Drata’s Acquisition of oak9 Ushers in New Era of Compliance as Code

Drata expands automated control monitoring and evidence collection throughout the SDLC, becoming the only compliance automation solution to ensure compliance from code to production.

by Adam Markowitz

May 02, 2024

Today at Drata, we’re thrilled to announce the acquisition of oak9—a pivotal milestone in our journey of redefining the possibilities of compliance automation and one that brings a cloud-native compliance platform into our ecosystem. 

This acquisition is more than strategic—it's a reinforcement of our core value of trust, enabling GRC teams to seamlessly integrate continuous compliance throughout the software development lifecycle.

With Drata Compliance as Code, now available in beta, Drata is the only GRC platform that monitors compliance before and after code is deployed to production. Previously, this was only solvable through manual processes which lacked necessary contextualization. 

Before introducing Compliance as Code, teams across DevOps, GRC, and engineering often found themselves trapped in a reactive cycle, scrambling to address compliance issues after changes had already reached production—a costly and inefficient process. In these situations, teams face resource-intensive fixes, release setbacks, misconfigurations, and ultimately, gaps in their security and compliance posture. 

These challenges also create unnecessary tension between GRC and DevOps teams, often labeling security policies and compliance as blockers to innovation and production, rather than a necessary symbiotic partnership.

With the acquisition of oak9 and the launch of Compliance as Code, we're equipping thousands of DevOps, GRC, and engineering teams with a revolutionary platform that saves them hundreds of hours every year.

With Compliance as Code, engineers and developers who are already resource-constrained can learn compliance best practices by simply reviewing high-fidelity risk alerts mapped directly to their compliance frameworks and policies. For example, Compliance as Code can detect infrastructure code tied to data encryption at rest, to restricting public access to cloud resources, and to how cloud resources are tagged. Through the alerts, engineers quickly see any misconfigurations, receive a code snippet to resolve the issue, and understand why and how that misconfiguration affects company compliance readiness.

A Sneak Peek at Drata Compliance as Code

Alerts provide GRC teams with a human-in-the-loop remediation solution, enabling swift and precise risk resolution. This blend of technology and human insight exemplifies cutting-edge compliance practices. The team can also opt in to auto-generated pull requests to address the issues right within their existing SDLC, further reducing alert fatigue for developers and engineers.

What previously took hundreds of hours of manual review and remediation has shifted to just minutes and is being continuously monitored.

Imagine it as Grammarly for Compliance—just as Grammarly guides your writing, Compliance as Code guides your development, ensuring every line of infrastructure as code meets the highest standards of compliance.

We are shifting compliance left in the SDLC to solve infrastructure as code misconfigurations, saving customers time and resources, and fostering a culture of true continuous compliance.

Built-In, Not Bolted On: Contextualizing Compliance Risks in Development

Compliance is the context here. Compliance as Code continually monitors for infrastructure risks specific to your frameworks such as SOC 2, ISO 27001, HIPAA, and PCI DSS.

“oak9’s mission from day one has been to address critical gaps throughout the software development lifecycle, including gaps with compliance, which is all too often viewed as an afterthought. That mindset can be costly for the entire organization,” said Om Vyas, Co-Founder and CEO of oak9. “Being integrated into Drata’s platform is exceptional validation of our team’s commitment to realizing this mission. This sets a new standard in how teams tackle cloud-native compliance.”

Compliance as Code was built from the ground up with compliance in mind, which means that the alerts are focused on elevating risks to GRC teams and providing context around them. Clearly stated, compliance is priority one and not just bolted on as an afterthought. And customers see results already:

“With Drata, we can clearly provide the necessary context on how a particular infrastructure as code change will introduce risks to the business and impact our posture, guiding our developers towards better compliance-focused decisions.”

Just as important, this guidance system makes the shift left mentality, a significant culture change to DevOps processes and the SDLC, seamless. Rather than blockers, slowdowns, and friction, GRC teams have an automated system that creates clear control-based guardrails and continuously provides “the why” behind them.

Alignment With Continuous GRC Monitoring

In addition to contextualizing compliance risks in pre-production environments, Compliance as Code aligns with the concept of Continuous GRC. Rather than manually spot-checking for risks, the always-on system improves visibility by 80%.*

This is where organizations gain real-time visibility into their risk and compliance posture through automated tests and evidence collection. It has now been fully extended to a more proactive state. Identifying risks of non-compliance prior to code making its way to the public significantly reduces the probability of occurrence and impact.

What previously meant writing tickets with minimal context for developers and engineers, which made them a challenge to prioritize, is now handled by automatic pull requests that identify the issue, the specific line of code, and the solution with relevant documentation. GRC teams previously waited days, if not weeks, for code to be refactored, but now issues are fixed within minutes.

This approach not only solidifies our infrastructure controls but also reduces the likelihood of non-conformities during audits, ensuring that issues are resolved promptly at the commit stage. We’re paving the way for a future where compliance is seamlessly integrated into every development phase. Compliance as Code is designed to bring the risk lens to every change without burdening engineers and developers.

Shifting Left the Right Way

As DevOps teams grow, the need to shift left and address these compliance gaps earlier in the SDLC increases significantly, in order to maintain compliance standards without sacrificing speed of development. oak9 specialized in infrastructure as code to build security and compliance into cloud-native applications as they are developed, and offered a catalog of out-of-the-box blueprints that ensured customers could meet their security and compliance objectives for any architecture on any cloud provider.

The concept of shifting left can look like an unfriendly term to DevOps teams and their engineers because there is often a misperceived notion that the onus will be on them to do their job AND put on a GRC hat.

“In the past, as a security engineer we were often a middleman in these situations. The GRC team would see a check or control failing in the platform, they come to our team to get an opinion and triage getting a fix, then we would work with the DevOps team to implement and deploy a fix,” said Josh Stuts, Drata Senior Manager of Security. “However, with Compliance as Code, it starts with the DevOps team getting the alert, which skips us as a middleman unless they have questions or need additional context. It puts us in a position to be partners, advisors, and a resource to support rather than be in a position that blocks or constrains them.”

It’s time to break down infrastructure and compliance silos. This is the future of GRC and it’s here now.

*According to Drata’s Risk Trends Report

Adam Markowitz
Adam Markowitz is the co-founder and CEO of Drata, a continuous security and compliance automation platform. Prior to Drata, Adam was the founder and CEO of Portfolium, an academic portfolio network for students and alumni to visually showcase their work and projects directly to employers, faculty, and fellow students/alumni. Portfolium was acquired by Instructure (NYSE:INST) in 2019. He also worked as an aerospace engineer designing, analyzing and testing liquid rocket engines for NASA’s next generation space launch vehicle as well as the Space Shuttle Main Engine. Adam earned a B.S. in Structural Engineering from UC San Diego and an M.S. in Astronautical Engineering from the University of Southern California.