Compliance Automation for IaaS

How intelligent automations on IaaS can simplify compliance management

December 16, 2020 12:00 PM

Running a business “in the cloud” is no longer reserved for Enterprises and early adopters. Almost every company today, regardless of size, is operating at least part of their business in the cloud (AWS, Azure, GCP, you name it). Companies use cloud infrastructure to build faster and focus on customer needs, not infrastructure. When it comes to governance and risk, however, the very characteristics that make cloud attractive for compute purposes can make it a nightmare for compliance teams. 

Join us for a webinar on Wednesday, December 16th as we explore new functionality that automates compliance for IaaS (including AWS), improves Comply's automation capabilities across all integrations, and improves issue detection and remediation workflows. On this webinar we will discuss:

  • Compliance requirements for companies using IaaS
  • Automated evidence collection and user access reviews
  • Issue detection, alerting, and remediation improvements
  • New reports and dashboards to make continuous monitoring more actionable

Learn more about compliance automation.

Presented by

Frank Macreery
Co-Founder, CTO
Sheri Salay
Product Manager


Rebecca (00:02):

Hello, everyone. Welcome to our webinar today. Just checking the attendee or participant tab to make sure that you're all able to join without me having to admit you one by one, so it looks good. It looks like there's some folks here on the line with us. So thank you so much for joining us today for this webinar where we'll be going through compliance automation for IaaS or Infrastructure as a Service. We'll be talking around how intelligent automations on your Infrastructure as a Service can simplify compliance management. I'm just going to give people a few more minutes to filter in. And as I do that, a couple of housekeeping rules. Everyone here is on listen only mode. So we won't be able to hear you or your background noise, but if you do have any questions, we definitely want to keep this interactive and we'll leave around 10 minutes towards the end for answering any of your questions.

Rebecca (00:54):

Just feel free to type that into the Q & A box as we're going. Also, this webinar is being recorded, so you'll all get a link to the on-demand recording after the fact for you to go back and refer to anything you may have missed. Also, feel free to share it with your colleagues, friends, and family. We'll try to keep it interactive; we have a poll during the presentation, so I'll be sure to launch that while Sheri is going through her slides. And with that, I'm going to hand it over to Sheri who will start the webinar.

Sheri Salay (01:25):

Thanks Rebecca. First, I'd like to welcome everyone to our webinar and say, thanks so much for taking time out of your day to join us. let's get started with some introductions. My name is Sheri Salay. I'm a Senior Product Manager here at Aptible. I'm a relatively new addition to the team I joined back in September and I came over from AWS. I'd also like to introduce Frank Macreery, our CTO, and Co-Founder. He is the expert in all things data security compliance and technology. Frank, would you like to say a few more words?

Frank Macreery (01:55):

Yeah, sure. Thanks, Sheri. That was a very kind. I'm not sure about everything you said there, but I have dealt with a lot of the pain that we're going to be talking about today firsthand, working on our complied product and our Deploy product. And so Im really happy for this opportunity to speak with all of you about how Comply can make it easier to manage infrastructure in AWS compliance.

Sheri Salay (02:19):

Thanks, Frank. All right. So we are here today, as Frank mentioned, and Rebecca mentioned as well to talk about compliance automation for infrastructure as a service. We know that compliance in the Cloud presents some very unique challenges. And so today we're going to talk about some of the common challenges you may face when securing in the compliance part of your Cloud environment. We're also going to talk a little bit about continuous monitoring. So this automation can really be key to helping you solve your compliance and governance challenges. We will then step into a product demo so you can see how Aptible Comply simplifies compliance management. And like Rebecca said, we are going to save time at the end for Q and A. So any questions that come up, please feel free to drop them in the Q and A tool.

Sheri Salay (03:07):

So why are we here? Well, this chart tells a pretty significant story. We all know the compliance for infrastructure as a service is difficult. We know that Cloud adoption continues to progress rapidly and as organizations continue to migrate their infrastructure to Cloud based services, they're focusing more and more heavily on ways to secure their Cloud and achieve governance and compliance requirements. A recent report by SailPoint identified that 88% of the companies in their research poll reported issues with their Cloud infrastructure services. We tend to think that the 12% who may not have reported issues probably fell asleep during the survey and didn't complete it. What we're noticing is that the majority of these issues that related to security, such as DDoS attacks, they're related to compliance such as granting users and inappropriate access permissions to their resources and audit issues such as providing correct and complete evidence for a given control in an audit.

