Powering GRC through integrations & automation

How to use integrations to simplify & automate compliance management

February 23, 2021 8:00 AM

Compliance management becomes more complex by the day as your company grows. Adding new vendors, onboarding/offboarding more employees, adding additional compliance frameworks, and building new products all add new challenges to your security and compliance programs. Solving the problem of complex compliance management requires a GRC platform that can automate and streamline the work that is being piled onto compliance managers. 

B2B SaaS companies have unique requirements that many existing GRC tools do not take into account. It’s critical to ensure that your compliance software helps simplify and automate the compliance process by integrating with other SaaS tools, as well as integrating the functionality within the tool to create a single source of truth with a unified data model.

Join us Tuesday, February 23rd at 8 am PT where we’ll discuss what an integrated GRC platform looks like, and how you can use it to power your compliance program.

Presented by

Jeff Lesser
Product Marketing
Chris Gomes
Product Management


Jeff Lesser (00:00):

Today we're going to talk about powering GRC through integrations and automations. One of the things that I really love about Comply and the way that Chris and the product team has architected the tool is it has two different types of integrations that we like to think about. One is these internal integrations that make Comply a very powerful single source of truth, so that controls are mapped to evidence and that's mapped into your audits and it makes everything super simple to manage.

Jeff Lesser (00:27):

Then the other types of integrations that we have are external integrations with SaaS systems that power automations and other things that not just simplify compliance management, but ultimately automate it and remove the manual work from a compliance management. We're going to talk about those two forms today. Just quick introductions. I'm Jeff Lesser. I'm the lead product marketer here at Aptible. One of the things that drew me to Aptible and why I'm super excited to chat with you all today is building a complex technical product in the legacy industry.

Jeff Lesser (00:58):

I think there's a lot of interesting ways for innovation in the compliance industry. I'm excited to see where Aptible and Chris in the product team has taken Comply. Chris, do you want to introduce yourself?

Chris (01:09):

Sure thing. I'm Chris. I'm a product manager here at Aptible. I've been at Aptible for two years. I see some familiar names among the attendees, and really excited to be cohosting today's webinar.

Jeff Lesser (01:22):

Awesome. Thanks, Chris. Quick agenda overview. We'll talk a little bit about the compliance challenge and how it's difficult to manage compliance across many different tools. We'll get into a little bit about this concept of an all-in-one compliance platform. Chris will show you a demo of how those internal integrations within Comply work. Then we'll talk a bit about the SaaS integrations and automations that we've built into Comply. Chris will show you a little bit about how those integrations work. Then we'll have that Q&A session at the end. Let's dig in.

Jeff Lesser (01:56):

One of the things that's interesting about compliance is, this day and age, it's more important than ever, but it's also more difficult than ever. Compliance requires that you manage your vendors and your vendor risk. It requires that you have all of the configurations amongst your cloud infrastructure set correctly. It requires that you do user access reviews on a regular basis. It requires all of these things. Those requirements are made more difficult because data is everywhere.

Jeff Lesser (02:26):

You're relying on this ever growing stack of SaaS vendors, which complicates the work that you need to do. The work that you need to do has typically been very manual, whether you're doing user access reviews or checking for two factor authentication. It's usually the logging into some system, getting a screenshot, and doing something manually. Then the last thing that makes it super difficult is this lack of control. You're not necessarily in control of what services your marketing team and your engineering team adopts. They're adopting those at an increasing pace.

Jeff Lesser (02:56):

As a compliance manager, you're just scrambling to keep up with what everyone in your company is doing. It makes it super hard to manage. You've got this tension and this decision to make. Do you focus on security and make it difficult for your company to procure these new tools and services? Or do you make it easier to procure these new tools and services and allow your company to grow, but have more difficult compliance management? We think that that's a false dichotomy. You can actually do both. We'll talk a bit about that.

Jeff Lesser (03:27):

Coalfire, the auditor released this interesting report and there was this element in it that talked about how half of companies are using four or more often redundant tools. We've seen this a lot with companies that we've talked to who have adopted Comply. Before they use Comply, they came to us and they're like, "We use spreadsheets and we use Wikis and we use Jira. We have some rudimentary GRC tool that we use, but mostly we manage it over email. Then we just throw everything into a Google Drive folder and try and organize it."

Jeff Lesser (04:02):

It doesn't always work as seamlessly as it should. When I think of how these compliance managers have set up their systems, it's a little bit like MacGyver here, where you've got the soccer ball and the olive oil and newspaper, you've got the wire and the cotton balls, and you're putting it all together here to create some balloon that you're sending off to your auditor. Not everyone is as clever as MacGyver. In the compliance industry, it seems like everyone is trying to be and trying to put some system together that helps them.

Jeff Lesser (04:41):

They've got their spreadsheets, which is the soccer ball and the newspaper is their Jira ticketing system. The reporting tools that they're using are the olive oil that they've used that put it together. Collaboration tools are the cotton balls. The wiki is the wire that they're using. Then ultimately, that match that's sparking everything to make it work for them is the email system. It all results in this package of screenshots, this beautiful balloon that they're sending off to their auditor.

