SOC 2 Compliance for Cloud Infrastructure

For service organizations that hold, store, or process customer data


SSAE (Statement on Standards for Attestation Engagements) is an auditing standard for service organizations maintained by the Auditing Standards Board of the AICPA (American Institute of Certified Public Accountants). The latest version, SSAE 18, was formally released in May 2017.

SSAE defines three SOC (System and Organization Controls) reports for how organizations report on SSAE compliance:

  • SOC 1 Report is for organizations that may impact customers' financial reporting
  • SOC 2 Report is for organizations that hold, store, or process customer data
  • SOC 3 Report is similar to SOC 2, but with less detail, and is intended for marketing/public consumption

SOC 2 reports generally apply to any organization that stores user data in the cloud. This includes SaaS providers and other organizations that, as an example, may host customer information on AWS in S3 buckets.

SOC 2 reports evaluate organizations’ controls against AICPA’s Trust Services Criteria, which are a set of principles aligned to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. These principles describe how an organization’s policies should address security, availability, processing integrity, confidentiality, and privacy for systems that store user data.

While it's important to review all Trust Services Criteria for overall compliance, the following control sections are the most relevant for organizations in the cloud:

  • CC2.0: Communication and Information
  • CC5.0: Control Activities
  • CC6.0: Logical and Physical Access Controls
  • CC7.0: System Operations
  • CC8.0: Change Management

Each control section includes sub-controls that specify how organization policies should govern cloud infrastructure. For example:

  • CC6.1 addresses managing identification and authentication - “Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.” Organizations should define AWS IAM or Azure Active Directory password policies to satisfy this control - requiring uppercase and lowercase characters, setting a minimum length, and so on.
  • CC8.1 addresses protecting confidential information - “The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality.” Organizations should ensure that storage that holds confidential information - such as AWS S3 buckets or Azure Blob Storage containers - uses encryption at rest and in transit.
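As an added example (not Fugue's rules or code), the following Python evaluates the two controls above against constructed inputs whose shape mirrors the boto3 responses for iam.get_account_password_policy() and s3.get_bucket_encryption(); the minimum-length threshold and the bucket name are assumptions, since the page states neither.

```python
# Added example, not Fugue's own rules: CC6.1 and CC8.1 checks run offline over
# constructed data. Dict shapes mirror boto3's iam.get_account_password_policy()
# and s3.get_bucket_encryption() responses; the length threshold is an assumption.
import json

MIN_LENGTH = 14  # assumed minimum password length; the page states no number

def check_cc6_1(policy: dict) -> list:
    """CC6.1 findings for an IAM account password policy (empty list = compliant)."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"CC6.1: MinimumPasswordLength below {MIN_LENGTH}")
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        if not policy.get(key, False):
            findings.append(f"CC6.1: {key} is not enforced")
    return findings

def check_cc8_1(encryption: dict, bucket_policy: str = "") -> list:
    """CC8.1 findings for one S3 bucket: encryption at rest and in transit."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("CC8.1: no default server-side encryption at rest")
    # In transit: require an explicit Deny for requests where aws:SecureTransport is false.
    denies_plaintext = False
    for stmt in (json.loads(bucket_policy).get("Statement", []) if bucket_policy else []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            denies_plaintext = True
    if not denies_plaintext:
        findings.append("CC8.1: bucket policy does not deny non-TLS access")
    return findings

# Constructed sample inputs, not real account data.
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "RequireNumbers": True, "RequireSymbols": False}
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for finding in check_cc6_1(SAMPLE_POLICY) + check_cc8_1(SAMPLE_ENCRYPTION, SAMPLE_BUCKET_POLICY):
        print(finding)
```

With live data, the same functions take the `PasswordPolicy` value from `get_account_password_policy()` and the `get_bucket_encryption()` response plus the bucket's policy JSON, so one scan can be repeated per account and per bucket.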

Detect Compliance Violations

Fugue continuously evaluates your cloud environments for SOC 2 compliance violations using predefined rules mapped to SOC 2 controls. If a resource is determined to be non-compliant, an alert is sent to notify the compliance team. The compliance team can then decide whether to correct the non-compliant resource and establish a baseline for future enforcement.


Enforce Baselines with Codeless Auto-Remediation

Fugue uses baselines to auto-remediate compliance violations through self-healing. With baseline enforcement, a misconfiguration is automatically reverted to the SOC 2-compliant baseline without writing automation scripts.

Report on Compliance Posture

Fugue makes it easy to report on your SOC 2 compliance posture. Detailed reports, dashboards, and visualizations are available to track and monitor your cloud resources. Daily or weekly reports highlighting compliant and non-compliant resources can be emailed to executives or auditors as proof of compliance.


SOC 2 Compliance with Fugue

Schedule a demo to see how Fugue can help your organization achieve SOC 2 compliance.
