Aptible VP of Product Management Chris Gomes and Product Marketing Manager Rob deJuana-Matthews give an early look at Aptible Comply Integrations. Aptible Comply Integrations connects to every app that matters to you--every app that contains or touches sensitive data--and keeps track of your current security position, ensuring your company stays in compliance, so that you don't have to.
Rob deJuana: 00:05 Hi everyone. Thanks for joining the Aptible Comply Integrations webinar. We're going to get started in a few minutes. I'll give everyone another minute to get in and then we'll get started.
Chris Gomes: 00:14 Good to see a lot of familiar names in here. Hey everybody.
Rob deJuana: 00:27 We should add some hold music like nice elevator Muzak.
Chris Gomes: 00:31 How's your singing capabilities, Rob?
Rob deJuana: 00:44 You wouldn't want to hear me sing. Honestly, no one would want to hear me sing. It would be bad for everyone's day.
Chris Gomes: 00:53 I will say a fun fact about Rob though, just to kill the last 30 seconds here. Rob can tell a car or a motorcycle by the sound of its engine from like half a mile away.
Rob deJuana: 01:04 Yeah, that's a problem that ... too much of my brain is devoted to that. It's not a good thing. It's that and Product Marketing, and not much else.
Rob deJuana: 01:17 So it's 1:05, so we're going to get started. As people join they'll be able to see everything after the fact with the link that we're going to send out to the recording.
Rob deJuana: 01:27 Hi everyone, I'm Rob deJuana-Matthews, Aptible's Product Marketer, and I'll be your emcee for today's webinar. I'd like to welcome you to the Aptible Comply Integrations webinar, which is the second in our Aptible Comply Product Webinar series.
Rob deJuana: 01:44 We're really, really excited about what we're going to talk about today, and we're very thankful that you joined us to get a sneak peek at Aptible Comply Integrations. As many of you know, our mission here at Aptible is to build trust on the Internet, and we believe that building trust is the result of strong security processes. But we know that these processes can be resource intensive, they can take a lot of time, and sometimes they can be a little overwhelming, which makes building trust hard.
Rob deJuana: 02:14 That's why we built Aptible Comply Workflows, which we talked about last month, and that's why we're building Aptible Comply Integrations to streamline those processes and make it easier for you to build trust. We're really excited to show you what we got today. And we're hoping that you see, as we do, how it can help you in your day-to-day operation of your Security Management program.
Rob deJuana: 02:37 Today, I'm fortunate to be joined by Chris Gomes, our Vice President of Product Management, and he has been talking to you guys about how we can make things a little easier, and he's been leading the charge in Integrations. Thanks Chris for joining me today.
Chris Gomes: 02:52 Absolutely. Yeah, I'm really excited for today's topic. This, as you may have all gathered, is a customer only webinar. We were really excited to invite you to this to give you a sneak peek of what's coming and to get your feedback early and build on the feedback that some of you have already provided into our Integrations process.
Chris Gomes: 03:13 As we mentioned on the last webinar, which was all about Workflows, this is all in the theme of giving you leverage and empowering you to run your security and compliance programs with greater ease. So I'm excited to show how we're thinking about building on top of Workflows with Integrations.
Rob deJuana: 03:35 We hope that you'll be as excited about this new functionality as we are. So to speak to this a little bit I want to do a little housekeeping. Before we get going, as part of the Aptible Comply webinar series we're committed to bringing you regular updates about Aptible Comply and its development. We usually aim to have about 30 to 45 minutes per webinar, we're having about 30 this time without Q&A, so we're going to try to get to most of your questions, and if we don't just make sure to put them in the Q&A tool, and we will get back to you post webinar via email.
Rob deJuana: 04:16 We are doing things a little bit differently this time, so we are going to be soliciting feedback via both polls and through the Q&A tool throughout the webinar. So whether it's in response to a question that you're asking, or if you just have general feedback or questions go ahead and put them in the Q&A tool so that we can see them and respond to them.
