Comply

We are a financial services company that's regulated by the FDIC, so we must complete a SOC 2 report showing evidence that we regularly review our high-risk applications. 

The solution has been a lifesaver. It has given us a unified platform that allows us to easily demonstrate what we need to do regarding user access reviews for compliance. 

Before Zilla, we were using fairly complicated spreadsheets, and it took a long time for the information security team to update these and send them to the business lines every quarter. We wanted something that was automated and easier for the business lines to review. Ultimately, it ended up saving the InfoSec team 60 hours per quarterly review and the business lines well over 100 hours. 

We had these spreadsheets all over the place, but now we have a library of evidence to consult when needed. Zilla keeps everything in one place. It's not scattered all over anymore. 

Because we must adhere to the SOC 2 framework, we need to manage our user permissions to the least privileged level. Since the spreadsheets were so complicated, many people rubber-stamped permissions. They weren't going to dive into this rat's nest, so they would just say everything is fine. With Zilla, people were able to see more clearly into their permissions, and I feel confident that we're drilling down and adhering to the least privileged rule. 

The manual work needed to track everything on spreadsheets was becoming unsustainable as we added applications. We can import permissions directly into Zilla instead of juggling the data and massaging it so it fits into the spreadsheets. It's probably saved my team about 40 hours per quarter.

Zilla saves us money. We did some calculations during the first quarter and found that some people doing user access reviews were at the VP level, so their time is worth a ton of money. We also found that these folks were spending unnecessary time combing through these spreadsheets. Something that typically took an hour could be completed in 15 minutes with Zilla. 

The interface is highly intuitive, and that helps in many ways because we don't need to explain things to the business lines. It's much easier than other identity and management tools. We were looking for something clear-cut that makes sense to non-technical people. It has greatly improved the controls on our audit procedures by giving people something that's clean and makes sense.

It's extremely important that Zilla provides us with a single pane of glass. When the FDIC asks us for a review, it's easier to have it in one portal than to go to all these spreadsheets scattered over SharePoint. Spreadsheets can also be manipulated, but Zilla has an audit trail that we can follow and show without a doubt that we've done what was required. 

Maybe this is coming with their AI module, but I would like to see a feature that performs baseline analysis of permissions that may not fit into a role, and it attempts to group them into a role. We've run into problems with applications where someone has not created a role but assigned ad hoc permissions to a user. We still need to do some manual work to identify the group that the user belongs to. It would be amazing to have Zilla streamline that. 

I have used Zilla for a year and a half. 

Zilla is highly stable. We've had zero problems with it. 

When we were using spreadsheets, we reviewed about eight applications, but since we added Zilla, we've scaled up to more than 40 and we continue to add to it quarterly.

I haven't needed support since the initial setup, but we have a monthly meeting with our customer success rep. We discuss our needs and upcoming features on the roadmap.

I have seven years of experience with SailPoint. It had the role-analysis feature and was a full-blown IAM solution, but we were looking for something we could use of the InfoSec team and GRC specifically that would enable us to do user access reviews. If I did an apples-to-apples comparison between Zilla and SailPoint regarding user access reviews, I would say Zilla comes out ahead for intuitiveness. It's easier to import permissions and it's simpler for non-technical people to use.

We use a tool called Saviynt that's run in-house by our identity access and management department. That also has user access management, but they hope to move away from it because support hasn't been great. Rather than wait for the IAM team, we decided to go for our own solution. While doing a deep dive into Saviynt, we came across Zilla. Our IAM team told us that if we wanted to switch, it would take only a week or two to get it set up. 

Deploying Zilla was easier than I expected, based on my experience with SailPoint and Saviynt. With those, it was an arduous process. The initial deployment was short, but it took us a quarter to get the solution up to usability. It doesn't require much maintenance aside from regularly updating permissions. It's more administration than maintenance. 

We received support from Zilla's team, which was very helpful. 

The Zilla license is what we expect to pay for a product like this. 

I rate Zilla Security nine out of 10. I recommend that new users follow the advice of their solution engineer. They knew what they were doing and guided us through the installation. 

We use the tool for access reviews. It is mainly for our regulatory SOX compliance. That was the main use case, and why we purchased Zilla back at the end of 2021.

The system is pretty self-explanatory and easy to use. It is menu-driven. You can certainly hide the menu and go with icons that describe the menu items. It is easy to locate the things or categories that you need.

