern IGA solution is designed to make access reviews automated, approver-ready, and auditor-friendly, and we urge you to consider it in order to be spared the drudgery of manual access reviews.