Jeff Lesser (05:14):

Managing compliance across all of these different solutions when you're trying to just put it into a spreadsheet or multiple spreadsheets and manage it through cloud services is just managing chaos ultimately. When the compliance manager finally gets to that point in the middle of their audit, where they're getting responses back from the auditor, telling them, hey, you need to go fix this and I didn't get enough of this and I need more of that, it's like, no, no, that's fine. Using all of these different tools cobbled together, MacGyver together, is totally working for us.

Jeff Lesser (05:47):

Ultimately, we think that there's definitely a better way, instead of using all of these different point solutions and trying to follow these multiple lines from where you're starting to get to your audit and be successful in achieving compliance. Ultimately, if you've got this platform where everything is integrated together and everything's woven together, doing compliance becomes seamless. Managing compliance becomes this thing. Where instead of right before your audit time, you're scrambling to put everything together.

Jeff Lesser (06:16):

You've been managing compliance throughout the year. It's been happening continuously. You're just basically sending off the results of your work instead of scrambling to do the work. I want to turn it over to Chris to give a demo of how those integrations within Comply make it easy to do compliance.

Chris (06:37):

Awesome. Thank you, Jeff. I love those gifts. I feel like we also need to gift where someone's reading some ancient tablet written in Babylonian, where they're trying to decode what is the auditor actually asking for. Like, what? It could have be this, it could have be that. What did we give them last year? We know it worked. That's the only gift that I feel like we could have added there. Yeah, very resonant. We've seen a lot of that among our customer base. What I'm here to demo is how Aptible provides internal consistency.

Chris (07:15):

Think of that diagram that Jeff showed, where it had assets and reports and your GRC and evidence. That one right there, all tied together, internally consistent with one another, so that everything you're doing is making it that much easier to then find that later when you are in the context of an audit, when you do get that question from a customer about your encryption program, when you are running your risk management, and you need views into your security projects, and everything like that. It's all in one place.

Chris (07:47):

It's all saving you time and helping you implement a robust security program in the long run. Let me go ahead and share my screen here. Do do do. Okay, here we go. What you're looking at here is the control index of Aptible Comply. I like to start here, because this really provides ... This is the view into the central clearinghouse of everything that's happening within Comply and how we help you stay organized, stay on top of your compliance requirements and your compliance operations.

Chris (08:24):

The way that this works is, what you're seeing here is a list of all the controls that are in this example environment. Those controls, one of the primary ways that we provide internal consistency is by cross mapping your internal controls to your frameworks and their associated requirements. In one place, you can immediately see, hey, how does the algorithm requirements for PCI? How does that relate to different requirements of other frameworks, access reviews that we're conducting for FedRAMP? How far does that get us in terms of ISO or SOC 2?

Chris (09:06):

I know we're doing this over here. How does it help me do that over there? One of the first places that we help customers develop that sense of internal consistency is by giving them this cross map view of everything that's going on in their program across all the different frameworks and requirements that they care about. Every customer is a little bit different in terms of how they document their compliance program through a mixture of policies, procedures, control statements.

Chris (09:37):

We give customers the flexibility to keep that all in one place and all, again, internally consistent. You're going to hear me say that a lot, and you'll probably get sick of hearing me say that. As an example, if we look at access authorizations here, in this environment, we're showing a pithy statement that summarizes the control and it's mapped enter into a human resources security policy, which provides more detail about the onboarding, training requirements, training schedules, a little bit of pre-employment here.

Chris (10:10):

This policy may be implemented or supported by several discrete controls. As you're seeing here, everything in Comply is cross mapped to all of the framework requirements that you care about. This particular environment is fully loaded with all the various frameworks we support. If you only cared about ISO and SOC 2 to begin with, then you would just be seeing the requirements for those two frameworks. What you're seeing up top here, the evidence performance graph is a view of the evidence that we've collected in Comply across all of these different control statements over a period of time.

Chris (10:51):

Right now, it's filtered to last month. If we just looked at, say, the last week of evidence, it would look a little bit different. If we looked at the last quarter, we could see a different timeline. You're also seeing that evidence on a control by control basis as we look down this table, so that you can rest assured that each of these controls is not just dead text on paper. Rather, in a given period of time in, say, the last month, I know we can provide evidence of this, I know we've collected evidence of this, and it is stored here. If it's green, it's good. If it's yellow, it's not so good.

Chris (11:31):

If it's red, it's really bad. We'll talk about the different conditions on evidence later. The key takeaway here is that all the documentation of your compliance program lives in one place, cross mapped to your different frameworks and their requirements and the policies and procedures that actually implement them and the evidence that can attest to how effective those controls are performing. Let's dig a little bit into one of these controls. Again, the whole theme here is the internal consistency.

