How one compliance-as-a-service provider uses JupiterOne

by

For most people, compliance is stressful. Tracking down relevant paperwork, heavy workloads, deadlines that always seem too close, and the issue of “passing” an audit can take a toll on a team. But what if you could automate your compliance processes and move towards continuous compliance?

SunStone is a compliance-as-a-service vendor for regulated clients in government, healthcare, supply chain, and financial services. From the start, SunStone recognized that their documentation and manual processes were not scalable or compatible with new, cloud-native technologies. Mapping their compliance operations to government-regulated compliance operations was also a heavy lift for them. Then, they found JupiterOne.

How SunStone keeps JupiterOne in its orbit

SunStone needed a way to achieve continued compliance and speed up their audit cycles. Now, all of SunStone’s compliance operations are centered around JupiterOne. They also tap into JupiterOne’s capabilities for comprehensive asset visibility and management.

Asset visibility supports compliance operations

You’ve heard it before, but we’ll say it again. You can’t secure what you don’t know you have. When SunStone found JupiterOne, they were still looking for a better way than using static spreadsheets and manual asset tracking, leaving many stones unturned.

SunStone’s operations service both government and commercial customers as well as their respective supply chains. That’s why understanding how the assets in their attack surface related to one another was critical to achieving comprehensive compliance. JupiterOne not only ingested data about all the entities in their environment, but also provided them with a visual map of how their cyber assets connect.

From there, they were able to start working towards compliance.

Custom queries to automated alerts

First, SunStone SMEs map their compliance framework requirements to JupiterOne’s control catalog, and then map those components into their asset inventory. Once those are mapped, the CISO team defines the policies and procedures that need to be put into place to achieve compliance. Their DevSecOps will define the controls and J1QL (JupiterOne Query Language) queries necessary to remediate problems and alerts.

JupiterOne’s variety of out-of-the-box dashboards continuously update and provide a solid foundation for their monthly reporting activities.

Due to the nature of their business, SunStone needs to be aware of any changes to their environment that could result in noncompliance. Instead of manually navigating their ecosystem to find threats or vulnerabilities, SunStone tagged their vendor relationships and data flows into the graph view to understand how the addition or negation of any vendor, OSS, derivative project, or asset change will impact their environment.

Easy audits for the auditor and the auditee

After all the preparation and organization, JupiterOne even makes compliance easy for the auditor.

In addition to manual evidence collection and tight deadlines, JupiterOne is also capable of providing value to the auditing officer. Instead of scheduling long, in-depth meetings with the audit officer, a simple push of a button allows the auditor to see:

  • Changes to asset relationships
  • Compliance health and progress
  • How queries can answer complex questions
  • The origin of available data
  • How assets relate to one another in the attack surface

Since deploying JupiterOne in their asset environment, SunStone has achieved cATO for NIST 800-53/FISMA continuous compliance for one of the world’s largest supply chain programs, lessened their audit cycles from 18 weeks to 2 weeks, and saved $328k in direct FTE labor savings.

To learn more about JupiterOne for compliance, check out SunStone’s presentation from our Virtual Customer Summit for more details.

Tanvi Tapadia
Tanvi Tapadia

Born and raised in Raleigh, North Carolina, Tanvi is a marketer who strives to create the perfect balance between data-driven decisions and creative marketing. She is an NC State graduate who loves to explore, eat, and play with her dog Butter.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.