How Startups Can Use 3rd-Party Audits to Provide Business Class Cloud Services
Here at Spanning, we recently completed our SSAE 16 Type 1 audit. This is a compliance report issued by an independent auditing firm which attests that a company has laid out a set of management and operational controls and is actually following them.
Why would a company want to do this? Well, there are two main reasons:
- In order to do business with regulated or public companies, who have their own audits to pass, you have to show that they will not compromise their controls by using your services.
- To ensure that you are taking the appropriate steps to keep your customer’s data safe.
All of this can sound overwhelming and time consuming, particularly to startups and smaller organizations. It’s definitely time consuming, but there’s no reason it should be scary.
The most significant thing we learned from this whole process was that we were already operating with a reasonable set of operational controls, but we needed to keep documentation to prove that we were using them. This is where the bulk of the effort came in. Here are a few notable points from this process. Over the next few weeks I’ll dive into some of these details, but for now here’s a quick overview:
As a startup, most if not all of the leadership team’s focus is on building products, engaging with customers, doing market analysis, and generally figuring out how to build a viable business. The last thing any founder wants to think about is management meetings, organizational charts, employee 1-1s, written policies, and pre-employment background checks. This stuff just feels too “big company-ish”. But for the same reason that you write down your business hypotheses, you want to document these management controls: it keeps everyone clear about how you operate as a company, and it allows you to easily identify where you need to make iterative changes rather than re-evaluating everything at each management meeting. Ultimately, the main point here is to show that as a management team, you are taking the time to evaluate how your business is running from an internal perspective, paying particular attention risk management.
Application Change Management
This is another area where many startups come up short, especially if they follow the “hacker mantra”. But if you intend to store and manage critical information for other companies, you need be sure that you won’t lose any of that information and that your application is always available. Sorry kids, this is more, way more, than just laying down a MongoDB and Node.js application and assuming Amazon will auto-scale to infinity. This area covers a lot of ground, so here are a few of the main points:
- Have good change management controls in place so that you can show exactly why any line of code was changed, when it went to production, and that it was tested before and after the production push.
- Use a stable, lightweight build and deployment process for your application.
- Have an infrastructure that allows you to update your application with minimal (should be zero when averaged over a month) downtime.
- Be able to prove that what is running in your data center is exactly the same thing that you built and tested.
This area initially seems like a real speed bump since you are going to constrain who has access to what parts of your system, but just like mastering a new Zen koan, once you get your head around these things, you will be much more enlightened and wonder how your company ever survived before you took these steps. In this area, you will cover a lot of ground. Some of the main points are:
- Use multi-factor authentication for all of your production system access.
- Use a simple authorization model that clearly identifies who has access to what systems. At a minimum, you will want 3 levels: development, production, and sysadmin.
- Review who has access to what systems on a regular basis.
- Rotate passwords, reduce the number of shared passwords, use certificate based access, and wherever possible delegate authentication to someone else who does that for a living.
- Hire a firm to do both active and passive security audits of your application and production environment. Do not try to save money here, this is the one area where there is a vast difference between the bargain vendors and the folks who know what they are doing.
Backup and Recovery
This one seemed pretty obvious since we are in the backup business, but the real point here is not backup of a specific data file, but recovery of our whole application. How much effort will it take for you to get your application up and running after your database has an index go corrupt, or Amazon has another major power outage? I bet you don’t know. Here are a few points to help out:
- Let someone else handle your backups, preferably someone who specializes in exactly that.
- Make sure that you restore from backups as a normal part of your operating model. A great practice is to use previous backups to build out a test environment. For large and busy systems, there is a huge difference in the amount of time that it takes to restore from the last snapshot (older) versus the last point-in-time (newer) backup.
- Make sure that you can build and deploy your application from most any point in time.
- Automate all of this and write it all down. Oh, and be sure that you can get at this information when your wiki is one of the systems that is now offline.
Again, the process for SSAE 16 Type 1 is absolutely time consuming, but it shouldn’t scare you off. The benefits are many—it turns your product or service into a viable option for a lot of companies that need to ensure they can pass their own audits. And that’s a big slice of the global market.
Second, you’ll learn a lot about how you run your own business and the areas where you can make easy and quick improvements. Whether that means better documentation of your own processes, or finally getting to those baseline to-do’s that have been lingering for years, it’s a great way to get the house in order.
Stay tuned in the coming weeks for a more detailed rundown and details of our experience.