Service Organization Control, more commonly known as SOC, comes in two flavors: SOC 1 and SOC 2 reports. SOC 1 reports are for businesses that handle financial information for clients; these types of businesses are known as service organizations. SOC 1 reports assure your customers that your organization has the right controls in place to protect their financial information. SOC 2 reports address your organization’s controls related to operations and compliance standards.
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), and it specifies how organizations should manage customer data. This standard is based on the following Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy. A Type I report lets auditors assess risk and gives organizations confidence that they can carry out critical assessment procedures. Type I reports describe an organization’s system and test whether its controls are designed to achieve specific objectives as of a chosen date. The SOC 2 audit focuses on a service organization’s non-financial reporting controls as they relate to the security of a system.
Fairwinds’ audit was conducted by Dansa D’Arata Soucia LLP (www.darata.com). By completing it, Fairwinds maintains its adherence to one of the most stringent, industry-accepted auditing standards for service companies. It “provides additional assurance to its clients through an independent auditor, that its business process, information technology and risk management controls are properly designed.”
We chose to go through the process for a SOC 2 report to show our customers that we have the appropriate controls in place to mitigate risks related to the services we provide. Bill Ledingham, CEO of Fairwinds, said “A critical part of the value we offer our clients is giving them guardrails and governance to simplify Kubernetes complexity. It only makes sense that we apply governance to our business operations, as well.” Our team worked hard to ensure we are SOC 2 Type 1 compliant, and we will maintain compliance going forward.
As such, we have initiated the process for a SOC 2 Type 2 audit, which demonstrates adherence on an on-going basis. To help others understand how we achieved compliance quickly, we’re sharing some of our processes and how our teams worked together to make everything go smoothly.
Andy Suderman, Director of R&D and Technology
There were a few choices that made the process a lot easier. We partnered with Kintent, which makes it simple to respond to security questionnaires and share our security and compliance program with customers. Kintent also helped us complete our compliance certification by automating the program using APIs and testing our controls and policies.
Going through the SOC 2 process was a good opportunity for Fairwinds to button down a lot of processes that we had in place already. This was a great opportunity for us to make sure that those processes were documented well for internal purposes.
We found some areas for improvement, and many of those align with great practices regardless of whether or not we were doing SOC 2 certification. A lot of the best practices that we recommend in Fairwinds Insights are ones that we need to follow in our own infrastructure:
The entire process provided an excellent opportunity for us to review all of our own internal controls, as well as the ones we continue to build into our Fairwinds Insights platform.
Robert Brennan, Director of Open Source Software
Getting our application and development processes to the point of SOC 2 compliance was a lot of work, but absolutely worth it. Most of the changes came in two large buckets: security scanning, and development process.
On the security side, we were already doing quite a bit — for example, we used container scanning to find known CVEs in our Docker images, and had automatic PRs to keep our dependencies up-to-date. But in order to get full SOC 2 compliance, we added:
- Static code analysis — this helps ensure that we don’t introduce things like opportunities for SQL injection, and even helped us spot a few places where errors were unhandled.
- OWASP scanning — we now scan every deployment for common OWASP-related issues, like vulnerability to clickjacking or cross-site scripting.
- Penetration testing — we now engage with a third party to conduct annual penetration tests of our application. The initial pentest turned up some interesting (but thankfully sub-critical) findings.
But the most impactful changes were to our development process. While we had already been tracking our work in a ticketing system and put all changes through code review, some changes (e.g. small fixes) never went into the ticketing system. SOC 2 forced us to formalize this process. Now, every pull request has to be linked to a ticket (enforced by our CI system), and changes are tracked, reviewed and QA’ed consistently from release to release.
It took a good deal of work to get through SOC 2, but we have a lot more confidence in the security and stability of our application as a result.
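As an added illustration of the CI gate described above (example code, not Fairwinds' own tooling): a Python check that fails a pull request unless its title, body, branch name or a commit message references a ticket key. The `PROJECT-123` key format, the allowed project prefixes and the sample pull request are assumptions.

```python
import re

# Assumed ticket key format, e.g. "FW-123"; the post does not name the
# ticketing system, so these project prefixes are placeholders.
ALLOWED_PROJECTS = ("FW", "INSIGHTS")
TICKET_RE = re.compile(r"\b(?P<project>[A-Z][A-Z0-9]+)-(?P<number>\d+)\b")


def find_ticket_refs(text):
    """Return the set of ticket-looking keys (e.g. 'FW-123') found in text."""
    return {m.group(0) for m in TICKET_RE.finditer(text or "")}


def check_pr(title, body, branch, commit_messages):
    """Gate a pull request for the "every PR links to a ticket" control.

    Returns (ok, tickets, reason). Branch names are upper-cased first so a
    branch like "feature/fw-7-login" counts; strings such as "SHA-256" match
    the key pattern but are rejected because their prefix is not a project.
    """
    sources = [title, body, (branch or "").upper()] + list(commit_messages or [])
    refs = set()
    for source in sources:
        refs |= find_ticket_refs(source)
    allowed = {r for r in refs if r.split("-")[0] in ALLOWED_PROJECTS}
    if not refs:
        return False, set(), "no ticket reference found"
    if not allowed:
        return False, refs, "referenced tickets are not in an allowed project"
    return True, allowed, "ok"


if __name__ == "__main__":
    # Constructed sample PR: no ticket in the title, but one in the branch name.
    ok, tickets, reason = check_pr(
        title="Fix login timeout",
        body="Switches the session hash to SHA-256.",
        branch="feature/fw-7-login",
        commit_messages=["tidy error handling"],
    )
    print("PASS" if ok else "FAIL", sorted(tickets), reason)
    raise SystemExit(0 if ok else 1)  # non-zero exit blocks the merge in CI
```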
Mary Henry, Chief Financial Officer
Our team approached getting the company SOC 2 compliant very efficiently by ensuring we were working closely together. We had a small team of people who got things done and had weekly meetings to track our progress against the requirements for a SOC 2 — Type I report.
We started by quickly identifying the ownership of systems and each set of controls early in our process. That helped us set up the right teams from the beginning, so we could move at an accelerated pace. We identified long lead items early as well. The gap analysis itself typically takes two to four weeks from beginning to end and helped us ensure we had core policies, consistent employee background checks, a system for ensuring password complexity (we rolled out a password manager for all employees to help them manage complex passwords) and employment agreements in place. We also updated our employee handbook, which was a significant undertaking. A major lesson of becoming SOC 2 compliant is the need for all policies and procedures to align across the organization.
Fairwinds SOC 2 — Type I Report
Our official audit report from Dansa D’Arata Soucia LLP provided a thorough review of Fairwinds internal controls, policies and processes for its Fairwinds Insights software platform and managed services. It also reviewed Fairwinds’ processes relating to risk management and subservice (vendor) due diligence, as well as the company’s entire IT infrastructure, software development life cycle, change management, logical security, network security, physical and environmental security, and computer operations. We found the process helpful and informative; the SOC 2 — Type I report offers our customers peace of mind when they partner with us for services or use our Fairwinds Insights platform.