
Making SaaS Compliance Easy with Automated Report Generation

Compliance is hard. It’s an arduous, manual, cost-prohibitive process that often takes months, if not years, to achieve for organizations in financial services, insurance, healthcare, and other highly regulated industries. 

Today, we are excited to make this herculean task measurably easier for GRC teams with the launch of Obsidian’s Compliance Posture Management frameworks, which will automate the process of dictating, validating, and demonstrating compliance in SaaS. For the first time, security and GRC teams are able to work off of a single interface to achieve their common business objective—to keep their business safe and compliant. By mapping complex regulatory frameworks to individually manageable SaaS controls across major SaaS applications, we are able to deliver security and GRC teams clear and continuous assurance that the applications their business relies on are in compliance with the legal and regulatory obligations they must uphold.

As of today, customers can get access to frameworks that support NIST 800-53, ISO 27001, and CCM. This means that if your organization needs to stay compliant with any of these frameworks, you can map their requirements to technical SaaS controls and know immediately how compliant you are. We are also actively working on supporting other regulatory frameworks such as HIPAA, CIS, PCI DSS, SOX, NYDFS, and more over the coming months.

SaaS and the compliance problem

Organizations continue to see the many advantages associated with migrating business-critical workloads to SaaS applications. There is no question that cost savings, productivity, and efficiency are just a few of the benefits that come with SaaS, which in turn continues to accelerate adoption. CISOs, information security, and GRC leaders, however, are increasingly aware of how SaaS may be affecting their organization’s risk posture, particularly because sensitive data that used to reside on-prem is now distributed across SaaS. In fact, on average, at least 30% of corporate sensitive data is now processed or resides in SaaS applications like Salesforce, Snowflake, GitHub, Google Workspace, and more.

It’s not a secret that wherever an organization’s sensitive data flows, risk follows, and where risk goes, so too do governance and compliance. Therefore, it is of paramount importance for teams charged with performing risk assessments, configuring SaaS applications, validating controls, and mitigating risk to keep up with the pace of SaaS adoption. Unfortunately, with the ever-evolving regulatory compliance landscape and substantial penalties for not adhering to those standards, traditional methods have proven insufficient.

Enter automation with Obsidian

When it comes to security and compliance, automation isn’t just a “nice to have” anymore, it is a “must have” for any organization seeking to achieve a state of continuous compliance as part of its overall cyber security and risk management strategy. With SaaS, it is particularly important given how distributed ownership and accountability can be in larger enterprises.  Without automation to monitor a SaaS environment’s compliant state, customers are at the mercy of accidental changes that go undetected.  This leaves the sensitive data residing in those SaaS applications vulnerable to threats and the potential for hefty regulatory penalties if discovered during an external audit.  

How automation is achieved with Obsidian 

For any automated system to work, the core components that need to come together are visibility and the ability to programmatically take corrective action when certain conditions are met.  In the world of SaaS security, missing either of these elements can result in blindness to systemic vulnerabilities and an incomplete understanding of residual risk.  

Obsidian solves this problem with continuous monitoring of each SaaS application’s configuration, the integrations between applications, and user activity, combined with the ability to enforce technical measures that detect, prevent, and automatically respond. Obsidian’s Posture Management, for instance, leverages real-time data to perform continuous risk assessments that automatically inform customers of their risk exposure. The Settings Management and Posture Rule features provide the ability to define and automatically enforce an appropriate risk tolerance across the SaaS environment.

Validate Once, Comply with Many

One of the most beneficial features that organizations can expect from the Obsidian Platform is its ability to automate the validation of any technical control and prove compliance across all mapped frameworks.  For example, let’s say an organization has implemented an Enterprise Password Policy which requires all privileged users to have 16-character passwords.  This poses three questions that need to be answered:

  • How are Privileged Users defined? 
  • What SaaS settings can be configured to enforce this requirement?
  • Once established, how will it be monitored and reported?  

With Obsidian, GRC teams can address each of these questions at scale. First, they can create a rule that defines which SaaS application permissions constitute a “privileged user”. It looks something like this:

IF “User Permissions” = Role 1 + Role 2 THEN User = “Privileged User”

Once that step is completed, GRC teams can then leverage Settings Management to surface the password setting for a SaaS application.  After the setting has been selected, an additional Posture Rule can be created which looks like this: 

IF User = “Privileged User” THEN “Password Strength” MUST = 16

With those two steps completed, the GRC team has defined what they consider to be a privileged user and enforced a policy requirement for any user that meets that definition. There is one additional step GRC teams can take to truly achieve a ‘validate once, comply with many’ approach: take that same Custom Rule and, using Obsidian’s built-in compliance mapping feature, search across frameworks for any control that mentions passwords or privileged user access. Once the matching framework controls have surfaced, they can be easily mapped to the Custom Posture Rule. The end result is a single Posture Rule whose “Passing” state means that every compliance control associated with it is in a “Compliant” state.

GRC teams iterate on that same process to define and apply Custom Posture Rules to any enterprise policy or regulatory framework requirement, with the peace of mind that if any of those settings revert to a “non-compliant” state, security and GRC teams will be notified immediately and a ServiceNow or Jira ticket will be created to document the issue automatically.
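The flow above, as an added illustration that is not Obsidian’s code or API: one rule classifies privileged users from roles, a second rule checks the password-length setting for those users, the rule’s pass/fail state fans out to every framework control mapped to it, and a drift check picks out the controls that would trigger a notification. The roles, sample users, password setting and framework control identifiers are all constructed placeholders.

```python
# Added example (not Obsidian's code): a minimal model of the "validate once,
# comply with many" flow. The roles, users, password setting and framework
# control identifiers are constructed sample data, not real clause numbers.
from dataclasses import dataclass

PRIVILEGED_ROLES = {"Role 1", "Role 2"}   # Rule 1 on the page: Role 1 + Role 2
MIN_PRIVILEGED_PW_LENGTH = 16             # Rule 2 on the page

# One Custom Posture Rule mapped to several placeholder framework controls.
RULE_TO_CONTROLS = {"privileged-password-length": [
    "NIST-800-53/placeholder-ctrl-1", "ISO-27001/placeholder-ctrl-2", "CCM/placeholder-ctrl-3"]}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    min_password_length: int  # password-strength setting in effect for this user

def is_privileged(user):
    """Rule 1: a user holding both Role 1 and Role 2 is a 'Privileged User'."""
    return PRIVILEGED_ROLES <= user.roles

def evaluate_rule(users):
    """Rule 2: (passing, privileged users whose setting is below the 16-char minimum)."""
    violators = sorted(u.name for u in users
                       if is_privileged(u) and u.min_password_length < MIN_PRIVILEGED_PW_LENGTH)
    return not violators, violators

def compliance_status(users, rule="privileged-password-length"):
    """A single rule evaluation fans out to every framework control mapped to it."""
    passing, _ = evaluate_rule(users)
    state = "Compliant" if passing else "Non-Compliant"
    return {control: state for control in RULE_TO_CONTROLS[rule]}

def drifted_controls(previous, current):
    """Controls that went from Compliant to Non-Compliant between two evaluations;
    these are the ones that would raise a notification or ticket."""
    return sorted(c for c, s in current.items()
                  if s == "Non-Compliant" and previous.get(c) == "Compliant")

# Constructed sample: alice and bob are privileged; carol holds only Role 1.
SAMPLE_USERS = [
    User("alice", frozenset({"Role 1", "Role 2"}), 20),
    User("bob", frozenset({"Role 1", "Role 2"}), 16),
    User("carol", frozenset({"Role 1"}), 8),  # not privileged, so out of scope
]
```

Re-running `compliance_status` after a setting change and diffing it against the earlier result with `drifted_controls` is the continuous-monitoring loop in miniature: one rule flips, and every mapped control flips with it.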

Measure compliance against internal and external standards 

With Next Gen Posture, we’ve designed the product so you can automatically map technical identity and access management, data classification, segregation of duties, and several other audited controls to industry compliance standards for clear, centralized monitoring. As these frameworks inevitably evolve over time, organizations can leverage Obsidian to remain confidently ahead of the curve.

On-Demand Compliance Reporting

We’ve also made generating and sharing reports as easy as clicking a single button. When it comes to internal and external audits, the main goal is to validate the operating effectiveness of security controls designed to mitigate risk.  To help streamline the audit process, Obsidian can automatically compile reports around specific standards and even applications. These reports provide detailed information around passing and failing controls.

Give it a go!

We are super excited to bring these products to market and can’t wait to hear what you think of them. If you’d like to learn more, please don’t hesitate to reach out to us.