Rob deJuana: 04:35 In today's webinar we're going to go over a quick recap of Workflows, since you need Workflows to take advantage of Integrations. The problem we see in the market with tracking security-related operations across disconnected security tools, which is why we're building Comply Integrations. How we're seeing companies manage assets, and how that's causing friction for them, and what we feel the ideal solution is, which is what we are hoping we have brought to life adequately with Aptible Comply Integrations.
Rob deJuana: 05:07 We're also going to be doing a quick demo, and we'll have some time for additional feedback and Q&A at the end. So, once again, anything that comes up throughout the webinar go ahead and put it in the Q&A tool, and we'll get back to it.
Rob deJuana: 05:22 So, Chris, if you don't mind, I'm going to turn this over to you so you can give a quick recap of Workflows.
Chris Gomes: 05:30 Absolutely. So the background for Workflows for everyone who was on our previous webinar last, at the end of July, is we basically released this new product functionality that allows you to take the operations of your security management program and run them in Aptible Comply. So, what that entails is the ability to specify certain teams that are responsible for specific activities and the events that trigger those activities whether they are recurring events such as monthly access control reviews, or annual asset inventory reviews, or whether they are exogenous like a new workforce member joining the company, or offboarding a vendor.
Chris Gomes: 06:13 So if you haven't yet activated Workflows, if you haven't yet started on Workflows please reach out to firstname.lastname@example.org and they can get you all set up. I know that some people who are on the attendee list have already started using Workflows and providing feedback on them, so we're very grateful for that.
Chris Gomes: 06:31 As Rob mentioned, everything that we preview, as it relates to Integrations, is going to build on the core Workflows platform, and so in order to take advantage of what we're previewing you'll need to have switched over to Workflows so, hopefully, that gets you motivated to reach out to your customer success manager. Again, that email is just email@example.com.
Chris Gomes: 06:59 I will hand it back to you Rob unless I can help by illuminating. We have a poll that's at the ready that we would like to ask folks. We can jump to that poll real quick. Here we go. So the motivation for what we're about to talk about is solving the most important pains that you're having in operating your security management program, and so we're posing three options here. There's the pain around a growing list of assets, there's a pain around disconnected security tooling, and then we're also allowing you to vote for other here, and then write into the Q&A. And so, I want to ask everyone to take a moment here and vote on the biggest pain around security management.
Chris Gomes: 07:52 When I say a growing list of assets I'm referring to the pain that we've heard from many customers, which is here we go on the left-side of the screen, "We have a lot of assets in our ISMS, people are spinning up databases or they're opening up new code repositories. We are adding employees, we are provisioning phones and laptops, and that list goes on and on, and I don't know if we're tracking them all. It's hard to keep my asset inventory up to date." That's what we mean by growing list of assets. [crosstalk 00:08:21]. Oh go ahead, Rob.
Rob deJuana: 08:23 Sorry, just to jump in. The other thing is that all of these security tools that you're trying to track are living in a disconnected set of security tools that require you as the responsible party to be at the center of it and be the connection to all of that. What we find is happening is that you spend your days trying to catch up on all the changes that are happening in all of these systems, and then trying to document that reality.
Rob deJuana: 08:49 I'm sorry Chris that was just something that-
Chris Gomes: 08:52 No, that's exactly right, yeah. You're in catch up mode. That's what we hear from folks, which is, "If I'm barely keeping up to date with everything that feels like a win to me," and so that's what we mean by growing list of assets is that feeling of constantly being in catch up mode.
Chris Gomes: 09:08 Disconnected security tooling is another pain that we hear from folks, which is why we wanted to surface it for this call today, which relates to the fact that a lot of the tools that you're using to actually implement the controls, implement the processes of security there's a lot of them, and they don't understand one another, and you don't have any sort of central way of making sure that they're all configured correctly and in sync with what your security management policies and procedures actually say you should be doing. You want to build on that for us, Rob?
Rob deJuana: 09:46 Yeah, so one of the things that we see a lot is that aside from these third-party tools that may be able to connect to each other in some rudimentary way, or you may be able to put something together that would bring them together. You're not pulling all of that into a single place, there's no single source of truth. And there's no way to get the information back and forth aside from you moving it around yourself, and so you're tracking this manually, and you have to track it constantly. And when your team is growing this is a huge problem.
