SOC2 Certification for SaaS companies

Captions
Dennis: Hi, welcome to this Open Security Summit session, where we're going to look at SOC 2. Abbas from the Glasswall security team is going to take us through this. I hope this is one of many sessions we have here about SOC 2 and 27001 certifications, where we share and collaborate on how to get this done, but also on how to make it scale, how to put it as a graph, and really create something that is highly scalable. Over to you, Abbas.

Abbas: Thank you, Dennis. Welcome everyone to my session today. My name is Abbas and, as most of you know, I am the head of InfoSec at Glasswall. Today we're going to talk about SOC 2 certification for SaaS companies. We'll walk through what SOC is in general, for the people who don't know, what the types of SOC are, and then why we need SOC 2 for SaaS companies.

As you know, information security is always a reason for concern for all organisations, especially when you outsource key business operations to third-party vendors, SaaS or cloud computing providers. SOC is a type of compliance that ensures that service providers securely manage their data, to protect their own data and their customers' data. There are a couple of types of SOC which I'm going to go through, but I want to say that SOC 2 compliance is a minimal requirement when considering a SaaS provider, at least that's what we are told by FSIs and large enterprise companies where we are trying to sell them a product. I'll get to the testimonials later on; this is just an introduction.

So what is SOC? It's a procedure which ensures that service providers securely manage their own and their clients' data, to protect the interests of the two parties. In SOC we have SOC 1, SOC 2, and now SOC 3, and under each SOC type we have two types: Type 1 and Type 2. SOC 1 is designed to address internal controls over financial reporting. SOC 2 addresses service organisation controls that are relevant to their operations and compliance. SOC 3, which is the highest level here, is assurance of operational excellence. Basically, SOC 2 reports include the audited testing report, but SOC 3 provides a system description and the auditor's opinion.

Here, as you see (let me move my banner; is this blocking your view? Okay), is the SOC comparison: what we have in each report and how to use it. These are the SOC types: Type 1 describes a vendor's system and whether its design is suitable to meet the relevant trust principles; Type 2 details the operational effectiveness of those systems.

These are the SOC 2 certification trust principles, and that's what we look for when we are doing a SOC 2 certification: these five trust principles. One of them is privacy, where you address your access control, two-factor authentication and encryption. Confidentiality: again, encryption, access controls, network firewalls and applications. Process integrity: this is where QA comes in, and processing monitoring. Availability: that's where we work on performance monitoring, disaster recovery and security incident handling. And on the security side it is, again, securing your endpoints, network and application: firewalls, two-factor authentication and intrusion detection. SOC 2 certification is addressed by outside auditors, and outside auditors check how much the vendor complies with one or more of the five trust principles I listed here.

If I want to talk about who needs SOC 2 and why, and this is very important to understand: why do we need SOC 2, and why, when I go to our client and say "I have this great product here, I want to sell it to you", is it important for SaaS companies to have SOC 2 compliance? Honestly, System and Organization Controls compliance isn't mandatory. One of the reasons we need SOC 2 is customer demand. Protecting customer data is a headache, and it is important: you need to protect it from unauthorised access. Without SOC 2 attestation, or probably SOC 3 in some cases, you can lose business easily.

If we talk about cost effectiveness: we might think that an audit is going to cost a lot of money. Let's say a SOC 2 audit costs 20 grand, as an example; it depends on how big or small the organisation is. But a single data breach costs on average 3.86 million dollars, and that figure rises every single year. As you know, after COVID we have a lot of businesses which are online, and it's just going mad. So imagine that 3.86, which I think was in 2018, might be like seven million now. SOC 2, or SOC 3, is a proactive measure to help avoid those costly security breaches. I think a company, look at small companies, would rather pay 20 grand than pay 7 million, because 7 million would make them broke, and they won't be able to carry on.

If we're going to talk about competitive advantage, having a SOC 2 or 3 report gives the organisation the edge over the competitors, and we can say "listen, we are SOC 2 certified". I tried this with another certification, Cyber Essentials and Cyber Essentials Plus, which, if I compare them to SOC 2, are Mickey Mouse certifications (sorry, that's just what I call them), and it makes a difference. Take a small business with a dynamic two-page website that sells a small product, a very small-priced tool which does something: especially when that small business is trying to attract medium-sized businesses, you go there and say "I want to sell you this great tool", and they say "yeah, but how can we confirm that this is a good tool?" So basically SOC 2 and 3 give you that kind of reassurance.

