
How Fairwinds Insights Compliance Self-Assessment Now Simplifies SOC 2

Written by Joe Pelletier | Feb 1, 2022 4:10:18 PM

Fairwinds Insights, our security and governance software, helps managers responsible for compliance to automate, monitor and enforce policy guardrails. Today, we are pleased to announce that Fairwinds Insights offers even more coverage for our SaaS customers. Our newest feature, Fairwinds Insights Compliance Self-Assessment for SOC 2, provides DevSecOps teams with more than 30 assessment questions focused on SOC 2 compliance within Kubernetes. Understanding which Kubernetes and container components fall within the scope of a compliance audit can be a challenge for operations teams. With this new capability, users can track the compliance status of each control, get recommendations on how to configure Kubernetes properly, automate verification of that configuration and self-certify.

Regulated industries using Kubernetes and containers need to bake in compliance from the start by incorporating visibility and control all the way through the process. The breadth of our solutions is unique; from a single platform, DevSecOps teams can now self-assess SOC 2 compliance and access security monitoring, app right sizing, cost optimization, policy enforcement and service ownership. 

ALL ABOUT SOC 2

For those who don’t know, System and Organization Controls 2 (SOC 2) is an audit process that evaluates an organization’s ability to securely manage the data it collects and uses while doing business. SaaS companies can demonstrate their ability to meet the security criteria by undergoing a SOC 2 audit. The resulting report gives potential customers the information they need to confidently share their data (and possibly their own customers’ data) with your company.

A SOC 2 audit evaluates organizations based on the information and systems they use to support the five Trust Service Criteria, which are:

  1. Security

  2. Availability

  3. Integrity

  4. Confidentiality

  5. Privacy

These days, SOC 2 is no longer just nice to have; it is an absolute necessity for modern organizations that need to demonstrate trust with customers and partners. That said, navigating a SOC 2 audit can be a tall order. Compliance is crucial to maintaining business continuity and meeting SOC 2 requirements in cloud native and Kubernetes environments. But because containers are ephemeral by nature, the workloads an auditor looks at today may not be the ones that were running yesterday, so determining whether an environment is compliant at any point in time can be tricky. The dynamic qualities of Kubernetes likewise create problems when organizations try to implement governance and compliance measures.

THREE NEW FEATURES 

The new Fairwinds Insights Compliance Self-Assessment for SOC 2 includes three major features, all of which help our customers protect and enable developers:

  1. Understand status across multiple clusters and compliance standards (HIPAA and ISO 27001, in addition to SOC 2) with multi-cluster visibility.

  2. Map SOC 2 controls using 30+ Kubernetes-related SOC 2 assessment questions to demonstrate compliance for each control, while also generating PDFs for auditors.

  3. Achieve and demonstrate compliance to interested parties with recommendations on Kubernetes configuration and regulatory compliance.

Fairwinds Insights Compliance Self-Assessment for SOC 2 will include automated verification to detect whether workloads are properly configured. This information helps users meet a specific control and provides automated evidence of compliance for that control.

STEPS TO BETTER COMPLIANCE

A specific timeframe for the compliance process is hard to determine, mostly because every organization is unique. SOC 2 is also a flexible framework rather than a hard and fast set of rules to follow. Every business has a different starting point, and each one will interpret and apply the security criteria in its own manner.

But based on our own experience with SOC 2, the speed of the process depends on several things, including the size of your organization, the maturity of your existing processes and policies, the number of people involved, the criteria you choose to include, and the extent of executive buy-in.

Want to learn more?

Find out how our team at Fairwinds worked together to achieve SOC 2 certification!

FAIRWINDS SOC 2 REPORT

Our official audit report from Dansa D’Arata Soucia LLP provided a thorough review of Fairwinds’ internal controls, policies and processes for its Fairwinds Insights software platform and managed services. It also reviewed Fairwinds’ processes relating to risk management and subservice (vendor) due diligence, as well as the company’s entire IT infrastructure, software development life cycle, change management, logical security, network security, physical and environmental security and computer operations. We found the process helpful and informative; the SOC 2 Type I report offers our customers peace of mind when they partner with us for services or use our Fairwinds Insights platform.