Automated evidence collection = simplified audit preparation

See how you can shave days (or weeks) off the time it takes to prepare for your audits

September 22, 2020 12:00 PM

In the next episode of Compliance Corner, we'll dive into one of the most cumbersome, manual, and exhausting pieces of audit preparation: evidence collection.

According to a recent survey, 40% of respondents at B2B SaaS companies said that evidence collection took them up to 25 hours per month. And 25% of respondents said that the number was over 25. It's clear, security and compliance teams are spending hours playing the part of Sherlock Holmes, which slows down the audit process and can take time away from other critical compliance projects.

Check out this on-demand webinar to learn:

  • The current challenges of mapping policies to controls to frameworks
  • How to automate evidence collection and attach evidence directly to a control
  • How to map controls across multiple applicable frameworks, reducing that feeling of "deja vu" when it comes to evidence collection

These events are light on PowerPoint and heavy on live demo, so fill out the form to the right to save your spot!

Presented by

Chris Gomes
Product Management


Chris (00:00):

Great to see everyone at another one of our webinars. Hope everyone's enjoying the first day of fall wherever anyone's dialing in from. As Rebecca mentioned my name is Chris, I think some of you we've worked together before, some new faces in here as well. I'm a principal product manager here at Aptible on the Aptible comply product.

Chris (00:20):

And I'm going to share my screen right now to talk you through how Aptible comply, helps automate evidence collection. All right, so basically what we're going to spend this time discussing quick introduction, and then the challenges today around evidence collection.

Chris (00:45):

And then we will demonstrate how we help automate it. And on all of these webinars, we try to keep it slide light and demo heavy. So as Rebecca mentioned, if you have questions, either coming up in the challenges section or as I'm running through the demo, feel free to input those into the Zoom Q&A feature and I might be able to answer some of those live. If not, we'll tackle them at the end, in a dedicated Q&A portion.

Chris (01:12):

That's my smiling face. I think I'm wearing the same shirt too. I really need a wardrobe upgrade. Okay. So what do we mean when we talk about automating evidence collection? This here is the spider web of infamy when you're running a compliance program that scale. It's an alphabet soup of acronyms that I'm sure many of you are all familiar with. And each of these audit frameworks or regulatory standards or government standards has some burden of collecting evidence that the controls of that framework are actually being met and that they are operational and they are applied where they need to be applied and that they're effective.

Chris (01:52):

And for most, some of these, not the regulatory frameworks, but for most of these, there's going to be a third-party audit at least annually to verify that evidence and to review that evidence and to ensure that those controls are operating as expected.

Chris (02:07):

The one thing that's not on this slide, which I'm realizing I should have added in ahead of time is the other area that might cause you to have to sort of gather evidence of your control's efficacy are customers. Going through a customer audit can often involve providing evidence and not just attestations of your control's efficacy. And so that can be a burden to then go and collect evidence for what your customer is asking for and try to deduplicate how does that fit into the spider web of infamy?

Chris (02:38):

How does that fit into the alphabet soup of what controls they're looking for evidence of and how does it relate to these frameworks that we are currently compliant with? And what does it look like when you're trying to gather evidence? Generally looks like this wallpaper. We can send everyone copies if they want to just redo their bathrooms and put this wallpaper up on all four walls. Looks a lot like this.

Chris (03:05):

These are population requests. These are requests for screenshots, requests for copies of policies, requests for organizational charts, network diagrams. They all say high priority. They all needed to be provided yesterday in order to facilitate the speedy audit. And the request lists themselves and the process of taking an auditor's request list and responding to it and then let's not even talk about the portals that you're expected to upload the evidence to, all of that is generally just a welcome to audit season.

Chris (03:45):

This is how it's done and until now there's not been a great alternative or a great challenge to this way of conducting audits and it's generally information overload. There's a lot of tagging people in comments and documents and saying, "Hey, can you provide this?" They write back. "I don't even understand what the heck is being asked of me." And you're going back and forth with them 10 times to try to gather the evidence that you need to hand off to an auditor.

