Our Secure Road to SOC 2 Certification
Software and Internet security have been my personal interests since the early days of web development thirty years ago. I explored and tested web server vulnerabilities, code injection, brute force attacks, and secure encryption solutions. I once “hacked” a company's network before applying there as an employee. I got the job, including being responsible for security. This was the first “bug bounty” for me.
Later I also learned about IT security governance and audit practices as a member of the ISACA organization and completed a CISA certification. However, I still preferred practical secure software development to just performing compliance auditing.
Many years later, when starting eazyBI, security was one of our key priorities. One of the reasons why I like and use the Ruby on Rails framework is that it provides many secure-by-default choices. Security was also one of the main criteria when selecting the other components for building eazyBI. Using open-source software as your building blocks helps with security as well, because anyone can inspect how it works and look for potential vulnerabilities.
Six years ago, in 2016, eazyBI started a bug bounty program at HackerOne. Since my early “white hat” experience, I have known that there are many vulnerability types that you might not be aware of. Security researchers who specialize in specific areas can help you discover these tricky vulnerabilities in your code. During the first years, we detected several high-priority security bugs thanks to this bug bounty program, and we could fix them before any customers were affected. Later, when Atlassian launched the Marketplace Security Bug Bounty Program on the Bugcrowd platform, we were one of the first participants, as we already had the experience and knew the benefits.
Last year Atlassian introduced the Cloud Fortified program for Marketplace apps, and again we were among the first participants. The Cloud Fortified program makes it easier for customers to identify enterprise-ready cloud apps with additional security, reliability, and support requirements. While implementing Cloud Fortified requirements, we introduced new production system availability monitoring and integrity testing solutions. Recently, thanks to these production monitoring checks, we quickly identified a bug in the Atlassian app authentication changes and prevented downtime for all customer instances.
eazyBI has been a cloud-first solution since the beginning. Initially, the majority of our customers were using our server products. In recent years, more customers have been migrating to eazyBI Cloud (or starting on Cloud), and now the Cloud is our primary business. When customers use eazyBI as their business intelligence service, entrust their data to it, and rely on its availability, they want to be sure that we are a trusted partner. A blog post like this is not enough to achieve that trust.
SOC 2 has become a “de facto” standard for Software-as-a-Service (SaaS) providers to demonstrate their compliance with best practices in the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Customers frequently asked whether we were SOC 2 certified. Becoming a SOC 2 compliant organization was the natural next step in our security journey.
Traditionally, achieving a security or quality system certification required a lot of time, effort, and “paperwork” and was therefore done only by larger organizations with dedicated quality and security teams that handled all the “paperwork”. We didn’t want the SOC 2 “badge” to be something extra that we do on the side. We wanted to integrate the practices SOC 2 recommends into the way we naturally do everyday business, without performing activities in which we see no value.
The modern approach to SOC 2 compliance is to use a specialized tool for tracking all policies and controls and automating evidence collection and compliance monitoring. We evaluated several providers and selected Drata as our SOC 2 implementation platform. Drata also helps with guidance on how to proceed with the SOC 2 implementation and audit.
The next major step was to describe all our policies according to SOC 2 requirements. We were already doing the majority of the required tasks, but they were not always documented in the corresponding policies. Writing them down helped us validate our agreed practices and identify some gaps where we were not yet doing what the criteria expect. I would like to thank my colleague Jānis Plūme, who made most of the effort and coordinated everyone else involved in the process. Jānis still performs both Customer Support Consultant and Security Officer duties: we want to integrate security practices into our everyday work and do not want to create a separate security team “behind locked doors”.
The final step is the SOC 2 audit, and we chose Prescient Assurance as our auditors. The audit is also more efficient when using a platform like Drata, where auditors are granted access to all the necessary evidence. Our SOC 2 Type II audit covered a three-month observation period. You cannot “fake” your compliance at a single point in time; you must demonstrate over several months that what you have described in your policies is actually how you work.
The active phase of our SOC 2 implementation lasted five months, followed by the three-month audit period. Our road to certification was completed on October 26, when we received our SOC 2 Type II report on controls relevant to security, confidentiality, availability, processing integrity, and privacy. If you want to learn more, visit our security page or contact us.
The road to security is never complete, and there might be dangerous turns in the future. Good security practices and controls will help us to steer in the right direction.