Rob deJuana: 10:17 We deal with this every day at Aptible personally as a team. We're growing so fast, and the product is being developed at such a rate that our asset inventory gets out of date just like that. And it takes up a ton of time for someone to go through and say, "Okay, what's going on in G Suite? What's going on in GitHub? Do the people who are supposed to be on this team have access to what they're supposed to," and then you're documenting that. So, once again, it's spending a lot of time catching up and then documenting reality.
Rob deJuana: 10:52 So, I think it'd be interesting to talk about what you guys see as the biggest pain. And it looks like, we're going to show another screen, but a growing list of assets is part of a problem for a large number of you. And then there's also disconnected security tooling is a big pain, which makes sense to us. And then there are some other issues apparently that we will get to shortly.
Rob deJuana: 11:27 When we think about that growing list of assets you're going through your GitHub newsfeed for updates. Maybe you've got it set to 'all activity,' and you're hitting GitHub endpoints or you're making API calls, at best, in order to get this list of your repos. At worst you're paging through all of your repos to confirm them, and which ones are in the organization, what's been created, what's new? You're manually reviewing your audit log to see what's been happening.
Rob deJuana: 11:59 This would keep anyone up at night, but the idea you've been working on something all day and you haven't really gotten to the strategic things. You're just going through the tactics, that's eating up most of your day. And then you go home and you're thinking about everything else you need to do, and you go to sleep, and you wake up, and you're like, "Wait a minute, have I caught everything? What was created today? What was created after I left the office that is going to be an issue for me and how do I go about finding that?" Rather than thinking about those things and being caught in those tactics, you want to be able to move away from that. And that's the goal of everyone's job is like, "I want to move on to the higher order things," and you're not doing that if you're stuck in, for this example, GitHub.
Rob deJuana: 12:45 And when you think about, "Okay, well I've implemented all these really good tools that are helping my security, but none of them speak to each other," GitHub cannot set permissions based on what someone's permissions are in G Suite or what their role is in G Suite. I can't give them the proper access through Okta in GitHub. These things don't talk to each other in that way, I still have to be that, so you're thinking, "How am I going to manage all of these pieces?" It's just really difficult for anyone.
Chris Gomes: 13:18 And just to build on the example on the left here. So, we're showing GitHub as an example of a tool that many of our customers use for their code repositories, but another example of keeping track of assets being an issue is: just imagine as your company grows you have people who are using SaaS services left and right. Someone saying, "Hey, I need a screen capturing tool. I'm just going to download something," and maybe even if it's a paid tool, people have budgets, people are grabbing SaaS vendors left and right and starting to use them not always realizing that some of those need to trigger compliance conversations.
Chris Gomes: 13:55 And so we've heard from a lot of our customers, "I just want to have the opportunity to have a conversation with people, but in order to have that conversation I need to know what people are doing." I know that some customers have formed a cultural habit of having a Slack channel where people say, "Hey, I'm adding this vendor, let me know if I need to do anything," but that is really hard to maintain and that falls apart pretty quickly.
Rob deJuana: 14:18 Yeah, and to your point Chris, when people are doing, I guess ... bringing on rogue programs that makes your asset inventory out of date without you even knowing. You don't even know that that is something that now you have to track, and it creates a really uncomfortable feeling for people, and that goes back to this growing list of assets. And we're talking about manual tracking of those assets, so even if you know what all of your assets are this is sort of what your life looks like.
Rob deJuana: 14:52 And we're going back to this GitHub example because it's easy to show what you might be living with, and some of you know this because GitHub is so universally used. When you're making those API calls, like this on the left, that's the output that you'll get unless you're paging through, and then you compile this list of all the repos, and you're like, "Okay, this is what I have, this is what I have to deal with, but I have to check the permissions on all of that, and who has access to that." So you're going into the audit log, and maybe you're searching through that, and maybe you're exporting it, and then you're going and manually updating your asset inventory, which is living in this spreadsheet here, and so that's a lot of time that you're spending. It's a lot of manual monitoring of all of these things.
