Demonstrated SOC 2 compliance is a badge of honor for technology organizations.
Developed by the American Institute of Certified Public Accountants (AICPA) as a way to report on an organization’s controls against its Trust Services Criteria, System and Organization Controls 2 (SOC 2) is the de facto standard for outfits like Kinsta, whose business is hosting other companies’ data in the cloud.
Kinsta embarked on an effort to demonstrate SOC 2 compliance in the fall of 2022 and completed its first successful audit, scoped to the security criteria (the required baseline of the Trust Services Criteria), in August of 2023. Along the way, the Kinsta team learned a little about preparing for a SOC 2 audit.
We also found that we could make our systems even more secure than they already were.
If your organization is contemplating a SOC 2 audit of its own, we’re happy to share what we know with you.
What Is SOC 2, and What Does Compliance Entail?
SOC 2 is a set of information-security criteria that companies can voluntarily choose to be audited against. Rather than prescribing specific controls, it leaves each company to align the way it operates with the criteria and then have an independent auditor attest that its controls are designed (and, for a Type II report, operating) as described.
Chief Operating Officer Jon Penland, who spearheaded the SOC 2 effort at Kinsta, says the AICPA’s criteria are general enough to be applicable to most organizations. It’s up to each organization to design and implement controls specific to its own operations; an independent, licensed CPA firm then examines those controls and issues the attestation report. (The auditor can help with readiness assessment, but independence rules mean it cannot design the controls it will later audit.)
The SOC 2 framework includes five Trust Services Criteria categories: security, availability, processing integrity, confidentiality, and privacy. Security is the required baseline (its criteria are also known as the common criteria); the other four are included at the organization’s discretion. Says Penland: “Since we were getting a SOC 2 program up and running for the first time, we focused on the core security criteria for our first SOC 2 audit.”
The final result is a SOC 2 audit report. Companies can receive two different types of reports:
- Type I: This report provides evidence that, as of a specific date, a company has designed and implemented controls that address the SOC 2 criteria. Think of it as a “snapshot” report: it confirms that appropriate controls exist and were in place on that date, but it does not confirm that the controls operated effectively over any period of time.
- Type II: This report takes things a step further by testing whether the controls actually operated effectively during a defined observation period (typically between three and twelve months). Where a Type I report is a “snapshot” of compliance at a point in time, a Type II report verifies compliance over a defined period of time, which is why customers and vendor-risk teams generally ask for it.
Penland says Kinsta opted for a Type II report, covering a three-month observation period that began on April 1, 2023.
The results are available to customers on Kinsta’s Trust Report page.
Making the Decision to Start the SOC 2 Process
Penland says compliance was on Kinsta’s radar long before the SOC 2 project kicked off in September of 2022.
“We had quite a few customer leads simply decline to consider Kinsta once they learned that we could not demonstrate compliance with the SOC 2 standards,” he says. “For many enterprise customers — and an increasing number of SMBs — SOC 2 compliance is a requirement they place on their vendors.”
“Also, in the absence of SOC 2, we had many leads ask us to complete extensive security questionnaires, which can take a lot of time and resources to complete. The SOC 2 Type II report will dramatically reduce the number of security questionnaires our team has to spend time on.”
What’s more, Penland says, “We believed that a framework like SOC 2 could help us improve our security in tangible and meaningful ways.”
Choosing a GRC Platform and an Auditor for SOC 2 Testing
“We recognized that we needed to identify two key vendors early on,” Penland says. “That’s the GRC (governance, risk, and compliance) software we would be using to automate compliance monitoring to the greatest extent possible and the CPA firm we would use to perform our first SOC 2 audit.”
“We decided to start by identifying the GRC software we felt best met our needs. We ended up researching more than a dozen competing GRC solutions, holding discovery calls with eight vendors, and demoing four or five different platforms. After weeks of work, towards the end of 2022, we settled on Vanta as our GRC platform.”
By January of 2023, Kinsta was in the process of getting internal systems working with Vanta’s automated tools for compliance monitoring.
“At the same time, we started looking at possible auditors,” Penland says. “Vanta has a number of auditor partners, and we decided to focus our search on these partners — the reason being that we wanted to make sure our auditor was familiar with Vanta and would accept evidence collected by them. After holding discussions with a few different auditors, we decided BARR Advisory was the right choice for Kinsta.”
How Kinsta Launched SOC 2 Testing
With all the players in place, March was a busy month for the Kinsta team.
“There was much to do for our Security, IT, Engineering, Development, Legal, and HR teams,” Penland says. “We held countless meetings, updated many policies and workflows, worked on SOC 2 asynchronously in Slack on a daily basis, and checked in regularly with both Vanta and BARR.”
