How Drata’s Continuous Compliance Solution Helps SaaS Providers Streamline Compliance on AWS
By Chintan Sanghavi, Sr. Partner Solution Architect – AWS
By Bill Tarr, Sr. Partner Solution Architect – AWS
By Daniel Marashlian, Chief Technical Officer – Drata
Trust and transparency are the pillars of software as a service (SaaS) businesses, especially when it comes to handling customer data. In order to earn trust, you need to first prove that you deserve it. It’s becoming increasingly common for customers to request proof of the steps that their providers have taken to protect customer data.
Compliance frameworks are one way to do this, and adding continuous compliance automation accelerates the process and reduces the burden on SaaS providers. Prior to continuous automated compliance solutions, related evidence capture was collected manually with screenshots and spreadsheets. It was a redundant, error-prone, and unscalable process that only grew more complex and expensive over time, costing companies hundreds of hours of engineering and development time.
Drata is an AWS Partner and AWS Marketplace Seller that offers continuous compliance automation as part of its security, risk management, and compliance automation solutions. These help Amazon Web Services (AWS) customers lower the friction of gathering evidence of compliance and accelerate their journey to SOC 2, HIPAA, GDPR, ISO 27001, and PCI DSS, among other frameworks.
In this post, you will learn how Drata’s suite of continuous automated compliance solutions can help accelerate SaaS providers’ journey to compliance frameworks, and examine the journey to Service Organization Control (SOC) 2 Type 2 of one of their customers.
Compliance Automation as a Service
The idea behind Drata’s compliance solution was to take the pain out of manual compliance by streamlining end-to-end workflows and putting automation at the forefront of security. To do this, Drata connects directly to a company’s tech stack (including AWS infrastructure) to continuously monitor and collect evidence of a company’s security controls, allowing companies to focus on growth and innovation rather than being weighed down with collection of security evidence in a manual fashion.
Drata aims to help companies earn and keep the trust of their users, customers, partners, and prospects by helping to maintain compliance with industry standards and best practices.
Within Drata’s platform, pre-built tests, controls, and requirements are checked daily to verify and maintain compliance with more than 14 frameworks and regulations. Drata also offers a library of integrations with more than 75 of the most popular tech tools to continuously monitor and collect evidence of your security posture, including cloud service providers, single sign-on (SSO) and identity provider (IdP) tools, device management solutions, and observability platforms.
Figure 1 – Drata integrations.
Connecting your AWS infrastructure to Drata requires only a cross-account AWS Identity and Access Management (IAM) role, the “Drata Autopilot Role,” in each account you want Drata to scan. The Drata admin portal provides inline instructions for setting up the role, including the permissions to copy into it, which grant Drata read-only access to your account.
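As an added example (not Drata’s code or its portal instructions), the following audit checks the kind of cross-account role described above before you create it: only the expected vendor account may assume the role, an sts:ExternalId condition must be present, and the attached permissions must be read-only. The vendor account ID and external ID are placeholders, and the policy documents are constructed samples.

```python
"""Audit the cross-account role a compliance scanner asks for. Constructed
samples; the vendor account ID and external ID are placeholders, not Drata's."""

VENDOR_ACCOUNT = "111111111111"           # placeholder vendor account ID
EXTERNAL_ID = "placeholder-external-id"   # placeholder sts:ExternalId value
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, vendor_account=VENDOR_ACCOUNT, external_id=EXTERNAL_ID):
    """Return findings on who may assume the role; [] means the trust is sound."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        for p in _as_list("*" if principal == "*" else principal.get("AWS", [])):
            if p == "*":
                findings.append("trust policy allows any AWS principal")
            elif vendor_account not in p:
                findings.append(f"unexpected principal {p}")
        # Without an ExternalId the vendor could be abused as a confused deputy.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings


def audit_permissions(doc):
    """Return allowed actions that are not read-only (Get*/List*/Describe*)."""
    bad = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                bad.append(action)
    return bad


# Constructed: a weak trust policy (no ExternalId) beside the hardened one.
_ASSUME = {"Effect": "Allow", "Action": "sts:AssumeRole",
           "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"}}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [_ASSUME]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [dict(
    _ASSUME, Condition={"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})]}
# Constructed permissions policy with one write action that must be flagged.
PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListAllMyBuckets", "ec2:DescribeInstances", "s3:PutBucketPolicy"]}]}
```

Run the two audits against the role’s trust and permissions documents (for example, as pulled with the AWS CLI) and treat any finding as a reason to fix the role before granting the vendor access.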
Because the collected evidence is available as JSON files, auditors can see the raw data output, debug any issues, and determine that the client’s controls are operating effectively. All of this evidence is also compiled into a PDF with time stamps, dates, exclusions, notes, and any other details the auditor might need to evaluate everything within the scope of your audit. Your auditor can access the evidence through Drata’s Audit Hub, which makes it easy for them to view just the information they need.
Before a solution like Drata, these were all platforms that, depending on your technical stack, you had to log into frequently to screenshot or log evidence of compliance. Once you connect your current systems, Drata begins automated evidence collection and API checks to keep you in compliance and audit-ready at all times.
As your company grows, automated monitoring, evidence collection, asset and personnel tracking, and access control are streamlined via workflow automation. Drata’s Amazon Inspector integration automatically pulls in AWS scan data to show proof of customers’ vulnerability scanning process.
Not only does Drata’s automated evidence collection ensure you maintain compliance on a daily basis, it also compiles a substantial body of evidence in preparation for your audit. Your auditor can take samples of your evidence directly from the Drata platform, streamlining the entire audit experience. The same process is applied to your version control systems.
“Drata’s integration with AWS empowers companies of all sizes to continuously monitor their security controls across their AWS services and easily build a strong compliance program,” said Daniel Marashlian, CTO at Drata. “With a mutual automation-led approach, together Drata and AWS are able to streamline the redundancies of maintaining a healthy cloud-based security posture and enable organizations to focus on critical business needs.”
Figure 2 – Drata control dashboard.
Visibility of Controls
Control monitoring and management are critical to building a robust security program and mitigating risk for your organization. Drata automates the monitoring of both pre-built and custom controls. You can then assign an owner to each control so that they are notified of any failures, which keeps accountability clear.
Drata offers a checklist of pre-mapped controls and requirements that are built into the platform. Depending on the trust services criteria that apply to your organization, you’ll then be able to customize which controls are in scope for your compliance audit. If your organization needs custom controls, you’re able to create them and map them to Drata’s automated tests, from one centralized dashboard.
That’s where Drata’s scalability comes in—you have the flexibility within the application to define, modify, and manage your controls as you see fit.
Updated View to Your Security Posture
Drata’s dashboard offers a real-time view of all of the controls across your organization, which controls are complying, and any controls that may be missing evidence or not passing. Whether the failings are due to policies, employee onboarding or offboarding, security training, database backups, or infrastructure configuration, you have immediate visibility into your current security standings.
As you grow into different markets and pursue different standards, you’ll be able to filter controls by framework and view if there are any controls that overlap with other frameworks. Drata’s Framework Readiness dashboard shows the percentage of overlap between certain frameworks to help you gauge readiness across various security standards.
Figure 3 – Drata Framework Readiness dashboard.
Building a Comprehensive Compliance Program
There are a variety of other functionalities in Drata’s platform that streamline the entire compliance journey and help place security at the core of any company. In addition to pre-built controls and requirements, Drata offers pre-built policy templates mapped to controls for a variety of frameworks.
All policies included in Drata’s Policy Center are recommendations and best practices that can be leveraged when applicable. You also have the option to create and upload custom policies. If your organization already has policies, you can upload those into Drata’s system. Drata has pre-built workflows for any policy that is changed or updated, which automatically creates a version history of edited policies for tracking purposes.
A key part of building a comprehensive security program is employee buy-in and cooperation. Drata’s system simplifies the employee onboarding process with automation and modernizes personnel management. For example, once your technical stack is connected, accounts for all employees in the company are provisioned.
A mobile device management (MDM) solution is installed on employee devices to check that password managers and other required safeguards are in place at the individual employee level. From there, you can also view and monitor whether employees have reviewed and accepted policies, enabled multi-factor authentication (MFA), and completed security training, among other things.
If any of these items haven’t been completed, your security personnel, or whoever is assigned to the control in Drata, will be notified. Drata also partners with background check and security training vendors for additional support throughout the employee onboarding process.
Although it can be difficult to achieve and maintain a strong security posture, Drata recognizes that compliance isn’t one-size-fits-all, which is why users can customize numerous configurations.
Customer Case Study
Axero Solutions is an intranet software company based in New York that offers SaaS-based solutions (such as Communifire) for communication and collaboration. Given the sensitive and constantly changing nature of the data Axero manages on its customers’ behalf, Axero wanted to complete a SOC 2 Type 2 audit to give its customers assurance of the security of its design.
For cloud-native SaaS companies, security and compliance are necessary to earn and keep the trust of their users and partners. Pursuing compliance frameworks, such as SOC 2, would provide Axero Solutions with valuable insights into their security posture, internal controls, and vendor management while also giving the organization the ability to scale and expedite growth.
Axero recognized that pursuing SOC 2 compliance would increase their visibility into potential cybersecurity risks and help establish a security-first culture at the company. However, it was important that they found the right partner to help automate this process and avoid the pain points that come along with pursuing compliance manually.
Adam Ilowite, CEO of Axero Solutions, and his team had researched a variety of automation platforms on the market but felt Drata was the partner that best fit the company’s needs. The decision to choose Drata as their compliance automation platform came down to the user interface, integrations with their tech stack (particularly AWS), and the Drata team’s expertise.
Ilowite said he “felt confident in Drata to guide us through our compliance journey while allowing us to focus on the product. Additionally, we were looking for a platform we’d enjoy using every day—one that wouldn’t overwhelm us with a sea of new information.”
Initially, Axero was using a few different infrastructure partners. A couple of years ago, they decided to consolidate into one to simplify their infrastructure management.
After looking into various infrastructure partners, the company decided that AWS was the right choice. Since then, they have used AWS CloudTrail, Amazon EBS Snapshots, and Network Load Balancer to streamline their infrastructure management.
Drata and AWS Together
Because Ilowite, Axero’s CEO, had identified a resource gap for a developer with a cloud engineering background, finding a compliance automation platform that integrated well with Axero’s AWS infrastructure was significant. The setup between Drata and AWS was designed to be simple and easy, especially for those who are not considered technical personnel.
With the help of Drata’s team, Axero could complete the setup with AWS in a matter of minutes and fully deploy their infrastructure tasks for Drata to monitor in just a couple of hours. The next day, Axero had real-time data showing all the improvements that needed to be made to their security posture.
Through Drata’s seamless integration with AWS, Axero gained access to a dashboard within Drata’s platform that clearly laid out the steps needed to achieve SOC 2 Type 2 compliance. For example, Ilowite noted that “some of our AWS accounts are service accounts and simply used for internal tasks. With Drata, we can exclude them from the scope of MFA, so they don’t come up on the failing list.”
Drata’s platform helped Axero create a complete inventory of their S3 buckets across regions. With that, they verified that each S3 bucket had the appropriate security settings and was aligned to the proper data retention policies. Ilowite said “it would have been very difficult to be 100% sure we were monitoring each and every storage bucket in AWS, especially those that are in various archival states without Drata.”
Prior to using Drata’s solution, Axero looked at another vendor to manage the AWS side of its SOC 2 compliance process. However, that option would have dispersed their resources and would not have provided the same level of automation as other platforms.
“The interface of AWS can be technical when setting a new security policy or changing something, so the value that Drata and AWS’s partnership gives to someone like me is priceless,” said Ilowite. “All I had to do as the end user was connect AWS to Drata for us to get an instant, clear picture of our current controls—it was like security 101 made easy. Drata is a foolproof way to get the technical aspects of compliance set up correctly and acts like a personal translation engine for the complex aspects of the AWS infrastructure.”
Not only was Axero able to have substantial cost savings using Drata’s compliance automation platform, they were also able to complete their SOC 2 Type 2 audit three times faster by leveraging the connection between Drata and AWS. It was projected to have taken months, if not a full year, to achieve SOC 2 compliance without the relationship that already exists between Drata and AWS.
“Drata and AWS in conjunction provide an actual proof point of our security control failures—so there’s no dodging it,” said Ilowite. “In combination, these two platforms are great at catching issues right as they happen, as opposed to waiting months until your audit. Drata’s continuous monitoring allows you to detect any failures long before they become problems. Because you have constant visibility to your security standings on the Drata platform, you can verify and have reassurance that your security posture is in a good place.”
Drata provides continuous compliance automation solutions for its customers. These solutions allow customers, such as SaaS providers, to monitor diverse workloads spread across multiple accounts and to customize the controls they need for their chosen compliance framework, as well as for any of the other 14+ frameworks to which Drata has mapped its controls. The evidence collected can be easily exported in an auditor-friendly format.
For SaaS providers, the result is an accelerated journey to frameworks like SOC 2 Type 2, and a clear roadmap to future compliance needs, allowing you to earn customer trust and grow with confidence.
To get started, check out Drata in AWS Marketplace.
About AWS SaaS Factory
AWS SaaS Factory helps organizations at any stage of the SaaS journey. Whether looking to build new products, migrate existing applications, or optimize SaaS solutions on AWS, we can help. Visit the AWS SaaS Factory Insights Hub to discover more technical and business content and best practices.
SaaS builders are encouraged to reach out to their account representative to inquire about engagement models and to work with the AWS SaaS Factory team.
Sign up to stay informed about the latest SaaS on AWS news, resources, and events.
Drata – AWS Partner Spotlight
Drata is an AWS Partner and security, compliance, and risk automation platform that continuously monitors and collects evidence of a company’s security controls, while streamlining compliance workflows. With Drata, thousands of companies streamline over 14 compliance frameworks—such as SOC 2, ISO 27001, GDPR, and more—resulting in a strong security posture, lower costs, and less time spent preparing for audits.