Rob deJuana: 15:37 So if you're thinking about, "Okay, I got to track the assets, okay I've done that. Now I got to go and monitor them," and that is really, really rough when you think about, "Okay, what else am I going to be doing while monitoring these? Okay well, I'm going to check my repos manually, see what changes have been made, what permissions have changed." So you're going through, maybe your newsfeed, maybe you're going through activities, then you're clicking on it specifically. And, in this example, let's say we want to just figure out who has access to one repo of the 100 you might have.
Rob deJuana: 16:09 And so you click on the 'Insights' tab, and then it says, "Okay, what do you want? Do you want to check the commits, the forks, the people?" All of these things are things you're going to have to check, so you're looking at this and you're like, "I'm checking people right now, but I also have to check who's created the forks and should they be there," and then, of course, this is the information that you see on just one. And so you can see who has access and you audit against the user's intended access, and you could do this by running queries on the audit log. Or just exporting the CSV and filtering, but this is still a lot of manual work, and then you're repeating this for multiple tools. You're looking in each one of these tools and saying, "Okay, does everything line up with my policies that I set up in the beginning," and that's just a lot of extra work that keeps you away from the strategic things you need to be focusing on for security and compliance, you're mired in tactics.
Rob deJuana: 17:05 And that's why we tried to build something that will help you because we see this. We know you've probably seen this. Either you've been in these, you're in these on another tab, or you're going to be in these later today looking at these screens, and we wanted to make that easier. We wanted to make it easier for you, we wanted to empower you to be able to focus on higher order strategic issues.
Rob deJuana: 17:32 And so I'm going to turn it over to Chris to give you a sneak peek of automating your Asset Management with Comply Integrations.
Chris Gomes: 17:40 Awesome, thank you Rob. Yeah so, I'm really excited to jump into this topic now of how we can make your life easier and empower you. We've provided you with manual Workflows, so that Comply can now remind you to go and update your asset inventory, Comply can let you trigger events yourself when there is a new asset added. It can remind you to go and check the configuration of those assets but, again, like Rob was saying that still involves all these activities that have a lot of disparate systems involved, and require you to go in and verify something. And so, the way that we are thinking about solving these problems is by "the growing list of assets", we solve that problem with asset tracking. The issue of "disconnected security tooling", asset control monitoring.
Chris Gomes: 18:30 So, if we just keep it on this slide for one second what we're talking about here with asset tracking is a way to automatically be notified if there's a new asset in a system you care about, or if that asset goes away, so created or destroyed you get a notification that says, "Hey, it looks like there's something that you might want to keep track of. Does this belong in your asset inventory?"
Chris Gomes: 18:56 The second one here, asset control monitoring instead of having you go and verify that your Mobile Device Management tool is enforcing the security policies correctly, you're simply notified if we perform a regular check, and something's out of whack, something is not configured correctly in that tool, and so that's what we mean by monitoring asset controls. So both of these are how we're thinking about Integrations.
Rob deJuana: 19:24 That, basically, turns it from active management to management by exception, which frees up your time.
Chris Gomes: 19:33 Exactly. Management by exception, so we're not trying to automate away your job, but rather we want to give you more leverage and empower you, so that you know if you're getting an alert from Aptible Comply it's because something does require your attention. Something's out of whack, you got to investigate, a) maybe somebody opened a code repository and it was set to public and it should be set to private. Or there's something else about the configuration of an asset.
Chris Gomes: 20:00 So, I'm going to jump into some specific examples here of what this could look like and I'm going to take it slow to make sure that the way that Integrations and how we're thinking about it is clear by the end of it. So we'll start with the specific asset type, like first-party systems, so these are your proprietary information systems. These are your code repositories, your apps, your databases.
Chris Gomes: 20:26 If you flip to the next slide please, Rob. So what are the potential Integrations that we're talking about with this asset type? This would be the sources of truth for your code, like Bitbucket, GitLab, GitHub. These would be things like AWS, GCP, Azure, Aptible Deploy if you're hosting a deployment with us, with Aptible.