Chris (12:03):

I'm not going to talk too much about the integrations that actually provide evidence programmatically and pull in that evidence from your environment. I'm going to talk about that in a second demo as part of this webinar. Right now, I'm just going to talk about what you're able to do with Comply without even setting up a single integration. If you want to just set up Comply and not plugging into anything, you still get all of the benefit of this internal consistency. That's what I'm focusing on here. I'll dive into one particular control. Let's check out, say, code reviews.

Chris (12:38):

What you're seeing here, I just filtered it down to that particular control, everything updated to show me just the evidence that was relevant for this control for the given period of time. Let's jump into this detailed view of the control. What you're seeing here is basically the heads up display for this particular control. Everything you could possibly want to know about this control in one place, nicely set like a dining room table. You have up top here the control and the statement itself.

Chris (13:12):

Then you have that same evidence performance graph, again, filtered to just the evidence that's relevant for this control over a particular period of time. Then you get into all of the fun modules that Jeff was referring to that actually allow you to operate your program in a way that can scale and keep everything mapped to one another, as opposed to doing this in 10 different systems. What you're seeing here is automations first. We'll talk a little bit more about this in the second demo, since automations here, this is an example of an integration into your source code versioning control tool.

Chris (13:49):

That's an example of an external integration. I can see here, if you have any automations that are programmatically enforcing this control and monitoring it, then what you're seeing here is manual evidence. This is good old fashioned screenshots. If you need to upload a screenshot and supported this control, you can do so right here and keep it mapped to this control. There's, in fact, numerous places where you can upload evidence, send to Comply, when and where you need it, for example, in the context of an audit.

Chris (14:18):

It's all getting tied back to these controls, so that you can always answer the question, how are we doing on this control over a period of time? That's where the manual evidence would get logged. Then there are procedures. Procedures, everyone's familiar with policies and procedures, procedures of the how, how do we actually go about doing this? If there's some manual or administrative step that's required, let's say it's more than just a technical control or even the maintenance of our technical controls. Let's get into the brass tacks of how that happens.

Chris (14:48):

Well, I can see here that this particular control is implemented by a procedure here. In this case, this example, this control states that all substantive changes source code for in scope applications must be reviewed before merging and deployed to production. Maintainers were specified on a per repository basis. Each repositories documentation may approve changes and change approvals must be documented. That's the control. Easier said than done. How do you actually put rubber to the road and do this?

Chris (15:19):

Well, one of the aspects of this control is that there are maintainers for each repository that are documented for that repository who can make these change approvals. This particular control, one of the procedures that implements it is a procedure about reviewing those code repository maintainers on a regular basis. What you're seeing here, I'll zoom in a little bit, is the actual logic that's taking this dead text on paper and making it work for you. Again, all internally to the system of Comply.

Chris (15:55):

This procedure is going to kick off quarterly or anytime you activate a new code repo. What does this procedure actually entail? Well, it's pretty straightforward. It's just, hey, every quarter, we need to review that list of maintainers who is eligible to approve merge requests or pull requests for security vulnerabilities. We lay out the steps here. In order to make sure that this procedure actually comes to life and works for you, it's not just dead text on paper, it's going to kick off on a schedule. It's going to automatically create tickets for you in Comply.

Chris (16:34):

Again, the logic for this one is every quarter, we're going to trigger one ticket for each code repo reminding you to review those code repository maintainers. I cheated a little bit here, because you can see that this is integrated into Jira. This is another example of one of those external integrations, which we'll talk about more in the second demo. Not every customer likes to rely on the internal ticket module within Comply. They say to us, hey, we've already got our engineering team using Jira.

Chris (17:09):

It's not exactly an easy step to get them to change the environment in which they are organizing their backlog, their to-dos. No problem. That's where the Jira integration comes in. That same procedure that we were just talking about, reviewing the code repository maintainers, that logic, it can kick off within Comply, but actually push the ticket to Jira. This is just a read only copy of the data we're getting back from Jira. This ticket is actually being worked on in Jira itself, not hearing Comply.

Chris (17:40):

Any attachments that are uploaded to the ticket in Jira will propagate back here to Comply. Certainly, the status of that ticket in Jira will stay in sync here with Comply. I'm getting a little bit ahead of myself to that external consistency. Internally, what you can see here, again, coming back to this heads up display, this central control plane is everything that's relevant for this code review, control. Continuing straight down the list, the next thing that we see here are risks. What risks are mitigated by this control? Why does this control exist?

Chris (18:19):

Everyone who's been through an ISO 27001 audit knows that this is really the starting place of any strong security program. Identify the risks to your organization, and then come up with the plan that is appropriate for those risks. Which of the Annex A controls are justified and relevant for you? Well, it depends on the context of your environment. What you're seeing here is how this particular control, you can keep track of what risks does it mitigate. In this case, what we're seeing here is a summary of, hey, there's a risk that we introduce a vulnerability into our source code.

Chris (18:54):

What you're seeing here is that the adjusted risk level is low. That's because you've implemented this control and you know that is operating effectively. Therefore, this residual risk amount has been reduced from some high amount to some low amount. If I go ahead and click into this, what you can see here is a similar control panel for that risk. Let me hop into the risk register itself, so you can see all the risks in this organization. Here's that first one. We introduce a vulnerability into our source code. I'm going to reset my view.

