I joined Gatsby earlier this year (mid-Q2 2021) to formalize, mature, and expand the company's cybersecurity program. One of the first priorities identified was to achieve a SOC 2 attestation. I'm excited to announce that Gatsby completed a successful SOC 2 Type 1 audit at the end of this past quarter, and is continuing to meet the standard through a SOC 2 Type 2 audit, in which our controls will be observed in operation over the next half year.
What is SOC 2 Compliance Attestation?
A SOC 2 attestation (SOC stands for System and Organization Controls, formerly Service Organization Control) is a voluntary report, issued by an independent CPA firm, that a service organization can share with stakeholders to describe the design and effectiveness of its security and IT controls. A SOC 2 Type 1 report (not to be confused with SOC 1, which covers controls relevant to a customer's financial reporting) attests that the controls are suitably designed and in place at a point in time. A SOC 2 Type 2 report attests that those controls operated effectively over a review period, typically several months to a year.
Why SOC 2?
Simply put, SOC 2 is one of the most recognized standards in the industry to demonstrate a maturity around security and data handling. The standard is provided by the AICPA – the American Institute of Certified Public Accountants – which at face value sounds a bit strange. Why would accountants be putting together cybersecurity standards? As I typically explain to people, “…as it turns out, accountants are really good at auditing!”
The standard is broken out into five Trust Services Criteria (TSCs): Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each TSC defines a set of criteria that the organization's controls must satisfy. Security has the largest set of criteria and is mandatory for every SOC 2 audit; the other four are optional, and an organization chooses which of them, if any, to be audited against. It's common to add one or two; it's very rare for an organization to be audited against all five. Here at Gatsby we chose Availability and Confidentiality in addition to Security. The reasoning was simple.
Security is a requirement for SOC 2, but it is also the first and foremost reason we want a SOC 2 attestation: to demonstrate to our customers that we are building a world-class security program at Gatsby. Availability is a no-brainer as well. For the Gatsby Cloud to be useful to our customers, we need to demonstrate that we have the controls in place to ensure continuity of service. Finally, Confidentiality was chosen because our customers trust us with their data in the Gatsby Cloud, and that's a responsibility we don't take lightly. We work hard to ensure that the data processed by our service remains confidential.
Don’t go it alone
In implementing SOC 2 we chose to engage Laika, who has been an excellent compliance partner. Laika's expertise has helped us not only meet the requirements of each SOC 2 control, but also confirm that we are implementing industry best practices along the way.
Laika's feedback has proven extremely valuable, especially since there are multiple ways to satisfy many SOC 2 criteria. It was important to us not to take a cookie-cutter approach to SOC 2. Instead, we wanted to build out the compliance program in a way that fit Gatsby's culture and existing procedures.
…but, compliance isn’t security
Many cybersecurity professionals lament that compliance isn't security, and they are correct! I'm one of them. That said, achieving SOC 2 compliance is critically important for demonstrating to other organizations the maturity of our security program at Gatsby.
While I would love to welcome teams from around the world for around-the-clock Zoom conversations about the inner workings of our security program, no security team is staffed well enough to do that. That's where a SOC 2 attestation shines: it answers most of the questions organizations have about a vendor's security and privacy practices when evaluating vendor exposure, and it does so with the stamp of approval of a third-party auditor.
All that said, at Gatsby we aim to not only build a compliant security program, but one that embraces modern best practices.
At a bare minimum, every security program needs to cover certain core functions: vulnerability and patch management, sound account permissioning and authentication practices, disaster recovery, and a robust application and network architecture. Modern security programs should be doing much more.
SCYTHE’s “Ethical Hacking Maturity Model” is a great visual to show where the security industry was and where it is headed.
Many companies are stuck in the low-maturity category, only conducting vulnerability scanning and perhaps quarterly or yearly vulnerability assessments. SOC 2 auditors expect evidence of both of these, and typically of the next item up the model as well: a yearly third-party penetration test.
At Gatsby, I have stressed the importance of developing offensive security capabilities internally. To this end, this year we began regular internal penetration testing, as well as security testing of the applications in our stack that adversaries are most likely to target.
We have also begun mixing in threat modeling to determine where in our architecture we should focus our resources, and to understand what attacks we may see on that surface. We are currently building out our detection engineering capabilities so that we can run adversary emulation and purple-team exercises in our environment on a regular basis to tune our defensive tooling.
We at Gatsby are truly excited about what we have in the works next year! On the security-front, we will continue to share both technical and business relevant information on an ongoing basis. Stay tuned! Have any questions or feedback about this article? Reach out to me on Twitter at: @mlgualtieri.