Chris Gomes: 20:48 And so what do we mean by Asset Tracking? So whenever there's a new database, or a new code repository open on one of those Integrations that's a potential new ISMS asset and so you would receive a notification in Comply saying, "Hey, is this an asset that should be added to your inventory? Do you need to track this?" Similarly, if they go away on one of those sources that's an automatic trigger that, "Hey, maybe you need to run the workflow of deprovisioning an asset."
Chris Gomes: 21:22 Controls, as it relates to these Integrations and these assets, we're talking about SDLC controls, we're talking encryption and key management and so there are lots of ways in which your policies are specifying: "you need to be enforcing certain technical controls on those assets", and right now it's up to you to go and make sure that those are in place, and we'll see a specific example of that in a moment.
Chris Gomes: 21:47 Another example beyond first-party systems are third-party systems. So, again, these are SaaS products, these are vendors that you might rely on. Potential integrations for these? So when we're talking about the end system we're talking about things like Salesforce, or Drift, but those specific assets, a lot of our customers manage them with a tool like G Suite Marketplace or with Okta, and so by integrating with those devices, those are the hubs at the center of the hub and spoke, we can see if you're adding a new vendor, and we can see if you're offboarding a vendor, and so we can surface those events in the name of tracking your assets. And then, for asset controls the most relevant thing there is reviewing who has access to those systems, and do they have the correct access.
Chris Gomes: 22:41 Then, we got on to devices and so here we're talking about JAMF, ADDiGY we know that those are systems that our customers use to manage phones and laptops, so if a new laptop or phone is detected or retired we can notify you and raise the question of should you be tracking this in your Asset Inventory, or in your Device Inventory, and we can help you ensure that your Mobile Device Management controls are in place there.
Chris Gomes: 23:06 And the final example here is people. People are an asset, and they have an asset lifecycle, so we might integrate with G Suite, or Rippling, Workday, Checkr, Gusto, TriNet, Zenefits, any of the HR benefits providers, and the asset tracking events there are new employee onboarding, or offboarding. And similarly, we can ensure that any HRIS processes are in place and configured correctly. Like, for example, if an auditor said, "Are you running background checks on everybody who's handling sensitive or confidential data?" we can know if your systems, that are the source of truth for those background checks, actually possess background checks for all those employees.
Chris Gomes: 23:50 This is just an initial list, and this is another moment when we want to solicit feedback from the attendees, and so please hit the Q&A button at the very bottom of the Zoom here. And I'm asking that you submit the processes that you most want to automate. Our goal is to grow this list, our goal is to tackle the long tail of integrations that matter to you, and our goal is to prioritize among that list so that we are tackling your biggest pains first.
Chris Gomes: 24:22 So what processes do you most want to automate? What are the security and compliance activities that you're doing on a regular basis that you're saying to yourself, "My God, I wish I could just automate this away"? Or, what are the security and compliance processes that you would like to be doing and you're finding that you're not doing them often enough? You're getting an alert that "Ooh, I'm supposed to be reviewing our vendors this month and I just can't find the time to do it," and so maybe you're putting them off, but please hit that Q&A button at the bottom of the screen right now and let us know what processes do you most want to automate.
Chris Gomes: 25:01 Next slide please, Rob. It's going to be an emphasis slide. Once again, please hit that Q&A button and let us know what processes do you most want to automate. Where are the biggest pains and time sucks for you in terms of security and compliance, and where we could potentially integrate with a tool and make your life easier by either automatically tracking your assets or verifying an asset control for you?
Rob deJuana: 25:28 Yeah, and I think about this as like, "I bought a car and it was supposed to be a nice car, and now I'm building the car rather than driving it." And that's what it feels like.
Rob deJuana: 25:41 So we're getting a couple of responses in. So what processes do you most want to automate? We're getting integration in with JIRA, G Suite onboarding, and third-party access control reviews.
Chris Gomes: 26:00 Yup, these are great. Please keep them coming in. The integration with JIRA, I'm really glad somebody brought this up. The way that we're thinking about integrating with JIRA ... and keep the feedback flowing in just by hitting that Q&A tool again and again if you like or don't like what we're saying, but a lot of the operations of the manual workflows that we've provided today, or I should not say a lot of them, all of them live within Aptible Comply. We've basically provided the tooling to conduct those manual Workflows in the app.