Chris (19:27):

What you can see here is that the original likelihood was likely and the impact was significant. That original risk value was high. However, we mitigated that risk by mapping it to a particular control. We can see the evidence performance of that control, so we know how well that control is working. That's how we get this adjusted likelihood an impact and adjusted risk value of low for this particular risk. With a single click, I can hop right back to that control that I was just looking at of code reviews.

Chris (19:55):

This is a real nifty feature because you will be navigating between different objects to the compliance program. You're going to be thinking about risks. You're going to be thinking about controls and policies. You're going to need to navigate through those things gracefully in the context of one of those hair on fire MacGyver style audits that we saw earlier in the presentation. The last thing that's listed here is then your audits. This is telling you that, hey, an auditor has tested this control in a previous audit.

Chris (20:26):

You can see here that we had an ISO internal audit where we were collecting evidence on a particular three months' timeframe. This control ended up getting mapped to that audit request list. What does that mean? That's a bunch of Comply mumbo jumbo. Let me dive into the audit module to show you how this works in a moment. Long story short, what this means is, you were able to quickly grab the evidence from this control and provide it to that audit request list item and satisfy that request for an auditor. It is here forever to tell that story.

Chris (20:59):

Next year, when you need to figure out, hey, the auditor is asking us for some evidence around change management, what did we show them last year? This is how you create that internal consistency over time. You can go back and find what you provided your auditor in previous successful audits. I'll dive into the audit module next, because the audit module is how you take all of this work that you're doing over the course of the year and you get credit for it with your auditor when it matters.

Chris (21:27):

Before I dive into that though, let me just comment on a few other things that you're seeing here and that demonstrate the internal consistency of Comply. As mentioned before, every control, every policy, every procedure is cross mapped to your frameworks and the requirements that are relevant within those frameworks. Your statement, the actual control statement is here as well as any other documentation that's mapped to this control. All of this is editable in a really simple markdown editor.

Chris (21:55):

If you wanted to jump in here and add a little supporting information, you can do so in a really nice markdown editor. Think about all those tools that Jeff was referring to, that customers tend to rely on when it comes to documenting their controls. This can keep all of that in one place. No more Confluence. No more Wiki. Keep all of your control documentation, your policies, and your procedures in one place in a really simple intuitive interface. Furthermore, think about approvals.

Chris (22:30):

There's a maintenance policy itself about how we actually keep these controls and policies up to date. That's what you're seeing up here with this approve button. You can actually version control every change that you make your documentation in Comply. Think about deprecating that spreadsheet, that version control log that is really hard to keep up with your actual documentation. All of that is just, forget about it, it's taken care of for you in Comply using this approval workflow module. I'm going to dive now into the audit section. That was the controls.

Chris (23:05):

Hopefully, it's clear how, in your GRC tab in the control index, everything that I just described is a benefit that you get across all of your controls. Every one of these framework requirements, when you need to understand what are we doing for it, how are we doing, who's the owner, all of that is centralized in one place, because all these modules tie together nicely. Hopping over to audits. Like I said, audits is where the rubber meets the road. You get credit for all of this at the end of a given cycle. Let's hop into that ISO internal audit that I was referring to earlier.

Chris (23:39):

What you're seeing here is a list of all of the requests that our auditor has made of us during this audit. There's many ways to get these requests in Comply. Some auditors work directly in Comply and upload the request list, which is real nice. If you need to upload a request list yourself, we can ingest the CSV really easily. You can download that from your auditor's portal and just throw it here in Comply, so that you're actually able to then quarterback the audit here in Comply.

Chris (24:09):

If I filter down to incomplete requests, I can see what are the audit requests that are still work in progress. Or I could see, hey, what are the ones that are done and off my plate really easily with the click of a button. The other nice thing that you're seeing here is that this audit has a coverage period. There's a period of time over which we're trying to collect relevant evidence. Think about the coverage period for, say, a SOC 2 type two audit. This is not just for internal tracking purposes.

Chris (24:40):

This is actually scoping the evidence that Comply suggests for you based on the relevant period of time. Again, it's all about that internal consistency. Every time you upload evidence to Comply, it's being time stamped and it's being associated with a control and a point in time. By specifying the timeframe of this audit, Comply can make smart suggestions about what evidence is relevant for a particular requirement. Let's show what that looks like. I'm going to hop into one of these requests here.

Chris (25:12):

I'm going to mark this as incomplete, just so I can continue working on this particular request. What you're seeing here when I did that is every change to the status of this request is logged. You're seeing comments on the right here. Again, it's all about that internal consistency. No need to run this in 10 different tools, because it's all being run in one place and everything is borrowing from everything else in Aptible. What you're seeing here is that for this particular audit request, evidence of effective change management for in scope, code repositories, I've mapped a couple things.