Chris (04:13):

I want to pose this poll question to the audience and then we're going to share some data that we've collected. How many hours per month do you spend on evidence collection? So this could be because you go through an audit season, let's say one quarter per year, this could be because you're gathering evidence proactively ahead of those audits maybe 12 months of the year, or this is, hey, we have a lot of customer audits that we go through where we have to gather evidence for those audits.

Chris (04:45):

So I see that the poll is live and I think you can all see this as well, but the data is flowing in live right now. So we're getting a few in the 10 or fewer, 11 to 25, 26 to 50 hours per month spent on evidence collection. That's great. Yeah. I mean, it's not great. We're here to solve that, but thank you all for participating in that poll.

Chris (05:07):

And we'll keep that going for a little bit further. When we asked this question to a survey of 100 B2B SaaS companies, this was the distribution that we saw and we're seeing something relatively similar on that poll that we got submissions for. So the sort of center of gravity is 11 to 25, 26 to 50 and then there's this long tail of folks who are spending in excess of 50 hours a month. One entire full-time employee's time per month on audit on evidence collection every month.

Chris (05:43):

And this is what we hear from customers often inevitably after they've started to comply with multiple frameworks, we hear something like this. We are trying to reduce the friction of creating a large collection of evidence artifacts for these different types of audits across these different frameworks. This is that aha moment when customers realize there must be a better way.

Chris (06:05):

I feel like I'm collecting the same stuff again and again. It's time consuming and it's slightly different for each of these frameworks. So I need to know what I can reuse versus not across these frameworks. And so these are the specific problems that we've identified with the current way of gathering evidence. The first is pulling evidence at a point in time rather than continuously.

Chris (06:28):

Hey, it's audit season. We got to pull all this evidence. That's how you get this bathroom wallpaper effect of suddenly you're inundated with requests and you're not even sure what you're going to see when your control owners provide that evidence back to you. How many of our poll requests did not get approved by somebody other than the author prior to being merged and deployed? What is the status of our employee off boarding procedure? How many employees are we off boarding within 24 hours and we're booking their access accordingly?

Chris (07:02):

You're discovering that at a point in time, right before the audit, rather than having that continuous view of that controls efficacy year-round. Herding cats when you need to request evidence. So in the audit, you get that request list that bathroom wallpaper, and you realize, hey, I need to call upon a few people to help provide this evidence. Enter project management mode, where your job is now less about subject matter expertise and more I just got to nudge people on a certain cadence because the auditor can't make progress.

Chris (07:35):

Maybe they're billing us or maybe the project is just spilling over deadlines, but you're relying on the input of a lot of people in order to satisfy those audit requests. And that makes evidence gathering quite difficult. And then lastly, there's this deja vu sense of a lack of memory across audits or over time. So we know ourselves at Aptible from going through many of these audits that when you're looking and trying to interpret an auditor's request, one of the first things that you ask, if it's not your first audit is, "Well, what did we provide last time the auditor asked for this?"

Chris (08:09):

Because we know that that's what they were looking for and that's how we were able to translate that request into a specific piece of evidence. And yet it can be very hard to look backwards, and it's amazingly difficult to retain that data over a period of time, let alone to say, "Well, how does this relate to a request that we got in another audit, and can we reuse evidence that we already pulled for another audit?" So that lack of memory and that lack of reusability of evidence across audits over time is the other pain point that we often see.

Chris (08:43):

Enter the slide that's a different color, signaling just like gold pouring on my face. What if you could gather evidence 24/7, 365 without bothering control owners? What if there was an easy way to work with your team that didn't require loads of training? "Hey, we're using a new tool for evidence management. Everybody clear your calendars because we're going to spend two weeks training you how to use it, and lo and behold, you're going to forget when it comes back to the audit and we're going to have to retrain you." What if you could easily look back to past audits or reuse evidence across audits and audits were 10 times faster? That is our bold claim, and this is what we have to demo for you today, is this golden landscape of Aptible Comply. So what you're going to see in the demo that I give is an overview of how we help automate control monitoring across all of your controls and across all of your frameworks, 24/7, 365.

