
Reducing Risks and Threats with Continuous SaaS Compliance

CISOs and GRC officers are quickly recognizing the growing threats posed by misconfigured SaaS applications and integrations between SaaS apps. On average, 30% of sensitive corporate data is now processed by or resides in SaaS applications like Salesforce, Microsoft 365, Google Workspace and more.

One of the vexing challenges facing security and GRC teams is that even when companies establish tight security controls within SaaS, it is really hard for them to know how and where those policies are being followed. Additionally, many businesses still monitor their controls manually. Because of this, frankly, many teams are overwhelmed by the volume and constant drumbeat of potential violations they have to sift through and prioritize.

This problem impacts all companies but especially ones in regulated industries including healthcare and financial services. Those organizations must prove their security posture to regulators, and it is hard to prove what you can’t see.

Obsidian solves this problem with an automated, rather than a manual, approach. Our posture platform continuously validates whether an organization’s SaaS technical controls are applied correctly to the SaaS application. When they aren’t, alerts are automatically distributed to stakeholder groups to help drive accountability and remediation. This overall capability to configure SaaS applications at scale, detect whenever those configurations result in a non-compliant state, and generate reports of all compliance-mapped controls is what we refer to as continuous compliance. This model helps organizations achieve an “audit once, comply with many” approach that streamlines the ability to demonstrate SaaS compliance across all industry frameworks and standards at once, such as HIPAA, Sarbanes-Oxley (SOX), GLBA, CCM and more.

Continuous SaaS Compliance

Obsidian views continuous SaaS compliance as similar to the popular concept of continuous integration/continuous delivery (CI/CD). Just as code in a CI/CD pipeline receives continual updates, Obsidian constantly provides updates, control recommendations and detections to update your compliance posture.

Here is a more detailed look at continuous SaaS compliance:


The cycle begins when the Obsidian platform is first deployed and begins its analysis.

Within a few hours, our platform gains a full understanding of the SaaS environment and begins detecting violations and related anomalies. As an aside, the speed at which Obsidian can learn about a SaaS environment is one of the main reasons incident researchers like to use Obsidian for their SaaS-related investigations.

Control Recommendations

Once baselines are established, Obsidian can begin to make recommendations, from its own data, about controls that can be monitored. Users can also apply controls from a growing list of frameworks and standards including NIST, SOC2 and the CSA CCM. We will be releasing support for additional frameworks over the next few weeks to further help companies achieve compliance with the regulations that matter to their specific industry.

Automated Compliance Monitoring

The problem with manual monitoring processes involving several spreadsheets is that, besides being arduous for teams and time-prohibitive, they are also point-in-time spot checks. SaaS is dynamic. Users, admins, their privileges, and their activity are continuously changing. These changes are not mapped and reflected in point-in-time spreadsheet reports, often rendering any compliance reports quickly outdated.

Automating this process enables teams to continuously validate their compliance posture. This real-time data helps leaders make more informed risk management decisions. It also helps minimize inaccuracies in the workflows, prevents potential breaches, and reduces the likelihood of fines.


Reporting capabilities are an essential part of the compliance process. Every organization has multiple stakeholders that have a vested interest in a secure SaaS posture. This includes security and GRC teams as well as app owners and executive leadership. These teams need conclusive answers to questions like, “Is my data across my SaaS applications safe? Are we treating our customers’ data with the highest data privacy standards? Are we in compliance with industry regulations?” You can answer these questions easily with Obsidian’s report-generating capabilities.


For many companies, internal and external audits are necessary, but when it comes to SaaS, they are painful, expensive, and time-consuming due to the complexity.

Continuous SaaS compliance is like a virtual auditor because users can produce reports that show the same kind of data and controls that auditors look for. This saves time because an auditor would no longer need, for example, to collect screenshots of settings, lists of users and groups, and more. Ultimately, this process reduces the cost and time required to complete portions of audits.

Reduce your cost and complexity for compliance by over 90%

Our customers are realizing immense value from our automated compliance posture module. We have heard from customers that they have reduced their resource costs and the time it takes them to map SaaS technical controls to regulatory requirements from months to minutes.
