SOC 2 Compliance for SaaS Startups & Top Pitfalls to Avoid | Raghu (Co-Founder, Sprinto)

Overview

In this session, Raghu (Co-Founder, Sprinto) discusses with Venky how SaaS Startups have to upgrade their security standards significantly to become SOC 2 compliant and the major pitfalls they should avoid.

He differentiates between SOC 1, SOC 2, and SOC 3 compliance in super-easy terms and highlights some overlapping parameters between security standards like ISO 27001, PCI DSS, HIPAA, GDPR, etc.

He talks about how meeting Application Security best practices is a must-have factor for any compliance. If avoided, it can make selling products/services challenging in international markets.

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Key highlights from the discussion:
  • Compliance automation with Sprinto
  • What are AICPA and NIST?
  • SOC 2 compliance and audit procedure
  • Differences between SOC 1 vs. SOC 2 vs. SOC 3
  • What are Type 1 and Type 2 in SOC 2
  • Disparities between FEDRAMP, GDPR, PCI DSS, ISO 27001, etc.
  • Companies need compliance for an added trust

Transcript

I’m an engineer first and a founder. Sprinto automates security compliances like SOC 2, ISO 27001, PCI DSS, and GDPR. We have support for over 15 standards. It usually takes months of manual effort to get compliance. This is possible in a few weeks; the effort is one-tenth what it used to be.

This enables many small companies to go after big-ticket deals, which was not possible before. We enable or level the playing field as far as certain larger deals are concerned.

It is growing quite fast now. If I look at the U.S., SOC 2 is growing quite fast. If I consider Europe and India as markets, ISO would grow fast.

SOC 2 is a security standard written and maintained by AICPA. It’s an American body, and CPAs write this.

SOC 2 is a 3rd party audit framework. When you want to get SOC 2 compliant, you need a third-party auditor to come in and review your environment to issue a SOC 2 report.

CPAs go through a lot of training on how to do audits. The auditing procedure is rigorous, which lends credibility to SOC 2.

SOC 2 is a holistic framework covering your people, processes, and how you change your organization, infrastructure, and technical aspects.

So, it’s an all-encompassing framework that looks at security from all angles.

SOC 2 is not a certificate; it’s a report issued by a certified AICPA audit partner.

There is a SOC 1. It is used more in financial audits. SOC 2 is used in a technical security audit scenario. Both are holistic in that they look at the controls across the company, but SOC 2 is more information security related.

SOC 2 gives a very long report where each security measure you have in your company is listed.

And it clearly states how the auditor tested that particular security measure and what the auditor’s observations were.

For a person on your customer side who’s reading this report, it’s a lot of detail that they have in terms of what you are doing to ensure that you’re keeping their data safe and secure.

And it’s also audited by a third party, which gives them a lot of confidence.

There is a Type 1 and a Type 2. Usually, Type 1 is easier to get because it just looks at whether your security measures are in place. It’s like examining a photograph.

Type 2 is, by definition, something you are reviewing about the presence of your security measures over a period.

It ensures that your security practices are continuously running. It collects evidence of the fact that these are running.

There is a SOC 3, which is like a shareable version. You can put it out publicly. It has less information than SOC 2. But in general, it can be used to display publicly.

SOC 2 has such a level of detail that you would not want to share unless you’re sharing it with somebody under an NDA.

If you get SOC 2, you automatically get SOC 3. It is just a shareable document version of SOC 2. However, when issuing a SOC 3 report, auditors charge you separately.

SOC 2 is your table stake in closing mid-market enterprise sales. Without a SOC 2 report, selling in the U.S. market is becoming extremely difficult.

If you think about it from your customer standpoint, it’s easy to understand why. As a SaaS company, my customer’s data is on my servers, and they are naturally worried about the security processes I have to ensure that I’m protecting their data.

SOC 2 becomes an excellent way for them to understand the security practices in your company. Third-party validation of these security practices highlights that they are not just there today but continue to run regularly.

You need to get a SOC 2 certification for your company as well. But it is common for young companies to host themselves in a SOC 2 certified infra provider like AWS, Azure, or GCP and get by without a SOC 2 report for a while.

And, for your first few beta customers or you know your pilot projects, you could get through without a SOC 2 report.

But that depends a lot on your luck regarding how much your sponsor in your enterprise customer is willing to support you online and the criticality of the data they are sharing with you.

As the criticality of the data they share increases, even for a pilot project, it becomes harder without a SOC 2 report.

To get it done to the point of having a report that you can share with your customers, it’s about 5 to 6 weeks with compliance automation.

But generally, this process used to take 4 to 6 months without a product like Sprinto.

It is always better to start with these processes early in your life cycle because when more and more employees join the company, adopting new practices becomes harder and harder.

You need to do basic things when you’re setting up your infrastructure, like having the right security measures around how you SSH into your machines.

Somebody from the senior leadership needs to pay attention to this during the setup.

Some of the common pitfalls I tend to see are:

  • People think that they have to re-architect their systems.
  • This will take so much time away from my regular business running, and I will see it later.

However, you consequently lose a lot of deals, and that hurt will eventually make you realize that this is something you must do.

It covers everything that can impact the security of data. For example:

  • You need to do code processing of the data that’s coming from your customers.
  • You’ll have to ensure that it is scanned for vulnerabilities and that the vulnerabilities are fixed within a certain time.
  • You need to have processes to ensure that no single person in the company can make malicious changes to that code and push it to your production.
  • You need to have peer reviews enforced. If peer reviews are not enforced, you need to be alerted.

If you look at smaller companies targeting the U.S. as a market, I recommend SOC 2 as the primary framework to go after. It lays the foundation for you to get more things done.

For example, if you’re capturing more private individual information from California, CCPA applies to you. But a significant portion of your requirements is covered by SOC 2.

If you’re going into the European market, then you might need ISO 27001, at which point SOC 2 again is like a good base layer for you to build ISO on top of it.

As a company tends to get larger, and they go into specific industries like, let’s say:

  • If you’re selling to healthcare organizations, then you’ll need to do HIPAA.
  • If you’re selling to fintech companies and getting access to some financial information, especially credit card information, you’ll have to do PCI DSS.
  • If you’re selling to governments, FEDRAMP becomes important, and for federal organizations in the U.S., FEDRAMP becomes important.


Compliances are becoming table stakes for companies to sell these days, so I think that 3rd party trust is becoming an increasingly important ingredient to start to do business in the SaaS ecosystem.
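The transcript lists two controls an auditor will test evidence for: that vulnerabilities found by scanning are fixed within a defined time, and that no single person can author, approve, and push a change to production without peer review. The script below is an added example, not code from Sprinto or from the interview, showing what a small evidence check for both controls looks like. It runs over constructed sample records (the merge list and the findings list are made up here; the severity deadlines in `SLA_DAYS` are hypothetical values, since SOC 2 leaves the exact numbers to each company's own policy), in the shape an audit job would get them from a git host's pull-request API and a scanner's findings export.

```python
from datetime import date

# Constructed sample data: merges into the production branch, as an audit job
# might pull them from a git host's pull-request API. Not real repository data.
MERGES = [
    {"id": 101, "author": "alice", "approvals": ["bob"], "merged_by": "alice"},
    {"id": 102, "author": "bob", "approvals": [], "merged_by": "bob"},            # no review at all
    {"id": 103, "author": "carol", "approvals": ["carol"], "merged_by": "carol"},  # self-approved
    {"id": 104, "author": "dave", "approvals": ["alice", "bob"], "merged_by": "bob"},
]

# Hypothetical remediation deadlines in days by severity. SOC 2 does not
# prescribe these numbers; a company sets them in its own vulnerability policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner findings: opened date and, if fixed, the closed date.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": date(2024, 1, 1), "closed": date(2024, 1, 5)},
    {"id": "F-2", "severity": "high", "opened": date(2024, 1, 1), "closed": None},
    {"id": "F-3", "severity": "medium", "opened": date(2024, 2, 1), "closed": None},
]


def unreviewed_merges(merges):
    """Return ids of merges that reached production without an independent reviewer.

    This is the 'peer reviews enforced' control: an approval only counts when it
    comes from someone other than the author, so a single person cannot write,
    approve and ship a change alone. Each flagged id is a finding to alert on.
    """
    flagged = []
    for m in merges:
        independent = [r for r in m["approvals"] if r != m["author"]]
        if not independent:
            flagged.append(m["id"])
    return flagged


def overdue_findings(findings, today, sla_days=SLA_DAYS):
    """Return ids of findings that were (or still are) open longer than their SLA.

    Closed findings are measured from opened to closed; open ones from opened to
    `today`, so a finding that is still open past its deadline is also flagged.
    """
    overdue = []
    for f in findings:
        end = f["closed"] or today
        age_days = (end - f["opened"]).days
        if age_days > sla_days[f["severity"]]:
            overdue.append(f["id"])
    return overdue


def control_report(merges, findings, today):
    """Summarise both checks the way an evidence collector would record them."""
    return {
        "unreviewed_merges": unreviewed_merges(merges),
        "overdue_findings": overdue_findings(findings, today),
    }


if __name__ == "__main__":
    print(control_report(MERGES, FINDINGS, date(2024, 3, 1)))
```

Run on the constructed data as of 2024-03-01, merges 102 (no approvals) and 103 (author approved their own change) are flagged, while finding F-2 (high severity, open for 60 days against a 30-day SLA) is overdue. A continuous-monitoring job would run the same two checks on every merge and every scan result and raise an alert the moment either list is non-empty, which is the kind of running evidence a Type 2 audit asks for.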