Sheri Salay (04:12):

So organizations may face challenges and achieving their compliance and governance objectives for a variety of reasons. We'll talk about the four core challenges that we've identified in the upcoming slides. One of the most common challenges facing organizations today that may resonate with you is the amount and the time consuming nature of the manual work that goes into meeting compliance requirements. Evidence collection can be a high touch manual process that's difficult to coordinate across all the various teams in your company. If you're frequently involved in an audit cycle or you're auditing across multiple frameworks, your team may find themselves doing the same work multiple times. Let's think a little bit into the user access reviews. They can be a sizable challenge to gather evidence in a timely manner for user access reviews, to support an audit because of the manual and error prone processes to gather that information.

Sheri Salay (05:08):

According to that SailPoint report, we referenced earlier 91% of companies reported that they have manual work to do when preparing user access reports for their Cloud infrastructure. So that amount of manual work, as you might imagine, and probably experienced can cause a significant loss of productivity and disruption across your compliance, your engineering, your dev ops teams. So organizations know that complexity, the rates of change and the lack of automation in their Cloud environments can make it difficult to manage governance and compliance within your organization. We at Aptible may not be able to help you simplify your Cloud environment or slow down the velocity of change in your environment but a little bit later, we're going to talk about ways that we can help address the automation gap.

Sheri Salay (05:54):

The second challenge that we've seen with regards compliance in the Cloud is the complication factor of adopting many tools. So in addition to infrastructure services, organizations tend to use both Cloud native and third party tools to monitor Cloud operations like infrastructure Deployments security, such as intrusion detection and vulnerability management services. And you've got ticket management and workflow services such as Jira and Slack in there as well. So what might be challenging for organization when it comes time to meet compliance objectives is just the very fact of gathering evidence from all of these tools.

Sheri Salay (06:32):

The third challenge organizations face today is coordinating the evidence collection across all the different owners of those tools. So compliance teams may be spending a lot more time than they'd like coordinating with the engineering, the dev ops, their security and their dev sec ops teams and the owners of those tools to gather evidence that prove or disprove whether they're meeting their internal and external controls. And the fourth and final challenge that we identified to compliance is the dynamic and elastic nature of the Cloud. Organizations can scale their Cloud footprint exponentially in such a short period of time today, and infrastructural resources, such as virtual machines may have very short lifespans. So how can you effectively manage governance compliance when your Cloud environment is constantly changing?

Sheri Salay (07:24):

So we combined together, these four factors can keep the compliance team locked in a loop where they are constantly collecting point in time evidence. You're not really pulling ahead, you're struggling to test your internal and external controls, and you're struggling to collect evidence in time to meet your audit deadlines. So we know the compliance teams are looking for automated tooling that will help them break out of that loop and pull ahead of their compliance requirements and their audit cycles. By proactively and automatically monitoring the same control that your auditor is going to come and ask you for evidence for in a couple months, you can bypass the time consuming and error prone, manual evidence collection process.

Sheri Salay (08:07):

Audits can become a matter of showing the work that you've done instead of reacting to surprises that you uncover once your dev ops team has finally responded to your evidence requests. With the automated collection tool, compliance teams can help proactively improve their organization's overall security posture. So we've brought the top dog of Aptible to show you what we've built today and to how you might be able to imagine a whole new complaints experience for your organization. Frank. So Frank's going to give us a little bit of a demo here in a little bit, but first I want to kick off a poll.

Sheri Salay (08:47):

So this is the poll that Rebecca was referencing earlier. We are really curious to understand what infrastructure services your company uses today. So we, that there might be a multi-Cloud Deployment in many cases and we'd like to understand which providers you're using today. And so with that, I'll hand over to Frank who will walk you through the demo and give a little bit more information about what the Comply service does.

Frank Macreery (09:12):

Thanks a lot, Sherry. So I'm seeing some results come in now and the good news is that most of you are using AWS today. So you'll all be able to apply the demo that we're going to show directly to what you're already using. It looks like right now, we've got 86% of respondents saying that they use AWS and then roughly 13% each using Microsoft Azure, Google Cloud platform and Oracle Cloud, nobody using IBM SmartCloud or OpenStack, but there's still time to respond. Anyway, thanks everyone for responding to that poll. And thanks Sherry for kind of introducing what we're talking about here today. I want to talk a little bit about... Sorry, my mouse is just chosen a bad time to give out. Sorry about that.