Chris (25:47):

I've mapped a policy itself to this control. Let me show you how easy it is to do that, if I go ahead and clear that out. All I needed to do in order to map that policy was add something to this request. If I click this button, that's going to show me all the options and take a look at this. These are all objects that live in Comply, and that you are already collecting on an ongoing basis. The one exception when you do need to go chase down some colleagues and gather evidence from colleagues is evidence requests. We will talk about this in the second demo.

Chris (26:21):

Controls, policies, automation sequences, evidence items, all of this is in Comply already. Let's say we wanted to add the policy associated with our SDLC. I can go ahead and jump into policies here. What I'm seeing now is all the policies that are in my program. Guess what? Because they're all cross mapped to different frameworks and requirements, if I know, hey, I know what this is testing, this is testing A.14, I can just go ahead and narrow down the field. Boom! There's my SDLC policy. I'm going to go ahead and attach that.

Chris (26:56):

Simple as that to take an object that's already in Comply, upload it for this particular evidence request. The other thing you're seeing here is that I've mapped some specific evidence to this automation, to this evidence request from the auditor. The evidence that I've mapped is an automation. What you're seeing here is number of evidence items. There's 11 evidence items that are being associated here. What these 11 evidence items are, as you can see, again, they're scoped to the timeframe.

Chris (27:26):

This is actually evidence of every pull request going through a code review for the given timeframe of this audit. You might remember that that control we were looking at before had something 25 pieces of evidence associated with it. If I go ahead and jump back to the code, reviews control, there's 25 pieces of evidence over the particular timeframe that's being explored here. When I'm in the audit, by setting that audit timeframe of January 1st, 2021 and later, when I'm attaching evidence, it's going to go ahead and just scope it only to the relevant evidence for that time period.

Chris (28:06):

This was evidence that I just uploaded that was already in Comply. As simple as that, I could say, wow, that was easy, and complete the request. What I get, at the end of this, is a request list that is filled out. All of these requests will be complete much faster than if you were to do this in a project management tool, in a spreadsheet, trying to do it with the tools that your auditors give you in their portal. You can complete the audit to knock this one off your to-do list. At any point, of course, you can export all the artifacts of your audit.

Chris (28:41):

I'm just going to show what this export looks like. Then I'm going to hand it back to Jeff in a minute, so that we can talk about the ways that Comply integrates with external tools, so that it can really superpower everything that you're doing in the system. Here we go. I downloaded the file. I just went off screen share because I don't want you all to see how ugly my inbox is. If I jumped to this file right here, this is the email that I got from Comply. I just downloaded this zip file right here. Here it is, boom! Hopefully, you all can see this.

Chris (29:21):

I'm not just screen sharing the email. There's every request from that audit organized with the request ID of the particular auditor's request. If I jump into one of these, look at that, I see the policy. I see the actual pieces of evidence from every discrete pull request itself right there. Take that, hand it off to your auditor, ship it to their portal, and you've just saved an enormous amount of time in the audit. Thanks to Comply's internal consistency. That was a long demo. I'm going to keep the next one a little bit shorter. Hope I didn't lose a bunch of people there. Jeff, I'll hand it back to you for teeing up the next demo of how Comply can integrate with your external systems to save you even more time.

Jeff Lesser (30:08):

Thanks, Chris. I think I lost my webinar sheet here. Give me 10 seconds to find it again. Here we go. Let's do the screen share. I think I see what happened. Let's try. Let me try something. Cool. We'll present this. Cool. Now, Chris is showing you how you can basically take Comply and get the single source of truth out of it. Instead of using multiple different tools, everything's unified into this data model within Comply. I remember when we improved our control page and it became the single pane of glass where you could see everything that was important to that control, it really blew my mind about how much easier it made managing compliance.

Jeff Lesser (30:57):

The other thing that really makes managing compliance a lot easier is the automations that we built into Comply. Not only is Comply internally connected to each other, all the different entities and objects that exist, but Comply pulls in evidence, pulls in assets, pulls in information from outside tools to automate a lot of those manual efforts that you go through yearlong, however long cycle of compliance. Wanted to quickly chat about some of the different ways that the automations make an impact on simplifying compliance. This is a report that was done by SalePoint.

Jeff Lesser (31:34):

It's talking about infrastructure as a service specifically, but I think it's an awesome example where it shows that 91% of companies are performing manual steps when they go to do user access reports for their infrastructures and service their cloud infrastructure services. Nearly every company is struggling with manual evidence collection in some way. When we think about PVD SaaS and how everything's moving towards being cloud-based infrastructure, every company, 91% of companies is manually managing compliance for those surfaces.

Jeff Lesser (32:10):

This is one area where Comply has really focused in terms of automations and integrations with external tools. We've got a really robust AWS integration. We've got a really powerful user access review functionality that automates a lot of the manual work and user access reviews away. These 91% of companies that are still doing this manually could benefit a lot from Comply. When you think about automations more generally, more broadly, Coalfire and that same report where they were talking about 50% or more of companies are using for more tools, talks about how compliance automation is something that more and more companies are making a priority.

