“Vanta’s Private Integrations are poised to be a game changer! Finally, all organizations can integrate Vanta’s automated compliance platform with any application in their portfolio regardless of whether it’s hosted in a private cloud, custom developed, or even a SaaS app that is restricted by source IP or doesn’t have a pre-built Vanta integration. If your team needs help getting started, our Private Integrations developers can do it for you or train your team.”
Eric Shoemaker – Advisory CISO – Genius GRC
Private Integrations – An Overview
Vanta created the automated compliance market. Take it from someone who still manages SOC 2 environments and audits where there is no automated compliance platform; Vanta makes it easier. Still, there’s no getting around the fact that the risk and compliance team still has to put in the work to implement, maintain, and mature the compliance program within the organization. One of the ways Vanta helps reduce your burden is to continually monitor your applications, cloud services, vulnerability results, and other platforms. Their continuous monitoring does 2 things: (1) notifies your team when something needs attention and (2) grants your auditor more assurance that your compliance program was implemented fully during the entirety of the audit period.
Until now, the only way in which an application or platform could be monitored is if Vanta built a direct integration or if the vendor decided (or could be persuaded) to build and manage the integration. There was no option for organizations to build their own automation for monitoring an application or platform that Vanta didn’t natively support. Vanta’s Private Integrations now provide that capability.
As an example, many organizations maintain a private Active Directory Domain infrastructure that serves as the primary identity provider. Until now, the only way to integrate the private AD infrastructure with Vanta was by leveraging the Azure AD Connect tool to sync accounts to Entra ID (the artist formerly known as Azure AD) and leveraging Vanta’s direct integration with Entra ID. Now, Active Directory users can be synced directly using the same API that Vanta’s integration partners use, and the organization has full flexibility to scope resources using whatever logic is required. AD user entitlements can then be reviewed independently within Vanta.
Integration Ideas
To get the creative juices flowing, here are some ideas I have for organizations with complex self-managed environments to integrate with Vanta:
- Sync Active Directory Domain user accounts with Vanta and leverage Vanta for access reviews.
- Sync local SQL database users with Vanta and leverage Vanta for access reviews.
- Sync VMware vSphere users to Vanta for regular privileged entitlement reviews.
- Sync Microsoft SCCM/MECM computers to Vanta to prove compliance with BitLocker, screensaver, password, and anti-malware requirements.
- After a user is offboarded, automatically upload the offboarding ticket to the user record in Vanta.
- Automatically upload repeating task tickets to Vanta after they have been closed. Think regular firewall reviews, backup restoration tests, health checks. The list is practically endless on this one.
- Automatically upload change requests to a custom document in Vanta.
- Integrate custom application users into Vanta. I’m thinking Line of Business applications, backend administrative consoles, and others.
- Sync vulnerabilities discovered and managed by the self-hosted Tenable.SC vulnerability platform or any other vulnerability management platform into Vanta.
If you have another idea that we should add to the list, feel free to reach out to us. If you need help building an integration, we can help with that too!
A Short List of Requirements
Before we point you towards the resources for creating the private integration, it’s important to know what the requirements are:
- You must have the ability to automatically export user accounts (or other relevant resources) from the source system or application on a schedule (hourly recommended).
- Currently, you must request access to the Private Integrations feature from Vanta. Organizations that purchase Vanta through Genius GRC get this enabled automatically.
- Your team must have the expertise to write code that can interact with REST APIs. Additionally, the automation should be monitored and must be maintained as the environment changes.
- Your organization must have the infrastructure to host and schedule the automation. This can be via a Windows Server scheduled task, Azure Function, AWS Lambda, or any other automation workflow tool.
Creating Your First Private Integration
Here are direct links to the resources you will want to review as you create the integration:
- Vanta Private Integrations – Integrating Active Directory (PowerShell)
- Developer Introduction
- Create an Application
- Authorize using OAuth
- Sending Resources
- Sync All User Accounts API Reference
The basic steps for building your first integration are as follows:
1. Create the Private Integration application in Vanta (set the visibility to “Private”).
- Copy the OAuth Client ID and Client Secret from the application.
- Define the resource type within the Vanta application. An example of this would be a “UserAccount” resource type which has a different set of properties than the “WindowsUserComputer” resource type.
- Copy the generated JSON schema for use within your automation. You may find it helpful to create a reusable component to consistently build this object according to the schema (C# class, PowerShell function, etc).
2. Build the logic for exporting the resource from the source application.
- When building the export, scope the sync only to objects that are necessary for proving compliance.
- Build the scope to include only “enabled” resources. During each sync, resources in Vanta that are no longer in the scope of the automation will be removed from Vanta. For example, once an account is disabled, it will be removed from Vanta or marked as disabled if the logic is built properly.
3. Schedule the Vanta sync
- Create the proper resource syntax for each object based upon the generated JSON schema. It’s important to take note of the data type for each field. For example, all dates must conform to the RFC3339 format (“2023-09-15T12:32:44Z”). Do not skip reviewing the Vanta page regarding sending resources.
- Use the Sync All API endpoint to upload a current list of enabled resources. Typically, it is best to run the automation at least hourly, but resources such as document uploads may need to be done according to the cadence of the requirement.
4. Validate and monitor the integration
- Once you have successfully performed your first sync, navigate to the relevant resource, document, or access review in Vanta and validate the resource exists.
- Perform ongoing monitoring of the automation to ensure it continues to run appropriately.
- It may become necessary to modify the automation logic as business requirements change. This could be during a merger or acquisition, divestiture of a business unit, application changes, etc.
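The four steps above, carried through as one added example that is neither code from this post nor Vanta’s own: it assumes Vanta’s OAuth token URL, the Sync All URL, the OAuth scope string and the request field names (all recalled from the public developer documentation and to be checked against the links above), uses a constructed stand-in for the JSON schema Vanta generates, and feeds it a constructed Active Directory export whose property names are the ones Get-ADUser reports. Hosting and scheduling the script (Windows scheduled task, Azure Function, AWS Lambda) is left to the environment.

```python
"""Skeleton of a Vanta Private Integration sync for Active Directory users.

Added example, not Genius GRC's or Vanta's code. Endpoint URLs, the OAuth
scope and the request field names are ASSUMPTIONS to verify against Vanta's
"Authorize using OAuth", "Sending Resources" and "Sync All User Accounts"
pages. USER_ACCOUNT_SCHEMA is CONSTRUCTED; use your application's generated
schema instead.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

VANTA_API = "https://api.vanta.com"                  # assumed base URL
TOKEN_URL = f"{VANTA_API}/oauth/token"                # assumed token endpoint
SYNC_ALL_URL = f"{VANTA_API}/v1/resources/sync_all"   # assumed Sync All endpoint
OAUTH_SCOPE = "vanta-api.all:read vanta-api.all:write"  # assumed scope string

# Constructed stand-in for the JSON schema Vanta generates for a resource type.
USER_ACCOUNT_SCHEMA = {
    "required": ["uniqueId", "displayName", "createdTimestamp", "mfaEnabled"],
    "properties": {
        "uniqueId": {"type": "string"},
        "displayName": {"type": "string"},
        "createdTimestamp": {"type": "string", "format": "date-time"},
        "mfaEnabled": {"type": "boolean"},
    },
}
RFC3339_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
JSON_TYPES = {"string": str, "boolean": bool}

# Constructed AD export (property names as Get-ADUser returns them); not real accounts.
SAMPLE_AD_EXPORT = [
    {"ObjectGUID": "11111111-1111-4111-8111-111111111111", "DisplayName": "Alice Example",
     "Enabled": True, "whenCreated": datetime(2023, 9, 15, 12, 32, 44), "MfaEnabled": True},
    {"ObjectGUID": "22222222-2222-4222-8222-222222222222", "DisplayName": "Bob Example",
     "Enabled": False, "whenCreated": datetime(2021, 1, 2, 3, 4, 5), "MfaEnabled": True},
    {"ObjectGUID": "33333333-3333-4333-8333-333333333333", "DisplayName": "Svc Backup",
     "Enabled": True,
     "whenCreated": datetime(2022, 6, 30, 23, 59, 59, tzinfo=timezone(timedelta(hours=-4)))},
]


def to_rfc3339(dt):
    """Render a datetime as RFC 3339 in UTC, e.g. 2023-09-15T12:32:44Z.
    Naive datetimes are treated as UTC; aware ones are converted to UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def validate(resource, schema):
    """Return a list of schema violations (empty means valid). Minimal checker
    for required keys, primitive types and RFC 3339 UTC date-time strings."""
    problems = [f"missing required field {k}" for k in schema["required"] if k not in resource]
    for key, spec in schema["properties"].items():
        if key not in resource:
            continue
        value = resource[key]
        if not isinstance(value, JSON_TYPES[spec["type"]]):
            problems.append(f"{key}: expected {spec['type']}")
        elif spec.get("format") == "date-time" and not RFC3339_UTC.match(value):
            problems.append(f"{key}: not RFC 3339 UTC")
    return problems


def build_resources(ad_users, schema=USER_ACCOUNT_SCHEMA):
    """Map exported AD accounts onto the schema, keeping only enabled accounts
    so that disabled ones drop out of Vanta on the next Sync All."""
    resources = []
    for user in ad_users:
        if not user["Enabled"]:
            continue
        resource = {
            "uniqueId": user["ObjectGUID"],
            "displayName": user["DisplayName"],
            "createdTimestamp": to_rfc3339(user["whenCreated"]),
            "mfaEnabled": bool(user.get("MfaEnabled", False)),
        }
        problems = validate(resource, schema)
        if problems:  # fail the run rather than ship a malformed resource
            raise ValueError(f"{user['ObjectGUID']}: {problems}")
        resources.append(resource)
    return resources


def get_token(client_id, client_secret):
    """Client-credentials OAuth exchange against the assumed token endpoint."""
    body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret, "scope": OAUTH_SCOPE}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def sync_all(token, integration_id, resource_id, resources):
    """PUT the complete in-scope list to the assumed Sync All endpoint; Vanta
    removes resources that are absent from this list (field names assumed)."""
    payload = {"integrationId": integration_id, "resourceId": resource_id, "resources": resources}
    req = urllib.request.Request(SYNC_ALL_URL, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Credentials come from the scheduler's secret store, never from the script.
    token = get_token(os.environ["VANTA_CLIENT_ID"], os.environ["VANTA_CLIENT_SECRET"])
    print(sync_all(token, os.environ["VANTA_INTEGRATION_ID"],
                   os.environ["VANTA_RESOURCE_ID"], build_resources(SAMPLE_AD_EXPORT)))
```

Run hourly, the script sends the whole enabled set every time, which is what makes step 2’s “only enabled resources” scoping work: an account disabled in AD is simply absent from the next list. Validating each object against the schema before the request surfaces a wrong data type (a non-RFC 3339 date, a string where a boolean is expected) locally, where the error message names the field, instead of as a rejected batch.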
Known Limitations
We’ve encountered a couple of limitations that you may recognize relatively quickly. It’s our understanding that Vanta is addressing these, but it’s good to know about them so you aren’t blindsided. This list is current as of 9/15/2023.
- Primary identity providers are not supported as a Private Integration at this time. In other words, you can’t create new people records using the Private Integration. This is the most significant limitation to be aware of.
- There is currently a bug where User Account records aren’t automatically linked with the person record. This causes the private application to not appear as a resource when looking at the person record. Additionally, Vanta doesn’t alert on an enabled record when the person is offboarded. We’ve been in touch with the developers on this, and it is expected to be fixed in Q4 of 2023.
- We had decent results with the user account Sync All API endpoint, and it seems to be able to ingest a little over 1,000 accounts per minute. Syncing 1,000 accounts consistently took less than 60 seconds. 5,000 accounts took about 5 minutes each time. We were able to sync 7,000 accounts in under 7 minutes, but we never observed 10,000 accounts successfully sync; it failed twice, once at 2 minutes and once at 9 minutes. This is sufficient for user accounts in most organizations. Even small organizations can hit these numbers quickly with internal vulnerability scans, so scope appropriately (critical and high only).
- Once an application is created, there’s no way to delete it. The same applies to resources. We aren’t sure if this is a design limitation or a missing feature.
There are likely some additional limitations you may run into, but these are what we’ve seen in our engagements. We are still building and testing document uploads and vulnerability syncs, so there may be some limitations added to this list over time.
Where To Go From Here
We are huge fans of Vanta and have been impressed with the progress they’ve made in their product and integrations over the past year. While there are a few bugs to work out and potentially some additional scale needed, we are confident that their team will continually iterate, improve, and release new features and bug fixes quickly. Remember that as of this writing, the Private Integrations feature is being actively developed, and maturity will come with time.
Whether you need guidance on deploying or managing Vanta or you need specific help with your compliance program, we are here to be a trusted resource. Finally, our developers can set up your first Private Integration. If you want us to host, manage, and monitor a private integration for your environment, talk to us. Happy audits!
Author
Eric Shoemaker has been providing leading technology solutions to organizations large and small for over 15 years. With his focus on efficiency, automation, and practicality, Eric’s methodology has set him apart from other cybersecurity and compliance professionals. His deep understanding of compliance automation was born out of a need to simplify and standardize the evidence generation methodology in a low-budget environment without any specialized tooling. In 2022, Eric founded Genius GRC to focus exclusively on cybersecurity compliance and develop the most efficient, simplified, and innovative compliance management offerings.
Eric currently resides in Woodstock, GA where he enjoys time with his family and friends. He can often be found on the lake fishing from a kayak or in the ocean with a speargun in his hand while poking lobster with his tickle stick (yes, it’s a real thing. Look it up).