At InfluxData, we focus on our customers’ productivity — time to awesome, as we call it. Usually this is about product capabilities — InfluxDB’s features, speed, scalability, etc.
But for some, your project will grow in size to the point where you need to purchase InfluxDB. And in some cases, you’ll need your compliance and/or security teams to sign off on the purchase. While that can be a slow process in the best of times, choosing a vendor with SOC 2 certification can help move things along faster, allowing you to go back to focusing on building apps and systems.
So, we’re pleased to announce that InfluxDB Cloud is now SOC 2® Type I and Type II certified. Our SOC 2 attestation report is available to customers under a non-disclosure agreement, given the sensitive nature of the information. To request a copy, please contact your InfluxData account manager, or [email protected].
What is SOC 2 compliance?
Service Organization Control 2 (SOC 2) is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. SOC 2 is a technical auditing process and certification that serves as an assurance to customers that their data is being managed in a controlled and audited environment.
When a business is SOC 2 compliant, it means that an independent auditor has reviewed their processes to ensure the security, availability, confidentiality, integrity, and privacy of customer data, and validated that they meet the standards of the AICPA.
SOC 2 compliance is essential for technology-based service organizations that store customer data in the cloud. This makes it applicable to most SaaS businesses, and any business that relies on the cloud to store its customers’ information.
There are two types of SOC 2 audits:
- Type I: The report describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II: Essentially, Type II is Type I over time; it includes a historical element that shows how controls were managed by a business over a minimum period of six months.
InfluxDB Cloud became SOC 2 Type I compliant in March 2020, and as of January 2021, became SOC 2 Type II compliant.
Why does SOC 2 compliance matter?
A typical company has between 100 and 300 SaaS applications. Suppose you evaluate three vendors for each category of SaaS app: that means 300 to nearly 1000 vendors to assess. Checking for SOC 2 compliance provides a way to quickly weed out vendors that haven’t invested in the policies and processes needed to earn their customers’ trust.
Customer compliance requirements
Thousands of our customers store massive amounts of data in InfluxDB Cloud. This data includes everything from the details of their internal computing systems to the behavior of their users. Understandably, holding this much data in one place has sometimes led our customers, especially larger ones, to require that InfluxDB Cloud become SOC 2 compliant. Often, this requirement comes from in-house compliance and procurement teams. Now that InfluxDB Cloud has SOC 2 certification, approval from these teams should come faster.
Foundation for additional certifications
SOC 2 requirements are similar to those of ISO 27001, which is on our roadmap of additional certifications to tackle.
What did our SOC 2 audit include?
Our SOC 2 audit focused on a number of criteria, one of which is availability. In the context of SOC 2, availability means, simply, whether InfluxDB Cloud is accessible as stipulated by a contract or service level agreement (SLA).
We take numerous steps to ensure continual availability of InfluxDB Cloud. For data durability, InfluxDB Cloud replicates all data in the storage tier across three availability zones in a cloud region, automatically creates backups, and verifies that replicated data is consistent and readable. You can track InfluxDB Cloud availability on our status page, and view more of our availability practices in this video:
Other aspects of our SOC 2 report included:
- Monitoring: In an upcoming post, we’ll describe how we use InfluxDB Cloud to monitor access to our own systems.
- Auditing: We use InfluxDB Cloud to audit system access. Using a time series database, rather than a traditional SIEM, allows us to store many more events at a lower cost, since a time series database avoids the noisy data inherent in log files.
- Alerting: InfluxDB Cloud supports a range of alerting options, which we use to be notified when we detect a potential breach.
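To make the auditing and alerting bullets concrete, here is an added example (not InfluxData's own tooling) that turns access events into InfluxDB line protocol points and runs a simple sliding-window rule over them. The log format, the sample lines, the `auth_event` measurement name and the "5 failures from one source within 60 seconds" threshold are all constructed assumptions for this illustration; a real deployment would write the points to InfluxDB and run the rule as a check/task there.

```python
"""Access-audit events as InfluxDB line protocol, plus a brute-force alert rule.

Added example, not InfluxData's code. Assumes a constructed log format:
"<epoch_seconds> <user> <source_ip> <success|failure>"
and a hypothetical rule of 5 failures from one source within 60 seconds.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed sample log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
1609459200 alice 203.0.113.10 success
1609459201 bob 198.51.100.7 failure
1609459203 bob 198.51.100.7 failure
1609459205 bob 198.51.100.7 failure
1609459207 bob 198.51.100.7 failure
1609459209 bob 198.51.100.7 failure
1609459300 carol 203.0.113.11 success
"""


def escape_tag(value: str) -> str:
    """Escape the characters line protocol reserves in tag keys and values."""
    return (value.replace("\\", "\\\\").replace(",", "\\,")
                 .replace(" ", "\\ ").replace("=", "\\="))


def parse_line(line: str) -> Tuple[int, str, str, bool]:
    """Split one constructed log line into (timestamp, user, source, success)."""
    ts, user, src, outcome = line.split()
    return int(ts), user, src, outcome == "success"


def to_line_protocol(line: str, measurement: str = "auth_event") -> str:
    """Render one access event as an InfluxDB line protocol point.

    user and src become indexed tags; the outcome is a boolean field.
    The timestamp is in nanoseconds, the default line protocol precision.
    """
    ts, user, src, ok = parse_line(line)
    return (f"{measurement},user={escape_tag(user)},src={escape_tag(src)} "
            f"success={'true' if ok else 'false'} {ts * 1_000_000_000}")


def failed_login_alerts(lines: List[str], threshold: int = 5,
                        window_s: int = 60) -> List[Dict]:
    """Sliding-window rule: alert when failures from one source reach the
    threshold inside the window; at most one alert per source per window."""
    recent: Dict[str, Deque[int]] = defaultdict(deque)
    last_alert: Dict[str, int] = {}
    alerts: List[Dict] = []
    for line in lines:  # lines are assumed to be in timestamp order
        ts, user, src, ok = parse_line(line)
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(src, -window_s - 1) > window_s:
            last_alert[src] = ts
            alerts.append({"src": src, "failures": len(q),
                           "window_start": q[0], "window_end": ts})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for lp in map(to_line_protocol, lines):
        print(lp)          # what would be written to InfluxDB
    for alert in failed_login_alerts(lines):
        print("ALERT:", alert)
```

The point of writing the outcome as a field and the user/source as tags is that the same points serve both the audit trail (every event retained, queryable by who and from where) and the alert rule (count `success=false` per `src` over a window), without keeping the surrounding log noise.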
Need to become SOC 2 compliant?
Since many of you reading this are developers, you might be asking yourself: “How do I make my own cloud service or SaaS application SOC 2 compliant?”
Here are some steps you can take that can simplify your process of getting SOC 2 certification and improve your overall security posture:
- Use Single Sign-On (SSO) via Okta, Google Cloud Identity, or similar, to sign into your applications and VPN, and integrate multi-factor authentication (MFA) into your SSO.
- Secure your repos by locking your deploy branch, requiring pull requests to merge to it, and using continuous integration / continuous deployment (CI/CD) to automate your deployment.
- Centralize your logging, using a SIEM and/or a time series database.
- Automate provisioning, using Terraform or similar, storing configs in GitHub or similar, in a secured repository.
- Secure your cloud configurations, for instance by using CloudTrail and AssumeRole on AWS.
- Manage vendor security by tracking all the software that you use and understanding each vendor’s security posture.
- Secure admin consoles by putting them behind a VPN that is accessible only with SSO, and thus MFA.
SOC 2 certification requires much more than this, of course, but implementing the above should help. There’s much, much more in this blog post about the realities of SOC 2 compliance, and it’s worth a read.
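One of the steps above, securing cloud configurations with AssumeRole on AWS, is easy to get subtly wrong: a role trust policy that allows `sts:AssumeRole` without requiring MFA undercuts the SSO-plus-MFA step. The following is an added example (not InfluxData's code) of the kind of check a compliance pipeline can run over trust policies before Terraform applies them. The two policy documents are constructed, and the baseline it enforces, that every `Allow` statement granting `sts:AssumeRole` to an AWS principal must carry an `aws:MultiFactorAuthPresent` condition, is an assumed organisational rule rather than a SOC 2 requirement.

```python
"""Flag IAM role trust policies that allow sts:AssumeRole without MFA.

Added example, not InfluxData's code. Both policies are constructed samples;
the MFA-required baseline is an assumed organisational rule.
"""
import json
from typing import Any, Dict, List

# Constructed: a trust policy with no MFA condition (the weak setting).
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the same policy with an MFA condition (the corrected setting).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists for Statement, Action, etc.; normalise to list."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: Dict[str, Any]) -> bool:
    """True if the statement conditions on aws:MultiFactorAuthPresent being true."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(_as_list(value)[0]).lower() == "true":
            return True
    return False


def find_assume_role_without_mfa(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that grants sts:AssumeRole to an
    AWS principal (account, user, role or '*') without an MFA condition."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        # Service principals (e.g. ec2.amazonaws.com) cannot present MFA; skip them.
        if isinstance(principal, dict) and "AWS" not in principal:
            continue
        if not _requires_mfa(stmt):
            findings.append({"statement": index, "principal": principal,
                             "reason": "sts:AssumeRole allowed without "
                                       "aws:MultiFactorAuthPresent condition"})
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, find_assume_role_without_mfa(policy))
```

Running this against every `aws_iam_role` trust policy in the Terraform repository before merge pairs naturally with the locked deploy branch and CI/CD step above, and the resulting findings are the sort of evidence an auditor asks for when assessing how access controls are enforced rather than merely documented.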
SOC 2 compliance is but one more step on our journey to make InfluxDB Cloud easier to purchase, which is part of our overall user experience. Earlier steps in that journey include placement of InfluxDB Cloud in the AWS Marketplace, the Google Cloud marketplace, the Azure marketplace, and our usage-based pricing that puts you in control of your cloud database spend.
If you have further questions about our SOC 2 compliance, or would like to see our SOC 2 report, please contact us so we can help you out.