Macrometa on What SOC 2 Compliance Means for Developers
Edge computing and data network provider Macrometa obtained SOC 2 compliance in July. It’s part of the company’s efforts to make it easier for developers to deploy real-time or near-real-time applications at the edge, said Chief Information Security Officer Eddie Garcia. He explained to The New Stack how the process of SOC 2 (System and Organization Controls 2) compliance affects Macrometa developers and what it means for its developer clients.
Macrometa manages deployment at the edge across multiple cloud providers rather than on a single one. Garcia compared building an app for the edge to building an air traffic control system: there are factors that need to be considered locally, such as weather and landing and departure times, but there are also global calculations. Macrometa's platform manages those variables through a proprietary system, he said.
“If a developer today wanted to build an air traffic control for, let’s say, drones, that works globally — they don’t need to worry about the infrastructure, which cloud provider, how are they going to move the data, how are they going to receive the data from the sensors that are off of those drones and devices,” he said. “You can just think about all the complexity of the cloud and the edge going away.”
What SOC 2 Compliance Requires of Developers
Internally, SOC 2 requires an organization to demonstrate controls against the AICPA Trust Services Criteria, which cover security and, as applicable, availability, processing integrity, confidentiality and privacy of the platform or services provided. The audit examines the company's policies and procedures, from how the organization hires employees to how it performs background checks. Garcia said it also looks at issues such as:
- Who has access to source code?
- How does the organization control access?
- How does the company deploy changes to the platform into production?
- What are the user security controls?
- What are the security controls around the network and infrastructure?
“It’s a very detailed audit that you need to, one, prepare for; two, make sure that you’re following these policies and procedures,” Garcia said. “Then when auditors come, you have to be able to provide the evidence that you’re following all of these procedures. So it’s a pretty lengthy process.”
What SOC 2 Compliance Means for Developers
For developers specifically, SOC 2 compliance requires looking at the change management process: who can commit or change code, and whether every change gets a peer review, so that someone other than the author validates the code and reduces the risk of a change causing customer downtime.
“That means that they also have to have security controls on their laptop devices, as well — screen savers, password logins, encryption of the data on disks — so it impacts them as well,” Garcia said.
It also involves security scanning of the code and its third-party dependencies.
“So if we introduce, for example, any third-party libraries that would make sure that they’re up to date, that they are not exploitable by any recent zero-day attacks or anything, that we’re addressing those, and that we’re scanning on a regular basis,” he added.
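As an added illustration of the dependency-scanning control Garcia describes (this is example code written for this page, not Macrometa's tooling), the script below matches pinned versions from a lockfile against advisories expressed in the OSV-style "introduced"/"fixed" range format and fails the build if any pin falls inside a vulnerable range. The lockfile contents, package names and advisory records are all constructed for the example and do not describe real packages or real vulnerabilities.

```python
"""Offline dependency-vulnerability check against OSV-style advisory ranges.

Added example for this article; not Macrometa's code. All data below is
constructed: the package names, versions and advisory IDs are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed pinned-dependency list in requirements.txt style.
LOCKFILE = """\
# constructed example lockfile
edgeclient==2.25.1
sensorparse==1.26.5
geoindex==5.4.1
tlsutil==41.0.3
"""

# Constructed advisories. Each "events" list follows the OSV convention:
# events are sorted by version, and a version is vulnerable from an
# "introduced" event up to (but excluding) the next "fixed" event.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "edgeclient",
     "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]},
    {"id": "EXAMPLE-0002", "package": "sensorparse",
     "events": [{"introduced": "1.26.0"}, {"fixed": "1.26.18"}]},
    {"id": "EXAMPLE-0003", "package": "geoindex",
     "events": [{"introduced": "0"}, {"fixed": "5.4"}]},  # 5.4.1 is already fixed
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b; shorter tuples are zero-padded so that 5.4 == 5.4.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, events: List[Dict[str, str]]) -> bool:
    """Walk the sorted event list; the final state says whether `version`
    sits inside an [introduced, fixed) window."""
    vulnerable = False
    for ev in events:
        if "introduced" in ev:
            if not version_lt(version, ev["introduced"]):
                vulnerable = True
        elif "fixed" in ev:
            if not version_lt(version, ev["fixed"]):
                vulnerable = False
    return vulnerable


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map package name -> pinned version. Unpinned lines are rejected,
    because a scan of a floating requirement proves nothing about what
    actually ships."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def scan(lockfile: str, advisories) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned_version, advisory_id, first_fixed_version_above_pin)
    for every pinned package that falls inside a vulnerable range."""
    pins = parse_lockfile(lockfile)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None or not is_affected(pinned, adv["events"]):
            continue
        fixed = next((e["fixed"] for e in adv["events"]
                      if "fixed" in e and version_lt(pinned, e["fixed"])), "none")
        findings.append((adv["package"], pinned, adv["id"], fixed))
    return findings


if __name__ == "__main__":
    hits = scan(LOCKFILE, ADVISORIES)
    for pkg, ver, adv_id, fixed in hits:
        print(f"{pkg}=={ver}: {adv_id} (upgrade to >= {fixed})")
    # Non-zero exit makes a CI job fail, which is the evidence an auditor
    # asks for: the scan runs on every change and blocks known-bad pins.
    raise SystemExit(1 if hits else 0)
```

Run in CI on every commit, the non-zero exit on a hit is what turns "we scan regularly" into an enforced control rather than a policy statement; a real deployment would swap the constructed ADVISORIES list for a periodically refreshed copy of a public advisory feed.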
Proving SOC 2 compliance takes significant effort on the part of the company, he said, but he contended that it is worthwhile because it’s “going to provide our customers with the trust of storing their most sensitive data on our platform.” That’s a “huge achievement,” particularly for a startup, he added.
For Macrometa's developer clients, it means one less thing to worry about, Garcia said.
“It’s great when developers can just focus on the issue that they have at hand,” he said. “They’re just focused on their use case, their business, and their differentiators on what they’re trying to offer.”