How one compliance-as-a-service provider uses JupiterOne

For most people, compliance is stressful. Tracking down relevant paperwork, heavy workloads, deadlines that always seem too close, and the issue of “passing” an audit can take a toll on a team. But what if you could automate your compliance processes and move towards continuous compliance?

SunStone is a compliance-as-a-service vendor for regulated clients in government, healthcare, supply chain, and financial services. From the start, SunStone recognized that their document-driven, manual processes were neither scalable nor compatible with new, cloud-native technologies. Mapping their own compliance operations onto government-regulated requirements was also a heavy lift. Then they found JupiterOne.

How SunStone keeps JupiterOne in its orbit

SunStone needed a way to achieve continuous compliance and speed up their audit cycles. Now, all of SunStone’s compliance operations are centered around JupiterOne. They also tap into JupiterOne’s capabilities for comprehensive asset visibility and management.

Asset visibility supports compliance operations

You’ve heard it before, but we’ll say it again: you can’t secure what you don’t know you have. Before finding JupiterOne, SunStone was still relying on static spreadsheets and manual asset tracking, which left many stones unturned.

SunStone’s operations serve both government and commercial customers as well as their respective supply chains. That’s why understanding how the assets in their attack surface relate to one another was critical to achieving comprehensive compliance. JupiterOne not only ingested data about all the entities in their environment, but also provided them with a visual map of how their cyber assets connect.

From there, they were able to start working towards compliance.

Custom queries to automated alerts

First, SunStone SMEs map their compliance framework requirements to JupiterOne’s control catalog, and then map those controls onto their asset inventory. Once those are mapped, the CISO team defines the policies and procedures that need to be put in place to achieve compliance. Their DevSecOps team then defines the controls and the J1QL (JupiterOne Query Language) queries needed to detect and remediate problems and raise alerts.

JupiterOne’s variety of out-of-the-box dashboards continuously update and provide a solid foundation for their monthly reporting activities.

Due to the nature of their business, SunStone needs to be aware of any change to their environment that could result in noncompliance. Instead of manually navigating their ecosystem to find threats or vulnerabilities, SunStone tagged their vendor relationships and data flows in the graph view to understand how adding or removing any vendor, OSS component, derivative project, or asset will impact their environment.

Easy audits for the auditor and the auditee

After all the preparation and organization, JupiterOne even makes compliance easy for the auditor.

Beyond eliminating manual evidence collection and easing tight deadlines, JupiterOne also provides value to the audit officer directly. Instead of scheduling long, in-depth meetings with the audit officer, a simple push of a button lets the auditor see:

  • Changes to asset relationships
  • Compliance health and progress
  • How queries can answer complex questions
  • The origin of available data
  • How assets relate to one another in the attack surface

Since deploying JupiterOne in their asset environment, SunStone has achieved cATO (continuous Authority to Operate) for NIST 800-53/FISMA continuous compliance for one of the world’s largest supply chain programs, shortened their audit cycles from 18 weeks to 2 weeks, and saved $328k in direct FTE labor costs.

To learn more about JupiterOne for compliance, check out SunStone’s presentation from our Virtual Customer Summit.

Tanvi Tapadia

Born and raised in Raleigh, North Carolina, Tanvi is a marketer who strives to create the perfect balance between data-driven decisions and creative marketing. She is an NC State graduate who loves to explore, eat, and play with her dog Butter.