Chris (09:33):

You're going to see our collaboration and delegation features, some of which are quite new. So even if you're a long-standing Aptible customer, you'll see things like the ability to ingest evidence via an email. That way you can automate that collection, even when you're relying on input from a control owner. And you're going to see how everything that you're doing is giving you credit across multiple frameworks. And you can easily look back to past audits to understand, what you provided the last time your auditor asked you that. So that's what you see in the demo today, and I'm just going to pop open my environment here and I'll dive right into it.

Chris (10:17):

All right. Here we go. So this is the controls overview of Aptible Comply. What this is telling you is what is the state of all of our evidence gathering for a given period of time across all of our internal controls, agnostic to the particular framework that we're complying with? And if you've been on past webinars with me before, you know that I love this screen, and I always lead with this screen because I think it tells the story really well of how we're helping you gather those evidence artifacts, just like that quote that we shared earlier, that disparate set of evidence artifact across all these different audits with slightly different framework requirements continuously. So what you're seeing here is a timeline of evidence that's been fed into the system in any means. That could be by integrations and automations, or that could be the results of your control owners just manually providing evidence on a cadence that you've set up for them.

Chris (11:39):

And what you're seeing down here then is your list of internal controls, and for each of these, what evidence do we have over the time period that's in question. And this data, what's nice about this is you can pivot this based on a framework, like ISO 27001, let's look at every single requirement of ISO and just pivot that same data through the lens of say an ISO auditor. So an ISO auditor is going to seek evidence of these ISO requirements, these annex A controls, like a.6.2.1, your mobile device policy, A.10.1.2, your key management. And that's an example of a control where you'd see, "Ooh, we don't have evidence in the system already over the period of time in question." That might be okay, but that just means you're going to have to gather that anew come the audit.

Chris (12:31):

So this is how you have that lens into all of your controls that are being continuously monitored. So I know I'm still being kind of handwavy as to how does this evidence get into the system if we're talking about integrations and automations. So I'll jump to that now. So we have two different types of integrations that we offer. The first are turnkey integrations, and you're seeing that this environment has three installed Okta, JAMP, and GitHub. And there are several more that we offer. GitLab, G Suite, JumpCloud. When I say turnkey, I mean the flow, if I were to go through this, is as simple as, "Hey, drop in an access token that you create in GitLab, enter the group ID, and then you're done." In this case it's not, but in some cases it's an OAuth flow, so you're just redirected to their site, you add the integration and then you're done, but it is ridiculously simple, what I'm trying to say here.

Chris (13:28):

And for every one of those turnkey integrations, we provide automated checks out of the box so that you can evaluate the data that you're getting from those integrations. And I'll illustrate that in the form of GitHub. Before I show that I will show just the type of integration, the other flavor of automation that we provide is just a public API. So down at the bottom here, you can see that if you need to generate an API key, you can do that, and then this is how Comply becomes the extensible evidence management system, allowing you to send any kind of evidence into the system. I'll show you what you can do with that evidence once it's in the system, because the answer is it's the same as these turnkey integrations. All the same benefits, like the ability to map a piece of evidence predictably to a certain control so that you know where to find the evidence in an audit. Or the ability to map it even to specific assets.

Chris (14:24):

So let's say you have database backups that are being posted on a regular basis. We just add a single line to your code to hit this endpoint on a regular basis anytime those backups post, and we can automatically log that and key it off to a specific database and tie it to your database backups control. So anytime you're looking for evidence of that, you can find it easily, and I'll show you how you can construct all of that logic here in the app. But let's start with the example of GitHub. So you've added this integration and you're ready to have evidence to start flowing into Comply as a result. I'm going to jump into the evidence section here, which is really where all this logic and all of this interaction lives. So this is where you're seeing we've got close to 2000 pieces of evidence flowing in from these different integrations. Don't worry. We have ways of searching this evidence and making it really easy to find what you need when you're in the audit. You can adjust how many pieces of evidence are being shown per page down here.

Chris (15:25):

But how does this evidence actually get generated from a system like GitHub? The answer is through these things called checks, and this is that automated logic that we provide out of the box for all of our turnkey integrations. So in the example of GitHub, we'll have checks like pull request approved, and it's really simple. What you're seeing here, and I'm going to zoom in a little, because I know my screen is kind of small. What you seeing here is just basically policy is code. This is like taking your SDLC change management policy and translating it into something that's computer readable.

