SOC 2 Compliance for SaaS Startups & Top Pitfalls to Avoid
In this episode of SaaSTrana, Venky and Raghu, Co-Founder of Sprinto, discuss why SaaS companies should pay close attention to security measures to become SOC 2 compliant.
Compliance Automation with Sprinto
Can you introduce yourself and your company Sprinto?
I’m an engineer first and a founder. Sprinto automates security compliances like SOC 2, ISO 27001, PCI DSS, and GDPR. We have support for over 15 standards.
It usually takes months of manual effort to get compliance. This is possible in a few weeks, and the effort is one-tenth what it used to be.
This enables many small companies to go after big-ticket deals, which was not possible before. We enable or level the playing field as far as certain larger deals are concerned.
SOC 2 Compliance and Audit Procedure
Is SOC 2 a very common requirement?
It is growing quite fast now. If I look at the U.S., SOC 2 is growing quite fast. If I were to think about Europe and India as markets, ISO would be growing fast.
What is SOC 2 compliance in a nutshell?
SOC 2 is a security standard written and maintained by AICPA. It’s an American body, and CPAs write this.
SOC 2 is a 3rd party audit framework. When you want to get SOC 2 compliant, you need a third-party auditor to come in and review your environment to issue a SOC 2 report.
CPAs go through a lot of training on how to do audits. The auditing procedure is rigorous, which lends credibility to SOC 2.
SOC 2 is a holistic framework covering your people, processes, and how you change your organization, infrastructure, and technical aspects.
So, it’s an all-encompassing framework that looks at security from all angles.
Is it a certificate called SOC 2 certification, or is it just a report that you self-comply with?
SOC 2 is not a certificate; it’s a report issued by a certified AICPA audit partner.
Is there something called SOC 1, or is it directly SOC 2?
There is a SOC 1. It is used more in financial audits. SOC 2 is used in a technical security audit scenario. Both are holistic in that they look at the controls across the company, but SOC 2 is more information security related.
SOC 2 gives a very long report where each security measure you have in your company is listed.
And it clearly states how the auditor tested that particular security measure and what the auditor’s observations were.
For a person on your customer side who’s reading this report, it’s a lot of detail that they have in terms of what you are doing to ensure that you’re keeping their data safe and secure.
And it’s also audited by a third party, which gives them a lot of confidence.
Is there something like SOC level 1 and level 2?
There is a Type 1 and a Type 2. Usually, Type 1 is easier to get because it just looks at whether your security measures are in place. It’s like examining a photograph.
Type 2 is, by definition, something you are reviewing about the presence of your security measures over a period.
It ensures that your security practices are continuously running. It collects evidence of the fact that these are running.
There is a SOC 3, which is like a shareable version. You can put it out publicly. It has less information than SOC 2. But in general, it can be used to display publicly.
SOC 2 has such a level of detail that you would not want to share unless you’re sharing it with somebody under an NDA.
If you get SOC 2, you automatically get SOC 3. It is just a shareable document of SOC 2. However, when issuing a SOC 3 report, auditors charge you separately.
SOC 2 for SaaS Companies
Why is SOC 2 important specifically to SaaS companies?
SOC 2 is your table stake in closing mid-market enterprise sales. Without a SOC 2 report, it’s becoming extremely difficult to sell in the U.S. market.
If you think about it from your customer standpoint, it’s easy to understand why. As a SaaS company, my customer’s data is on my servers, and they are naturally worried about the security processes I have to ensure that I’m protecting their data.
SOC 2 becomes an excellent way for them to understand the security practices in your company. Third-party validation of these security practices highlights that they are not just there today but continue to run regularly.
Is it recommended that SaaS companies obtain SOC 2 audit reports?
You need to get a SOC 2 certification for your company as well. But it is common for young companies to host themselves with a SOC 2 certified infra provider like AWS, Azure, or GCP and get by without a SOC 2 report for a while.
And, for your first few beta customers or you know your pilot projects, you could get through without a SOC 2 report.
But that depends a lot on your luck regarding how much your sponsor in your enterprise customer is willing to support you online and the criticality of the data they are sharing with you.
As the criticality of the data they share increases, even for a pilot project, it becomes harder without a SOC 2 report.
How long does SOC 2 compliance take?
To get it done to the point of having a report that you can share with your customers, it’s about 5 to 6 weeks with compliance automation.
But generally, this process used to take 4 to 6 months without a product like Sprinto.
What are some essential practices that a new SaaS founder should consider to be prepared for building their business?
It is always better to start with these processes early in your life cycle because when more and more employees join the company, it becomes harder and harder to adopt new practices.
You need to do basic things when you’re setting up your infrastructure, like:
- Having the right security measures around
- How you SSH into your machines
Somebody from the senior leadership needs to pay attention to this during the setup.
Any mistakes that people make?
Some of the common pitfalls I tend to see are:
- People think that they have to re-architect their systems.
- “This will take so much time away from running my regular business, and I will see to it later.”
However, you consequently lose a lot of deals, and that hurt will eventually make you realize that this is something you must do.
Is SOC 2 restricted only to infrastructure, or does it also cover the applications running on that infrastructure?
It covers everything that can impact the security of data. For example:
- You need to do code processing of the data that’s coming from your customers.
- You’ll have to ensure that it is scanned for vulnerabilities and that the vulnerabilities are fixed within a certain time.
- You need to have processes to ensure that no single person in the company can make malicious changes to that code and push it to your production.
- You need to have peer reviews enforced. If peer reviews are not enforced, you need to be alerted.
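As an added example (not code from the podcast or from Sprinto), a small Python check of the two change-management controls just listed, run over constructed branch-protection settings and scanner findings; the config shape, the severity remediation windows and the function names are assumptions, not anything the page or a real tool defines:

```python
"""Added example: flag branches where one person can push unreviewed code,
and open vulnerability findings that are past their remediation window."""
from datetime import date

# Constructed sample: hypothetical shape of a repo's branch protection settings
BRANCH_PROTECTION = {
    "main": {"required_approving_review_count": 1, "enforce_admins": True,
             "allow_force_pushes": False},
    # 'release' has no required review and allows force pushes: a gap an auditor would note
    "release": {"required_approving_review_count": 0, "enforce_admins": False,
                "allow_force_pushes": True},
}

# Constructed sample: open findings from a vulnerability scanner (ISO dates)
FINDINGS = [
    {"id": "F-1", "severity": "critical", "found": "2024-01-02", "fixed": None},
    {"id": "F-2", "severity": "low", "found": "2024-01-20", "fixed": None},
    {"id": "F-3", "severity": "high", "found": "2023-12-01", "fixed": "2023-12-20"},
]

# Assumed remediation windows in days per severity; set these to what your policy states
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def review_gaps(protection):
    """Return branch names where a single person could push code without a peer review."""
    gaps = []
    for branch, rules in protection.items():
        if (rules["required_approving_review_count"] < 1
                or not rules["enforce_admins"]
                or rules["allow_force_pushes"]):
            gaps.append(branch)
    return gaps


def overdue_findings(findings, today_iso):
    """Return ids of unfixed findings older than their severity's remediation window."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for f in findings:
        age = (today - date.fromisoformat(f["found"])).days
        if f["fixed"] is None and age > SLA_DAYS[f["severity"]]:
            overdue.append(f["id"])
    return overdue


if __name__ == "__main__":
    print("branches lacking enforced review:", review_gaps(BRANCH_PROTECTION))
    print("findings past remediation window:", overdue_findings(FINDINGS, "2024-02-01"))
```

In a continuous-monitoring setup this kind of check would run on a schedule and raise an alert whenever either list is non-empty, which is the evidence trail a Type 2 audit looks for.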
Understanding SaaS Compliance
What are the top compliances besides SOC 2 that a SaaS company will have to look for?
If you look at smaller companies targeting the U.S. as a market, I recommend SOC 2 as the primary framework to go after. It lays the foundation for you to get more things done.
For example, if you’re capturing more private individual information from California, CCPA applies to you. But a significant portion of your requirements is covered by SOC 2.
If you’re going into the European market, then you might need ISO 27001, at which point SOC 2 again is like a good base layer for you to build ISO on top of it.
As a company tends to get larger and goes into specific industries, like, let’s say:
- If you’re selling to healthcare organizations, then you’ll need to do HIPAA
- If you’re selling to fintech companies and getting access to some financial information, especially credit card information, you’ll have to do PCI DSS.
- If you’re selling to governments, FedRAMP becomes important, and for Federal organizations in the U.S., FedRAMP becomes important.
Compliances are becoming table stakes for companies to sell these days, so I think that 3rd party trust is becoming an increasingly important ingredient to start to do business in the SaaS ecosystem.
To know more, listen to the podcast here.