How Vanta’s access review tool reduces security gaps with automation

Access reviews are required for all major compliance standards and regulations. Not to mention, they are a security best practice, critical to determining whether users have the appropriate level of access to an organization’s apps and systems.

Yet, at many companies, they are traditionally done manually, introducing all sorts of security and compliance issues, said Christina Cacioppo, CEO of Vanta. 

The automated security and compliance platform today announced a new tool to help organizations tackle this problem: “Access Reviews.” This enables security teams to automatically review, adjust, monitor and report on user access to systems. 

“The fact is that enterprises won’t do business with a company that is not secure, and regulators will crack down on any organization with a weak security posture,” said Cacioppo. 

Proving security

The cloud compliance market is expected to grow from $30 billion in 2022 to more than $59 billion by 2027. And the Identity and Access Management (IAM) market is projected to reach $35.71 billion by the end of 2030. This represents a compound annual growth rate (CAGR) of roughly 13.5%. 

Vanta, which says it has created the continuous security and compliance category, competes in the space with Drata, SolarWinds Service Desk, Secureframe and Sprinto (among others). 

Cacioppo called the continuous security and compliance market a “hot space” that continues to grow, with hundreds of millions in VC funding pouring in.

“With massive breaches on the rise — like Uber, Sony and Equifax — companies understand that proving their security is a must to doing business,” said Cacioppo.

Growing threat landscape

Cacioppo pointed out that companies have dozens, sometimes hundreds, of systems and applications that power their business. 

When performing access reviews of these manually, gaps in security can be introduced by human error, she said. The process also takes time away from more strategic security tasks. Of course it also puts organizations at risk of noncompliance. 

If reviews are done incorrectly or are incomplete, threat actors can use access and credentials to destroy, alter or steal sensitive data. 

“Threats can come from a range of vectors, including external cyberattacks, malicious insiders, and former employees with unrevoked access to company systems,” said Cacioppo. “There are also cases where employees can unintentionally share data externally.”

Vanta’s access reviews: addressing threats both outside and inside

Insider threats are of particular, growing concern. According to Ponemon, they have grown 44% over the past two years, with costs per incident up more than a third to $15.38 million.

Cacioppo pointed out that insider threats are becoming more prominent due to shifts in the workforce such as increases in hybrid and remote work. Risk has become even more pronounced given trends like the Great Resignation, she said, prompting concern over employees sharing company secrets with their next employer.

And, the emergence of social engineering techniques from bad actors such as Lapsus$ has created greater urgency around the need for proper access reviews.

Emerging organizations, in particular, often lack resources and in-house expertise to properly secure their perimeter, she said. This leaves them open to incoming threats and penalties for noncompliance. Furthermore, “In this economy, they have no way to prove to their customers that their critical business assets are safe from threats, which means they risk losing business,” said Cacioppo.

Expanded features

Vanta serves as an umbrella of sorts, that monitors a company’s security and compliance posture. Its compliance automation platform streamlines the ISO, SOC 2 and HIPAA certification process. It also monitors security posture in real time by pulling signals from a company’s security stack. 

The company’s new “Access Reviews” feature — announced today at its inaugural conference, VantaCon — streamlines and automates the entire access reviews process. This helps organizations understand and control employee access rights to applications so they can identify risk and revoke unauthorized usage. 

Key features include: 

• Prebuilt integrations to quickly consolidate system access data and HRIS information
• Process owner workflow to select in-scope systems, system owners/reviewers, deadlines, and automatic reviewer notifications and reminders
• Reviewer workflow with a guided interface to see all accounts, accept/deny account access and add notes
• Automatic flagging of “risky” accounts of employees who have been terminated or recently switched departments
• Task-tracker integration to optionally create tickets for any access changes and provide visibility to the status of tickets
• Reporting to view automated evidence of remediation progress and completion
• Auditor interface so users can log into Vanta to see the history of all completed access reviews

Vanta, whose leadership team is two-thirds women, hit $1.6 billion in valuation this year, and has raised $203 million total to date from Craft Ventures with participation from Sequoia, Y Combinator and other existing investors.

Its VantaCon event today is bringing together hundreds of founders and security pros, with speakers including Gusto CSO Frederik “Flee” Lee and leaders from CrowdStrike and J.P. Morgan.