September 14, 2021

Liquibase is SOC2 Compliant! Here’s How We Got There

For over 15 years, Liquibase has supported teams behind their own firewalls, VPCs, and other secured infrastructure. Recently, Liquibase released a new platform — Liquibase Hub, a SaaS application hosted in AWS cloud, and we needed to take on the responsibility of securing this data.

Liquibase Hub connects Liquibase users to a dashboard view of their database schema changes, to help developers collaborate and troubleshoot database code issues faster and easier. Since security and privacy are a top priority, we immediately got to work to ensure we implemented best practices. We began by incorporating mechanisms such as encryption, Row-Level Security, and multi-factor authentication (MFA). We also had an independent firm perform penetration testing.

Pursuing SOC 2 Compliance

While all of our work in improving our security posture had helped us prove to ourselves that we take security seriously — we also wanted to prove to our users that we do everything in our power to keep their data safe. This led our team to pursue a SOC 2 Type 1 audit that would provide evidence in the form of a certification that details our compliance with security practices.

What is SOC 2 compliance?

As part of the American Institute of CPAs’ Service Organization Control reporting platform, SOC 2 aims to ensure the safety and privacy of customer data using five principles: security, availability, processing integrity, confidentiality, and privacy.

Secure code. Secure infrastructure. Secure application.

No application is immune to malicious security breaches. However, we now have much stronger controls in place at every level. SOC 2 audits go beyond ensuring that the right tools are in place — they ensure that the right policies, procedures, and controls are operating effectively.

Audit phases

From start to finish, the whole process took about six months with several phases running in parallel.

  • Vendor evaluation
  • Gap assessment
  • Remediation
  • SOC 2 policy creation
  • Company-wide rollout of tools and training
    • LastPass (password manager)
    • Security training
    • Vanta agent installation
    • HD encryption
    • Antivirus software
    • Policy acceptance
  • Mock/dry-run audit test

Lessons Learned

Here are some of the key takeaways I learned from leading our team to earn our SOC 2 Type 1 certification.

Do your research

Whenever you embark on a new experience, research always pays dividends. I did not have a lot of prior experience in security engineering, so I reached out to knowledgeable people before I got started. I asked a lot of questions and if I needed something else, I didn’t shy away from asking for introductions to other experts.

Evaluate different options

There are a lot of different options out there for organizations wanting to pursue SOC 2 compliance. It all really depends on where you are now with security, what your long-term plans are (beyond SOC 2), how many resources you have on hand to help with manual efforts, and the price.

Option 1: Hire a security consultant to do all the work for you + hire an auditor

Consultants can get your team ready by doing all of the heavy lifting for the audit, serve as a mediator for the audit, and help to remediate issues and help you gather more evidence when needed.

Option 2: Hire a vendor that provides a platform for uploading evidence + supplies an auditor

Some vendors offer a platform along with an auditor. This typically means that your team does all the heavy lifting in terms of gathering and uploading evidence. Auditors can work with your team to do some security consulting. The costs of using this option will depend on how much manual labor your team ends up doing.

Option 3: Choose a platform that automates evidence gathering + hire an auditor

If you don’t want to pay a hefty fee to a security consultant, but don’t want to do a gap assessment and remediation manually, it makes sense to choose a vendor like Vanta. This is the path we chose because it allowed us to make the process much more digestible (we controlled how much we did and when) and we also wanted to set ourselves up to easily repeat the audit process ourselves every year.

Vanta automates some of the processes and integrates with many tech tools to automatically retrieve information and then aggregate the data in their UI. It was super helpful to see that when we addressed an issue, Vanta would automatically detect it and update the results. Beyond the helpful technology, I also really appreciated their assistance with weekly calls about our progress and they were always willing to help.

Get the buy-in you need

Having your leadership team on board and supportive in your pursuit of SOC 2 is essential to your success. Security programs like this involve company-wide changes that extend to every single employee.

It’s going to take longer than you think

Everything takes longer than expected, especially when security is involved. Make sure to add some buffer in your timeline and then add some more buffer to that!

Summing It Up

Having a SOC 2 certification is a public statement that everyone can see — it shows that your organization truly cares about providing secure applications and infrastructure that your customers can count on. This is very true at Liquibase. We plan on continuing to follow security best practices but also proving that we follow them. Next, we’ll be revisiting our audit to earn the SOC 2 Type 2 compliance (tentatively by January 2022) and also ISO 27001 certification.

Kristyl Gomes