Frank Macreery (10:23):

So anyway, it's great to see such broad adoption of AWS especially because we are talking about our Comply to AWS integration today. I'm going to briefly summarize how Comply works at a high level and how the AWS integration fits into the bigger picture of Comply and then I'm going to take the rest of this webinar to show a demo of how this Comply integration with AWS works. Please, if you have any questions at any point in time, just chime them in, in the Q and A. Rebecca is going to be watching that Q and A, and we'll be able to triage and bring up questions as you ask them. Next slide please, Sheri.

Frank Macreery (11:07):

Cool. So I want to talk a little bit about the kind of mechanics of how Comply works. So the first thing that happens when you connect Comply with your AWS account is that we start automatically updating an asset inventory with the compute and storage resources that you're using in AWS. So we pull them in, we also pull in your service accounts and any groups that you're using in IAM and use them to populate an asset inventory. So the thing about this asset inventory is that we keep it up-to-date automatically over time. So as you add resources, deep provision them, as you change tags and your resources in AWS Comply, stays up-to-date all the time. And it allows you to organize your assets with these tags, both with the tags that are coming from AWS, that you're already using to label your resources and any tags that you want to create in Comply that are specific to compliance purposes that maybe your dev team doesn't know or doesn't care about.

Frank Macreery (12:18):

So once those assets are in the asset inventory, Comply also immediately starts monitoring for Cloud infrastructure compliance requirements. So right now today we have 14 different automations built into Comply and you can create additional automations on your own. These automations that come out of the box span, IAM, RDS and EC2, and we're very soon going to be adding support for additional automations across S3 and Cloud trail. The way these automations work is they check these compliance requirements, verify that everything's okay. If things are okay, we collect that evidence and store it in the compliant evidence repository, so that you can use it to respond to questionnaires later, either audit requests list from your auditor or security questionnaires from your customers. If something's not okay, we flag that and it goes into our issue detection system. So you get alerted and you can use the workflows in Comply to remediate those issues and get everything back on track. Next slide, Sheri.

Frank Macreery (13:26):

So talking about the workflows that Comply supports. So we know that there's a lot of different pieces of your compliance program and Comply is trying to give you a single place where you can take care of all of them. And so we handle things like governance procedures. One really great example here that I'm sure all of you do is access reviews. So making sure revealing who has access to which systems and making sure that that level of access is appropriate. So with AWS, that means reviewing, IAM, looking at all of the resources that each IAM user or group has access to and making sure that there's an appropriate justifiable business reason, why they need to have that level of access. Doing those reviews on a continuous basis is important so that you can have the track record to show to the auditor and also so that you don't get stuck in a position where there's an incorrect level of access and you have to explain to the auditor how that happened.

Frank Macreery (14:30):

So the next workflow that we support is remediation. So going back as we mentioned in the previous slide, part of what Comply does is we automatically detect issues where resources that you have in AWS, aren't meeting your compliance requirements. So where some other tools stop is just alerting you to the presence of those issues, but Comply actually gives you all the tools you need to remediate these workflows. We connect with the workflow systems you're already using like Jira, Slack, and email so that you can complete these workflows and assign them in the way that you're used to doing and ultimately see the progress and the completion of those remediation activities in Comply. And then finally, once you've kind of built up this background of procedure completion, remediated issues, and all this body of evidence in Comply, you can use that evidence that you've collected to respond to audit requests and Comply provides a tool to import these audit requests lists, and automatically respond to them with evidence that you've built up in Comply.

Frank Macreery (15:38):

And we're going to show you all of this today, and hopefully you come away with this, seeing how setting up a compliance automation system like Comply from the start can remove a lot of manual work and lead you to a place where you're ultimately using compliance to improve your overall security posture and build trust quicker. So with that I'm going to take over screen Sherry and jump into a demo. Thanks, Sherry. Okay, cool. So what we're looking at here is the controls dashboard. This is the homepage of Comply. It's not very exciting right now and as you can see, it's pretty empty. But what we're going to start doing in this demo is start populating this environment with data. We're going to start collecting evidence automatically, some manual evidence and start building towards a dashboard that looks a little bit more like what we've got in our production Comply account.