Chris Gomes: 26:35 Another form of integration that we're thinking about is an integration that allows you to actually conduct those manual Workflows in your issue tracking system of choice: JIRA, Trello, Asana, whatever it may be. And so we would have all the triggers and we would have all the audit logging live in Aptible Comply, but it would essentially push those Workflows, which today some of our customers are using in the app, to a third-party tool like JIRA.
Chris Gomes: 27:06 So keep the feedback flowing if that's how you were thinking about the JIRA integration or if you were looking for a different ... to integrate with JIRA for a different purpose let us know.
Rob deJuana: 27:18 There's a couple more. One of them is AWS, keeping track of everything that's an asset in AWS.
Chris Gomes: 27:25 Yup, these are great.
Rob deJuana: 27:27 Yeah. The reason why we're so excited about this, and I'm the marketing guy, yeah of course I'm going to be excited about it, but the reason why we are really genuinely excited about this is that we're moving from translating regulations and requirements into policies that you can understand. We're moving those into actionable items that you could really go out, and do, and get your team aligned around so they're not just reading policies and procedures they're actually getting things that they can work on.
Rob deJuana: 28:02 And now, we're taking some of that work that is just eating up so many people's time and turning it into something that's just, "Cool, got it, it's handled." And that's one of the reasons why we're just so happy, but I think for the sake of time we should probably move on to the next piece which is, Chris we'll leave it to you on asset tracking.
Chris Gomes: 28:26 So this is, essentially, an overview of an early stage prototype we have for GitHub, and so it's really just meant to bring to life how these could work with a particular integration. So we'll show you GitHub. I'm really excited about this given that some of the input that was provided was specifically about GitHub and first-party assets. So, essentially, we have a GitHub Marketplace app in development right now that has these two functions of Asset Sync, and Smart Policy Check. So the Asset Sync is what we're going to talk about first for the sake of Asset Tracking.
Chris Gomes: 29:02 So, basically, from Aptible Comply you install the GitHub Marketplace app, and you authorize it to apply to current and future repositories, that way if a new repo is opened down the line by a member of your engineering team the security officer would get that notification of, "Hey, there's potentially a new asset here."
Chris Gomes: 29:23 After installing and authorizing it, we shall see on the next slide is a bootstrapped Asset Inventory that lives in Aptible Comply. So we know that a lot of folks here see high interest in having the Asset Inventory actually live in Comply, and this is a first order use case for that. Actually, here's a list of assets that we pulled from GitHub and this list would stay up to date, and you would be able to expand this list by accepting those notifications when, "Hey, looks like somebody added something to GitHub, is this an ISMS asset that is in scope? Do you want to add it to your Asset Inventory," and so that's what you're seeing here, and that's how asset tracking would work.
Chris Gomes: 30:08 The second example of Asset Control monitoring through GitHub, this is where that second part of the GitHub integration fits in that was referred to as Smart Policies, if you'll go to the next slide please. So here's an example of a policy that today is, what we call, not very smart but it's in everyone's ISMS. If you have an SDLC policy and if change management is in scope of the protocol you're targeting then you've got some language in your ISMS about code review and substantive changes to code for in scope applications review before merging in deployment to production. So that language right now it's up to you to go and make sure that this is happening somehow.
Chris Gomes: 30:50 At some point an auditor's going to say, "Show me proof that you're doing this," and so the way that the GitHub integration would help with that is this second component right here, smart policy checks automatically run secure system development checks against your GitHub repositories. If you'll go to the next slide please.
Chris Gomes: 31:08 And so what you're seeing here I know that the screenshot's a little small, but we've, basically, translated that policy into, essentially, domain specific language. And so we structured it to say if the asset that lives in GitHub contains or touches sensitive or confidential data then it needs to have branch protection enabled, it needs to be set to private, and so it has certain rules that we then check against the payload of the integration.
