Ubiq Achieves SOC 2 Type II Compliance
We’re thrilled to announce that we’re SOC 2 Type II compliant!
Security and privacy are at the core of everything we do at Ubiq – so it shouldn’t surprise you that we built a product that, by design, helps you protect your sensitive data. Since our early days, we’ve worked with expert security teams and cryptographers to validate our controls and security architecture, to ensure we’re running the most secure environment possible. We view our SOC 2 Type II compliance as an important step in our continuous journey towards increased transparency and trust with our customers. In this post, we’ll talk a bit about our journey, the types of artifacts we produced, some of the important controls we have in place, and a few recommendations on how you can achieve compliance as efficiently and painlessly as possible.
SOC 2 Type what?
Before we get into it… sometimes people conflate SOC 2 Type I with Type II, so we’ll take a minute to quickly discuss the two. A SOC 2 Type I audit verifies that internal policies and procedures are in line with industry standards to keep your information safe – as validated by an independent auditor. A SOC 2 Type II report verifies that you’re actually following these policies and procedures. Whereas a SOC 2 Type I report looks at a snapshot of controls at a moment in time, and whether or not those controls have been appropriately defined, a SOC 2 Type II report looks at controls over a period of time and whether or not those controls have actually been put in place and are operating effectively.
To learn more about the overall SOC 2 and the overall process of achieving compliance, check out this great post from our homies over at Drata.
A big part of compliance is policies and procedures
One of the more “painful” aspects of SOC 2 compliance is documenting important policies and procedures. I mean, we all love writing documentation and defining thorough processes, right?
Pro tip: with the right compliance automation partner (in our case Drata), it’s far less painful than you’re probably thinking.
Our SOC 2 Type II report contains a detailed list of the policies we have in place. For example:
- Requiring single sign-on (SSO) and multi-factor authentication (MFA) to access our environments and limiting access based on job function
- Requiring that a second engineer approve any non-emergency changes before releasing them to our production environment
- Sending automated alerts to the engineering team when changes are made to the production environment
- Testing our data restoration procedures to confirm the integrity of backup data
- Following our incident response process for security and availability incidents, including completing a post-mortem and contacting impacted parties
- Continuously reviewing our security policies
- Performing routine audits of access to critical systems that power our infrastructure
- Enrolling new employees in security training and running routine security awareness exercises
Our report validates that we’re complying with these policies and measures (and many others) and that they’re effective in protecting our customers’ data.
Implementing the right tools to ensure – and maintain – compliance
Our SOC 2 Type II report allows you to verify that our internal procedures and policies are in line with what we should be doing to keep your information safe, as validated by an independent auditor. But it doesn’t stop there. It’s equally important (and many practitioners would argue more important) to have critical security controls in place:
- Using SSO and MFA in as many places as possible – no excuse today not to
- See first bullet
- Deploying endpoint detection and response tools on all endpoints
- Protecting email infrastructure with advanced email protections
- Deploying runtime-level detection and response across cloud infrastructure
- Leveraging cloud security posture management to ensure you have the basics covered
- Requiring employees to have a business need to access the production environment, using SSO and MFA
- Requiring peer review of all source code changes
- Encrypting data at rest and in transit
- Backing up data regularly
- Leveraging a centralized security incident and event management platform to collect, correlate, and identify malicious activity
- Working with security firms to perform assessments and ongoing 24×7 monitoring
- Responding to security issues reported to security@ubiqsecurity.com
- Requiring employees to regularly complete security awareness scenarios and training
- Building SAST, DAST, SCA, and IaC scanning into your CI/CD pipelines
Our SOC 2 Type II report contains a more complete list and detailed explanations of our security controls, with validation from our auditor. If you are an Enterprise customer and would like access to Ubiq’s SOC 2 Type II report, please email security@ubiqsecurity.com. Please note that, as standard practice, our certification reports are only released under a non-disclosure agreement, for both existing and prospective customers.
Even with lots of prep, it will take a while
Even with good security controls in place, defining our internal processes took the most time. SOC 2 is a standard that was developed by accountants, so there are many requirements related to job descriptions, org charts, performance reviews, and other things that you might not think of as “security” but are essential to addressing potential risk. It’s painful, but necessary and really makes you think about the things that many of us tend to subconsciously (but in most cases consciously) avoid thinking about. You know who you are. 😉
You don’t need to go it alone
We are fortunate to partner with some incredible companies that provide us with invaluable controls and visibility, helping us to both achieve and maintain compliance. Drata, for instance, helps us with automation of control tests, documentation, and observing compliance status in real time. ClearVector helps us discover and isolate risks in real time across our cloud infrastructure using an entirely identity-driven approach. SolCyber provides us with crucial security monitoring services and key security tools and controls to monitor our infrastructure for signs of compromise. Finally, Right-Hand Cybersecurity enables us to provide our employees with a real-time, behavior-based approach to security awareness training that is both engaging and educational.
By partnering with the right companies, we were able to streamline the SOC 2 process, save hundreds of hours, save hundreds of thousands of dollars in costs, and ultimately achieve compliance with greater ease. We highly recommend seeking out partners who can help you in this journey. Feel free to ping us if you want to learn more about who we work with and how they earned our trust.
Trust and transparency are a core part of our ethos
Our SOC 2 Type II compliance is an important milestone and validates some of the important security work we’ve been doing, but our work in security is never done. Compliance is not a one-and-done thing. And compliance isn’t security – simply meeting compliance requirements isn’t enough, which is why we’re always working to improve our security controls.
If you’re going through the process or thinking about it, please reach out. We’re more than happy to share lessons learned. We hope that by being as transparent as possible about how we keep your information safe, your trust in us will continue to grow.