Frank Macreery (16:46):

So this is the account that Aptible uses to run our own compliance program. And as you can see, we've got evidence streaming in both automatically and manually across all of the controls in our compliance system. And we can see the performance over time, see where we've got a good evidence here, see where there's things that need our attention and manage it all in one place. So let's get started doing that. The first thing that I would love to do here is set up an AWS and integration between Comply and AWS. So to do that, I just go to automations, integration configuration, and I'm going to add our first integration. So we don't have anything set up yet, and we're starting from scratch. So I'm going to connect to AWS, Comply uses what AWS calls cross account role-based authentication which is their recommended most secure way to connect with an integration provider and share resources.

Frank Macreery (17:50):

And so in order to set this up, I actually need to create a new role in AWS. So I'm going to do that over here. I'm going to copy over the account number and the external ID that Comply gives me and use it to create a cross account role. So the external ID is required for additional authentication to verify that even if there's a compromise of Aptible Comply the request needs to be made both from our account and have this secret external ID present. I'm going to attach a base Comply policy to this role, and I'm not going to add any tags for now, and I'm going to just name it, and create. Okay, now that's created, and so to set this up and Comply, I just need to copy the roles ARN, the identifier, paste that into Comply and specify the region where our resources live by default. So I'm going to do next step. So now that's setting up in syncing.

Frank Macreery (19:14):

While that's happening, I'm going to go ahead and add another integration. So we support integrations with both Jira and Slack. For the time that we have today, I probably won't be able to show both of these. So I'm going to show the Slack integration off and I'm going to set that up. So to do this, I need to just click next. And this is an [inaudible 00:19:37] set up a little bit easier than integrating with AWS. I just click allow and now Comply is integrated with Slack. Cool. So these are the two integrations we're going to be working with today. I'm just going to go ahead and re-sync this AWS environment. And once that's completed, I can go over to our asset inventory and see the assets that have started to be populated here.

Frank Macreery (20:02):

So I'm going to first go over to compute, and I see all of our EC2 resources being populated in the asset inventory automatically. I've got the asset tags that are coming back from AWS. I can also add my own tags so I can go in here, I can review all the available tags. I can create a new one that lives in Comply only. So I might say sensitivity high, if that's something that only Comply cares about, and I can create and apply that. And now I've got this tag here. I can filter all my results. I can filter them by tags so I can search here sensitivity high and filter down.

Frank Macreery (20:47):

I can also filter by various properties that are coming back from EC2, like availability zone. I can restrict these down just like you can do in the AWS console. But because Comply integrates with it can integrate multiple times with multiple different AWS environments, you can see all of these resources in one place in this single asset inventory. We're also pulling in all of your storage resources. So these include all of your RDS databases currently. And with these storage resources, we can go in and in addition to seeing all of the properties that are coming back from AWS, we can manage properties specific to compliance. And so we can define the different types of data that are stored in a database. So for this, I might say that it's HIPAA PHI and health data, and that's it. I can also update metrics like asset and data criticality. So we'll say that this is low impact for everything other than availability, where it's moderate and you can configure business continuity and backup configurations as well.

Frank Macreery (22:07):

And whenever you make these changes of course everything goes into this immutable audit trail so that you can see the activity in the set of changes over time, both coming back automatically from the integration and the things that you've updated and see all these changes in one place.

Rebecca (22:25):

Hey, Frank?

Frank Macreery (22:26):


Rebecca (22:27):

So we have a question from one of the audience members: "What compliance rules or security frameworks is the tool testing against?"

Frank Macreery (22:35):

Yeah, that's a great question. So we're going to get to that in a little bit, so as a preview of that all of the automations that we support they can be mapped to any number of frameworks. So right now I happen to have Comply setup with just three frameworks, HIPAA, ISO, SOC2. We provide out of the box mappings to these three frameworks, as well as GDPR, CCPA, FedRAMP, HITRUST, NIST CSF, and several others. And you can import any other frameworks that you're using too. And so basically the way it works is we have a set of standard controls, our automations map to those controls, and those controls are then mapped to requirements in each one of these frameworks. And so it's basically like generate a piece of evidence once and then use it across multiple audit frameworks.

Frank Macreery (23:31):

And when we get to the point where we have some evidence in the system, I'll show how you can tie it back to a specific framework. Thanks for that question, whoever asked that. Okay, so we just showed off the asset inventory, and now I want to show off how we can set up automations when we're collecting evidence and events from these assets. So these are the automations that come out of the box with Comply. You can build your own, so you can use our API to create additional automations. But these are the ones that come out of the box. So I'm going to look at one that as part an automation that's related to a control that many of you may have in your program which is database backups. So here we can see the details of how this automation is configured.

