About Carta Group:
Carta is a global technology company that is trusted by more than 40,000 companies and over two billion people to manage cap tables, compensation, and valuations. Carta also supports nearly 7,000 funds and SPVs, and represents nearly $130B in assets under administration. Today, Carta’s platform manages nearly three trillion dollars in equity globally.
DoControl Secures Business-Critical Data for Carta
Carta is a rapidly growing company that uses various Software as a Service (SaaS) applications such as Google Drive, Box, and Slack to facilitate internal and external collaboration and communication. With the amount of sensitive data generated and shared through these applications, security needs increased. The security team was challenged with effectively quantifying the risk associated with their SaaS data across the entire tech stack.
Automating the remediation of data overexposure was critical for Carta's business to scale while maintaining a strong security posture. They needed the ability to monitor and control high-risk users and events within their SaaS ecosystem. With the increasing number of identities, such as external collaborators, customers, prospects, vendors, and partners, scalable access to data within their core SaaS stack had become challenging. Thousands of SaaS events took place daily, which made identifying the activities that posed a risk to the business a problem of scale. The security team needed a solution that could differentiate between standard business practices and malicious or anomalous activities.
Foundational SaaS Application Data Access Controls
The DoControl solution provided Carta with visibility, monitoring, and risk remediation throughout their business-critical SaaS applications. DoControl ran an initial query to identify the amount of publicly accessible data, external collaborators with access, private domains that had access, and more. The team quickly identified the most exposed domains and high-risk users and provided foundational controls to automatically remediate their risk exposure within their SaaS ecosystem. The DoControl No-Code SaaS Security Platform allowed Carta's security team to create granular data access control policies that met the security requirements of their business. They could now define workflows that were API-powered and event-driven, and would automatically trigger during high-risk events.
The DoControl solution provided Carta with strong visibility and asset management throughout their SaaS environment. They now had complete insight into user activity and the SaaS events taking place within their tech stack. The business context of what was taking place in their environment was fully exposed, providing a baseline understanding of their SaaS data risk. Alerts could then be customized and configured to elevate the events and activities that were relevant to their business, facilitating appropriate response and mitigation as necessary. Through self-service remediation, the security team could take immediate action on high-risk activities, such as revoking access or changing ownership of sensitive files.
"The DoControl solution allowed our business to be as agile as possible, without compromising security within our SaaS estate. Our security team could create the necessary data access control policies that worked for our business." – Simon Ng, Sr. Manager, Information Technology
Carta’s security team leveraged DoControl to implement solutions for a number of access control use cases, including 3rd to 4th party sharing, anomalous download activity, and streamlining revocation of access at employee off-boarding. In addition, by leveraging DoControl’s events aggregation, Carta was able to validate events that had occurred within their Google instance. DoControl was the preferred method of log validation because it presents the data in a much more user-friendly UX than a Google event log.
The DoControl Impact
The DoControl solution enabled Carta's SaaS data to be automatically monitored and protected against malicious activity, ensuring that no unauthorized user has access to sensitive company data. As a completely agentless solution, with no software installation necessary, DoControl was implemented quickly and provided immediate time to value.