So now Cosmo is secure - officially

Björn Schwenzer


There’s this start-up moment when you think: all is cool, we’re onto something, and then there comes this customer asking conversationally: “ok, all good, just one final tiny request before moving on - could you send over your latest SOC 2 report?” Your response: “Err… let me get back to you on that”. And then, in solitude, you panic. Here’s why we think that’s actually a good thing (SOC 2, not the panic), and how we got compliant with our rocket boosters strapped on.

No overhead, please!

In a start-up, the last thing you want is overhead. Meetings, powerpoint decks, hierarchy, forms to fill in - anything that’s keeping you from coding and doing stuff a customer actually pays you for is the realm of evil. Don’t go there, or it’ll kill your company before it has a chance to spread its wings! There isn’t a single blog post or first-time founder guide that doesn’t carry this warning in big scarlet letters.

As much as everybody agrees that security is good and important, it’ll also take you very close to that realm of evil because it requires following processes, which you of course have to document and establish first. The goal is to make everyone follow a path you know is safe and secure, even if it takes longer and is more cumbersome to tread than what people were used to. Naturally, this is super hard, and if you’re the poor soul (like me) who has to deliver the message (and eventually enforce the entire framework) - well, say goodbye to your internal popularity score.

Just kidding - it isn’t that bad, but telling everyone (including your fellow co-founders busy coding and doing stuff) that there now is a process for this and that which must be followed and documented is a challenge. The same goes for a healthy balance between security essentials and security overkill.

Why security matters

Frankly speaking, there will be a customer simply telling you that without a badge that says your service is secure, there’s not going to be a deal. For many larger companies and every enterprise customer, compliance really matters (they’re audited on that themselves), and security is an important part of that. In this scenario, it’s super convenient if you can work with suppliers who are secure beyond doubt. Security frameworks like SOC 2 or ISO 27001 warrant that any company audited on these standards meets the defined set of requirements.

In addition, it is also a very good opportunity for you to learn as a team and a company, and to bolster your security as a result. If we’re honest, we all had our “oops” moments in security, and getting some rules implemented firmly to prevent them is a really good idea.

Funny conversations

But that’s all easier said than done, because first, you need to write all that stuff down in a format that satisfies SOC 2. And once you start writing, you will come across quite a few processes where you’ll ask: “wait - how do we actually do these things?”

Going back to the team to check can spark funny discussions when things that you thought were clear to everyone actually aren’t so clear after all. There was more than one occasion when I had to rewrite things that I had checked off as done in my mind.

Also, telling your fellow team members that the days of the Wild West are finally over will probably not go without some resistance: Which customer will actually see this? Does this really matter? Can’t we keep it more lightweight? Do you realize this slows me down? (quotes edited for language)

That’s why it’s key to get everybody on board with security right from the start (i.e. from the moment people join the company), because this is the foundation that helps you find common ground when you’re aiming to get audit-ready. If we all want security, then we need to want it in a way the customer is able to trust. And this requires a certain level of protocol, and, yes, overhead.

SOC 2 vs. ISO 27001

We decided to go for SOC 2 instead of ISO 27001 as it simply was easier to achieve as a first step. SOC 2 allows you to control the audit scope by selecting the applicable categories of TSC (Trust Service Criteria), which is helpful if you want to keep the effort at bay for starters.

Even though we went with Security as the main TSC for the SOC 2 audit, we still built out a full ISMS (Information Security Management System), which is my recommendation. If you put in a little more time, you will end up with a sound basis for all future audits to come, and you can help your fellow teammates get used to someone cracking the whip on following processes.

How did we actually do it?

I created a folder in Google Drive and started creating a structure of narratives, policies and procedures accessible to all staff. There was somewhat of an unfair advantage though as I’ve built an ISMS before, and I’m fairly familiar with ISO 27001, so I could simply dig right in as I knew what was required.

On the structure, you’ll need four things:

  1. Narratives. These provide a general overview of your company, your security set-up and your ways of working. Not really mandatory, but important as an overarching guideline for all the stuff you’ll be implementing through processes and procedures.
  2. Policies. These are the “how to” docs for security, which essentially contain the rules by which to satisfy the SOC 2 TSC controls.
  3. Processes. Some things need clear guidance, such as incident management, employee on-/offboarding or vendor vetting. For this, you should create documentation for people to follow. We also added templates for these processes in Linear, which we use to track these processes.
  4. The company description. It’s like an amalgamation of all the items mentioned before, and required for the SOC 2 audit.

You also should create some kind of overview page for quick access to all docs, and find a place where to store evidence and supplementary documents. Again, it’s all about documentation. If you’re a person with organizational talent it will be a breeze, if you’re more the creative kind it could get… interesting.

The core step for the audit is to define the controls that satisfy the TSC. This is what auditors look at to tell if your framework actually does the job. So, if the TSC call for risk management, you need to define how you’re addressing this, and how it is measurable. After all, you’ll have to provide evidence that your whole carefully built security setup actually works for SOC 2 Type II.

The fast lane

Of course, we could’ve worked with (expensive) consultants, but thanks to the knowledge we already had in-house, we decided to just leverage it. Admittedly: I’m a business guy, so I am allowed to spend time on stuff like this. :)

But then, even if you use a platform like Vanta or Drata, this doesn’t mean you won’t have to do a major part of the work yourself - templates give you a head start, but they don’t reflect all the things that are relevant for your business. From my point of view, these solutions make sense if your setup has reached a certain complexity and you can leverage the integration capabilities of such platforms, which is helpful for automated evidence collection. It all really comes down to opportunity costs, and how comfortable you feel about calling the shots.

Besides that, getting ready for SOC 2 isn’t rocket science. It took us just three months from starting to work on the docs until receiving our audit report (and that included Christmas!). It also helped that we worked with an auditing firm in the US that was no-frills and straightforward.

What’s the cost of a SOC 2 audit?

A good deal will be somewhere in the range of 5 - 10k for each type, depending on the complexity of the audit. Being a platform customer usually also gets you discounts with their auditing partners.

Pro tip: if you’re vetting audit companies and they show up with more than one person on the call, you can be sure that you’ll have to pay for these extra people with your fees, no matter how fancy their titles. I remember one meeting with a Sales rep, a customer success rep, and another dude whose title I don’t remember, and later received a quote for a SOC 2 Type I audit of over 25k. Insane, but not exactly a surprise.

Security: check. What’s next?

After the audit is before the audit. We’re already gearing up for SOC 2 Type II asap - looking forward to telling you more about our journey!

tl;dr

Security matters to users and customers. SOC 2 compliance is the best way for us to prove that we’re serious about security. Getting audited successfully isn’t hard if you know a little about the way audits and controls work, and if everybody in your company is on board with it. If not, someone needs to crack the whip, and that’ll likely be you.