Fintech startup passes SOC 2 audits with serverless security

A startup providing AI-based cloud services to financial customers favors serverless computing for security, despite the challenges of translating ISO and SOC 2 audit requirements for the cloud-native architecture.

CrossBorder Solutions began to seek certification under the American Institute of CPAs’ Service Organization Control (SOC) 2 and the Information Organization for Standardization (ISO) 27001 programs for its cloud-based products in 2019. While it isn’t required by law to demonstrate compliance with these programs, the company saw a business advantage in demonstrating to its highly regulated customers that it was compliant with those standards.

“We did the certifications to help clients understand that we’re safe to do business with,” said James Ford, who served as the company’s chief security architect from 2019 until October 2021. “SOC requires [them] to do vendor risk management, [which is] basically making sure all your vendors … are more or less doing ISO and SOC.”

The problem with this, at first, was that the company also ported its entire IT environment in early 2020 to AWS, which provides services that don’t require IT teams to manage virtual machine resources — also known as serverless computing. These include AWS Lambda function as a service, along with the AWS Fargate managed container service, Aurora database as a service, application load balancers and CloudFront CDN.

“Serverless does not equate to infrastructure-less,” Ford said. “What it really makes difficult is trying to explain to the auditor what you don’t do and what you don’t have control of.”

ISO, SOC 2 audits require people and policy plans

Ford said he believes CrossBorder was among the first companies to receive SOC 2 certification in a fully serverless environment, but the process ultimately involved more of a focus on people and process issues than technological problems.

James Ford, former chief security architect, CrossBorder SolutionsJames Ford

First, there was the work required to help IT compliance auditors understand cloud services that didn’t fit what ISO and SOC 2 controls were originally designed to describe: private data centers that contain servers.

“It’s a lot of talking to the auditor and talking them off the ledge at some…