If you want to talk about peace of mind, passing a SOC 2 provides assurance that your systems and networks are secure. It provides the assurance, but there is always the human element here; I can argue on this and say it depends on how honest people are as well, because there are a lot of questionnaires that the InfoSec and IT team is going to go in and fill. I just want to say that SOC 2's requirements overlap, or dovetail, with other frameworks, let's say ISO 27001. So if you have that certificate, it can speed up your organisation's overall compliance efforts. One of the things we are working on ourselves in the InfoSec team, and I like to call this, from a Nike background, a blade: basically, if I get SOC 2 as a baseline, then I go and check against, say, ISO 27001: "oh, if I want to achieve ISO 27001 I just need to have that bit", so go and work on it. I call it a blade: I just put that blade in, a minimum, a little bit of work, and here we go, our customers require ISO 27001 and we have it.

If you want to look at the value: SOC 2 reports provide valuable insight into the organisation's risk and security posture, vendor management, internal controls, governance, and regulatory compliance. It is a benefit for everyone. I'm going to talk later on about what the salespeople say. And this is a great thing I found online, to be honest: with SOC 2 you can sell to compliant industries and their vendors. You can sell to financial industries, and sensitive-data firms like law firms; they all require SOC 2. Third-party SaaS vendors require SOC 2 too. In the red circle here, you can't break in there. I know that SOC 2 is not the only requirement, and probably not the main one, but it is definitely a main requirement. You might have more stuff to look into, but you definitely require SOC 2; you can't break in there without it. And for us as a company, SOC 2 would do us really good.

I'm just going to go through a testimonial from one of our sales team, Rod. He leads a lot of this; he goes and talks to customers and tries to sell them our products, and he told me: global FSI customers told us that they will not deploy any product in their... it will also reduce the overhead of security sign-off for POCs. Without SOC 2 we need to answer an extensive questionnaire (sorry for the typo here) for most engagements.

And I want to tell you from my own experience: in the InfoSec team we have the sales team coming to us, and even if you have a security document about your product, these big banks, big companies, are going to come back to you with "this is our questionnaire, go and fill it". And seriously, there is no standard; it's not exactly the same questionnaire every time. Every single company is going to ask their security questionnaire in a different way, and it gets really complicated and time-consuming. We started doing playbooks at Glasswall, where you have a questionnaire that has most of the questions covered, and we started trying to merge them, but we still have new ones coming in, and it takes ages to go through and fill that questionnaire out. Then you need to send it back to the bank or the financial institution, I mean in terms of customers here, and they're going to come back to you and say "why are you not doing this?" It's a big headache, to be honest. So I think SOC 2 is a very, very good compliance. It is important to be compliant with SOC 2 for any medium SaaS company; it is essential. Any questions?

Audience member: I have one question. Why did Glasswall decide to go with SOC 2 and not ISO 27001, or is that further down the pipeline?

Abbas: For SaaS there is a difference between ISO 27001 and SOC 2, and from a compliance point of view SOC 2 is something for SaaS. Glasswall decided to go that way because all the companies we are talking to are asking for SOC 2; they're not asking for ISO 27001. Let's say 90 percent of the companies you go to say "are you SOC 2 compliant?" That's one of the main reasons.

Audience member: Okay, cool.

Dennis: Any more questions? I had a question: can you zoom in more on the practical elements of it? If you go back up the slides, you had... yeah, this one.

Abbas: Okay, so in terms of the trust principles: you need to be compliant with three of the areas here if you want to achieve SOC 2, as far as I know. One of them is privacy. Do you want me to discuss every single one in particular? I think I misunderstood your question, Dennis.

Dennis: If you zoom in more, in practice, where are you putting this? Access control, two-factor, encryption, network firewalls: what's the next level down from this?