Frank Macreery (24:23):

It's basically checking whether database backups are on or off for an RDS database. It's logging the evidence as okay if it's finds that data backups are on and it's creating an issue if data backups are off. Now, I'm sure that many of you have many resources in AWS and some are in scope for your audits and some are not. And so Comply makes it easy to filter down an automation to just those resources that you care about. So I'm going to go ahead and do that here. I'm going to restrict the scope of this automation just two assets that have the tag Aptible demo and production. I can include other tags if I want, but for right now, this is the tag that I'm going to use.

Frank Macreery (25:08):

So we're only going to apply this automation, and we're only going to collect the evidence or log the issue if an RDS database comes back and it has this asset tag. So I've set this up, we'll revisit this in a moment, but before we do that, I want to show you how we can set up a governance procedure. So for something that's traditionally, it needs a manual review.

Frank Macreery (25:34):

And so we're going to set up a review of an initial access review for production databases. So I'm going to go ahead and I'm going to go back to GRC, to our procedures. You can see Comply provides you with a bunch of template procedures that you can choose to use. All of these are none of them are active right now, they're all paused. But what we're going to do is we're going to create our own new custom procedure for reviewing access for RDS databases or any storage asset. So in order to do this I need to give a name to this procedure. So I'm going to call it conduct initial access review for production databases. I'm going to assign these tickets to myself or to the CSO who's different than Frank.

Frank Macreery (26:31):

I'm going to say that they don't require approval. I'm going to map this to our access management policy so that we can easily tie any evidence that's collected from this procedure back to this control in any framework requirements that we've mapped to it. And then I'm going to provide some instructions here. So this is a markdown template. You can provide a procedural instructions and default ticket notes. And you can use our markdown editor to edit this. I'm going to just leave this here for now. I might have more specific guidance if this wasn't a demo but this all can be edited later. So in order to set up to make sure that this happens every time Comply detects a new asset, I'm going to go ahead and set it up for all storage resources.

Frank Macreery (27:28):

I'm going to go ahead and make it both quarterly recurring, because we want to review it every quarter and then set it up every time a new storage resource is activated. So now we can activate the procedure now and activate it for all of our... Sorry, we can activate it now, which we're going to do, and then we can choose to either trigger it immediately or we can leave it not triggered immediately. I'm going to go ahead and trigger it immediately so that we can start reviewing all of the databases that have just been detected by Comply. And I'm going to go ahead and create that. Cool. So now when I go over here to tickets, I'll see all of these newly created initial access review tickets. We'll circle back here in a sec. What I want to do now is I'm going to show how we can review the issues that are detected by our automation in real time.

Frank Macreery (28:46):

So what I've done before this demo started is I created a new database. I did it because these databases in RDS take a while to create. And so I didn't want you all waiting on the demo. So I created a database it's called database demo, 20201216. And it I've set it up so that it doesn't have any backups enabled. So this is important if you remember, we showed that automation earlier, that's checking for backups being enabled or disabled. It doesn't have any tags right now, and so I'm going to go ahead and add a tag. So if you remember, I configured that automation to require the Aptible demo ends being set to production. So when I add this, now it'll make this database become in scope for that automation.

Frank Macreery (29:40):

And so that should set this up. And so now I'm going to go back to Comply and I'm going to have to go back and sync the assets. So it's going to take a couple minutes to sync or a little while to sink. So let me check issues right now. So it's not seeing the issues yet, but we'll give this a minute here. Going to refresh, It might take one more refresh. All right. Let's see. Okay, cool. So now that I've refreshed a couple of times and just waited a minute here, we're seeing all of the issues coming back from AWS. And so I'm going to go ahead and I'm going to drill into this database backups issue right here. So we'll see that we've got an unresolved issue coming back for this database demo, 20201216. We're not seeing issues for any other databases, even though they don't all have backups enabled because they don't match that tag that we configured.

Frank Macreery (31:05):

So what we can do now that this is here is we can assign it to a different person. If we do that, they'll be notified of the issue needs to be resolved. What I'm going to do right now since I know exactly how to fix this is I'm going to go back into RDS and I'm going to enable backups for this database. And then we're going to come back and see that the issue gets resolved in Comply. So in order to do this, I need to modify the database and as with everything AWS, give it a second. So this is a fun question. I'm curious, who knows, how do we actually enable automatic backups here? So it's grayed out and if you guess that we just have to pick a positive number for the backup retention period, you're exactly right.