Chris (16:00):

And can actually evaluate what we're ingesting from GitHub. So here's how it works. We have these test conditions, and this is looking for, basically what conditions should we look for when we receive an event from GitHub? And so these are things like, okay, a pull request was merged. That's the event that, any time an event matches that condition, we know to do something with it. And here's a tag that we will ingest from GitHub as well, that it was approved. In this case, this is providing evidence of your secure system development control. And so what we are saying is generate a piece of evidence any time there was a pull request that was merged after an approval process, and map that piece of evidence, the output, to your secure system development control. And that's what this reference refers to here. The condition of this evidence is okay. This is in compliance with our policy, and there's no remediation ticket needed, because again, this one worked as expected.

Chris (17:06):

All of this logic we provide out of the box, and it's all editable, and you can edit it in a simple model like this. So you can change it to say, "Well, I want to see every time one of these comes in. So flag it as something that needs attention." And maybe we want to open a ticket from a template. We need to create a remediation ticket in the wake of this. Maybe it was an ISMS exception. We know that this code repo is not going through our typical SDLC change management policy, so we're going to trigger a ticket to be created any time we ingest an event like this.

Chris (17:42):

And all of this, you just configure in the UI like this, and it's all version controlled. So as you're making edits to these logical checks, you can always roll back the clock and look at past versions of the check, and roll it back to one of those previous versions.

Chris (17:58):

So that's an example of the logic that evaluates the things that we are ingesting from those turnkey integrations. And again, you can always create your own check, and this is where you would be able to define things like, "Hey, we have those database backups. We have a service to do that and it's on croc. And so we just wanted to find what should happen when we ingest a database backup." So these are all managed through tags that are hitting the API, and the API documentation is very clear so that you can see how you can post anything to that end-point and then interpret it here and comply.

Chris (18:39):

But maybe you're defining an event type like database backups, and then you can map it to specific controls. Let's see if we have a backup control in here. We do. So I'm going to map it to that particular control in this condition and there's no ticket needed. And so it's that easy to just create a check. Oops. I should probably give it a name. Database backup. It's that easy to create a check and then use our API end-point to just send any evidentiary data you want to our system.

Chris (19:09):

And because we mapped it to this database backups policy, now here's this control. Any time evidence comes in to comply in evidence of this control, you're going to see it attached to this control. So I click on this evidence tab here. We already have some that were mapped to this control already. So you're seeing, here's the history of every piece of evidence that we've ever ingested as it relates to this control. So when an auditor is asking you for evidence of your database backups policy, all you have to do is navigate to this control and you can see all the evidence that's ever been mapped to this control over your history of your comply usage.

Rebecca (19:50):

Chris, I'm just going to interrupt you real quick. So Margot asked, are these the legacy checks or are these new checks?

Chris (19:57):

Ah, thank you for that. That is a good point of clarification. These are the new checks. Everything that you're seeing here is the brave new world and the new checks. We had an old version of checks called status checks that we've moved into this area here called legacy checks. All of the functionality of these legacy checks are being rolled into these automated evidence checks. I know that we're abusing the word check here. So, sorry if this created any confusion. But eventually, these legacy checks are going to be completely rendered obsolete and be replaced by these new checks, and so this legacy checks tab will eventually go away. You won't lose any of the functionality. Things like your Okta access control checks, your mobile device management checks, all of those will be replaced by these out-of-the-box evidence checks. That's a great question, Margot.

Chris (21:01):

So the benefit of all this evidence-streaming to the system is you get this really cool dashboard, what I keep coming back to, so you can see how we're doing on an ongoing basis. But let's talk about what happens in an actual audit. You're running these integrations, you've got database backups being posted regularly to your system. Now it's time for an actual audit, and the rubber meets the road. You have to provide this to your auditor.

Chris (21:32):

This is the functionality that we've released recently. So this might be a new to some of you who are existing Aptible customers, but my audits module is now how you will move through the experience of an audit by mapping evidence that's either in comply already or needs to be provided to an auditor's request list.

Chris (21:54):

So you see I've got a few going here. If I wanted to add a new audit, let's say it's time for an internal assessment, it's as simple as creating... Internal assessment. A new audit type here. You define the coverage period over which the audit is taking place. Let's say it's over two, three, and then you set a default due date for any evidence request tickets that are going to be generated. And this is just to save you a little bit of time of having to configure that again and again.

