I may have gotten brainwashed by the podcasts that I listened to, but this is the 2nd blog post I've read from Fly.io and it seems like they are a fine company with the right product. This post seems to hit everything I struggled with for the last 3 years about compliance frameworks… I mean, screenshots? Really?
I really want to get some free time to test out their VMs… I have some use cases for a Firecracker management platform.
It’s a damn shame this is the state of things. I too have seen that even in the largest of companies (think Microsoft), where the criticality is much higher than just SOC2, the auditors are more than happy with screenshots showing, for example, what the permissions are on directories containing logs with PII. It’s of very little comfort to know a company has SOC2, or anything of that ilk, as the work to be done outside of that is of far greater importance, and insight into whether that is being done is impossible.
I’ve been looking for ideas as to how we can do our own auditing (preferably continually) before our internal auditors come along, so that we are always aware of how we are doing, and of course better prepared for an official internal audit.
Do you have anything you can share that might help us here? I was thinking perhaps of articles / blog posts describing how others had done similar, but personal opinions or ideas would be welcome too, if you’re happy to share.
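One concrete alternative to the permission screenshots mentioned above is a scheduled check that produces machine-readable findings. The script below is an added example written for this thread, not code from Fly.io or from any commenter; it assumes a POSIX filesystem, that a constructed `logs/` tree stands in for the real log directories, and that a maximum mode of `0o750` and the current user as owner are the policy (both are illustrative assumptions). It walks the tree, flags any directory with permission bits beyond the allowed mode or with an unexpected owner, and returns the findings as dictionaries that can be stored as audit evidence or fed to a monitoring job.

```python
"""Continuous permission audit for directories holding sensitive logs.

Added example (not from the thread): walks a directory tree, compares each
directory's mode bits against a maximum allowed mode, and returns
machine-readable findings that a scheduled job can archive as evidence.
"""
import os
import stat
import tempfile
from pathlib import Path


def audit_tree(root, max_mode=0o750, expected_uid=None):
    """Return a list of findings for directories under `root` (inclusive).

    A finding is produced when a directory has any permission bit set that is
    not allowed by `max_mode` (e.g. world-readable when the maximum is 0o750),
    or when `expected_uid` is given and the directory owner differs.
    """
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~max_mode  # bits set that the policy does not allow
        if extra:
            findings.append({
                "path": dirpath,
                "issue": "mode_too_permissive",
                "mode": oct(mode),
                "disallowed_bits": oct(extra),
            })
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append({
                "path": dirpath,
                "issue": "unexpected_owner",
                "uid": st.st_uid,
                "expected_uid": expected_uid,
            })
    return findings


def build_sample_tree(base):
    """Create a constructed log tree: one compliant dir, one world-readable dir."""
    base = Path(base)
    good = base / "logs" / "app"
    bad = base / "logs" / "billing"
    good.mkdir(parents=True)
    bad.mkdir(parents=True)
    # chmod after mkdir so the umask does not influence the constructed modes
    os.chmod(base / "logs", 0o750)
    os.chmod(good, 0o750)
    os.chmod(bad, 0o755)  # constructed defect: world-readable directory of PII logs
    return base


def run_demo():
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(Path(tmp) / "logs", max_mode=0o750,
                          expected_uid=os.getuid())


if __name__ == "__main__":
    import json
    # Each finding is one JSON line, convenient for shipping to a log pipeline.
    for finding in run_demo():
        print(json.dumps(finding))
```

Run on a real tree, the same `audit_tree` call from a cron job or CI step gives a timestamped record per run, which is the kind of evidence that answers "is this still true today" rather than "was it true when the screenshot was taken".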