Frank Macreery (32:03):

So it's not totally intuitive, we're going to make this change immediately modify the database instance, and this is going to go ahead and make that change. So this is not going to take effect right away. AWS takes a little while to make any modification, even something just like enabling backups. So we won't be able to click re-sync right away., but what I'm going to do in the meantime is I'm going to show you how Comply can make governance reviews around access to your AWS resources a lot easier. And hopefully by the time that we've completed that access review, we can come back and see that this issue is resolved and can be used as evidence. So to do the access review, I'm going to go back here. I'm going to go back to this ticket that's been created to conduct initial access review for production databases.

Frank Macreery (33:00):

So to do this... Actually give me one sec here. Is this the right one? Yeah. Okay, cool. This is the right one. So, this is the database demo 20201216. So we've got some instructions here, but what we also have is these tabs where we can look at who has access. So which users have access to this resource through IAM. And so we've got six different users who have access to the system and what I'm going to do is review each one of them. And so what Comply lets me do is see who has access and use Comply as the source of truth for who should have access. So looking at this list, I know that Ashley, Bailey, Catherine, the CSO and myself all should have access, but Josh shouldn't. And so what I'm going to do is I'm going to approve each of these first five people. And if I refresh, they all show up as okay, with this approval being logged for today.

Frank Macreery (34:11):

Josh, like I said, should not have access. So what I'm going to do I can either create a ticket to fix this. For now, I'm going to just create an exception. This isn't a major issue. Josh is still a team member. He's just not any more on the appropriate team that needs access to this production database. So I'm going to go ahead. I'm going to log an exception create the ticket, and I'm going to say review Josh's access to database demo 20201216. And I'm going to set it to be due a week from today. I'm going to assign this one to Frank to review and I don't need this to be reviewed, this one's not a major issue. And then I'm going to go ahead and open that ticket.

Frank Macreery (35:03):

So now this is going to be tracked alongside this review. And for now I'm going to Mark this ticket as done. So that's going to record, it's going to save the completed ticket as evidence. And then what it's also going to do is it means that you'll see this new ticket assigned to Frank to review Josh's access. But what I can also do is go into this asset, look at the access that's been defined and see who has access here at any point in time and see whether it's been approved. I can filter this down to just people who have access. I can filter it to people who have valid access, easily filter to access issues. This is especially helpful if you may have 100s of different IAM users and you need to quickly see who has access validly and where the issues are.

Frank Macreery (35:52):

And you can see any authorizations or approvals that have been updated in the last 30 days. So hopefully you can get a sense of how the different ways that we pivot here and the ability to pull in the access data directly from IAM and AWS can enable faster governance reviews for access. So hopefully in the time that we've completed that access review we can go back to RDS and hopefully this... Okay, it says it's successfully modified. Great. So if you remember where we left off here, I had just enabled backups on database demo 20201216. So I'm going to go back to Comply. I'm going to go to our issues page. I'm going to go to database backups, and I'm going to resync just to make sure that Comply agrees that the issues fixed. So I'm going to wait several seconds for this resync to complete.

Frank Macreery (36:52):

And indeed now we've got no unresolved occurrences. And if we go over to resolved, we see this issue that occurred a few minutes ago, and it's now resolved. And because it's resolved, it's showing up like the resolution is showing up as evidence that we can reuse for an audit or for a customer questionnaire. Cool. So now that we've kind of started to build up some evidence and Comply both from our manual governance procedures and this automated remediation I want to show how Comply helps you tie it all together.

Frank Macreery (37:31):

So the first way that it helps tie things together is through this full sledge GRC. So I'm going to go back to the controls dashboard here. So it's a big lump, it's not quite as pretty and we're getting there, right? So every process has to start somewhere. And so now we've got a little bit of evidence here. And if we go into, for example, our data backups policy, where we've just collected some evidence, we can see tons of detail about this specific control, the evidence that we're collecting from it. We can drill down into these and see exactly what the evidence was. We can see what automations we have set up. We can log manual evidence. We can create new procedures. We can even log risks that are associated with our data backups policy. And perhaps most importantly, we can map this control to requirements in any of the frameworks that we're targeting.

