Here are some basic facts about SOC2 that most people do not understand.
- SOC2 is a US audit standard that supersedes the old SAS70 standard by the American Institute of Certified Professional Accountants (AICPA)
- It focuses primarily on governance and not on product design.
- When a business wants to obtain a SOC 2 report they contact an audit firm which then works with the business to determine what should be ‘in scope’, that is to say what parts of the service being offered to customers needs to be audited. Businesses can ‘carve out’ parts they want to exclude, but the auditor or the end customer may find that to be inadequate.
- Different legal entities that are in scope need to have their own SOC 2 reports. We call this chaining reports. So if Storj uses a data center to host their satellites, then the data center is in scope and must have its own SOC 2.
- There are two types of SOC 2: Type I (design only) and Type II (design and operations) - most enterprises will require a Type II since it proves that the service continues to operate according to best practices.
- The audits are extensive - usually requiring 150 or more controls for the basic (required) ‘security principle’ and months of evidence that the controls are effective.
- Controls will cover things like employee org chart being kept up to date, job descriptions, separation of duties (AP/AR), risk management and many other controls. Most CISOs will fully understand this. Most startups will never pass.
- Basic security practices are required such as annual penetration testing, vulnerability management, patch management, code reviews, etc.
If I were a potential customer, I would expect that Storj has a SOC 2 Type II from a well-respected audit firm and that the code repository is protected from malicious access (including 2FA), with code and system review and detailed threat model analysis, etc. I would also expect that the Enterprise SNO has a SOC 2 Type II and that their hosted datacenter has one as well, and that each one of these has an annual pen test as well.
It is very hard for me to imagine how an independent (individual) SNO could possibly afford a SOC 2.
It is conceivable that an independent SNO could be considered ‘secure enough’ if the architecture of Storj was such that an individual’s node was ‘foolproof’, that no matter what they could screw up, the node could never put at risk the Storj system or any customer data. In this way an auditor might be able to legitimately ‘carve out’ the node such that it is out of scope.
Best for Storj to first contact a good auditor to clarify the roadmap and value of a SOC 2. Then talk to a few enterprise customers to see what they value. There are several optional ‘trust principles’ that make up SOC 2, but few businesses opt for them, especially privacy.