Chris (22:22):

And then you simply upload a CSV of a request list, and you can get this from your auditor. Even if they're providing it in a portal, you can always export it from the portal and just upload a CSV of what are the requests that the auditor's asking for, or what do you want to test as part of this internal audit?

Chris (22:41):

I'm going to jump into one that I've already got halfway done here, just to show you what it looks like. And then this is what you get from the auditor's request list. You can jump to, hey, each of these windows is the request from the auditor. So this is what it looks like if you haven't attached any evidence yet. It's just the name of the request and then what the actual request is here. And you're going to see there's multiple ways to then take that evidence and map it to this auditor's request. And then when you're done, you hit complete requests, and so you can filter just to the incomplete ones to clean up your screen a little bit as you're making progress on these requests items.

Chris (23:23):

But let's talk about what it actually looks like to map evidence to this control. So this one, for example, is asking for authentication settings for in-scope applications, and there's numerous ways that you can map evidence that already exists in comply to this control. One of them is to just search that evidence index that you saw earlier. So if I click add evidence, it's going to show me my evidence index. You can use all of the filters that we provide to find the time range that you care about. One important thing is to filter by control. So for this particular one, password or authentication settings we're going to look for anything that might map to our authentication control, for example, workforce usage of authenticators. Or you could map it to specific framework requirements.

Chris (24:12):

So if your auditor's telling you "Hey, we're testing A.6.2.1," then you can just search by that framework requirement to find a piece of evidence that's already in Comply and map it to the system. Another neat thing you can do if you know the control that it maps to like, "Hey, what is my auditor actually testing with this?" Let's say for another example here, if we have a, "Hey, this looks like our vendor security requirements policy," you just add that control. And we're just going to suggest evidence for you, anything that mapped to that control. Or let's say it was our vendor onboarding policy. Again, we will just provide evidence that's already in your system that maps to this control.

Chris (24:54):

And then you can just confirm that that's what you want to add by clicking that check ,ark, and then complete the request. And I have this filtered so that's why it just went away there. But it's through this internal control mapping that you can quickly translate what your auditor is asking for to some piece of evidence that's already in the system. What if you need evidence from a collaborator? What if you need evidence from a teammate though? That's where this request evidence feature comes in.

Chris (25:23):

And if you think back to that problem of herding cats, this is how we can help you get new evidence into the system when there is some novel auditor request, so let's say for example, for this IAM control password authentication settings for in-scope applications. Maybe you don't have this readily available. Maybe you are using one of our turnkey integrations. All you do is click request evidence. Give it a name. We will populate the details of that evidence request for you. This due date, that's where that default due date comes in again and here you can assign this to a specific individual and open a ticket. And this will just create an evidence request for that individual. And this is how you can manage all of your various evidence requests that are going out for all these different controls in a single pane of glass.

Chris (26:17):

Now, what does this look like from that individual's point of view? This creates what we call a compliant ticket and tickets are pretty straightforward. If you use any kind of project management software or Service Desk or Zen Desk, it's the same kind of logic. It just represents a piece of work to be done. We integrate with JIRA. So you can just push these tickets to JIRA and that individual can provide the evidence there in JIRA.

Chris (26:44):

But better yet, and what I'd love to illustrate is that this will actually create an email. You can configure this to just email the assignee and that assignee can just respond to that email with an attachment. And that will automatically log this as evidence. And so they don't even have to log in to Comply. All they've got to do is just respond to that email and that evidence will get logged.

Chris (27:10):

Now, I'm going to pop open my email here. See if I can actually show y'all what this looks like. Pay no attention as I type in my password. It's called one, two, three, four. It's the same password that I have in my briefcase. Let's see if I have an example of one of these. While I pull this up, what I'll say is from your point of view of the process quarterback, it doesn't matter how the individual responds to the evidence request. If they're responding in Comply, if they're responding in JIRA, or if they're responding in their email, it's all the same. The evidence gets adjusted and gets mapped back to that auditor's request.