Chris Gomes: 31:33 So we're turning that policy into a Smart Policy so that we can then verify that this technical control is in place on this particular asset in its native system, in this case, on a code repository that lives in GitHub. So what you're seeing here is a series of checks against the assets surfacing for you those instances where, "Hey, this was not configured correctly, you have to go and adjust a technical control in GitHub." And the point is to turn all the red lights green, so that you just got one big green light that says, "You are in compliance," and if that light ever goes red you can double-click into it and see exactly what you need to do, and what technical controls you need to take action on.
Chris Gomes: 32:18 So we're back to this slide. These are some of the integrations we're thinking about. We've got some folks provided Q&A feedback about this. We're really excited to continue getting feedback from you, so this is one more final call. As the Product Lead this is the thing I live and die for, your feedback, so let us know if there's other integrations that you would be excited about. Let us know if there are other automations that you would want us to help with. And if you see something on this slide already that you're particularly excited about just shoot it in the Q&A and give us a plus one that, "Yeah this is one that I'm really interested in."
Rob deJuana: 32:55 This is the thing, that we are really dedicated to making this make your life better, and so it allows you to really focus on the higher order tasks that you need to focus on. And so we're trying to make it so that you feel like this is built to make things easier for you and your team, and that's why we need this feedback.
Chris Gomes: 33:28 Awesome.
Rob deJuana: 33:30 So some of the feedback that's coming in is ... oh, we've got integration with Zapier.
Chris Gomes: 33:40 Zapier?
Rob deJuana: 33:41 Zapier, yeah.
Chris Gomes: 33:45 We see an opportunity there to get a lot of leverage by integrating with Zapier and being able to, basically, provide a really simple interface for folks to then build on top of that integration. So, essentially, the part of the product that we are trying to nail is a really well-defined model for what these Security Policies are, for the sake of Asset Controls. And then for the sake of Asset Tracking, what are the core abstractions and events that you can then build on top of through a Zapier integration or, down the road, a public API, for example.
Chris Gomes: 34:27 So that's one where we'd be excited to find out more about what people want to do with that integration, and that, and how people want to build on top of Zapier.
Rob deJuana: 34:38 We got another one for you Chris, integrations with analytics tools and data warehouses.
Chris Gomes: 34:44 I think that's a great one as well. We have, right now essentially, the starting point of a really rich set of reports that would empower a security team for bringing issues up with their board, or with management to say, "Hey look, here's how we're performing on our Workflows. We have this many technical controls in place that have been verified with this level of precision and fidelity. We have this many people completing training on time, this many people who are off track. We complete our compliance processes on time 85% of the time, and here's the gaps where we're not doing that." So we are beginning to collect that kind of information in the app as people use Workflows, and we will continue to get even richer data as people integrate with various assets. And so I could certainly see value in integrating with an analytics tool, and being able to push that data outside of Comply so that you can run whatever analytics you want on it.
Rob deJuana: 35:52 And here's another one that hits close to home, integration with Lattice.
Chris Gomes: 35:57 Yes, Lattice the performance management tool, I assume. That's interesting, and we can certainly look into that. I'm thinking through the particular HRIS use case that that could be used for, but certainly, in terms of a source of people and managing teams that's a potentially good source for our customers.
Rob deJuana: 36:24 So I think, just to be aware of time, we should probably move on to Q&A and feedback, I want to give everyone enough time to get their questions in.
Chris Gomes: 36:35 I see another one that came in right here, which is any plans for the ability of customers to build custom integrations. And the short answer to that is, absolutely. We would like to move toward a world where we've defined the object model really well, and defined the API really well so that customers in the developer community can then leverage that and build their own integrations, and that's really the path we see to make this powerful, no matter what particular systems or tools that you're using. And so that's why Rob and I kept hammering home this idea of how we're approaching the idea of Integrations with this asset tracking style of integration, and then asset control monitoring style of integration, as well as the third flavor of integration I mentioned which is being able to push some of the workflows into the tracking system of your choice.
Chris Gomes: 37:29 We're working on making those really well-defined and simple, and yet powerful, so that customers can build their own custom Integrations.
