Defining the Enterprise Cloud Service – Part 3: Benchmarked and Audited Service

I recently released the first and second installments of a six-part blog series about what it takes to have an enterprise-ready cloud service. While the identity hack of Wired’s Mat Honan (and the media fallout that followed) spurred the idea, the focus is on the three characteristics that differentiate an enterprise-grade cloud service from a typical consumer cloud service: security, reliability and trust.

So, what makes services like Box, ServiceNow,, and Okta enterprise clouds? As I outlined in my first post, there are five categories to look at when evaluating a cloud service for security, reliability and trustworthiness.

  • Development for the enterprise
  • Endless 9s reliability
  • Benchmarked and audited service
  • Strong encryption throughout
  • Singular focus on the customer

I am going to fast-forward a bit to discuss the “benchmarked and audited service” category in this post. In a classical sense, this means achieving a compliance certification by a trusted independent audit firm. This, however, can be a challenge for cloud-based services. Let’s use Okta as an example.

Choosing the Correct Certification

At Okta we don’t store, process or manage any credit card numbers or personal health information. We don’t deal with electronic signatures or store data pertaining to FDA rules. As CSO, I could go out and get compliance attestations for PCI, HIPAA and 21 CFR part 11 — all of which would attest to the strength of Okta’s security program. But it’s difficult to justify the cost for these certifications since they’re not directly related to our identity service. When selecting an enterprise cloud service, check to make sure the compliance certifications align with the product. ISO 27001/2 and FISMA are great, but those standards are so general in scope for a specifically cloud-based service.

There is, however, a certification that’s a great fit for cloud services, and it just so happens to focus on the key points of security, reliability and trust. It’s the SOC 2 Type II report, accredited by the AICPA. There is a tremendous amount of literature online that provides deep background on the SOC 2 reporting criteria. Start at the AICPA’s website and you could read for hours. Suffice it to say, SOC 2 goes well beyond the SAS 70 criteria.

Not All SOC 2 Reports Are Equal

It’s important to remember that not all SOC 2 reports are the same. Companies can choose to be audited against one or more of what are known as the 5 Trust Service Principles (TSP): security, availability, processing integrity, confidentiality and privacy. As an enterprise CIO or CSO evaluating a cloud service, look to see if the vendor has a SOC 2 Type II report, and make sure it is audited against all trust principles. Fewer than 1 percent of all service organizations that elect to be SOC 2 audited achieve all 5 TSPs. Why? It’s really hard to do but demonstrates the vendor is committed to a high level of security.

At Okta, we are audited against all 5 TSPs. Credit goes to our founders Todd McKinnon and Frederic Kerrest for having the wisdom to invest precious startup capital — money, people and time — to do so. Our SOC 2 report is a reflection of the investment we’ve made into our secure and rapid development environment, our zero downtime infrastructure, our focus on security and strong encryption and our dedication to customer success.