Chris (27:58):

So here it is. I'm going to share my screen again. I'm in my Gmail. So this is what the evidence requests looks like, that we just issued. So here's that password or authentication settings for in scope applications. And so what you're seeing here is you can just reply to this email with any notes or file attachments that fulfill this ticket. This is another piece of functionality that's brand new. So our Comply customers, this might be new for folks on this call. But you can click into it to go exactly to that evidence request. But really all you have to do as the assignee for this ticket, if you have what you need to respond, just reply to this ticket, with the attachment. See Attached. Throw in an attachment. I'm just going to grab whatever's on my desktop and fire that off. And so that will now be adjusted by Comply. And it's going to be mapped back to that original request list.

Chris (29:00):

So let me hop out of my email and back into Comply and share my screen to close that loop and to show what that looks like. That's my dashboard. Share my screen again. Okay. So we're back in the audit framework. And so here's that evidence request that we issued and it's syncing right now. So the evidence is not there yet, but we'll circle back once that sync is complete. And what you're going to see is the evidence is just automatically mapped to this control. Once that ticket is complete, as the process quarterback, you can review it and then close out the request once it's satisfied and once you do have all the evidence that you need there.

Chris (30:16):

So for this one, for example, I'm just going to close out. I'm going to close out this one to again show, to get that little green check. The number of requests items goes up, and you're a little bit closer to completing that audit. At any point in time, you can export the evidence that's generated here, and you're going to get a zip file with one folder per request labeled with the ID of the request itself. So you can just hand that off to your auditor and say, "Here you go. Here's all the evidence that you asked for, one folder per evidence request with all of the details, attachments, metadata for each of those requests in that folder."

Chris (30:58):

I want to make sure that we circle back to how you can then use this evidence across audits and across the frameworks. So when I say across frameworks, I'm talking about how the same evidence that you're gathering for your ISO 27001 audit can be used in your SOC 2 audit. And we provide that through this mapping of internal controls. So the same internal controls that are satisfying ISO 27001 are also mapped to SOC 2. And you can reuse any of this evidence in any of those audits. So you've generated evidence of your, let's say... find a good one here... your device security requirements. You have four pieces of evidence. That satisfies this requirement of ISO. If I jump into the evidence itself, this is these device enrollment activities, all of these will in turn satisfy similar device enrollment activities for SOC 2. And so if I jumped to that SOC 2 dashboard, this is, you'll see that same internal control is going to be mapped to some requirement of SOC 2. And if I just do a quick search...

Chris (32:08):

So, we have logical or physical access controls mapping to that device security requirement, those same pieces of evidence satisfied this requirement of SOC 2. So, evidence that you gathered for one framework can be used in another framework. And then similarly, these audits, you always have this history and comply. If you're managing your audit requests and you're gathering this evidence in comply, then it's going to be always creating that log, that history of use. So you can look back to pass audits and see, "Hey, what's a similar request that we've gotten in the past relating to what an auditor's asking for now?" Maybe I jump back to this Q1 2020 ISO audit. I see here that, oh yeah, we've got this piece of evidence from the past. Here were the password settings that we saw there. Does this look like the right thing?

Chris (33:00):

Yes, it does. And you can reuse this evidence by just taking it from that pass audit and mapping it to a request list from one of your new audits.

Rebecca (33:14):

Is there a time limit for how long we keep the evidence in Comply?

Chris (33:18):

There is no time limit. Until the molecules disintegrate into their underlying atoms we will store this evidence in Comply. There's no time limit. There's no either technical time limit, nor is there any kind of cost to maintaining the evidence and comply indefinitely. That's a good question.

Chris (33:46):

So, that brings us to the end of the demo. I want to circle back to our original presentation here and make sure that we hit on everything that we covered there. But at this point, if you do have any questions or if there's anything that I didn't cover in the demo that you were hoping to see, do please put them into the Q and A here and I will circle back to close that loop and to show it in the demo. Meanwhile, I'm popping open the deck to make sure we got everything. I see a couple of questions coming in.

Chris (34:19):

So, one question is what applications does Aptible integrate with? So, that's a good question and I'm going to actually show our ... I'm going to take you to our website because there's this nice page that I want everyone to see where you can keep track of our live integrations and then what we have coming up.

