Obsidian launches new SaaS security and compliance tools

Cybersecurity firm Obsidian has launched its SaaS security posture management (SSPM) solution with new security and compliance tools to help organizations manage third-party SaaS integrations.

The SaaS-based deployment will feature three primary modules including Obsidian Compliance Posture Management (CPM), Obsidian Integration Risk Management, and Obsidian Extend.

“Obsidian not only provides posture hardening and third-party SaaS integration risk management, but also offers threat mitigation for SaaS,” said Glenn Chisholm, chief product officer and co-founder of Obsidian. “It remains the only company in the SaaS security industry to deliver a unified solution that covers all aspects of SaaS security comprehensively.”

All the modules of Obsidian’s SSPM are already available to customers and are licensed and priced separately based on the number of users and SaaS applications used by them.

Obsidian streamlines compliance for SaaS integrations

Obsidian CPM enables organizations to measure and maintain compliance across SaaS environments to both internal security policies and third-party standards including SOC 2, NIST 800-53, ISO 27001, and CSA Cloud Controls Matrix.

It allows for mapping complex frameworks to individual SaaS controls to ensure third-party applications comply with required legal and regulatory obligations.

“Obsidian maps identity and access management, data classification, segregation of duties, and several other audited controls to industry compliance standards for clear, centralized monitoring,” Chisholm said.

Obsidian also allows security teams to define custom rules and custom standards on its platform to ensure internal security policies extend coverage to their SaaS applications. Additional custom posture rules automate the validation of SaaS application settings that map back to compliance framework controls.

“Navigating the compliance control maze is a daunting task, made exponentially more difficult by multiple SaaS environments,” said Chris Steffen, research director at analyst and consulting firm Enterprise Management Associates. “Security and GRC leaders are always looking for ways to gain better visibility into these requirements.”

The Obsidian CPM also generates compliance reports to help demonstrate the operating efficiency of compliance controls.

Added capabilities for integration and data security

Obsidian Integration Risk Management — the second key module of the SSPM — allows for scanning interconnections between SaaS applications, mapping permissions and different levels of access, analyzing integration activity, and uncovering areas of risk.

The module features a three-step functionality — discovering integrations, identifying unsanctioned applications, and consistent monitoring, Chisholm explained. While discovery entails generating an inventory of consolidated third-party and internally developed applications’ connections to business-critical SaaS platforms such as Microsoft 365, Google Workspace, and Salesforce, unsanctioned applications refer to the ones connected arbitrarily without approval from the security teams.

Security leaders are always looking for ways to decrease risk, and integrations between solutions are not only becoming more commonplace but critical to making seemingly disparate systems play nicely with each other, Steffen pointed out.

“We recognize that each of these core enterprise services introduces, manages, permits, and logs integrations differently, which is why Obsidian navigates and resolves these discrepancies to present security teams with a clear list. Additional filtering options give analysts the flexibility to dig into specific concerns like inactive or unsanctioned applications or integrations that need review,” Chisholm said.

The third module of Obsidian SSPM is called Obsidian Extend, which provides security for sensitive business data across an enterprise’s SaaS ecosystem through a dedicated module.

Obsidian Extend features application retrievers that query SaaS app APIs to pull the relevant configuration and user data for the applications. The extractor is run periodically to capture data from the applications and store it in a database within the Obsidian platform which is then processed and transformed into an Obsidian common schema to evaluate and surface insights in the UI.

Obsidian’s platform discovers and scans for application-specific configurations, user behaviors, and permissions across all federated applications within minutes, Chisholm added.

“SaaS posture management tackles challenges around the consistency of setting and applying policies and controls, dealing with scale, managing access, and meeting compliance requirements,” said Melinda Marks, an analyst at Enterprise Strategy Group. “Organizations need solutions like Obsidian’s to help their security teams manage risk, eliminating tedious manual processes by giving them clearer views of security posture and helping them efficiently take actions that reduce security exposure and risk.”