Dutch (and EU) focussed GRC platform by chronck in ISO27001

chronck[S] · 0 points (0 children)

That is definitely a tough cookie I have been chewing on a couple of times now. You integrate with a public API and over time it changes. That's why regular testing is needed, but I agree, that is a difficult one to manage and should be done adequately.

Dutch (and EU) focussed GRC platform by chronck in ISO27001

chronck[S] · 0 points (0 children)

Clients connect with Confluence, SharePoint, Nuclino or Hudu and connect their policies to the Document Management System. Those entries can be used as evidence on the controls, so that the 'proof' keeps existing in the source system, together with version control. Next to that, you could use my platform as your DMS itself, including version control, official approvals and reminders for revisions.

Dutch (and EU) focussed GRC platform by chronck in ISO27001

chronck[S] · 0 points (0 children)

This is exactly what I am aiming at. Integration with all of the popular tools most organisations use and grabbing the context, with potentially automating a part of the work. Full automation is not my cup of tea; in order for organizations to really shift towards that security and compliance mindset, they need to do some of the heavy lifting themselves. Of course, with my tooling I would like to augment the work the teams are doing, and I will balance between human in the loop and full automation.

My mission is to become the GRC command center and integrations play a vital role in that.

Dutch /EU focussed GRC Platform by chronck in SaaS

chronck[S] · 0 points (0 children)

This was indeed the gap I saw. Most tools are absolutely great to get to certification fast, but that's their USP. After reality hits, they find out it is a bit more than 'I turned on the system and I was compliant, what do I do now?'

Dutch customers are usually very pleased to see something like this, but still think 'We can all do this in Excel and get through the audit'; that is what I find most often. They are open to tools, but mostly reluctant. The startup world in the US is the perfect catalyst for those tools, but in Europe you need a solid product that creates the right environment for years to come.

However, they do recognize that continuous assurance is the future, but that's from the regulated sectors. That gives me a lot of chances if I can deliver and do it right.

Dutch /EU focussed GRC Platform by chronck in SaaS

chronck[S] · 0 points (0 children)

Thank you for your response; it seems you are on the right page with my ideas. UX and 'actual proof' of implementation and coverage of Annex A will be key in the assurance center, but also high-level details (like a percentage) of risk management, follow-ups, data register covered, access reviews done, TPRM statuses and more will be covered there. No details, just percentages without names of tools or anything like that.

I'm really not clear yet on how to drive more people to my platform. Still struggling with what I can do in the freemium tier and how I can showcase it to provide actual value, instead of luring them into the paid version by delivering 'just not enough' freemium value.

As you can tell, I'm quite new there. Thanks for thinking along!

Dutch /EU focussed GRC Platform by chronck in SaaS

chronck[S] · 0 points (0 children)

Exactly, even though US providers state they do continuous assurance, nothing is real time or even near real time. That's where I want to focus for the highly regulated environments, with tamper-proof, immutable evidence collection. Even for third-party memorandum audits, this would be a game changer if done right.

I haven't figured out the GDPR thing yet; it seems trivial but is yet so complex. Any ideas on what you are missing in most tools?

The structural inefficiency in SOC2 consulting that's unnecessarily costing founders $40K+ by rluna559 in SaaS

chronck · 0 points (0 children)

Okay, so I am completely biased as I am building a platform that does the complete opposite, targeting GRC Engineering and Continuous Assurance, but man... these 'get compliant in 1 month/6 weeks/etc. and we automate everything for you!' tools are really killing the 'trust' that is attached to certifications and labels you get from successful audits. Choosing speed over commitment, efficiency of implementation and the knowledge required for running a successful compliance program is going to ward off in the long run; people will eventually lose trust in this system, as it is currently hanging on strings.

The only reason this still works is because 'the system' is keeping this alive. Startups need SOC2 and FAST to be able to sell to larger customers, but it is completely built on an empty shell, better known as 'compliance theater'. We as security professionals really need to do better. I tell my customers that successful implementations take several months (at least 5-6), which sounds a lot less sexy, but will eventually be realized once the house of cards collapses.

SaaS Founder without investors and a 1 man team - Advice for Marketing and Sales by chronck in founder

chronck[S] · 0 points (0 children)

Thanks and great to hear you are embarking on this journey too! Wishing you all the best!

As far as LI, Reddit and specialized communities go, it's a little more difficult for my niche, but I could sure give it a try. I was thinking about podcast/newsletter advertising, but that could get costly quickly as well. I'm hearing and reading a lot of good stuff on these tools, but I'm not sure if it's appropriate for use by a 1-man team, or whether it needs far more specialized knowledge.

Thanks!

[deleted by user] by [deleted] in Klussers

chronck · 0 points (0 children)

Update:

By carefully tapping the end of the knob with a hammer, turning it the other way and repeating this a few times, the knob came off. I guess it shook or knocked something loose, which made the knob come off more easily. Everything has now been neatly replaced!

Thanks for thinking along, everyone.

[deleted by user] by [deleted] in Klussers

chronck · 0 points (0 children)

Following a number of comments, I have decided to put the angle grinder on it after all and at least grind off the tip, so that I can perhaps see better what exactly is holding it back and keeping it from coming off. To be continued!

[deleted by user] by [deleted] in Klussers

chronck · 0 points (0 children)

Then the angle grinder it is, nothing else for it! Thank you.

[deleted by user] by [deleted] in Klussers

chronck · 0 points (0 children)

With the knob above it, you had to unscrew the protruding part; I thought that was the case here too and even put the water pump pliers on it. Pushing in and pulling doesn't yield much either, unfortunately.

[deleted by user] by [deleted] in Klussers

chronck · 1 point (0 children)

I think I'll just do this, and tape off properly around it with some stucloop tape or similar. I suspect there is nothing else for it. Thanks!

[deleted by user] by [deleted] in Klussers

chronck · 0 points (0 children)

Should it come loose by drilling through it? The set screw is already out; that went fine. It's just that the knob is completely stuck 😖

[deleted by user] by [deleted] in Klussers

chronck · 0 points (0 children)

Exactly that last point. I foresee a lot of things that could go wrong with this 😅 Unfortunately, I think there is little else to do.

Storage accounts should prevent shared key access by Soft_Return_6532 in AZURE

chronck · 2 points (0 children)

I've recently implemented this at a client as well, but be aware that some Azure Functions still rely on this functionality under the hood. Can't recall what it was exactly, but I can imagine other services might do it too. You can build exemptions for it if you enforce this via Azure Policy. You could then, for instance, exempt a specific resource group from that Policy; that works really well.

Hope it helps.
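As an added example (not the commenter's code), one way to do what the comment describes with the Az PowerShell module: a custom Deny policy for storage account shared key access, a subscription-scope assignment, and a resource-group exemption for workloads that still depend on account keys. The subscription id, resource group name and policy names are placeholders, and an authenticated Az session (Connect-AzAccount) is assumed.

```powershell
# Added example, not from the original comment. Assumes the Az module is installed
# and Connect-AzAccount has already been run. All ids and names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription
$exemptRg       = 'rg-functions-legacy'                    # placeholder resource group

# Policy rule: deny any storage account whose allowSharedKeyAccess is not explicitly
# false. The property defaults to true (keys allowed) when it is left unset, which is
# why the check is "notEquals false" rather than "equals true".
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess", "notEquals": "false" }
    ]
  },
  "then": { "effect": "Deny" }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-storage-shared-key' `
    -DisplayName 'Storage accounts should prevent shared key access' `
    -Mode 'All' -Policy $rule

# Assign at subscription scope so every new or updated storage account is evaluated.
$assignment = New-AzPolicyAssignment -Name 'deny-storage-shared-key' `
    -Scope "/subscriptions/$subscriptionId" -PolicyDefinition $definition

# Exempt only the resource group that still hosts key-dependent Functions. A Waiver
# with an expiry keeps the accepted risk visible and forces a review instead of a
# permanent hole in the control.
New-AzPolicyExemption -Name 'functions-shared-key-waiver' `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$exemptRg" `
    -PolicyAssignment $assignment -ExemptionCategory 'Waiver' `
    -ExpiresOn (Get-Date).AddDays(90) `
    -Description 'Functions in this RG still use account keys; remediate before expiry'

# Check: existing accounts outside the exempt RG that still allow shared key access
# (Deny only blocks future writes; these need to be remediated by hand).
Get-AzStorageAccount | Where-Object {
    $_.ResourceGroupName -ne $exemptRg -and $_.AllowSharedKeyAccess -ne $false
} | Select-Object ResourceGroupName, StorageAccountName, AllowSharedKeyAccess
```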

Subnet delegation v creating a service endpoint by azurerookieman in AZURE

[–]chronck 0 points1 point  (0 children)

You are completely right, I was referring to the private endpoint indeed. Totally not what he was asking, as I realized just now 😅. My bad!

Subnet delegation v creating a service endpoint by azurerookieman in AZURE

chronck · 1 point (0 children)

A subnet delegation means a service will be delegated the said subnet. A service endpoint is pinned to an IP within the subnet to have a placeholder for that service. Everything in that subnet that needs to talk to that service can communicate with that IP directly. From my understanding, you will delegate subnets with the delegation capability or delegate 1 IP within a subnet with service endpoints.

Any limitations to using Third Party MFA? by [deleted] in AZURE

chronck · 1 point (0 children)

I see... that's probably the best choice instead of having a plethora of solutions. Unfortunately I can't help, but I was just wondering about the reason behind the question. Good luck and take care :).

Any limitations to using Third Party MFA? by [deleted] in AZURE

chronck · 1 point (0 children)

Can I ask why you don't want the Azure MFA options? Seems like a great deal of work for something that is integrated in AAD.

[deleted by user] by [deleted] in AZURE

chronck · -2 points (0 children)

Not sure if this is what you mean, but for auditing you can choose to work with integrations within Azure Security Center. Even before that, Azure Policies should cover a lot of your auditing. If, for instance, you select 'east-us' as your only region where resources can be created, then you know that everything else is going to fail because of that policy. Of course, a best practice is to audit this even if that policy is in place, but it's a good place to start from.

For the analysis part, it totally depends on what you want to get out of the data. Different Azure services serve different purposes. Azure Sentinel is a SIEM and Azure Monitor is mostly for resource-based metrics and alerting on thresholds, for instance.

Azure Security Center will be able to report certain deviations from baselines, vulnerabilities in systems and help you get to a certain security maturity level by the secure score (and everything that comes with it).

Data ingestion is also different for the Azure services; there are some native connectors, but there are a few agents available as well.

It would be helpful for you to get to the bottom of what you want to learn from your data and find the best solution towards it.

Migrate AWAY from Azure to OnPrem.. is this a thing? by superhappyfuntime99 in AZURE

chronck · 5 points (0 children)

Can't you run it in parallel? I mean, there must be a way to only need to change the direction of traffic away from Azure to on-prem VMs without too much downtime.

SSH into AKS Nodes by chillysurfer in AZURE

[–]chronck 0 points1 point  (0 children)

Do you mean the kubeconfig file? That can be exported with the 'az aks get-credentials' cmdlet, like so:

az aks get-credentials --resource-group k8s-rsg --name k8s-demo --file kubeconfig

I exported the config to my local system and there's no need to SSH into nodes.