How Sun Country Airlines Saved 50 Hours Per Quarter and Slashed Overhead Costs with Lumos
Manual, time-consuming user access reviews for SOX compliance. Endless IT tickets for software requests. Rising software costs with limited visibility into license usage
Sun Country Airlines is an American ultra-low-cost carrier headquartered in Minneapolis, Minnesota.
Our Challenge
Jeffrey Holschuh, Sun Country’s Chief Information Security Officer.
When Sun Country Airlines went public in 2022, Sarbanes-Oxley compliance (SOX) became a requirement. One of the required controls was to conduct access reviews for any application that was within the audit’s scope.
However, our existing process for conducting access reviews was painstakingly manual:
- Application owners were sent screenshots of user accounts.
- My team manually entered the data into Excel.
- Emailed the owners to verify all the users and collect responses.
- After review, tickets were created for access removals.
- Took screenshots again to cross-verify access removals.
- All updates were manually re-entered into spreadsheets.
It was an inefficient and time-consuming process. I knew traditional IGA solutions often came with long deployment timelines and the need for large dedicated teams to manage them. With just one dedicated team member, we needed a more lightweight and streamlined approach. We also needed the new solution to work with our existing on-premise systems.
The Priorities
1. Automation
Reduce the manual workload of reviewing privileged accounts.
2. Compliance
Certify for key systems under SOX scope like Microsoft 365 applications, SaaS solutions provisioned via Okta, and on-premise applications not synced with any cloud identity provider with sufficient evidence.
3. Time-to-value
Deliver fast and cost-effective access reviews without the complexity, time and cost of traditional IGA platforms.
The Solution
1. Automated Data Gathering
Instead of needing to gather and input permissions manually via screenshots and data entry, Lumos compiled the reviews automatically through integrations with Okta, Active Directory (AD), Azure, and the target systems.
2. Streamlined Reviews
Reviews were automatically assigned to the appropriate managers or application owners, complete with due dates and reminders to drive on-time completion.
3. Simplified Evidence Tracking
Rejected access could be automatically revoked, or evidence of removal could be easily attached to the review to maintain a single source of truth.
4. Audit-Ready Reporting
Lumos produced comprehensive, audit-ready reports with summary data of apps and identities reviewed, permissions modified or rejected, and evidence of access removal.
The Impact
1. 50 Hours Saved Per Quarter
Automating access reviews freed up valuable IT resources to focus on other strategic initiatives. Lumos supports “delta” reviews, allowing reviewers to focus primarily on access that has changed since the previous review cycle - eliminating redundant and repetitive work.
2. Comprehensive Compliance
Managed service accounts and privileged access are now fully certified, without slowing us down.
3. Startup-Level Agility
Instead of a drawn-out and expensive project to set up a traditional IGA tool, we implemented a tightly scoped access review program in a short period and were able to complete their next required SOX review without delays. Lumos’s collaborative approach made all the difference.
Ready to streamline your access reviews like Sun Country? Book a demo!
Try Lumos Today
