How one compliance-as-a-service provider uses JupiterOne

By Tanvi Tapadia

For most people, compliance is stressful. Tracking down relevant paperwork, heavy workloads, deadlines that always seem too close, and the issue of “passing” an audit can take a toll on a team. But what if you could automate your compliance processes and move towards continuous compliance?

SunStone is a compliance-as-a-service vendor for regulated clients in government, healthcare, supply chain, and financial services. From the start, SunStone recognized that their documentation and manual processes were not scalable or compatible with new, cloud-native technologies. Mapping their compliance operations to government-regulated compliance operations was also a heavy lift for them. Then, they found JupiterOne.

How SunStone keeps JupiterOne in its orbit

SunStone needed a way to achieve continued compliance and speed up their audit cycles. Now, all of SunStone’s compliance operations are centered around JupiterOne. They also tap into JupiterOne’s capabilities for comprehensive asset visibility and management.

Asset visibility supports compliance operations

You’ve heard it before, but we’ll say it again: you can’t secure what you don’t know you have. Before SunStone found JupiterOne, they were still tracking assets with static spreadsheets and manual processes, an approach that left many stones unturned.

SunStone’s operations serve both government and commercial customers as well as their respective supply chains. That’s why understanding how the assets in their attack surface relate to one another was critical to achieving comprehensive compliance. JupiterOne not only ingested data about all the entities in their environment, but also provided them with a visual map of how their cyber assets connect.

From there, they were able to start working towards compliance.

Custom queries to automated alerts

First, SunStone SMEs map their compliance framework requirements to JupiterOne’s control catalog, and then map those controls onto their asset inventory. Once those are mapped, the CISO team defines the policies and procedures that need to be put into place to achieve compliance. Their DevSecOps team then defines the controls and the J1QL (JupiterOne Query Language) queries needed to surface and remediate problems and alerts.

JupiterOne’s out-of-the-box dashboards update continuously and provide a solid foundation for their monthly reporting activities.

Due to the nature of their business, SunStone needs to be aware of any change to their environment that could result in noncompliance. Instead of manually navigating their ecosystem to find threats or vulnerabilities, SunStone tagged their vendor relationships and data flows in the graph view so they can understand how the addition or removal of any vendor, OSS component, derivative project, or asset will impact their environment.

Easy audits for the auditor and the auditee

After all the preparation and organization, JupiterOne even makes compliance easy for the auditor.

Beyond reducing manual evidence collection and easing tight deadlines, JupiterOne also provides value directly to the auditing officer. Instead of scheduling long, in-depth meetings with the audit officer, a simple push of a button allows the auditor to see:

  • Changes to asset relationships
  • Compliance health and progress
  • How queries can answer complex questions
  • The origin of available data
  • How assets relate to one another in the attack surface

Since deploying JupiterOne in their asset environment, SunStone has achieved cATO for NIST 800-53/FISMA continuous compliance for one of the world’s largest supply chain programs, shortened their audit cycles from 18 weeks to 2 weeks, and saved $328k in direct FTE labor.

To learn more about JupiterOne for compliance, check out SunStone’s presentation from our Virtual Customer Summit.

Tanvi Tapadia

Born and raised in Raleigh, North Carolina, Tanvi is a marketer who strives to create the perfect balance between data-driven decisions and creative marketing. She is an NC State graduate who loves to explore, eat, and play with her dog Butter.
