Fintech startup passes SOC 2 audits with serverless security


A startup providing AI-based cloud services to financial clients is pushing serverless computing for security, despite the challenges of translating ISO and SOC 2 audit requirements for cloud native architecture.

CrossBorder Solutions began seeking certification under the American Institute of CPAs' Service Organization Control (SOC) 2 and International Organization for Standardization (ISO) 27001 programs for its cloud-based products in 2019. Although it is not legally required to demonstrate compliance with these programs, the company saw a business advantage in demonstrating to its highly regulated customers that it complied with these standards.

“We have obtained the certifications to help customers understand that it is safe to do business,” said James Ford, who was the company’s chief security architect from 2019 to October 2021. “The SOC requires [them] to manage supplier risks, [which is] basically, making sure all of your vendors … do more or less ISO and SOC.”

The problem, at first, was that in early 2020 the company also ported its entire IT environment to AWS services that don’t require IT teams to manage virtual machine resources, also called serverless computing. These include the AWS Lambda function-as-a-service offering, as well as the AWS Fargate managed container service, the Aurora database as a service, Application Load Balancers and the CloudFront CDN.

“Serverless is not the same as without infrastructure,” said Ford. “What makes it really difficult is trying to explain to the listener what you don’t do and what you don’t have control over.”

ISO, SOC 2 audits require people and policy plans

Ford said he believed CrossBorder was one of the first companies to receive SOC 2 certification in a completely serverless environment, but the process ultimately focused more on people and process issues than on technological issues.


First, there was the work required to help IT compliance auditors understand cloud services that did not match what ISO and SOC 2 controls were originally designed to describe: private data centers with servers in them.

“It’s a lot to talk to the listener and talk to them about the ledge on some level,” said Ford. “You absolutely have to work with the auditor on each service.”

Ford said it engaged with several audit firms before choosing one to use for ISO 27001 and SOC 2 certifications, to ensure they were comfortable with the serverless approach. Getting auditors up to speed on cloud native technologies has long been a headache for companies migrating to the cloud, but by now most auditors have at least gotten used to working with IaaS environments and DevOps pipelines, Ford said.

Yet serverless computing involved relatively new concepts. For example, the AWS Cognito Identity Management Service that CrossBorder uses with its customer-facing applications takes a different approach to login failures than what is described in standard audit frameworks.

“You will get items in the audit where they want to see you block a user after five failed login attempts, but [Cognito uses a system where] by the time you get five login failures, the user is [put] up to 15 minutes of lockdown between attempts,” Ford said. “You have to spend some time explaining, ‘Well, no, that’s not how it works.’ … But that gives you the equivalent of what you’re looking for from a control point of view.”

AWS has also developed tools to help companies apply and demonstrate security in its cloud, such as Control Tower and Account Factory, which centralize control of multiple AWS accounts and apply security best practices across them. The AWS Security Hub collects logs from all CrossBorder accounts and scores them based on their compliance with the Center for Internet Security and AWS best practices, which Ford has said it can use to meet ISO audit requirements for specific key safety performance indicators.

While SOC 2 certification documented for customers that CrossBorder followed general IT security best practices, ISO 27001 provided a more prescriptive list of controls that the company could use to link high-level SOC 2 concepts to specific practices, Ford said.

“When you do the SOC, these things are good suggestions, but when the ISO audit comes in, they’re not suggestions anymore, they’re audit points,” Ford said. “‘How did you solve A? How did you solve B?'”

The first challenge was to translate the ISO 27001 and SOC 2 requirements for serverless computing. After that first step in the audit process, however, Ford said the most important task is to demonstrate that the company is following best practices in how it organizes people and processes.

“There are a lot of policies and procedures that you have to write to go ahead and prove that you are following the program” under ISO 27001, Ford said. “And then the big thing is making sure you write it down in such a way that you have a method of generating the proof that you’re doing it.”

The benefits of serverless security

Ultimately, Ford said, the initial work to prepare auditors to assess serverless environments is more than balanced by the benefits of serverless security.

“You can have an unproductive week because you’ve spent 40 hours talking to the listener to help them get through the process,” he said. “But that seems like a fair compromise against spending 52 weeks managing a bunch of extra layers of infrastructure.”

Eliminating server instances from the audit equation means IT professionals and enterprise security and compliance teams can focus more on business logic, whether it’s application-level security or human resource audit requirements, Ford said.

Serverless also encourages the use of ephemeral and immutable infrastructure practices and automated deployments through CI/CD pipelines, all of which have security advantages over server-based practices, Ford said.

“I like that with serverless you don’t have to worry so much about persistent threats,” he said. “For someone to compromise one of your containers … by the time they enter it, you either destroyed it or it was replaced. [Attackers] will tackle long-lived VMs [instead].”

Beth Pariseau, Senior Editor at TechTarget, is an award-winning veteran of computer journalism. She can be reached on Twitter @PariseauTT.
