As we began our SOC 2 journey, I started having nightmares of enormous spreadsheets and endless Jira tickets, along with the constant monitoring of our systems and processes. This was probably the most daunting part of it — figuring out how to best maintain all of the various controls we put in place — while also being able to sleep.
The good news is that there is a better way to maintain the controls, one that doesn’t involve spreadsheets and Jira tickets. In today’s world there are niche pieces of software for almost everything — which is good and bad. The trick is to find the right tools without getting tool heavy, which would only exacerbate the problem. We are 5 months into our monitoring period for our SOC 2 Type II and I am very happy with how our software stack has come together. Below are some of the tools we landed on to help maintain our controls.
What is it? Blissfully automatically uncovers your SaaS app usage, keeps it continuously organized, and provides workflows and automation to collaboratively manage, control, and track changes across your entire organization. Their tagline is “Total SaaS Management” and they deliver. I found this one very early in my SOC 2 journey. In fact, it was their Ultimate Guide to SOC 2 that led me to them in the first place as I was embarking on this quest myself. Blissfully, upon connecting to your user system (G Suite in our case), immediately generates data on what software your teams have logged into with their account (you will be surprised at the number of apps) and also what the spend is on those pieces of software. I was a fairly early user of Blissfully and I can say the evolution of the product over the last year has made me an even bigger fan than I already was.
Problem we are solving: In most organizations, understanding what software your users are accessing can be a very difficult task. It’s often hard to determine what is actually being used and how much you are spending on these applications. Blissfully also helps manage another error-prone part of SOC 2 — onboarding and offboarding employees and vendors — and helps make sure our vendors are in compliance with our security posture.
How we’re using it: We use Blissfully to onboard employees and ensure they have the software and access they need to become productive on day one. We also use it to offboard employees, ensuring that their access to critical systems is removed and that we have an audit trail of this happening. We onboard and manage all vendors via their vendor workflows to make sure they meet our security standards, assign proper ownership, and track and manage spend with them.
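The offboarding audit trail described above rests on one check: compare the identity provider’s user list against the accounts that still exist in each application, and flag anything that should have been removed. The following is an added example of that reconciliation, not Blissfully’s code; the directory export, the per-app account lists and the dates are constructed for illustration.

```python
"""Access-review reconciliation: flag app accounts that should have been removed at offboarding.

Added example (not Blissfully's code). Models the check a SaaS-management tool
performs when it compares the identity provider's user list against the accounts
present in each application. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed directory export (e.g. from the identity provider):
# email -> last working day as an ISO date string, or None if the user is active.
DIRECTORY = {
    "alice@example.com": None,
    "bob@example.com": "2020-06-01",
    "carol@example.com": None,
}

# Constructed per-application account lists, as an app inventory would collect them.
APP_ACCOUNTS = {
    "github": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "mongodb-atlas": ["alice@example.com", "bob@example.com"],
    "slack": ["alice@example.com", "carol@example.com", "contractor@otherco.com"],
}


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    reason: str  # "terminated-user" or "unknown-account"


def reconcile(directory, app_accounts, today):
    """Return a Finding for every app account that the directory says should not exist.

    `today` is an ISO date string; ISO dates compare correctly as plain strings.
    """
    findings = []
    for app, accounts in sorted(app_accounts.items()):
        for account in accounts:
            if account not in directory:
                # Account exists in the app but nobody in the directory owns it.
                findings.append(Finding(app, account, "unknown-account"))
                continue
            last_day = directory[account]
            if last_day is not None and today > last_day:
                # User has left; the app account should already be gone.
                findings.append(Finding(app, account, "terminated-user"))
    return findings


def audit_trail(findings, today):
    """Render findings as plain evidence lines an auditor can read."""
    return [f"{today} {f.app} {f.account} {f.reason}" for f in findings]


if __name__ == "__main__":
    for line in audit_trail(reconcile(DIRECTORY, APP_ACCOUNTS, "2020-07-01"), "2020-07-01"):
        print(line)
```

Run on the constructed data it reports Bob’s lingering GitHub and MongoDB Atlas accounts and the Slack account that no directory user owns; an empty result is the evidence that offboarding completed.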
What is it? Fleetsmith provides control over Macs from a security and compliance standpoint. By installing a simple agent, or by adding it to your DEP profile with Apple, each machine automatically registers with Fleetsmith. Once that occurs you can go in and set policies regarding OS upgrades and FileVault usage, as well as controls around login, password expiration, and lockout parameters.
Problem we are solving: Management of Mac laptops in the enterprise environment has long been a challenge. We needed the ability to manage macOS, make sure it remains up to date, and wipe a device in the event an employee leaves or the device is lost or stolen. We also needed to ensure all devices have their hard disks encrypted, which provides another layer of protection.
How we’re using it: We use Fleetsmith to manage all aspects of macOS, and it also gives us the ability to remote wipe our devices. The solution is basically set it and forget it, outside of a few minor tweaks of policies here and there. It does a great job keeping track of all things related to Mac management and device health, which has historically been a sore spot for businesses. They were recently acquired by Apple, which makes a ton of sense given how much control they bring to Mac, iOS, and tvOS alike. It will be interesting to watch how they evolve the product in light of this.
What is it? StrongDM allows you to manage and audit remote access to your servers, databases, and clusters — anywhere. This is done with the SDM agent that runs on users’ laptops and provides their local machine access to resources controlled through a central console.
Problem we are solving: We needed the ability to allow access to certain resources within our network at a granular level and, in some cases, on an as-needed basis. Also, when working toward your SOC 2 it’s important to know who accessed what, and when, without needing to dig around through various system logs to figure it out.
How we are using it: When you have a team of engineers, managing what they can and cannot access can become a bit overwhelming. It is also an area that will cause you a lot of pain during your audit if you get it wrong. With StrongDM we can configure resources such as MongoDB and audit and monitor who is accessing them, along with what they are doing while they have access. We are also able to give temporary, time-bound access to those resources to allow our teams to work seamlessly when solving an issue in production. After the timer expires they go right back to their configured permissions. It also eliminates the need for a VPN, since everything is run through their gateway and only those with proper privileges can access those resources at any given time.
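The mechanism described above (baseline permissions, a temporary grant for a fixed window, automatic fall-back when the window ends, and a log that answers “who accessed what, and when”) is small enough to model directly. The following is an added example, not StrongDM’s code: an in-memory access broker with the class and method names chosen here for illustration, integer timestamps so it runs offline, and constructed users and resource names.

```python
"""Time-bound access grants that fall back to baseline permissions when they expire.

Added example (not StrongDM's code). A minimal in-memory broker: each user has a
baseline set of resources, a temporary grant adds one resource until an expiry
time, and every decision is appended to an audit log. Timestamps are plain
integers (seconds) and all names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: int  # grant is valid while now < expires_at
    reason: str      # free-text justification recorded for the auditor


@dataclass
class AccessBroker:
    baseline: dict                          # user -> set of resources always allowed
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # (ts, action, user, resource, note)

    def grant_temporary(self, user, resource, now, ttl_seconds, reason):
        """Record a grant that lets `user` reach `resource` for `ttl_seconds` from `now`."""
        grant = Grant(user, resource, now + ttl_seconds, reason)
        self.grants.append(grant)
        self.audit_log.append((now, "grant", user, resource, reason))
        return grant

    def active_grants(self, user, now):
        """Grants for `user` whose window has not yet ended; expired ones are simply ignored."""
        return [g for g in self.grants if g.user == user and now < g.expires_at]

    def check(self, user, resource, now):
        """Decide and log whether `user` may reach `resource` at time `now`."""
        in_baseline = resource in self.baseline.get(user, set())
        in_grant = any(g.resource == resource for g in self.active_grants(user, now))
        allowed = in_baseline or in_grant
        self.audit_log.append((now, "allow" if allowed else "deny", user, resource, ""))
        return allowed

    def who_accessed(self, resource):
        """Audit question: which users were allowed onto `resource`, and when."""
        return [(ts, user) for ts, action, user, res, _ in self.audit_log
                if action == "allow" and res == resource]


if __name__ == "__main__":
    broker = AccessBroker(baseline={"alice": {"staging-db"}})
    broker.grant_temporary("alice", "prod-mongodb", now=1000, ttl_seconds=3600,
                           reason="constructed: production incident")
    print(broker.check("alice", "prod-mongodb", 1001))        # inside the window
    print(broker.check("alice", "prod-mongodb", 1000 + 3600))  # window over, back to baseline
    print(broker.who_accessed("prod-mongodb"))
```

The expiry is enforced at decision time rather than by a background job that revokes the grant, so there is no window in which a stale grant is still honored; the denied attempts stay in the log too, which is what makes the audit answer complete.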
What is it? Pima simplifies the process of sending confidential documents and agreements to your prospects and customers. It allows you to load up your NDA, countersign it, and host it as we do at https://pinpoint.com/security. Once the form is filled out and the NDA is signed, the customer will automatically receive the documents they requested.
What problem does it solve: One of the challenges once you have your SOC 2 is distributing confidential documents like SOC 2 reports, penetration tests, and AWS audits, as well as ensuring a proper NDA is in place before you do so. Pima handles that for you and keeps an audit trail for those documents as well. It also allows you to send updates to your customers when your security documents are refreshed.
How are we using it? We use Pima to allow customers to self-serve our security documents, all the way from making the request to signing the NDA and finally receipt and tracking of the documents. The first steps are challenging enough; the final one, knowing who opened what and when, is pretty much impossible. You choose which documents you want to review, then a countersigned NDA is sent to you, and as soon as you sign, the documents you requested show up in your inbox. Pima watermarks the documents with the recipient’s email, and we can easily track who opened the documents; in the event the documents get passed around, it’s obvious who did so.
Having our SOC 2 is extremely important to us. The more we can automate some of the controls we have in place, the more we can focus on delivering against our roadmap — quickly and securely. These are just a few of the tools we are using to maintain our SOC compliance, and we feel they have really limited the impact on our resources’ time.
I hope you will find some valuable information in this post, and let us know if there are tools you use that we should take a look at! We are always looking for ways to improve our processes and efficiencies here at Pinpoint.
Vice President, Operations