Navigating compliance is a critical part of running a SaaS business, especially if you want to attract larger, more mature customers. These companies care about security frameworks for a number of reasons, ranging from showing due diligence to evaluating the enterprise readiness of a vendor.
If you're interested in attracting larger or more security-aware customers in the cloud, you may be thinking about compliance with popular frameworks like SOC 2 and ISO 27001 to show customers you're ready to meet their needs.
As more Atlassian customers move to the cloud and evaluate cloud apps, more and more Marketplace Partners are up-leveling security to meet these customer expectations. But what exactly does it take to get your company and app(s) ready for a security audit?
Midori is a platinum Marketplace Partner who was asking this question 6 months ago as they embarked on their SOC 2 journey. With popular apps for exporting Jira data and automatic archiving for Confluence content, Midori was starting to hear SOC 2 coming up in customer conversations. They decided to commit to a SOC 2 audit with the help of Vanta, a leading trust management platform that offers discounts for Atlassian Marketplace Partners.
Choosing the first security framework to pursue
The first step toward achieving a compliance milestone is deciding where to start. Fortunately, the Midori team was guided by the advice of other Marketplace Partners and then advised by Vanta to look at their major target markets and previous conversations with customers.
Midori knows that their biggest market is currently in the US, where SOC 2 is more prevalent. SOC 2 was also coming up more frequently than other frameworks in their customer conversations, so it was clear that pursuing a SOC 2 audit as a first step was the most strategic investment for Midori.
Of course, committing to one framework to start doesn't mean that's the only one the team will pursue. With up to 96% of the controls shared across SOC 2 and ISO 27001, Midori plans to pursue ISO 27001 certification in the future as well.
Pro tip: When it comes to building compliance controls look to address the control as comprehensively as possible to make it flexible enough to meet multiple compliance requirements.
Preparing for the SOC 2 audit
In order to prepare for the SOC 2 audit, the Midori team had to go through a number of product tests and create several new policies and documents governing the company's operations. In order to keep track of all the updates needed to prepare for the audit, Midori used Vanta's platform, which integrates with your software and tracks your progress on various controls and tests, to automate compliance. This platform, paired with hands-on guidance from Vanta, helped Midori stay on track throughout the preparation process.
"The best thing about Vanta is the online interface where you manage your tests, track progress, and create key documents. That user-friendly system helped us understand exactly what is being requested for each test. They ensured that we didn't waste time and that everything we do will take us one step closer to completion." — Levente Szabo, Customer Success Manager at Midori
Once the required tests and documents were in place for SOC 2 compliance, the audit was easy. For Midori, passing all the tests took 5 months to complete, but in the end, the auditor didn't find any issues with their company or app(s), and they received their report after about a month.
Investing in security for long-term value
As part of the process for implementing Vanta, Midori needed to grant the platform access to key systems where they manage and store valuable IP. After some initial hesitation, the Midori team spent some time learning more about how Vanta works and what permissions the platform needed and why. After initially investing some time in learning more and assessing the value Vanta would bring compared to a conventional audit, Midori's concerns were addressed and their compliance journey accelerated.
Midori also needed to make some technical investments. Most notably, they had to reorganize and configure their Virtual Private Clouds (VPCs) in AWS. A VPC offers increased isolation inside AWS infrastructure. The SOC 2 standard required Midori to move certain resources across VPCs to increase security, which was a challenge to accomplish while minimizing downtime for their apps.
Up-leveling their infrastructure from a security perspective also meant an increase in operational costs. Up to this point, Midori's AWS operational costs mostly varied based on app features and usage. Stepping up their security game added to their ongoing operational costs with the addition of AWS services like VPC or AWS GuardDuty for intrusion detection.
In the end, going through the SOC 2 process made Midori a more enterprise-ready company
At first, Midori thought that certifications were mostly a formality to put customers at ease. After all, their apps were already benefiting from a number of security best practices. But as many of their enterprise customers were migrating from on-premise environments to cloud, achieving compliance seemed like a useful customer retention tool that would take a few risk factors out of the equation for customers.
However, by the end of the audit process, their opinion had changed completely.
"It was a valuable learning experience for individuals on a professional level. So it serves a dual purpose – fortifying our security standards and also empowering our team members with invaluable skills that extend well beyond this compliance framework." — Aron Gombas, Midori CEO
Going through the process with Vanta as a partner helped Midori move faster, but it also helped them increase their team's overall learning, and ultimately up-level their security awareness as a company. Through the audit preparation process, the Vanta team's knowledge and explanations helped the Midori team learn security and infrastructure management best practices that they'll carry with them when building new apps or managing existing ones going forward.
Final thoughts from Midori
At the end of their audit process, we asked Midori if they had any final thoughts for other partners considering pursuing SOC 2 or similar security standards. Here's what they had to say:
“Every software company has to take data security seriously, but if your market is very competitive, a certification or a compliance report can be a real market differentiator. If compliance standards are a decisive factor for your customers, then make sure you find the time and investment for it to stabilize your business for the long term.” — Levente Szabo, Customer Success Manager at Midori
Marketplace Partners, get the latest resources and self-check your app’s trust posture by checking out Grow customer trust in the Partner Portal. Log in with your partner account or request access.