Esper achieves compliance and grows security at scale with JupiterOne

Esper’s founding team believes in a fundamental truth: every engineering project starts with infrastructure. Esper’s cloud-native DevOps platform incorporates the functionality cloud developers love, re-imagined for edge devices. The platform helps companies bypass building a traditional internal DevOps infrastructure allowing developers and engineers to securely streamline deployment and management for distributed fleets of Android edge devices. Esper is creating positive user experiences that can rapidly scale.

Since 2020, and as the demand for seamless digital experiences spiked, Esper has seen significant customer growth. Major brands across a number of industries, including CloudKitchens, Spire Health, Uber, and more, turned to Esper to bring its in-app and Android experiences to market faster. The pandemic expedited the transformation of industries like connected fitness, digital health, hospitality, and food delivery, further accelerating the adoption of intelligent edge devices.

Rapid Compliance & Visibility Across Cloud-Native Assets

Jasmine Henry, Director of Cybersecurity at Esper, realized early on that due to significant customer growth, Esper’s cybersecurity and compliance team needed to mature and scale its security strategy.

Compliance became a top priority for the team when Esper entered a POC with a Fortune 500 customer that required proof of controls as part of its vendor risk assessment process. Jasmine and her team needed a solution that could quickly provide value and objectively show security maturity for its customer requirement.

With digital transformation and cloud-first adoptions, many companies see the value in service and solution providers like Esper. However, in the rapidly growing ecosystem of value-added solutions and technologies, vendor risk management is a critical issue. Esper discovered that its customers are focused on better vendor risk management to meet compliance and security needs.

Jasmine wanted a solution to help her team achieve compliance and help with its audit processes across multiple frameworks, including PCI, SOC II, and ISO 27001. She added, “We required something that could provide visibility into the environment and dynamic cloud changes against compliance controls.” In addition, she was looking for the best compliance solution that could bring value quickly and scale as customer and internal strategies changed.

Achieving PCI Compliance in Two Weeks

Jasmine’s extensive background in governance, risk, and compliance was advantageous in the evaluation process for compliance tools. The team evaluated several compliance solutions, including Tugboat, Vanta, Hyperproof, QRadar, and JupiterOne. Esper’s compliance and cybersecurity group initially signed up for the free trial of JupiterOne, and quickly realized the value they could gain in the platform. They evaluated multiple compliance solutions and selected JupiterOne as the top vendor.

Within two weeks of connecting with JupiterOne, Esper was PCI compliance ready for its official auditing process. The Esper team found that during its audit process, the auditors were impressed with the simple evidence collection and alerts, using them to avoid compliance drift and security incidents. Throughout the entire PCI audit process, the Esper team quickly resolved specific types of evidence (e.g., admin logging for AWS) that their auditors requested by querying the dynamic graph database with JupiterOne's Smart Search functionality. Jasmine noted that the requested data would’ve been very challenging to generate manually without JupiterOne.

“JupiterOne has a level of sophistication that wasn’t present in other vendors we considered. In addition, JupiterOne is really responsive, the support is superior, and it is truly built for cloud-native companies like us,” Jasmine explained.

Jasmine expressed that, “many other GRC solutions in the market today almost feel like spreadsheets that someone’s put into a web app. Check off this evidence for SOC II. Unlike other solutions in the market, JupiterOne is truly dynamic, providing real-time visibility against multiple frameworks making it very scalable.”

Winning Customer Trust with JupiterOne

“We've achieved significant ROI on both JupiterOne and our compliance program as a whole since these are table stakes issues for around 1/3 of our prospects, especially prospects at larger organizations.”

With JupiterOne’s automated evidence collection, reporting and more, Esper has successfully completed PCI, SOC 2 (Type 2), and ISO 27001 audits and compliance requirements.

JupiterOne’s dynamic visibility and compliance functionality helped Esper gain new enterprise customers by meeting stringent requirements in the vendor risk management process. For example, despite not having a dedicated compliance readiness budget, the Esper team completed the PCI compliance audits in less than one month with JupiterOne’s automated evidence collection and reporting.

Currently, Esper is using JupiterOne to improve GDPR and CCPA processes and scale to new compliance frameworks.

Beyond Compliance - Visibility Across AWS, Google Cloud, and Atlassian

In addition to compliance coverage, the teams at Esper also leverage JupiterOne for cloud-native asset and configuration monitoring.

“We had some layers of visibility in place including GuardDuty and CloudWatch for cloud monitoring and threat detection. JupiterOne is the first platform to give us complete visibility and understanding of our assets across our AWS, Google Cloud, and Atlassian environments.“

Today, the main users at Esper include the DevOps, Cloud, and Cybersecurity teams. Esper embraces a distributed security model across its teams. The blue team sits under DevOps, and the DevSecOps resources blend traditional SOC and SRE roles. The teams have a 24/7 monitoring program where alerts are entirely automated in JupiterOne via Slack and PagerDuty integrations when there's a potential risk that an incident or compliance drift could occur. Esper also leverages JupiterOne’s alerting for AWS monitoring, certificate expirations, and encryption. “We're creating a unified incident management pathway for all incidents that affect customer confidentiality, integrity, and availability.”

Esper continues to expand their strategic usage of JupiterOne. Jasmine added that, “Another huge strategic project I'll be working on over the next few months is figuring out how to understand our critical assets in a distributed, immutable, and ephemeral cloud environment. We're also becoming a multi-cloud shop with the addition of Azure and JupiterOne will be integral in that process.”