Abbas: Okay. Basically, in SOC there are three stages. The first stage is where you assess what you have. Let's say you're using AWS or Azure: you go and assess your environment to check on all these controls, to check where you are, to check if you have access control policies on your resources. Are you allowing access to your resources from everywhere? Us, as an example: we restrict access to a couple of areas on Azure and AWS, and we have some requirements like MFA, location, and other minimum requirements. So first you go and do the assessment, and then in stage two, after the assessment, you go and try to sort out the closures. And in the last stage you have the official auditors coming in to audit you.

In terms of privacy, as far as I know, you need to make sure that you have access control policies applied, conditional access ones, two-factor authentication: wherever you are saving your code, who can connect and how can they connect. You need to make sure that you have encryption on your local storage as well. In terms of how you connect: are you connecting via VPN, do you have two-factor authentication applied on that, what is your password policy (I'm not talking about whether passwords expire or not, but whether it is a strong password policy). Access control, two-factor authentication and encryption go under confidentiality as well. So basically the audit will be on these five trust principles, and you need to check on your performance monitoring. As an example, at Glasswall we go and do quality and fuzzing testing on our product; how well does it do? Do we have any disaster recovery plan? If that Kubernetes cluster, or whatever, goes down, how do we recover from that, how long does it take, do you have a procedure for that? Do you have incident management? If you have a security incident happening, how do you handle that, do you have a process in place, what would you do in such a situation? At Glasswall, one of the great things we achieved over the last couple of months is to have security incident playbooks, which means that we have a proper procedure: when we have a security incident we do A, B, C, D and E. We start a playbook, which will automatically open an incident on our chat communication platform; we have a channel just for that, and we go and start communicating with and adding the stakeholders and people who are involved in the incident, and they investigate everything that is happening. After that we have a whole questionnaire: is it affecting our customers, what is the risk, and all of this.

And on security, definitely: network and software application firewalls, do we have that, how are you protecting your application? Do you have an intrusion detection system? If someone is trying to attack you, does your system detect specific stuff? As an example, things we did at Glasswall: we created our own bot which goes and looks into our different cloud platforms and says "user A just started deleting things aggressively", or "user A just created a VPC", or "user A is deleting our resources, or trying to delete resources". It is very important to have all these controls in place, and SOC 2 is going to audit you against all of this. One of the examples on intrusion detection as well, a control we should take into consideration, is baselining, so anomalies: suddenly, on that platform, someone starts spinning up EC2 instances crazily and the cost is going to go up. If you monitor your cost as well, you can keep yourself secure.

Availability: I spoke about security incident handling and disaster recovery, but are you protected against DDoS attacks? What do you do? Do you have load balancing? You need to go and audit all of this. In terms of confidentiality, we spoke about this: you need to have your access controls and network and application firewalls. Does that answer your question, Dennis?

Dennis: Yeah, but what I was kind of looking at is: is there a checklist, where all those things become questions at the next level?

Abbas: It's a very long questionnaire, like 300 questions; every single one has too many questions. I don't have that on me.

Dennis: Because the thing that we should try to do is put that into, probably, Jira, or some kind of workflow. How do people do this? Is it just a bunch of spreadsheets?

Abbas: When we started this in 2019 we received a big, big questionnaire from the people who were helping us on stage one, and it's a very long questionnaire. Usually these companies provide you with a platform where you can go and audit everything online; you can still download the report, but you can do it online and insert stuff: "yes, I've answered this question", "this question requires more information", or "this is not applicable". When we did it, it was an online platform, and when you download the questionnaire it's about 200-300 questions that you're going to go and talk about. But I don't have that here, and even if I had it, I can't show it, because what I have is not anonymised at the moment.

Dennis: No, I thought there would be a generic one.

Abbas: I can look for some; I don't have a generic one.

Dennis: Okay, all right. Because I think we need to see how to make it scale; we definitely need a platform to do that, right?

Abbas: Yeah. It would be cool if the people we will be working with had the ability to integrate whatever they have with Jira. It would be very good for us, and it should be two-way: if I update something on Jira it also goes into the report. That's a dream, to be honest, but I hope so. I will look for a generic questionnaire, we will analyse what we have, and we can share it publicly if required, and whatever we have, we're going to add it to Jira.