Frank Macreery (38:31):

So what you're seeing here are mappings to requirements and SOC2, ISO 27,001, and HIPAA, all of these requirements come out of the box with Comply. You can edit them as you want, but you don't need to think about them. You could choose to just use our defaults. And so you can drill down into the requirements. You can see exactly what the requirement says. In this case, it's called the information backup requirement of ISO 27,001. And again, you can see all the evidence here in the framework, not just the control. And you can pivot to any number of other frameworks. So we can see the same evidence in the data backup and storage requirement under HIPAA. So just from basically connecting this AWS integration and doing the bare minimum to fix an issue that we found you've got this evidence populated across all the frameworks that you're targeting.

Frank Macreery (39:29):

The last thing that I want to show today on this demo, and then hopefully there's some questions, because we would be happy to answer them is how you can use all of this in an actual audit. And so for that, I'm going to go over to the audits page in Comply. And I'm going to create a new audit from a sample request list that we received from an auditor. So we're going to call this the sample IaaS audit request. I'm going to define a coverage period for let's say this quarter, beginning of October to the end of the year. And any tickets that are created as part of this audit, I'm going to set them to be due next week. I prepared a CSV with three audit request items here. So I'm going to go ahead and open that.

Frank Macreery (40:29):

You can import a different CSV from your auditor, and then I'm going to go ahead and create that audit. Cool. So now it's showing up here and we can click into the audit to drill down into the requirements and start answering them. Hopefully for the holidays, you get audit request lists that are this simple. I know this is probably a little shorter than most of the audit requests lists that you get. But for the demo purposes this is about all we could fit in. So you can imagine this being a much longer request list, but ultimately Comply is trying to help you answer all of these extensive questions as quickly as possible.

Frank Macreery (41:14):

So the first request item that we've got here is to provide evidence that backups are taken for in-scope production databases. I'm going to go ahead and click in here, and I'm going to select to add evidence items to this request. So here I can choose individual evidence items that were logged. So this includes both manual and automated evidence. So I go ahead and click yes. And I'm going to select all items for the data backups on evidence item. And there's one here from that one in scope database. So I go ahead and click that I can click and drill in and see the details, view the adjacent payload. But for now, I'm going to go ahead and call this request completed and say, we've got some evidence here of our one in scope production database.

Frank Macreery (42:08):

Cool. So going back to the request list we see that this item is now completed. We've got one of three requests items completed, and we're going to move on to the next request item. So this one's asking us to provide evidence that access reviews have been conducted for production systems. So here I'm going to choose a different way to add evidence to the request. I'm going to go in and I'm going to pick our access management control, because what that's going to do is it's going to include the text of the control. So the actual policy of that access management control and filter down any evidence that we've collected, including the tickets that we've completed for access management. So I go ahead and click here on controls, click access management policy. And I'm going to add this one control and I'm going to go ahead and complete this item in the request list. Cool.

Frank Macreery (43:13):

Now we've got two of three items completed. For the third, I wanted to show an example of something that I'm sure you all face, which is even when you've got all of this automation in place, sometimes you still need to collect evidence manually, and there's not a much better way to do it. And so this third request list item is asking for an up-to-date system network diagram. So Comply can help with this too, even when it's a manual request. So here, what we're going to do is I'm going to add an evidence request here, which allows me to assign a responsibility to one of my team to basically drop the evidence in and add it to this request list. So I'm going to say network diagram, I'm going to sign this one to Frank. The reason why I'm picking Frank is because that's me and I'm set up in Slack and we'll show how easily we can respond to this in Slack.

Frank Macreery (44:05):

I don't think this one requires a review. We could, of course, as I mentioned, integrated with Jira, I'm not going to do that now. I'm going to just go ahead and open this ticket. So this is open and it's going to stay open and I can track the progress here in this request list. But I'm going to go over to Slack and I'm going to scroll down to Aptible Comply demo and, okay, cool. So we've got this new ticket the network diagram, and we can click in to see what's being asked of me, provide evidence of an up-to-date system network diagram. And so what's pretty cool here is I can just reply in thread. I can add text, I can add an attachment. And so what I'm going to do is I'm going to upload a PDF of our latest network diagram. And I'm going to say this is our latest Deploy reference architecture diagram and just hit enter.

Frank Macreery (45:02):

And so the Comply demo bot is going to is going to communicate that this has been uploaded. And if I go back here, I can refresh and we'll see that the item is now added to the request list. I can click through, I can see. Yep. Here's the PDF and I can go ahead and complete the request. And so now if I go back to the audit request list, we'll see that we've got three of three request items, have some evidence. So what I can do now is I can export this. What this is going to do is it's going to send me an email with a zip file that contains all of the pieces of evidence here, along with the original CSV.

