YeshID SOC2 Type 2, Round 2

November 19, 2024

Well, I’m happy that’s over with. Until next time!

YeshID just completed our second SOC2 audit, covering a full year this round! Thankfully, our security-minded team runs a tight ship. Least privilege access? Check. Secure authentication? Check. Encrypted laptops? Check. Tackling supply chain attacks, anomaly detection, vulnerability scans, red teams, pen tests, disaster recovery, and CICD policies that prevent unchecked pushes? Check, check, check, checkmate! Phew. And that’s only scratching the surface…

With the bragging and peacocking about how amazing our team is covered, let me spend some more time bragging and peacocking; I mean—raising awareness!

First, if you think all SOC2 audits are the same, well…

The SOC2 from “How I’ll look in 40 years” is not the same as YeshID’s.

SOC2 Audits 101: What SOC2 Actually Means

In case you’re wondering, SOC2 compliance isn’t just a trendy badge you slap on the homepage. SOC stands for System and Organization Controls, a framework for ensuring companies manage customer data securely. There are two main types: Type 1 is a point-in-time snapshot of your security practices, while Type 2 covers the effectiveness of those practices over a sustained period (a year, in our case).

SOC2 is about defining your policies and proving to auditors that you’re following them, all to reassure customers their data is safe with you. For YeshID, this wasn’t just a one-time effort—we’ve baked security into everything we do. But even if you’re doing things right, SOC2 means documenting all of it for an external auditor, with detailed, actionable steps for every process. Now, back to our story…

SOC2, Type 2, Round 1

The first time doing SOC2 can be overwhelming. Even if you’re very mindful of security, and even if, at the core, your practices meet or exceed requirements (we’ll talk more about that later), the fact that it needs to be auditable by an external party means making significant adjustments to how we did things.

For a seed-stage startup, or a Series A or B, process changes are painful and distracting. You want as few policies as possible. When I’m screening early-stage ventures exploring the unknown, nothing screams “these founders are super creative and open-minded” like having more procedures than that government branch…

But not everything is “exploring the unknown.” Ensuring everyone uses MFA is like wearing a seatbelt—you’re still exploring, but safer.

SOC2 is a bit like a car reminding you to put on a seatbelt—only backward. Normally, if you forget to buckle up, the car beeps until you do, then stops. With SOC2, it’s like the car keeps beeping even after you’ve buckled, and only stops once you open a ticket in your ticketing system saying “buckled up,” then check that ticket each time you get in the car. The kicker? You were already buckled up in both cases—the habit just has to shift to make it easier for an auditor to see.

Am I slightly exaggerating? Sure. There’s a lot of automation around it. Enforcing MFA for each product and user will definitely make it easier, for example. Most aspects are indeed like that, but not all! You still need a ticket for each and every access request, for onboarding and especially for offboarding. You still need a ticket for that access review and incident event. You also need to document your learnings about disaster recovery and the red team you did, and it all should be in one place that’s easy to audit. Each of these is a habit adjustment, and that’s friction.

SOC2 for YeshID was a period of habit adjustments. We were already doing things securely—thanks to the habits of an experienced team—but the infrastructure, logging, and documentation needed to be created.

Start [W]here…?

If this is your first time doing SOC2, here’s the good news! Just go to the official SOC2 website and follow their step-by-step guide: choose which chapter to audit, write each policy (they even provide examples!), implement each policy so it’s audit-ready, and, of course, find yourself an auditor...

SOC2 official website is…

Yuck.

There’s a lot of paperwork and bureaucracy to navigate when doing SOC2 for the first time. I want to give a shoutout to Vanta. Vanta made it easier for us to start. By having ready-made policies, tests, and reminders, it saved us a lot of time navigating the bureaucracy. Think of it as a specialized TODO app that reminds you to check on your firewall settings, review access permissions, and ensure you’re following your onboarding and offboarding policy.

If this is your first time doing SOC2, either at all or in your current company, I recommend Vanta and similar solutions to set the scaffolding.

One of These Is Not Like the Other: What’s in Scope

The SOC2 certificate logo looks the same for everyone, just like the M.D. certificate on the wall of that dude in the corner selling… My point is—you have to look deeper.

When doing SOC2, you have a lot of freedom in choosing what policies you want to follow and how you want to implement them. Third-party external penetration testing? 🤷‍♂️ Optional. MFA? Up to you…

YeshID prioritizes customer data and security, so that’s where we started our focus. If you go to trust.yeshid.com and request our SOC2, you’ll see our obsession with keeping you safe and earning your trust.

I strongly recommend you do not assume that all companies with SOC2 are the same. Besides each company having a different bar, the auditor plays a huge role. And like the policies, no two auditors are the same, with some stricter than others.

If you care about your security, ask your vendors for the full report and pay attention to what’s in scope.

SOC2 surprise.

SOC2, Type 2, Round 2: A Full Year

The first time you’re doing an audit, you’re fresh on your policies. You and your team just finished defining them and passed the spot-check audit. Congratulations. But can you keep up this healthy lifestyle (don’t call it a diet; don’t make diet analogies)?

Besides the duration, you’re also likely to be working with a new auditor. That means a different way of reading those slightly open-worded policies I wrote a year ago. “All company operating systems encrypted” — are we talking laptops or servers? (Don’t worry; both are encrypted!)

The first time around, it took a few people iterating on the policies and implementation (route all alerts into a single place). The second year was easier, and it only took one person—yours truly—to pass the audit. Before you send me the “CTO of the Year” award, talk is cheap. Thanks to the amazing mindfulness of the team over the year, my job was getting the evidence needed from the places the auditor has no access to.

Besides that, I learned that, like many things, it’s best to divide the responsibility and enforce accountability between people and through systems.

One person cannot be responsible for ensuring all code changes get reviewed by at least two different people, but branch protection in GitHub sure helps. Enforcing least-privilege access is an ongoing job, but a checklist of things a role needs access to, via YeshID templates, saves a lot of time! Ensuring the CEO is accountable for updating the board on the cybersecurity of the company puts the responsibility in the right place, etc. Divide them by focus: HR, IT, Dev—whatever works for you. Assign someone who will remember to run that periodic disaster recovery exercise, document every incident in a single place, and ensure all employee laptops are compliant.
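As an added illustration (not YeshID's code), here is a small Python check that reads one branch's protection settings and reports where they fall short of the two-reviewer, no-unchecked-push policy described above, so the settings can be filed as audit evidence rather than screenshotted by hand. The sample JSON is constructed to mirror the shape of GitHub's branch-protection API response; the repository it describes is hypothetical.

```python
import json

# Constructed sample, shaped like the GitHub REST API response for
# GET /repos/{owner}/{repo}/branches/{branch}/protection (hypothetical repo).
SAMPLE_PROTECTION = json.loads("""
{
  "enforce_admins": {"enabled": true},
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews": true
  },
  "allow_force_pushes": {"enabled": false},
  "required_status_checks": {"strict": true, "contexts": ["ci/test"]}
}
""")

REQUIRED_REVIEWERS = 2  # the post's policy: two different reviewers per change


def evaluate_protection(protection, min_reviewers=REQUIRED_REVIEWERS):
    """Compare one branch's protection settings against the review policy.

    Returns a list of findings; an empty list means the branch is compliant
    and the JSON itself can be kept as evidence for the auditor.
    """
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_reviewers:
            findings.append(
                f"only {count} approving review(s) required, policy needs {min_reviewers}"
            )
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals are not dismissed when new commits are pushed")
    # Admin bypass and force pushes both allow a change to land unreviewed.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the protection rules")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if protection.get("required_status_checks") is None:
        findings.append("no CI status checks are required before merging")
    return findings


if __name__ == "__main__":
    for finding in evaluate_protection(SAMPLE_PROTECTION) or ["compliant"]:
        print(finding)
```

Run against every protected branch on a schedule and the non-empty results are exactly the gaps to ticket; the empty ones are the evidence.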

Make Your Own Policies

Here’s another lesson from a full year in SOC2: you can define any policy you want! The auditor’s job is to read your policy closely and then check that you’re doing exactly what you said you would. So, if your policy is “wash dishes every day,” you’d better have a log for every single day of the year.

An example of a policy I didn’t reword in time was that YeshID does background checks and reference checks for each employee. The problem is, we worked with almost every person in YeshID in past jobs; we know each other well. For those we didn’t, we did extensive reference checks. But… no background check. That’s a ding, and one that would have been easy to avoid had I just changed an “and” to an “or.”

YeshID and the IAM Struggle: Where We Went Beyond

Going into Year 2 of SOC2 compliance, we aimed for something simpler—especially with Identity and Access Management (IAM) tracking and enforcement. Basic policy definitions and simple automation got us through the first year, but we needed a solution that could scale without piling on complexity. Tracking every IAM change, enforcing roles across services, and automating access rights as duties shifted needed more than just the basics.

We started iterating on the features that would help us meet these needs. YeshID evolved into our source of truth for IAM, automating evidence collection—logging every access change, reviewing every offboarding, and tracking every role adjustment. IAM evidence went from "let’s scrape together what we can" to "ready for audit."

In Summary

Phew! We made it through another SOC2 audit, and hopefully, we passed on some wisdom that is useful. Remember, not all SOC2 reports are created equal. Dig deeper, ask questions, and make sure your vendors prioritize security as much as we do at YeshID. For those embarking on their own SOC2 journey, don't be afraid to leverage tools like Vanta or YeshID to streamline the process. Now, back to work!