Dennis: Cool, all right. Any other questions?

Audience member: I've got one more question. How would we ensure that we're compliant going forward? Once we've got the certification, how do you ensure that we're meeting it?

Abbas: Basically, SOC 2 is going to be audited every six months. But one of the great things we have is that all these big cloud providers are doing it. So it is two things: what you are doing as a company and as an InfoSec team, and what the third-party cloud providers are doing. I'll give you an example about Azure and AWS: in Azure and AWS you now have a compliance center where you can check all your Azure or AWS resources and their compliance with SOC 2; it goes and checks and gives you recommendations: "you need to do this here, and this there". And the other thing will be on you as an InfoSec team: you need to implement this in your SSDLC and say that everything we are spinning up, every single time we have a design change (a design change means a change to the data flow diagram, which means a change to the threat model), you need to go and make sure this is compliant with SOC 2.

Audience member: Got you, okay. Because I know with ISO 27001 you would have regular internal audits; you'd have an internal audit team who would go through it.

Abbas: Yeah, that's definitely at least every six months, I think.

Audience member: Got you, okay. So the thing with SOC 2 is that it provides an assessment of the controls, whereas ISO 27001 is a top-down view of security which establishes the core controls. I just want to make this clear.

Dennis: Sorry, I was going to say: when you're using third-party providers to provide a lot of stuff, and they comply, how much more is there to do for a company? If all the hosting, for example, is done on Azure or AWS, what are the bits that are relevant? Is it the development? When you talk about access controls and encryption and all that stuff?

Abbas: Well, it is both. As far as I understand, it is on the development and InfoSec teams too.

Dennis: Yeah, what I'm saying is that, for example, when you do PCI DSS you define what's in scope; the scope tends to start with where the credit card is and then you go in circles around it. So what's in scope in a pure cloud play, where all the services are provided and hosted in the cloud provider? How much of the company is in scope?

Abbas: I'm not really sure about this one, but what I'm pretty sure about is that the scope will be any cloud platform, anyone accessing that cloud platform, any team accessing that cloud platform, and all the resources used for a specific product, because with SOC 2 you can do it on a product or you can do it for the whole business, for all your products, for everything. So it starts with the product and it comes down to all your controls. And I'm really sorry if I'm not a SOC 2 expert; I'm just trying to break through this.

Dennis: Cool, right. Any other questions? All right. Do you have any more materials?

Abbas: No, that's what I have. I think in January we'll definitely have more material on this.

Dennis: And we definitely want to look at the scalability of this, right? That's what I'm looking for. The thing that we did in the past (you can see some of the Wardley maps now; it was one of the guys that was on my team) is that we basically took the view that we put the whole of the PCI stuff in Jira. So the auditor literally navigated to Jira and went through every one of the items that was on the check, the extended list, and linked or attached to that item in Jira was the documentation, the reference. I think we even exported it to a spreadsheet; I need to double-check. But I think that also allows you to track the project, to really understand what's going on.

Abbas: When we started this last year I wasn't directly involved; I was involved a little bit later. But what I remember is that we didn't have Jira at the time, I think, so it was a portal where we logged in and started ticking boxes and answering questions. But on this occasion I think what we can do is try to import what we have, see if we can import it automatically, and if we can't, maybe we can just get that generic questionnaire and import it there. We need to find a way to automate, to be able to scale. Scalability here is automation; those are the keys here.

Dennis: Yeah. I think let's also use this forum now to ask questions, and now that we've had the first session, let's create another set of sessions; a good session to do next time, in January, is "scaling SOC 2", and see how others are doing it. I was hoping... I don't know if anyone has done SOC 2 on this call? No? Basically, for myself, this is my very first experience with this. We've done PCI compliance and stuff like that before, but this is something absolutely new; it's very, very exciting. So yeah, that's so good. All right, I think we can wrap up, so you can stop recording, and I think we'll continue next month. Brilliant, thank you everyone.
Info
Channel: Open Security Summit
Views: 64
Rating: 5 out of 5
Id: _OAWjA5H6mA
Length: 29min 36sec (1776 seconds)
Published: Mon Dec 14 2020