Frank Macreery (45:48):

And I can mark the audit complete. The request list zip takes a few minutes to generate, so in the meantime maybe we can go to questions cause that's basically the end to end story of how Comply can help you integrate with AWS among other services to automatically populate an asset inventory, detect issues and collect evidence on a real-time basis, and then allow you to use that, to manage your compliance program and prepare for audits. So thanks for listening. Hopefully this was useful and look forward to questions that you have in the Q and A. Thank you.

Rebecca (46:33):

Great. So one question that came in a few minutes ago — I think this might be from one of our existing customers — is what sort of integrations are in place for Aptible Deploy?

Frank Macreery (46:45):

Yeah, that's a great question. So I see Ben asked that in chat now. The answer is nothing right now, but that is something that's coming very soon coming very soon in Q1. So I should correct that. What we do today is we populate your asset inventory with all of your storage and compute resources from Deploy, but what we're not doing is creating the sort of evidence collection and issue detection that you get with AWS. So for those who aren't familiar with our Deploy product what it does is it basically provides you with a way to deploy web applications and databases in the cloud, and it puts guard rails on those deployments, so that you don't have to think about these security controls. Basically we automate them and make sure that there's no way to work around them.

Frank Macreery (47:39):

And so what we're building in Q1 is we're expanding on the integration between Deploy and Comply so that you have all the evidence from what Deploy is doing that you can use in audit requests or customer questionnaires. We're not going to generate issues from the Deploy portion, because the whole reason for using Deploy is that we're able to make sure that everything is secure and you don't have to think about it, and you just get the evidence of how that security is being enforced.

Rebecca (48:16):

Great. Thanks. Another question came through is: "What is our pricing model and how can it differ from one org to another?"

Frank Macreery (48:26):

Yeah, that's a great question. So we have pretty flexible pricing and fundamentally the things that we vary pricing on is the kind of the number of frameworks or the number of audits that you're targeting, the size of the workforce that you're managing through governance procedures like access reviews and the kind of breadth of different integrations that you need to support. So the number of systems that you need to integrate with, the number of different AWS accounts that you need to integrate with, for example, those are the levers that basically will determine where pricing lands out. And so ultimately we have a pricing plan that can scale pretty well as your team and your compliance program grows, but those are the main levers.

Rebecca (49:18):

Great, thanks. And definitely if you go to aptible.com, there is a button in the top right, where you can request a demo as well. So you can schedule a time with one of our salespeople, and we'll be happy to walk you through what the pricing options are. You can also reach us at salesataptible.com as well. I haven't seen any other questions, and if folks have any other questions feel free to type them into the Q and A box or into the chat now while we've got a few minutes left. Oh, we've got one more question. "How long does it take on average to get the tool up and running?"

Frank Macreery (49:55):

Pretty quick. So I mean, the prep I did before this call was five minutes of setup, just so that you didn't have to see me creating an account, selecting frameworks and approving the initial set of controls. That's the only thing that I did before this. So everything else is just what you saw. So you can get up and running very quickly. Maybe the more meaningful question is how quickly can you implement a compliance program and get to audit readiness using Comply? And there we say that we bring it down from months to days or weeks. And so it's not instantaneous, there's some work required, but we can shave off a ton of the time. I know we have some quotes about the actual time savings. I don't remember the hours or percentages. I'm not sure Rebecca, if you happen to know those off hand.

Rebecca (50:51):

Actually we did just publish a case study with Data Republic where they chopped their kind of audit preparation time in half. So they were ISO 27,001 audit ready in just a matter of a couple of weeks. So we're seeing that kind of statistic across the board actually is people saving like weeks off of their audit preparation and slicing their time substantially. All right. I don't see any more Q and A coming through, but I will be sending an email out before end of day today, Pacific time with a link to the webinar, as well as some additional resources. We did just announce this AWS integration and we have a blog post as well, so you'll find more information in that email and you can feel free to respond to me if you do have any questions that come up and I'll put you in touch with the right individuals.

Rebecca (51:51):

Really appreciate everyone taking the time today. And thank you, Sherry. Thank you, Frank so much for leading the presentation and just giving some great content and a really great demo, and we will be in touch. We'll be having our next webinar in 2021. So I hope everyone has a great rest of 2020, and we'll see you on the better side.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form. Please try again.