They are getting there in terms of the unified identity platform. We were one of the early adopters of Zilla, and I have seen it grow over the past couple of years. They are innovative and forward-thinking in their enhancements and development of the tool. They are adding things onto the tool to expand what it can do, whether it is additional application APIs or security findings and policies. 

I don't know if it has helped to consolidate applications, but it has made it easy to implement access reviews for critical applications. Previously, there was no process at all for an access review. It was a manual process, and now we have been able to automate it. We have not utilized everything that Zilla can do now to its complete ability. We are still growing in terms of the opportunities in the system.

We have looked at some of the policy-based information provided in Zilla but have not yet fully utilized it. I do look at some of the critical policies relevant to our environment that may pop up, and try to utilize them, such as if a terminated privileged user still has access to some systems. Whether that is true or false, it gives me that identification. I can then explore and validate if it is still true or not.

There are prebuilt APIs for many well-known applications. We have a few applications for which they have prebuilt their APIs. Others in our environment require the use of a CSV file upload to import user lists, which Zilla makes easy to do.

For our use case, when we initially purchased it, we did see the benefit right away or within the first few months of using it.

Zilla Security  has helped improve controls when automating manual work. Some of these review processes were nonexistent or manual spreadsheet-based types of interactions. Being able to automate the process was a key factor.

Zilla Security  has enabled me and one colleague to do more with less. It may have freed up some time for the business users, but it has enabled my smaller team to accomplish a lot more. 

I am sure Zilla Security has helped us save costs. We have been able to use limited resources to do more. We have not had to increase the team to manage the access reviews we perform. I haven't put a quantitative number on savings, but it has streamlined processes.

I enjoy the ease of setup and creation of a review. Being a user of the tool or an admin of the tool, the ease of setup of an access review is valuable. End users find out, after they complain about having to do it, how simple and easy it was for them to complete their reviews. It's as simple for them to click on a link in an email, check a few boxes, and submit their review. I tell most reviewers that the process of review, depending on the number of items reviewed, can take you less than 5 minutes to complete. 

The ability to sync applications via an API on a scheduled basis, if you choose, it also valuable in time savings because a admin doesn't have to remember to login and perform the function. 

There is still no automated way to de-provision access due to a review completion, but they are getting there in terms of making it unified.

Right now it is just a one-way integration, importing user lists. I believe they working on it. I can pull a user list in, but when I do a review, the results get sent to a ticket which requires a person to execute. As a result of the review, there is no automation for the removal of access. They are going there, and the next step is to continue to streamline the process operationally and resource-wise. The review process is great. The scope for improvement is more at the results end. It would be great if it could systematically communicate with that end system and remove the requested access automatically.

We first started using it in 2021.

We have had lagging-related issues on very rare occasions accessing the system pages, but I cannot say if it was on the Zilla side or our own network side. If there is a major issue, which over the past 2.5 years I can only think of 1, Zilla proactively communicates that they know about and are working on. 

We have applications with 50 users in them, and we also have applications with 4,000 users that we review. It scales well across all of those applications. 

I have contacted them a bunch of times. They react pretty quickly and they respond fast to take care of things or inquire for clarification of what the issue may be. I have had positive responses from the support team and I would rate them a nine out of ten.

Positive

We have not used any other solution besides spreadsheets. I have seen other tools in my career and would say that Zilla still seems the simplest to use and setup when it comes to the review process. 

Zilla is a cloud-based solution. It was fairly easy to set up. We had to pick a primary directory or source of truth for users. 

If you have applications that they don't currently have APIs for, it is a manual input process. But once you have done a manual input file once or twice, it is fairly easy to use.

We purchased Zilla at the end of October or November of 2021. I had it up and running our first access review within a month.

One key is the need for collaboration with others who own applications. One or two people could manage the system, but you have to have that collaboration with others.

In terms of maintenance, I would say that the system mostly can maintain itself. I would call myself the admin user of the system. I am in it every day. I keep an eye on certain things, especially scheduled APIs to ensure they execute.

We implemented it in-house with our teams and Zilla. 

It has been fair because we have been in from the beginning or close to the beginning. I know it is not truly an identity access management system yet, but its price was one of the appealing factors for us to purchase it at the time. It was reasonably priced.

We did not, mainly based on the size of our organization at the time. 

I would advise knowing the source of truth that you are going to use upfront. If you need to change, that can be more complicated. Educating end users is always the biggest challenge with any process, but spending time to learn it is worth it.

I would rate Zilla Security a nine out of ten. It has been very easy to use. I have liked working with their team on different things, and they are very responsive.