Rob deJuana: 37:38 So I've got another one here, "How do you plan on integrating with all my various systems?"
Chris Gomes: 37:46 I think that's a really closely related one to that last question, which is there's a long tail of tools that our customers use. We know that from experience and from talking to folks, and so we're trying to prioritize the ones that are going to provide the most coverage, and the most leverage up front. And so GitHub is an example of a tool that if not GitHub it's GitLab for the vast majority of our customers, and so those are two examples that we're starting with, as well as JAMF and G Suite those tools come up again and again. And we hope that that will provide a lot of coverage for some of the most frequent processes from any of our customers.
Chris Gomes: 38:23 The long tail we're only ever going to get to with the help of a developer community and so we expect, over time, we will be building support for more and more integrations by allowing for those custom integrations to be built. And in the meantime, we'll start with the fat end of the tail, and try to tackle as many of those that as many customers use as possible first.
Rob deJuana: 38:49 There's another one, "Is there rate limiting for assets that have an API limit?"
Chris Gomes: 38:55 The short answer is, there's potentially going to be rate limiting as we start to explore the frequency in which we're going to be making those calls. We're most likely not going to be ... that's most likely not going to be a problem for anyone just given the scope of Asset Inventories, and the types of calls that we're running to verify the configuration of those assets. I don't think we are going to be coming up on any of them, but hypothetically it could potentially be an issue, and so it is something that we will take into consideration even though I don't think it'll come up for anyone in the near term.
Rob deJuana: 39:36 Got one more for you. "Can I control what permissions you have access to when integrating?"
Chris Gomes: 39:42 Yes. So we are very conscious, as a security compliance company, of only requesting the minimum necessary permissions and, at the same time, being mindful of giving our customers flexibility to set those permissions, and provide a finer level of granularity. So there are potentially trade-offs.
Chris Gomes: 40:02 In the GitHub example we looked at you could sync GitHub only with select repositories, and you can make that à la carte selection upfront when you're adding the integration. That would enable you to verify the configuration of those repositories that we selected, but it would not allow us to have visibility into future repositories, and so if somebody were to add a repository later you would have restricted us from being able to recognize that. So there are always trade-offs, but we do want to support our customers' need for various levels there.
Rob deJuana: 40:42 Sounds good. So just to be aware of time, we want to hit our time commitment of 45 minutes and be mindful of your day, so I think that for any other questions that we have we'll respond to them after the fact, but I want to get back into this and just talk about what's next.
Rob deJuana: 41:08 So Chris, do you want to kind of talk about what is going to come up with Integrations?
Chris Gomes: 41:15 Yeah. This is great feedback that everybody provided. I really appreciate it, we really value your time, and thank you for being here, and for providing that feedback. As Rob mentioned, if you asked a question and we didn't have a chance to answer it we will follow up and make sure that that question gets answered for you. As far as the development of Integrations go the GitHub integration that we showed you an early proof of concept for we will be releasing that into private beta soon, and when we do that we will follow up with folks on this call to see if you want to participate in that private beta.
Chris Gomes: 41:48 In the meantime, we're going to be following up for some additional feedback, and for your input as we prioritize other integrations to develop. So if you have more feedback to provide that you didn't get a chance to provide today you can feel free to email me directly firstname.lastname@example.org. Otherwise, we'll be keeping everyone up to date as to the development of the automated integrations and workflows.
Rob deJuana: 42:16 So I just want to do a little wrap up here. Thank you so much for taking time out of your day to join us and get a sneak peek of Aptible Comply Integrations and how you can automate your asset management with it.
Rob deJuana: 42:29 Everyone who has signed up will get a link, so if you attended you'll get a link even if you know someone who didn't get a chance to attend as long as they registered they'll also be able to get a link. If they want they can reach out to email@example.com, we'll send you a link so that you can view this recording of the webinar. And, once again, if you want to kind of think about what's going to happen next with Integrations definitely get in touch with your customer success manager at firstname.lastname@example.org.
Rob deJuana: 43:03 Thank you again and we'll see you soon.
Chris Gomes: 43:09 Thanks everyone.