FusionAuth has had our SOC2 Type 2 for a few years now. Yes, we took the red pill early and dove head first into what has mostly become a requirement in the industry.
We began our SOC2 journey in 2021 - right around the time when software vendors were starting to provide tools to help automate the necessary data collection. Being an engineering company, automation is one of our love languages, so we were excited to dig in and use these great tools.
The first few years were tumultuous because the SOC2 tool industry was quite new. In this post, we’ll talk about specifics and companies, which will help you make the right decision for your SOC2 “adventure”.
But before we do that, let’s talk about access. SOC2 automation tools need to have access to documents to gather evidence. There are two main ways to access systems. You can use a service account, which is a special kind of account designed to be used by a piece of software. Or you can use OAuth, which lets a user delegate access to software on their behalf. The software inherits the access level of that user at that time. If the user later changes access levels, the software is granted the new level of access automatically.
Being authentication nerds, the particular access method really mattered to us. Service accounts are security smells. You have to remember they exist, their privileges have to be high (and maintained!), and you need to make sure you build in rotation of their credentials.
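The three service-account concerns above (remembering the account exists, its standing privileges, and credential rotation) can be checked mechanically against an inventory of integrations. The sketch below is an added example, not FusionAuth's or any vendor's code; the scope names, the 90-day rotation threshold, the inventory entries and the check on inactive OAuth delegators are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_KEY_AGE_DAYS = 90                        # assumed rotation policy
BROAD_SCOPES = {"admin", "owner", "write"}   # hypothetical scope names

@dataclass
class Integration:
    name: str
    kind: str                            # "service_account" or "oauth"
    owner: Optional[str]                 # responsible human, or the delegating user
    scopes: frozenset
    key_issued: Optional[date] = None    # last credential rotation (service accounts)
    owner_active: bool = True            # is the delegating user still active?

def audit(i: Integration, today: date) -> list:
    """Return the findings for one integration (empty list means clean)."""
    findings = []
    if i.kind == "service_account":
        if not i.owner:                  # nobody remembers it exists
            findings.append("no owner on record")
        broad = sorted(i.scopes & BROAD_SCOPES)
        if broad:                        # high privileges that never shrink
            findings.append("standing broad privileges: " + ", ".join(broad))
        if i.key_issued is None:
            findings.append("credential age unknown")
        elif (today - i.key_issued).days > MAX_KEY_AGE_DAYS:
            findings.append(f"credential is {(today - i.key_issued).days} days old")
    elif i.kind == "oauth" and not i.owner_active:
        # Delegated access follows the user, so it should end with the user.
        findings.append("delegating user is inactive; revoke the grant")
    return findings

# Constructed sample inventory (not real systems or accounts).
TODAY = date(2023, 9, 1)
INVENTORY = [
    Integration("evidence-collector-sa", "service_account", None,
                frozenset({"admin", "read"}), date(2023, 1, 10)),
    Integration("hr-sync-sa", "service_account", "it-ops",
                frozenset({"read"}), date(2023, 8, 1)),
    Integration("drive-evidence-oauth", "oauth", "alice", frozenset({"read"})),
    Integration("tickets-oauth", "oauth", "bob", frozenset({"read"}),
                owner_active=False),
]

def report(inventory=INVENTORY, today=TODAY) -> dict:
    """Map integration name to findings, skipping clean integrations."""
    out = {}
    for i in inventory:
        findings = audit(i, today)
        if findings:
            out[i.name] = findings
    return out
```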
Back to our regularly scheduled SOC2 adventure.
We started out using Vanta, but they had a number of fundamental architecture issues that caused high levels of pain at the time. To be fair, they’ve since fixed a lot of these issues and are now worth a look. Specifically, they only allowed employees to come from Google G-Suite and it was challenging to control. Given this was at a time when service accounts were heavily used, and we manage multiple email domains, this approach caused major headaches. Due to the way they managed employees back then, it also made it challenging to manage other features of their platform.
From Vanta we switched over to A-LIGN’s ASCEND, but this only lasted a few months. In 2021 (and to be honest, we haven’t re-evaluated them to see if anything has changed), ASCEND was a glorified spreadsheet with no automation at all. It simply wasn’t the shiny SOC2 automation and management tool we needed.
We had selected A-LIGN for our audit, but concluded we couldn’t use ASCEND to help with the automation. To help us alleviate this issue, we signed on with K-Intent (now TrustCloud). This was a dramatic improvement, but still not as sophisticated as Vanta. We made it work and passed that year’s audit. We worked hard to help the team at TrustCloud understand our requirements and provide deep product feedback and direction, but in the end our needs weren’t prioritized on their roadmap.
In 2022, based on our knowledge of the industry and our history with various vendors so far, we decided that we would perform a full vendor analysis each year to make sure we were using the best tool available.
Some folks might read this and think, “you all are nuts!” The reality is that the cost of switching tool vendors ends up being pretty low. This is because the tools are there to automate a lot of the SOC2 process. This just boils down to manually capturing and uploading screenshots and documents. Don’t get me wrong: even with automation, SOC2 still requires a s@#! ton of screenshots and uploading.
As part of our vendor analysis, we built a decision matrix with features and integrations that were important to us. I’ve shared this with my network in the past, but felt after this year’s analysis, why not publish the whole thing for everyone to see?
One caveat before we dig in: We are a security company and use some tools that other companies might not. We select our SOC2 automation vendor each year based on the criteria that best fit our needs. These might differ quite a bit from yours, so as usual, take everything with a grain of salt. You can view the set of criteria in the matrix below.
Each year we select between 5 and 7 vendors to evaluate. We always try to include the main players and often are pleasantly surprised with new entrants into this market. This year we added Sprinto after I met them at the Founderpath Conference in NYC earlier this year. Quick sidebar: Having a booth and networking the hallways at conferences does work to generate leads!
Our analysis and the matrix reviewed vendors against criteria including integrations, evidence management, user experience of the tool, price, and communication. We try to ensure that each cell is a “yes” or “no”, but some are more nuanced. The vendors are the columns, the criteria are the rows, and the results are the cells.
Vendors we evaluated this year were:
- TrustCloud
- Tugboat by OneTrust (we didn’t end up talking to them - they don’t have an online demo booking tool, and we made a decision on another vendor before we were able to get this conversation established)
For each vendor, we set up a 30-60 minute call to review the tool against our needs. These are usually a rapid fire of questions, with the vendor walking us through their UI to get the answers. To save time and avoid the standard vendor demo, which rarely provides enough information, we ask vendors to bring a sales engineer or solution architect to the first call. We also prep them ahead of time or at the start of the call that we will be driving. Surprisingly, vendors appreciate this and it makes for a quick way to collect a ton of information.
There is an argument that could be made that this approach is more time-consuming than just trolling docs, forums, and Reddit. While this avoids interacting with salespeople, in our experience, it’s actually much faster and more informative to just talk to people, as long as they know the product.
As we take these calls, we update the matrix in real time, taking notes on anything that needs further explanation or might require another call or a series of emails with the vendor. This helps avoid going down rabbit holes on calls.
After each call, we have a quick internal follow-up while all the information is fresh. This helps update any missing cells in the decision matrix because sometimes it’s hard to keep up during the actual call. We also debate the finer points of a solution.
Here’s a high-level set of pros and cons for each of the vendors we evaluated in 2023
Get the Full Matrix
Here’s our complete matrix in all its glory! It’s a Google Sheets template, meaning you can easily clone it, edit it and deploy it for your business.
Ultimately we decided to go with Secureframe this year. They check many of our boxes, the tool seems highly usable, and their integrations meet our security requirements of OAuth vs. service accounts. The upside of being able to see what permissions our team and vendors have via integrations, a solid customer portal behind an NDA, the ability to auto-answer vendor questionnaires, and the all-important Slack pings when things are late pushed it over the line.
We’re excited to get into it and we will keep you posted as we dig in with Secureframe.
We’ll be running this exercise again next year, simply because we love how this industry is evolving and want to stay on top of the options. Check back in late summer 2024 for our next round, SOC2 - The Matrix Reloaded.