Jeff Lesser (32:52):

62% of companies view automated evidence as a strategy to minimize the impact of compliance or minimize the burden of compliance, is probably another way to say it. When they talk about compliance automation in there, they talk about the evidence collection that compliance requires and how that can be automated away. They talk about continuous monitoring and control monitoring that isn't, like I said earlier, right before the audit, scrambling to put everything together hair on fire.

Jeff Lesser (33:22):

It's as the year goes on, when something is identified as being a challenge or being a problem, your system detects it, surfaces it, and makes it easy to remediate. You're not nine months later trying to explain to an auditor why there's this issue that you haven't fixed for nine months. It really focuses a lot on these continuous integration and continuous delivery controls as a means to use security to prove compliance or rather compliance prove security. Strong security is the foundation of compliance.

Jeff Lesser (34:00):

Doing automation on continuous integration and continuous delivery helps ensure that you are managing good security throughout the year. We always talk about how Comply is powered by these integrations. The automations are a result of these integrations with external tools. We connect with AWS. We connect with your code repos, like having GitLab. We connect with your source of people, whether that's Okta or JumpCloud or G Suite. Your devices, they might be in Jamf, managed in Jamf or JumpCloud or other services.

Jeff Lesser (34:36):

We connect with all these tools, and then bring in the assets into your asset inventory, so that you always have this up-to-date running asset inventory. We bring in the evidence into the evidence management modules so that you're automatically testing every single code PR, like Chris was talking about, that's happening in GitHub or GitLab. When we think about what this continuous monitoring and continuous automations functionality is within Comply, it's pulling in those assets and making sure that it's always up to date.

Jeff Lesser (35:08):

Anytime a new employee is added, anytime an employee is off boarded, that that's kept up to date and accurate, and tagging it with relevant information from the source. With AWS, for example, we pull in the tags that you've built in AWS and you can scope your automations to only be on certain assets with certain tags. We pull in evidence. For AWS, specifically, we have 22 different automations across four different services. A lot of that is basically collecting evidence that you've got the right configurations, that you've got the right password policies, that you've got 2FA installed encryption, all of those things that really matter towards great security and great compliance.

Jeff Lesser (35:50):

Then I was mentioning briefly earlier, we have automated issue detection and alerting. If, for example, a new storage service is spun up in S3 and it doesn't have the right configs, we will surface that immediately as it happens and give you the ability to see that issue, remediate that issue, and prove that you did that really easily fully automated within Comply. At this point, I'll turn it over to Chris and show you how you can make Comply do more work for you.

Chris (36:26):

Awesome. Thank you, Jeff. Let's pick up the story where we left off earlier. Again, everything that I showed in the first demo, you get all of that without plugging Comply into a damn thing. Now let's talk about how superpower to get when you do start making those connections into those systems that Jeff talked about. As Jeff mentioned, you're going to get asset inventories that are kept up to date with the actual source of truth, including all the tagging and organization that those services provide.

Chris (36:54):

You're going to be able to collect evidence on an ongoing basis and when you need it through integrations with project management tools like slack and Jira. You're going to be able to continuously monitor your compliance requirements, so that you're not catching all of these things in the 11th hour right before your audit, but rather 24/7 365. You're keeping an eye on things and looking out for any issues. I'll start by showing the automations just basically a configuration page. Here we go here. This is just the integrations configuration page.

Chris (37:29):

There's not a lot going on here. I'm just illustrating the different kinds of automations and integrations that we provide. We have integrations that we refer to as asset providers. You can think of these as the real meat and potatoes of where your compliance requirements are expected to be implemented. Then there's ticket management systems, which are going to come in handy anytime you need to kick off a workflow or reach out to a colleague in your organization, requesting evidence or just instantiating a given procedure like, hey, we need to run our annual ISMS review.

Chris (38:08):

Then lastly, we do provide a public API. You can create access tokens to monitor any arbitrary event that you want to send to that API. I'm going to focus primarily on asset providers and ticket management systems in today's demo. As Jeff mentioned, these asset providers, they provide a ton of value in helping ensure that you are always in compliance and ready for your next audit. Let's talk about AWS, for example. What you're seeing here is that through an integration with AWS, we're pulling back service accounts groups, storage assets, and compute assets.

Chris (38:41):

If I jump over to the asset inventory over here and I look at those storage assets, what you're seeing here is basically asset management that is being automatically populated through AWS. What you're seeing here in terms of asset tags are those same key value pairs that you're using in AWS in order to organize your environment. This gives you the compliance director the visibility and governance over what the heck is going on over there and all of our necessary encryption database, host hardening standards being met in our cloud environment.

Chris (39:17):

The asset tags are really nice, because they pull back the tags from AWS. You can also add your own asset tags here. If you knew that this was a resource with customer data, you can just add that tag and you can layer it on top. You can see that that's just distinguished from the AWS tags, insofar as it doesn't have the AWS logo. All of the same great tools that you saw me toying with before are here so that you can keep yourself organized. You can filter by any property here. You can clean this up if there are some things in here that you don't care about.

