Yesterday, Obsidian announced the next generation of our SaaS Security Posture Management (SSPM) solution, which delivers greater customizability, extended breadth to improve the security posture across all applications in a customer's ecosystem (not just core SaaS applications), and the ability to secure third-party SaaS integrations.
I’ll let my team talk about the details of these products over the course of this week. Individually, and together, these products are pushing the limits of what’s possible in the SaaS security space—a space, in my opinion, that has been underinvested for the last decade or so.
But SaaS security is only part of the equation that needs to be solved.
The other part is something relatively unsexy, yet foundationally important to most organizations, especially financial institutions, insurance companies, and those in healthcare: regulatory compliance.
Application deployment today is also more distributed than it has ever been. As organizations continue to increase their reliance on cloud technologies, moving away from on-premises data centers to hybrid and cloud-based workloads utilizing IaaS, the IT compute and application layer has become increasingly decentralized. Today, more than ever, organizations have workloads deployed in IaaS and SaaS environments. This “cloud first” strategy is a great thing, but has had the unintended consequence of distributed ownership across the enterprise. Applications are deployed with relative ease by HR, IT, security teams, and even employees.
Many compliance programs today are manual in nature requiring analysts to pore through settings and alerts across a variety of SaaS applications to assess whether they require investigation. In fact, the security leader of a leading national retailer, a customer of Obsidian, told us his team was spending up to 40% of their time per month reviewing and following up on alerts before using our product.
Often today, compliance workflows have many layers, drawing on employees in different departments. Here is one example:
It doesn’t exactly flow like water, does it?
What’s lacking is a translation layer between the folks who identify compliance violations and those who have the power to fix them.
Whether it is the National Cybersecurity Strategy, which calls for, in some sectors, “new authorities” to set regulations that can drive better cybersecurity practices at scale, Gramm-Leach-Bliley Act (GLBA) updates, or new state privacy laws, there are lots of new requirements coming down the pike. Many have implications for SaaS security.
Here are three examples:
Organizations in regulated industries must be agile in the face of regulatory chaos and surging SaaS threats. Adapting SSPM strategies for this new era requires adopting automation, embracing collaboration to bring more stakeholders into the regulatory compliance process, and continuously strengthening controls and policies, all while dealing with economic and competitive pressures. It is no easy task.
Obsidian views the future of SSPM as being able to help customers solve these challenges particularly via automation, collaboration, and by enabling continuous SaaS compliance. Let’s take a look at these three core features:
Continuous monitoring vs spot checks
It is time to end manual compliance monitoring. Automation offers a ton of benefits that its manual counterpart cannot. In fact, the essence of automated monitoring is eyes always watching for SaaS compliance violations without the need for sleep, food, or vacation days. Manual monitoring by staff cannot compete.
Manual monitoring may be good for static items. SaaS is dynamic. Users, admins, their privileges, and activity are constantly changing. Compliance monitoring needs to be able to keep up.
Single source of truth
Automation is good for more than just monitoring. An automated compliance tool hosted on a SaaS platform negates the need for a maze of separate spreadsheets and instead offers a single interface that allows all employees to work off the same playbook.
An organization’s collection of technical controls typically comes from three sources: independent frameworks or regulations such as NIST, SOC 2, and HIPAA; custom controls; and other recommended controls. The total number of controls and policies can add up and become unwieldy, especially when a single control applies to multiple standards.
We believe the smartest approach for organizations is to throw all of their controls into a single pot with a single interface. This simplifies management and helps avoid duplication of effort. If a new compliance requirement gets enacted that has 20 mandatory controls, for example, rather than start from scratch to input all 20 into the platform, a user would only have to input unique controls that do not currently exist in the system.
Finally, a compliance tool is only as good as how up-to-date it is with the latest best practices and standards. Automation should make it easy to update with new recommendations and then have them monitored globally.
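The "single pot" idea above, as an added example that is not Obsidian's code: a shared control catalog stores each technical control once, tags it with every framework it satisfies, and evaluates it once against a tenant's settings so one misconfiguration surfaces under every standard it breaks. The framework names, control IDs, checks, and tenant settings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Control:
    control_id: str
    description: str
    check: Callable[[dict], bool]   # True when the tenant setting is compliant
    frameworks: set = field(default_factory=set)

class ControlCatalog:
    """One catalog for all controls; each control is stored exactly once."""
    def __init__(self) -> None:
        self.controls = {}   # control_id -> Control

    def add_framework(self, framework: str, controls: list) -> int:
        """Import a framework's controls. Controls already in the catalog only gain
        the framework tag; returns how many genuinely new controls were entered."""
        new = 0
        for c in controls:
            if c.control_id not in self.controls:
                self.controls[c.control_id] = c
                new += 1
            self.controls[c.control_id].frameworks.add(framework)
        return new

    def evaluate(self, tenant_settings: dict) -> dict:
        """Run every control once; return failing control IDs grouped per framework."""
        findings = {}
        for c in self.controls.values():
            if not c.check(tenant_settings):
                for fw in sorted(c.frameworks):
                    findings.setdefault(fw, []).append(c.control_id)
        return findings

# Constructed controls (hypothetical IDs and framework names, not real standards' text).
def mfa_admin() -> Control:
    return Control("MFA-ADMIN", "Admins must use MFA", lambda s: s.get("mfa_required_for_admins") is True)

def build_demo_catalog() -> tuple:
    catalog = ControlCatalog()
    added_a = catalog.add_framework("FRAMEWORK-A", [mfa_admin(),
        Control("LOG-RETENTION-90", "Keep audit logs >= 90 days", lambda s: s.get("audit_log_retention_days", 0) >= 90)])
    added_b = catalog.add_framework("FRAMEWORK-B", [mfa_admin(),   # overlaps with A: tagged, not re-entered
        Control("SESSION-60", "Sessions expire within 60 minutes", lambda s: s.get("session_timeout_minutes", 10**9) <= 60)])
    return catalog, added_a, added_b

# Constructed snapshot of a SaaS tenant's settings.
SAMPLE_TENANT = {"mfa_required_for_admins": False, "audit_log_retention_days": 365, "session_timeout_minutes": 480}

if __name__ == "__main__":
    cat, a, b = build_demo_catalog()
    print(f"new controls: A={a}, B={b}; findings: {cat.evaluate(SAMPLE_TENANT)}")
```

Importing FRAMEWORK-B enters only one new control, and the single MFA failure is reported under both frameworks without being checked twice.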
Compliance is a team sport that comes with technological and business culture hurdles. Evaluating and acting on risk assessments must include insights from across an organization. At their heart, SaaS compliance tools are collaboration tools that keep IT, security, risk, and HR teams on the same page in terms of policies and policy enforcement.
How can a compliance tool foster information sharing? On-demand reporting capabilities and automated ticketing are two ways. I think security threats are so existential that shared responsibility models will actually come to fruition, with teams coalescing under the leadership of the Chief Risk Officer.
In effect, from a security perspective, all these units will merge into one, and compliance tools must be ready to support that.
Obsidian believes that the best way to maintain a strong SaaS compliance posture and to validate that posture with external auditors is to think of it as a loop where constant updates make the tool continuously stronger. My colleague, Dennis Faire, explains this in more detail here.
Automation is now helping organizations gain more control over their SaaS and compliance postures at a time when businesses can feel squeezed between more sophisticated, more frequent threats and government regulations that are imposing change too. We empathize with all of the people involved in navigating these changes, but we are equally confident we can help. Reach out to us to chat.
Also, if you want to join a rockstar team dedicated to solving complex engineering and product problems to help make the impact of SaaS breaches a thing of the past, I’m hiring on my team.