“When our observation period began April 1, there was little to note and no fanfare. The interesting thing about SOC 2 is that if you’ve operationalized your compliance activities, compliance doesn’t take all that much work. Preparing to comply takes work, and gathering evidence in support of the audit takes work, but the act of complying with the controls effectively means business as usual, provided you’ve assimilated those SOC 2 controls into operations.”
Says Penland: “In the second half of June we held a series of meetings with our auditor, during which they went over the evidence collected to ensure they had a complete understanding of how the evidence related to our agreed-upon controls. While using Vanta certainly saved us a lot of time, we still put quite a bit of effort into collecting, organizing, and clarifying the evidence we provided to BARR.”
Kinsta’s first SOC 2 Type II report was published on August 15, 2023.
A Closer Look at Kinsta’s SOC 2 Controls
Kinsta’s first SOC 2 Type II report includes 38 different controls, which fall into a few different categories:
- Automated platform tests: Since Kinsta uses Google Cloud Platform (GCP) as its infrastructure provider, many of the tests around the security configuration of GCP were automated through Vanta’s GCP integration. Automated tests can only check resources the tool knows about, so a complete, well-organized inventory of in-scope assets is a prerequisite. “Once these tests were set up, they pretty much just hum along in the background, but getting them set up was no easy feat,” Penland says. “We have literally thousands of GCP VMs, and our Engineering team moved mountains getting all of those VMs properly categorized and organized so that Vanta could monitor them effectively.”
- Policies: Prior to SOC 2, Kinsta already had a fairly robust policy framework. “The challenge we ran into is that our policies were not set up the way Vanta expected,” Penland says. “That meant that we had to compare our current policies to Vanta’s expected configuration and decide how to align the two. This took a tremendous amount of coordination and work — far more than I expected — and was probably the most time-consuming step in the process.”
- Workflows and procedures: “It’s great to have a policy that says something like ‘all team members will complete security awareness training during onboarding,’” says Penland, “but if you don’t integrate that policy into a workflow, you’re at risk of failing to abide by your policy. We had to spend a lot of time thinking through various workflows and updating them with checkpoints or additional steps to ensure we were following through on the commitments we had made as part of SOC 2.”
- Recurring tasks: There are several recurring tasks Kinsta needs to stay on top of to comply with the SOC 2 controls. These tasks include things like disaster recovery and security incident tabletop meetings, penetration testing, annual policy reviews, and more.
“SOC 2 ultimately goes a long way towards describing and controlling how you operate across IT, HR, Engineering, Development, and Security,” Penland says. “So it’s important to design controls that align with how you actually operate or adjust your operations as needed to align with your SOC 2 controls. SOC 2 can’t just be something you do once a year — it has to be how you operate every day.”
Looking Back on Key Lessons Learned
Penland says a key to the SOC 2 project’s success was consistent buy-in across the entire Executive team and, in turn, the rest of the organization.
“To complete SOC 2, we had to tap into significant resources, in particular on our technical teams — Development, Engineering, Security,” he says. “If our CTO and Technology team leadership had not bought into the necessity of going through this process, we would have been sunk. So, one piece of advice I would have for any organization thinking about going after SOC 2 is to make sure you’ve done the work of selling the importance of SOC 2 internally and getting buy-in from the top leadership of the company.”
“I do think finding a GRC system that has the right integrations and features that fit your business is a great way to start,” Penland adds. “I also think moving quickly to identify your auditor and begin working with them, before you think you’re actually ready, is also a good idea. We found the pre-assessment readiness work completed by our auditor to be invaluable in helping us identify the exact steps we needed to take to be ready to begin our observation period.”
Also important was choosing an auditor familiar with operations like Kinsta’s.
“Kinsta is a modern technology company,” Penland explains. “Our entire business runs in the cloud, we have no offices, and our team is spread all over the world. If we had opted for an auditor who was used to working only with traditional brick-and-mortar businesses and on-premises infrastructure, it could have been a very bad experience for both us and the auditor.”
With a growing number of potential customers demanding SOC 2 compliance from their cloud hosting providers, Kinsta committed to meeting the framework’s security criteria in the fall of 2022 and achieved its first successful audit in August of 2023. Along the way, the company fine-tuned numerous policies and procedures and adopted a third-party platform to automate some monitoring of governance, risk, and compliance.
Kinsta Chief Operating Officer Jon Penland says the process of working towards SOC 2 reporting also gave the company an opportunity to enhance its security posture in “tangible and meaningful ways.”
The company aims to expand the number of SOC 2 criteria to be audited and make compliance monitoring a continuous process.
Remember to check in on Kinsta’s SOC 2 status using the Trust Report page.