Chris (39:54):

You don't want to show all these columns, you can rearrange these columns to your heart's content. Let's say I really cared about the engine, I can pull that up and keep an eye on that. All of this is just asset management 101 and, of course, keeping track of who is the owner for these particular assets. Let's see, where is my owner? Keeping track of who is the owner for my assets is a critical requirement of many compliance frameworks. Then for each of these assets, keeping track of things asset and data criticality, business continuity metrics, backup configs, all in one place, and again, made easier through that integration with AWS.

Chris (40:30):

Because it's pulling back those assets for you. Now, let's talk about the fun stuff, which is how do you make sure that your compliance controls are in effect on these various assets. Let's hop back to that control that we were looking at before the code review control. I'm going to go ahead and find that one again. Here it is. As mentioned in the earlier demo, this control is implemented by way of an automation code repo pull request approval. If I hop into that automation, what you're seeing here is basically how this automation is configured.

Chris (41:04):

What I want you to take away from this is this is pretty darn simple as far as an automation system is concerned. Simple, but powerful. It's all in plain English here. If you need to configure anything about it, you can do so, for example, by monitoring for other types of tags that are coming back from GitHub. Then you can control, hey, what happens if a pull request is not approved? Who's it going to be assigned to? Are they going to be notified immediately? Ultimately, of course, what control is all of this storing evidence to on an ongoing basis?

Chris (41:37):

All of that is configurable, even though this automation was an out of the box automation. Meaning along with our other turnkey automations, all these great automations here, just by integrating with one of those vendors that you were seeing before like GitLab or Jamf or AWS or GitHub or Okta. We have written automations for the most common compliance use cases. You don't have to do any heavy lifting there. You can always create your own automations. We support that as well.

Chris (42:06):

We're trying to do the heavy lifting for you by knocking out the 80% of compliance requirements that every framework is going to ask for and which is monitored in a consistent way across these different vendors. What that will do is automatically create evidence. That's what we were looking at before for that code repo control. All of these pieces of evidence were pulled in programmatically from pull requests for GitHub or merge requests for GitLab. You can take a look anytime there's an issue and dive into, hey, here's four pull requests that weren't approved.

Chris (42:42):

What in God's name is going on there? We give a whole module for issue monitoring and remediation, so that you can manage these issues as they come up. If I hop over to my issues panel, here's what it looks in action, here are all those same automations with a timeline of any issues that did arise over time, and who's been assigned to look at that. For my code repo pull request approval, again, you can see it's pulling data from GitHub and GitLab. You can take a look at the different code repos where there was a PR.

Chris (43:16):

If I click into this PR, you can get everything, the commit, the author of the pull request, who merge the pull request. Then you can keep track here of any kind of resolutions to these as you dig into these one by one. The great thing too is sometimes you're going to get false positives in a lot of these vendors out there that sell automations and security and compliance. It's really hard to nail the signal to noise ratio. There's always exceptions. There's always code repos that, hey, temporarily, we're going to allow non-security related pull requests to get merged without review.

Chris (43:54):

No problem. Just create an exception directly in Comply. In doing so, you're taking advantage of our exception management module. It's also going to silence any alerts that are coming from that related automation over time. Here's an example of a few exceptions that are applied to specific automations and that are essentially silencing any alerts relating to specific assets over time. This gives you your ISO exception management in one tidy place, while at the same time making your automations more relevant and helping to fine tune that signal to noise ratio.

Chris (44:30):

The final automation that I want to show comes back to these ticket management automations. We actually saw a sneak preview of the Jira one earlier, when we were looking at that same code repo control. You all going to get sick of me navigating to this particular control if you're not already. As you saw down here, we have a procedure relating to this control, hey, every quarter, we've got to review code repo maintainers. This is an example of a ticket that when it gets created, it's just going to push a ticket to Jira and assign it to the right people to get the job done.

Chris (45:07):

That's an example of one of our ticket management integrations. Another really handy one is in the context of an audit. You remember me referring to one of these evidence requests earlier. Let's say, for argument's sake, your auditor is looking for a list of vendors used for in scope services during the review period. Okay, no problem. I know who runs our vendor management. I'm just going to add an evidence request. It's prepopulated with all the information that my auditor gave me. I might say, hey, that sounds a Ryan thing and I'm not going to review it myself.

Chris (45:46):

I'm going to trust Ryan to do it. I'm going to go ahead and push this ticket to Jira. I'll go ahead and set that particular project that it should be pushed to. The other thing that this will do is, actually, if you're integrated with Slack, just push a Slack message to Ryan. I'm going to go ahead and orchestrate this right now, so I can show you how this works. First, I need to log in here to my Slack and hide all the cat gifts that I send back and forth with different colleagues. Let's see here. Here we go. All right. I'm going to share my screen again. I'm already sharing, aren't I?

Chris (46:42):

Well, there you go. Now you've all seen my cat gifts. If I hop back into Slack here, what you're seeing here is an example of all the different messages that I've received from Comply over time. These are things like, hey, grant access to SaaS systems, but they can also be requests for particular pieces of evidence. What you're seeing here in the thread is that all I need to do is respond in thread. I can include any attachments that I want here and this will automatically close this ticket in Comply.

