SOC 2 Compliance for Cloud Infrastructure

For service organizations that hold, store, or process customer data


What is SOC 2?

SOC 2 is an auditing procedure and report defined under SSAE (Statement on Standards for Attestation Engagements), which is maintained by the Auditing Standards Board of the AICPA (American Institute of Certified Public Accountants). The latest version, SSAE 18, was formally released in May 2017.

SSAE defines three SOC (System and Organization Controls) reports through which organizations report on their compliance:

  • SOC 1 Report is for organizations that may impact customers' financial reporting
  • SOC 2 Report is for organizations that hold, store, or process customer data
  • SOC 3 Report is similar to SOC 2, but less detailed, and for marketing/public consumption

Why is SOC 2 Compliance Important?


SOC 2 reports generally apply to any organization that stores user data in the cloud. This includes SaaS providers and other organizations that, as an example, may host customer information on AWS in S3 buckets.


SOC 2 reports evaluate an organization's controls against the AICPA's Trust Services Criteria, a set of principles aligned to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. These principles describe how an organization's policies should address the following for customer data:

  • Security (also known as “common criteria”): protect systems from malicious attacks, data loss, and other security events
  • Availability: ensure that systems maintain high availability
  • Processing Integrity: ensure that system processing occurs as intended in a timely fashion
  • Confidentiality: ensure that confidential information/data is protected from unauthorized access
  • Privacy: ensure that personal information/data is protected from unauthorized access

The most relevant criteria for organizations in the cloud are those pertaining to security. These include:

  • CC2.0: Communication and Information: Addresses how organizations handle internal and external communication and information flows.
  • CC5.0: Control Activities: Deals with how organization control activities account for risk management and technology.
  • CC6.0: Logical and Physical Access Controls: Is concerned with how organization controls implement logical access to IT systems/credentials, physical access to facilities, and security measures to detect and prevent unauthorized access.
  • CC7.0: System Operations: Addresses how organization controls monitor systems for potential anomalies, events, and configuration changes that may carry security risks, and define incident response protocols to contain, remediate, and communicate security incidents.
  • CC8.0: Change Management: Deals with how service organizations develop and implement change management approaches to infrastructure, data, software, and policies.

Each control section includes sub-controls that specify how organization policies should govern cloud infrastructure. For example:

  • CC2.1 states that “the entity obtains or generates and uses relevant, quality information to support the functioning of internal control.” This applies to monitoring and logging: enterprises should log all relevant activities, such as network access, API calls, and storage bucket access.
  • CC5.2 states that “the entity also selects and develops general control activities over technology to support the achievement of objectives.” This includes management developing control activities that restrict technology access rights to authorized users commensurate with their job responsibilities and that protect the entity’s assets from external threats. In cloud infrastructure this translates to the principle of least privilege: users and service accounts should hold only the minimum set of permissions required to do their jobs.
  • CC6.1 addresses a variety of cloud infrastructure areas such as user authentication, credentials management, network segmentation, data encryption, and key management. Organizations should adopt practices such as locking down security group or virtual network configurations to prohibit unnecessary network access, encrypting log data with customer-managed keys, and defining password policies of sufficient complexity (uppercase/lowercase characters, minimum length, and so on).
  • CC7.1 elaborates that service organizations should monitor infrastructure and software, implement change-detection mechanisms, and detect unknown or unauthorized components. Examples of applying CC7.1 include using CloudWatch metric filters or Azure Monitor logs to watch for meaningful events such as permission changes, unauthorized API calls, usage of the “root” account, or disabling of encryption keys.
  • CC8.1 addresses protecting confidential information through change management: “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” Organizations should ensure that storage resources that contain confidential information, such as AWS S3 buckets or Azure blob storage containers, use encryption at rest. Organizations should also create baseline configurations of cloud resources and look for unauthorized changes.
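As an added illustration (not Fugue's code or rule set), the following Python evaluates a constructed resource inventory against rules mapped to the criteria above and flags drift from an approved baseline. The inventory format, the rule functions and the finding strings are assumptions for the example.

```python
# Constructed inventory, in the shape a cloud scanner might export (assumed format).
RESOURCES = [
    {"id": "s3://customer-data", "type": "s3_bucket", "encryption": None},
    {"id": "s3://audit-logs", "type": "s3_bucket", "encryption": "aws:kms"},
    {"id": "sg-0a1b", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "iam-role/app", "type": "iam_policy",
     "statements": [{"Action": "*", "Resource": "*"}]},
]


def check_encryption_at_rest(r):
    """CC8.1: storage holding confidential data must be encrypted at rest."""
    if r["type"] == "s3_bucket" and not r.get("encryption"):
        return "CC8.1: bucket lacks encryption at rest"
    return None


def check_open_ingress(r):
    """CC6.1: security groups must not expose ports to the whole internet."""
    if r["type"] == "security_group":
        open_ports = [i["port"] for i in r["ingress"] if i["cidr"] == "0.0.0.0/0"]
        if open_ports:
            return f"CC6.1: ingress open to the internet on ports {open_ports}"
    return None


def check_least_privilege(r):
    """CC5.2: identities get only the permissions their job requires."""
    if r["type"] == "iam_policy":
        if any(s.get("Action") == "*" and s.get("Resource") == "*" for s in r["statements"]):
            return "CC5.2: policy grants all actions on all resources"
    return None


RULES = [check_encryption_at_rest, check_open_ingress, check_least_privilege]


def evaluate(resources):
    """Run every rule over every resource; each hit is (resource id, finding)."""
    return [(r["id"], msg) for r in resources for rule in RULES if (msg := rule(r))]


def detect_drift(baseline, current):
    """CC7.1: flag resources that changed, appeared or vanished relative to the baseline."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    drift = []
    for rid in base.keys() | cur.keys():
        if rid not in cur:
            drift.append((rid, "removed"))
        elif rid not in base:
            drift.append((rid, "added"))
        elif base[rid] != cur[rid]:
            drift.append((rid, "changed"))
    return sorted(drift)
```

A real scanner would feed `evaluate` with live inventory and persist the approved snapshot that `detect_drift` compares against, so that a finding or a drift entry becomes the alert the compliance team reviews.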


Detect Compliance Violations

Fugue continuously evaluates your cloud environments for SOC 2 compliance violations using predefined rules mapped to SOC 2 compliance controls. If a resource is determined to be non-compliant, an alert is sent to notify the compliance team. The compliance team can then decide whether to correct the non-compliant resource and set an established baseline for future enforcement.

Enforce Baselines with Codeless Auto-Remediation

Fugue uses baselines to auto-remediate compliance violations through self-healing. With baseline enforcement, misconfigurations are automatically reverted to the SOC 2 compliant baseline without writing automation scripts.

Report on Compliance Posture

Fugue makes it easy to report on your SOC 2 compliance posture. Detailed reports, dashboards, and visualizations are available to track and monitor your cloud resources. Daily or weekly reports highlighting compliant and non-compliant resources can be emailed to executives or auditors as proof of compliance.

SOC 2 Compliance with Fugue

Schedule a demo to see how Fugue can help your organization achieve SOC 2 compliance.
