For most people, compliance is stressful. Tracking down relevant paperwork, heavy workloads, deadlines that always seem too close, and the issue of “passing” an audit can take a toll on a team. But what if you could automate your compliance processes and move towards continuous compliance?
SunStone is a compliance-as-a-service vendor for regulated clients in government, healthcare, supply chain, and financial services. From the start, SunStone recognized that their documentation and manual processes were neither scalable nor compatible with new, cloud-native technologies. Mapping their compliance operations onto government-mandated frameworks was also a heavy lift for them. Then, they found JupiterOne.
How SunStone keeps JupiterOne in its orbit
SunStone needed a way to achieve continuous compliance and speed up their audit cycles. Now, all of SunStone’s compliance operations are centered around JupiterOne. They also tap into JupiterOne’s capabilities for comprehensive asset visibility and management.
Asset visibility supports compliance operations
You’ve heard it before, but we’ll say it again: you can’t secure what you don’t know you have. When SunStone found JupiterOne, they were still tracking assets in static spreadsheets and by hand, which left many stones unturned.
SunStone’s operations serve both government and commercial customers as well as their respective supply chains. That’s why understanding how the assets in their attack surface relate to one another was critical to achieving comprehensive compliance. JupiterOne not only ingested data about all the entities in their environment, but also provided them with a visual map of how their cyber assets connect.
From there, they were able to start working towards compliance.
Custom queries to automated alerts
First, SunStone SMEs map their compliance framework requirements to JupiterOne’s control catalog, and then map those controls onto their asset inventory. Once those are mapped, the CISO team defines the policies and procedures that need to be put in place to achieve compliance. Their DevSecOps team then defines the controls and the J1QL (JupiterOne Query Language) queries that evaluate them and raise alerts when something needs remediation.
JupiterOne’s out-of-the-box dashboards update continuously and provide a solid foundation for their monthly reporting.
Due to the nature of their business, SunStone needs to be aware of any change to their environment that could result in noncompliance. Instead of manually navigating their ecosystem to find threats or vulnerabilities, SunStone tagged their vendor relationships and data flows in the graph view so they can understand how adding or removing any vendor, OSS component, derivative project, or asset will affect their environment.
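To make the workflow above concrete, here is an added example that is not JupiterOne code and not J1QL: it models the same idea in Python with a small asset graph, controls expressed as queries over that graph, and alerting only on failures that appear between two inventory snapshots (the change-awareness the previous paragraph describes). The control identifiers SC-28 and SA-9 are illustrative mappings to NIST SP 800-53 controls rather than JupiterOne’s catalog, and every asset, vendor and relationship is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Asset:
    id: str
    type: str                        # e.g. "DataStore", "Vendor", "Host"
    props: dict = field(default_factory=dict)


@dataclass
class AssetGraph:
    """Assets (nodes) plus directed, verb-labelled relationships (edges)."""
    assets: Dict[str, Asset] = field(default_factory=dict)
    edges: Set[Tuple[str, str, str]] = field(default_factory=set)

    def add(self, asset: Asset) -> None:
        self.assets[asset.id] = asset

    def relate(self, src: str, verb: str, dst: str) -> None:
        # A relationship to an unknown asset is itself an inventory gap; refuse it.
        if src not in self.assets or dst not in self.assets:
            raise KeyError(f"unknown asset in relationship {src} {verb} {dst}")
        self.edges.add((src, verb, dst))

    def find(self, type_: str, **props) -> List[Asset]:
        """Assets of one type whose properties all match (a stand-in for a query)."""
        return [a for a in self.assets.values()
                if a.type == type_ and all(a.props.get(k) == v for k, v in props.items())]

    def sources(self, verb: str, dst: str) -> List[Asset]:
        """Assets that have an edge labelled `verb` pointing at `dst`."""
        return [self.assets[s] for (s, v, d) in self.edges if v == verb and d == dst]


# A control is a query returning the ids of assets that fail it. The ids below are
# illustrative mappings to NIST SP 800-53 controls, not JupiterOne's catalog.
def sc28_sensitive_data_encrypted(g: AssetGraph) -> Set[str]:
    """SC-28 (protection of information at rest): sensitive stores must be encrypted."""
    return {a.id for a in g.find("DataStore", classification="sensitive")
            if a.props.get("encrypted") is not True}


def sa9_only_approved_vendors_access_data(g: AssetGraph) -> Set[str]:
    """SA-9 (external system services): only approved vendors may access a data store."""
    return {store.id for store in g.find("DataStore")
            for vendor in g.sources("ACCESSES", store.id)
            if vendor.type == "Vendor" and vendor.props.get("approved") is not True}


CONTROLS: Dict[str, Callable[[AssetGraph], Set[str]]] = {
    "SC-28": sc28_sensitive_data_encrypted,
    "SA-9": sa9_only_approved_vendors_access_data,
}


def evaluate(g: AssetGraph) -> Dict[str, Set[str]]:
    """Run every control query against the current inventory snapshot."""
    return {cid: check(g) for cid, check in CONTROLS.items()}


def new_findings(before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Alert only on failures that did not exist in the previous snapshot."""
    delta = {cid: failing - before.get(cid, set()) for cid, failing in after.items()}
    return {cid: ids for cid, ids in delta.items() if ids}


def build_baseline() -> AssetGraph:
    """Constructed sample inventory in a compliant starting state."""
    g = AssetGraph()
    g.add(Asset("db-claims", "DataStore", {"classification": "sensitive", "encrypted": True}))
    g.add(Asset("vendor-a", "Vendor", {"approved": True}))
    g.relate("vendor-a", "ACCESSES", "db-claims")
    return g


def apply_change(g: AssetGraph) -> AssetGraph:
    """Constructed change: an unapproved vendor gains access and an unencrypted store appears."""
    g.add(Asset("vendor-b", "Vendor", {"approved": False}))
    g.relate("vendor-b", "ACCESSES", "db-claims")
    g.add(Asset("db-scratch", "DataStore", {"classification": "sensitive", "encrypted": False}))
    return g


def run_demo() -> Dict[str, Set[str]]:
    """Evaluate both snapshots and return the alerts the change would raise."""
    baseline = evaluate(build_baseline())
    changed = evaluate(apply_change(build_baseline()))
    return new_findings(baseline, changed)


if __name__ == "__main__":
    for control, assets in run_demo().items():
        print(f"ALERT {control}: newly non-compliant assets {sorted(assets)}")
```

The point of diffing two evaluations rather than reporting every failure each run is the same one the case study makes about change awareness: a team drowning in repeated findings stops reading them, while a new vendor relationship that silently breaks a control is exactly what should page someone. Note also that SA-9 fails on the data store, not the vendor, because the control is about which assets an external party can reach; that is only answerable because the relationship, not just the two assets, is in the inventory.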
Easy audits for the auditor and the auditee
After all the preparation and organization, JupiterOne makes compliance easier for the auditor as well.
Beyond relieving the auditee of manual evidence collection and tight deadlines, JupiterOne also delivers value directly to the audit officer. Instead of scheduling long, in-depth meetings with the audit officer, a push of a button lets the auditor see:
- Changes to asset relationships
- Compliance health and progress
- How queries can answer complex questions
- The origin of available data
- How assets relate to one another in the attack surface
Since deploying JupiterOne in their asset environment, SunStone has achieved a continuous Authorization to Operate (cATO) under NIST 800-53/FISMA for one of the world’s largest supply chain programs, shortened their audit cycles from 18 weeks to 2 weeks, and realized $328k in direct FTE labor savings.
To learn more about JupiterOne for compliance, check out SunStone’s presentation from our Virtual Customer Summit.