Chris (47:11):

As part of that audit, as case in point, if I issued an evidence request to one of my colleagues, they don't even have to log in to Comply, they just get a Slack message. Oh, I see, I need to provide a list of our vendors, no problem, grab that, throw it into Slack, hit done. That will automatically upload that evidence into Comply, mapping it back to that original audit request from your auditor. Those ticket management integrations are a nice complement to our asset integrations. Not everything can be provided evidence of programmatically.

Chris (47:45):

For those that you can't, we're going to make it really darn easy for you to go out there and gather that evidence through Jira, through Slack, even an email integration. You can just email your colleagues and they can respond to that email with the evidence and that will automatically provide evidence back to that same audit request. It's through those external integrations that Comply becomes really super powered. Through the benefit of the internal consistency, that it's easy to find everything that you're doing and tie it back to your controls, your risks, and your audit requests, saving you time in your audit cycle, and helping you be the compliance hero that your company needs and grow your business through compliance and a robust security program.

Jeff Lesser (48:27):

Chris, we skipped over one of my favorite pieces of compliance automation, and I'm wondering if we've got a good environment that we could show it in. It's when AWS issues can be automatically remediated when they're fixed at the source. I'm wondering if you could pull that up. I'll quickly describe what it is. Essentially, what Chris was showing in GitHub and GitLab with the code merge requests when there's an issue, you select them, and then you click resolve. That's how that it's been resolved. Different issues are resolved in different ways.

Jeff Lesser (49:01):

With AWS, when an issue is identified, the way to resolve it is go back to AWS and fix it at the source. Rather than coming in here and just selecting it and being like, okay, yeah, I fixed it, all you have to do is click the resync button and Comply checks that everything is good. If everything is good, if everything's been fixed, that automatically moves this issue from the unresolved state to the resolved state. I don't know that we can show that transition, but this is my favorite thing where it's like, not only does Comply automatically find these challenges for you that are going to be problems when audit time comes around, it automatically makes it resolved once you've fixed it.

Chris (49:40):

Yeah, that's a great point, Jeff. If we had more time, I would just jump into the AWS environment and resolve one of these issues, but that's going to reveal just how clumsy I am in AWS. For example, this is checking that audit logging is enabled on relevant S3 buckets. Let's say I've gone ahead and scoped this automation to only the assets for which it's relevant. I didn't show that either. Now I'm just getting greedy. Basically, in this audit logging configuration, I've scoped it to just these two assets matching this particular tag.

Chris (50:14):

That's why that tag is so important to pull back from AWS, because that's most likely where you're keeping everything organized. You're saying, all right, I just care about buckets within this sandbox environment. Then when you are running that issue by resyncing it, it's just going to go ahead and check that for you. This will automatically resolve in instances after you've configured audit logging in the correct way on that bucket.

Jeff Lesser (50:40):

Awesome. Thanks for taking that detour with me and showing that. That's one of my favorite features that you've built. We did get one question as the webinar was progressing. I wanted to make sure that we answered it. The question is, who does the cross mapping of policies to Aptible? In creating that single source of truth where policies are cross mapped across frameworks, who's responsible for that? How does that happen?

Chris (51:06):

Yeah, thank you for asking that question, Frank. I threw an answer in the chat earlier, just to make sure that in case Frank had to go or something before the end here. The answer to that question is we maintain a cross mapping out of the box of all the frameworks that we support. When we say we support a framework, by Golly, we support the framework. That means we understand the framework. Our team of internal subject matter experts understand where frameworks overlap.

Chris (51:34):

They know that annex control a dot yada, yada yada cross maps to SOC 2, CC six point whatever it might be to FedRAMP, moderate to PCI. We maintain that cross mapping of the various requirements of these frameworks. We have template policies, controls, and procedures. If you're looking for those templates, they come out of the box as well. However, if you want to load your own policies, controls, and procedures into Aptible, then what we do is we just load them in for you.

Chris (52:04):

That same team of subject matter experts just takes them, puts them into Aptible, and essentially replaces our out of the box controls policies and procedures with yours. That is how you maintain that cross mapping of the various requirements of those frameworks to your documentation. That was a long answer. The short answer is, we maintain those cross mappings out of the box. If there's any manual work that's required to cross map it to your own documents, we provide subject matter experts who help in that process.

Jeff Lesser (52:37):

Yeah. I think you did a good job of showing as time goes on, policies may change, they may evolve. It's easy to edit them and modify how policies are cross mapped in the tool on your own. Comply, our support team is always here to help for sure. It's super simple to just go and change it yourself, which I love. Cool. I don't think we have any other questions in the Q&A. We'll just wrap things up here. Chris, thank you so much for showing off those awesome demos. You're the demo master. Thanks, everyone, for joining us and for watching and sticking around to the end. We will be sending this out recorded to those who registered, so expect that later today.

Chris (53:20):

Thank you, Jeff. Thanks, everyone. Thanks, Rebecca.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form. Please try again.