Chris (34:39):

So, this page on our website, aptible.com/comply/integrations. This is where you can see really cleanly what are all of our integrations. And what's really helpful is that this allows you to filter by the type of integration. So, when we say workflow automation, for example, what you're going to see here is JIRA. And that's because as we went over in the demo, this integration exists. It's slightly different than our other integrations. It's not like you're pulling, "Hey, who has access to JIRA?" With this integration, what you're using this for is to push those evidence requests to individuals and it's helping you with the project management and the actual workflow automation when you integrate JIRA.

Chris (35:42):

Whereas some of our other integrations like secure system development, these integrations, when you add to GitHub or GitLab integration, or if you're using Aptible Deploy for your apps and databases, these integrations actually pull evidence from those systems automatically through those automated checks that we looked at. For mobile device management, we have Jamf from JumpCloud, and for IAM, we have Okta, G-suite, and then JumpCloud again, since it serves both of those purposes. The other thing that I want to highlight here is our integration roadmap is publicly available. You can see what we have planned, what's in progress, and what's recently shipped. So, if there's anything on this roadmap, we make this public because we want feedback from folks like you. So, I will also share this in the chat.

Chris (36:33):

So you can jump to this to see, hey, what are we planning around AWS? And you can vote on this. Is this nice to have? Is this important or is this critical? And in doing so, it's going to give you the ability to provide a little bit of commentary and then your email address so that we can just follow up and close the loop with you when we deliver that integration. Our planned integrations, so with AWS, we're actually starting with the IBM service and AWS IAM, this is actually in limited availability today. So, if you're an existing Aptible customer and you want to participate in the beta and provide feedback on our IAM integration, let Rebecca and me know, we'd love to get your feedback before it releases to general availability. But basically what this integration does, this will pull evidence of your user access controls and actually surface IAM data from AWS in your comply instance for you. And then you can always see what's just launched to make sure you're staying up with the latest and greatest integrations and updates to our roadmap. Make sure you don't miss anything here.

Chris (37:44):

And so this is our roadmap. So, please vote on these features. We love customer feedback. We're very transparent about what we're planning and we want your input and you can always submit a new idea on this roadmap. And same thing, we just ask you for a little bit of commentary. We might follow up with you to better understand what you're trying to solve and why. But we welcome that kind of input.

Rebecca (38:08):

Like a combination of American Idol and Shark Tank.

Chris (38:10):


Rebecca (38:11):

You can vote, you can submit ideas.

Chris (38:13):

Yes. And if anybody submits the idea for Rebecca to sing, I will vote as that to be a critical feature. So you have my word.

Rebecca (38:22):

My voice as the narrator. Love it.

Chris (38:25):

Feel free to email us if you do want to participate in that AWS IAM beta, or if you of course have any questions about any of the content that we reviewed on this webinar. We're an open book. So, I'm just jumping back to the other questions. Yes. Another question came in, this one we touched upon, but I'll come back to it again. Is there an API or other solution if it's not a standard integration.

Chris (39:02):

So, if you're working with a service that we don't yet have a turnkey integration for, how can you automatically get that evidence out of your systems and into comply? The answer is we have a public API and that's going to allow you to send any kind of evidentiary data to Comply and author those checks yourself to process them, to map them to specific controls, as well as to open remediation tickets if necessary. If, "Hey, we use Bitbucket for version control. So, we want to just copy and paste your GitHub and GitLab checks to evaluate if pull requests are complying with our software development life cycle change management policies." You can just copy those checks that exist for GitHub or GitLab and use them for Bitbucket in exactly the same way as an example. The other way that you can see your solutions integrated, of course, is by voting for them on roadmap.aptible.com, what we just shared earlier. We want to hear from you if you have an integration that you don't see here, that you'd love to be supported, please let us know.

Rebecca (40:15):

I guess with that, it doesn't look like any other questions came in. So thank you all so much for joining us today. Really appreciate the time. Chris, thanks for an awesome demo. Very, very interactive. Very day in the life, so much appreciated. Hope everyone has a great rest of your day, a great rest of your week and stay well.

Chris (40:36):

Thanks everyone. Bye.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form. Please try again.