Macrometa on What SOC II Compliance Means for Developers

Edge computing and data network provider Macrometa obtained SOC II compliance in July. It’s part of the company’s efforts to make it easier for developers to deploy real-time or near-real-time applications at the edge, said Chief Information Security Officer Eddie Garcia. He explained to The New Stack how the process of SOC II compliance (System and Organization Controls) affects Macrometa developers and what it means for its developer clients.
Macrometa manages deployment at the edge across multiple cloud providers, rather than just on one provider. Garcia compared app building for the edge to building an air traffic control system. There are multiple factors that need to be considered that are local — such as weather and landing/departure times — but there are also global calculations. The solution helps manage those variables through a proprietary system, he said.
“If a developer today wanted to build an air traffic control for, let’s say, drones, that works globally — they don’t need to worry about the infrastructure, which cloud provider, how are they going to move the data, how are they going to receive the data from the sensors that are off of those drones and devices,” he said. “You can just think about all the complexity of the cloud and the edge going away.”
Developers can instead write an application with JavaScript and SQL, and build APIs off of that — while not worrying about how the data is stored (or that it needs to be retrieved within milliseconds) and how to distribute it across all regions and across all continents, he said. Macrometa also offers a global data network, which ensures that an application is leveraging locally stored data. The two-pronged approach has yielded latencies of less than 50 milliseconds, he added. It also has a use case with retailers who have a global inventory, he noted, helping match the consumer to inventory within a region.
What SOC II Compliance Requires of Developers
Internally, SOC II requires an organization to meet an industry standard that addresses security, privacy, confidentiality and the integrity of the platform or services provided. The process examines the company's policies and procedures, ranging from how the organization hires employees to how it performs background checks. Garcia said it also looks at issues such as:
- Who has access to source code?
- How does the organization control access?
- How does the company deploy changes to the platform into production?
- What are the user security controls?
- What are the security controls around the network and infrastructure?
“It’s a very detailed audit that you need to, one, prepare for; two, make sure that you’re following these policies and procedures,” Garcia said. “Then when auditors come, you have to be able to provide the evidence that you’re following all of these procedures. So it’s a pretty lengthy process.”
What SOC II Compliance Means for Developers
For developers specifically, SOC II compliance requires looking at the change management process — such as who can commit or change code, and whether there’s a peer review (so that someone else is validating the code to ensure there’s no risk of causing customer downtime).
“That means that they also have to have security controls on their laptop devices, as well — screen savers, password logins, encryption of the data on discs — so it impacts them as well,” Garcia said.
It also involves security scans of the code.
“So if we introduce, for example, any third-party libraries that would make sure that they’re up to date, that they are not exploitable by any recent zero-day attacks or anything, that we’re addressing those, and that we’re scanning on a regular basis,” he added.
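The two developer-facing controls Garcia describes above, independent peer review of every production change and a dependency scan that flags outdated or exploitable third-party libraries, are the kind of thing an auditor asks for evidence of. The following is an added example, not Macrometa's tooling, of how a team might check an export of merged changes for that evidence; the record shape, the names and the PR ids are constructed for illustration.

```python
"""Change-management evidence check in the spirit of a SOC II audit.

Added example; not Macrometa's code. The Change record is a hypothetical
shape for a merged pull request exported from a source-control system.
"""
from dataclasses import dataclass


@dataclass
class Change:
    pr_id: str
    author: str
    approvers: list          # reviewers who approved the change
    scan_ran: bool           # did the CI security/dependency scan execute?
    vulnerable_deps: list    # third-party libraries the scan flagged


def audit_change(change):
    """Return the control failures for one production change (empty list = passes)."""
    findings = []
    # Peer review control: someone other than the author must have approved.
    if not [a for a in change.approvers if a != change.author]:
        findings.append("no independent peer approval")
    # Scanning control: the scan must have run and found no flagged libraries.
    if not change.scan_ran:
        findings.append("security scan did not run")
    elif change.vulnerable_deps:
        findings.append("vulnerable third-party libraries: "
                        + ", ".join(change.vulnerable_deps))
    return findings


def audit_changes(changes):
    """Map PR id -> findings for every change that fails at least one control."""
    return {c.pr_id: f for c in changes if (f := audit_change(c))}


# Constructed sample export (hypothetical people, PR ids and package names).
SAMPLE = [
    Change("PR-101", "alice", ["bob"], True, []),                 # passes
    Change("PR-102", "carol", ["carol"], True, []),               # self-approved
    Change("PR-103", "dave", ["erin"], False, []),                # scan skipped
    Change("PR-104", "frank", ["grace"], True, ["libfoo 1.2"]),   # flagged library
]

if __name__ == "__main__":
    for pr_id, findings in audit_changes(SAMPLE).items():
        print(pr_id, "->", "; ".join(findings))
```

The output is the list an auditor would want to see empty: each change that reached production without an independent approver or without a clean scan.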
It takes significant effort on the part of the company to prove SOC II compliance, he said, but he contended that compliance is worthwhile because it’s “going to provide our customers with the trust of storing their most sensitive data on our platform.” That’s a “huge achievement”, particularly for a startup, he added.
For their client developers, it means one less thing to worry about, Garcia said.
“It’s great when developers can just focus on the issue that they have at hand,” he said. “They’re just focused on their use case, their business, and their differentiators on what they’re trying to offer.”