Get smart with tips for securing AI applications. Register today to learn how to secure your environment with an expanding attack surface.
Get smart with tips for securing AI applications. Register today to learn how to secure your environment with an expanding attack surface.

What a SaaS Provider Should Know about SOC 2 Compliance

SOC 2 auditing is a voluntary way to ensure that they are performing up to industry standards for data security.

If a company is operating under the SaaS model, they know better than anyone how important it is to keep data secure. Regardless of the purpose of the software or the content it is delivering and receiving, when it comes to consumer data and protecting the interests of clients, security is everything. Unsurprisingly, different compliance checks and balances exist, such as HIPAA with personal healthcare data, but pursuing cybersecurity excellence for SaaS companies looks a little different than typical compliance checks. SOC 2 Type 1 and SOC 2 Type 2 are common compliance undertakings by SaaS companies in the United States. These are not actually based directly on regulatory needs, but rather, SOC 2 auditing is a voluntary way to ensure that they are performing up to industry standards for data security.

What is SOC 2?

SOC 2 compliance considers 5 major trust principles to establish whether a business is using best practices for maintaining data integrity and safety: privacy, security, availability, processing integrity, and confidentiality. SOC compliance can only be accomplished with the use of an outside auditor observing the present and long-term efficacy of a SaaS’s security measures. A company engaging with SOC 2 is not required to meet all 5 principles’ standards but depending on the industry a company is operating within, some principles might be more pertinent (or even required for the purposes of this auditing) than others. Let’s dive into what each of these principles looks like.

1. Security

Where privacy is not a primary principle being addressed, security must be processed as part of an organization’s SOC 2 audit. In general, every privacy principle connects with security in some way, and it should be a top concern for any SaaS provider as more user entities come to depend on secure data acquisition and storage. By examining the security of an organization’s services, they can establish any gaps in access controls that might leave the door open to fraudulent activity or unauthorized access. This principle can also be an incentive to implement new security measures, ahead of time or as a result of the audit, such as two factor authentication and network firewalls to better protect client data.

2. Privacy

The privacy principle is an umbrella requirement that could easily apply to any SaaS group, regardless of its sector. How a company reports its privacy policy to clients and consumers and how their privacy standards perform must line up. The way an organization both stores and distributes consumer data is also subject to the American Institute of Certified Public Accountants’ standards known as Generally Accepted Privacy Principles, or GAPP. When all users agree to a policy that meets these standards, a privacy audit through SOC 2 should be a breeze.

3. Confidentiality

Here’s where the industry an organization is servicing becomes more relevant. Certain forms of personal data and engagement require confidentiality measures to be in place, and the SOC 2 audit is a great way to assess them in more detail. If a SaaS provider is servicing groups collecting or storing certain forms of personal data, namely personal health information and personally identifiable information. Most clients agree to have their data collected and used only in very specific circumstances, and this principle should be implemented in order to confirm that that obligation is being met.

4. Processing Integrity

Another instance where a principle is most applicable in certain sectors is seen in the processing integrity SOC 2 principle. With e-commerce and financial services, it is expected that data is both processed and delivered consistently, in the contractually agreed upon way, and in a timely manner. Not to be confused with data integrity, processing integrity refers to the monitoring of data’s movement and usage, while ensuring that a provider’s ideal or required method and means of transmission is enforced. If the existing data is not accurate to begin with, processing integrity still seeks to ensure that it is protected, but this principle alone will not produce more accurate data. It will, however, be useful in establishing better practices for acquiring and transmitting useful data.

5. Availability

When SaaS providers work with user entities, their clients have a reasonable expectation for when their data will be available and accessible, and how accessible their resources really are. This principle won’t directly make an impact on functionality of the organization’s platform, but network performance and failover checks play a role in the success of their availability principle in action. SaaS groups providing hosting or data center services are the most likely to benefit from this trust principle.

How Does the Process Work?

SaaS companies looking to participate in a SOC 2 audit have a few steps to take prior to the actual audit.

It would behoove most to put together a team responsible for all audit-related issues that will be addressed and that they be able to set aside time and resources to prepare. This team’s responsibility could cover both plotting out the intended scope of the audit and the preparation for the audit before it arrives. This preparation could include adding measures to fill in any security gaps, improving network performance, or even securing the physical space that an auditor would be touring, if applicable.

With a couple of months of preparation, the audit could take between a few weeks and 6 months, depending on the type of SOC 2 audit you are looking to accomplish. SOC 2 Type 1 is the result of an audit studying a given point in time, without contextualizing previous or future performance. SOC 2 Type 2 considers a minimum of 6 months’ worth of performance to gauge the long-term efficacy of a group’s implementation of the major SOC 2 principles.

Why Should SOC 2 Compliance Matter to a SaaS Provider?

User entities looking to work with any SaaS provider will want to feel confident that they are electing to use a secure and well-performing organization to improve their own products. While these audits are voluntary, they are credible ways to provide a reference point, and many businesses do reach out to auditors to delve into the results. To acquire new customers as a SaaS provider or cloud computing organization, there needs to be demonstrable benefits to moving onto a provider’s platform. There may not always been client opportunities to point to as a successful trait that sets a provider apart, and these SOC 2 audits might be the best way to show prospective user entities what a company is made of.

Top 3 SaaS Provider Certifications

With so many compliance frameworks within the digital economy, each business must determine the necessary compliance frameworks most applicable and more importantly, those required for their business operations. With this in mind, here are the top 3 certifications to consider as a SaaS provider.

  1. SOC 2
  2. ISO 27001

While this post focuses on SOC 2, the other two compliance frameworks offer businesses the opportunity to have a more robust approach to their security program.

Learn more about how Cobalt’s Pentest as a Service Platform can help you fulfill your company’s SOC 2 Compliance needs.

Complaince-Driven Pentesting Image CTA 2022
Back to Blog
About Caroline Wong
Caroline Wong is an infosec community advocate who has authored two cybersecurity books including Security Metrics: A Beginner’s Guide and The PtaaS Book. When she isn’t hosting the Humans of Infosec podcast, speaking at dozens of infosec conferences each year, working on her LinkedIn Learning coursework, and of course evangelizing Pentesting as a Service for the masses or pushing for more women in tech, Caroline focuses on her role as Chief Strategy Officer at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of vetted, highly skilled testers. More By Caroline Wong
Spanish Speaking Community in the Cobalt Core
The Cobalt Core is a diverse community filled with pentesters from all over the world. We want to highlight the Spanish-speaking community we have.
Oct 13, 2022
Cobalt's First Pentester: Shashank
Shashank was Cobalt's first official pentester in the Core. We sat down with him to talk about how his journey into pentesting started and how he has seen the Core grow.
May 11, 2022