Given how rapidly organizations are expanding their cloud footprint, staying compliant with the various compliance standards can become challenging very quickly. SOC 2 audits apply to service organizations that hold, store, or process customer data. In today's digital environment, SOC 2 compliance is a necessity for any organization concerned with how its customers' data is handled.
SOC 2 is an auditing procedure and report that is part of the SSAE (Statement on Standards for Attestation Engagements) maintained by the AICPA.
Only the Security criteria are relevant for organizations in the public cloud.
Within the Security criteria, these are the controls relevant to security and compliance teams responsible for public cloud infrastructure:
CC2.0: Communication and Information
CC5.0: Control Activities
CC6.0: Logical and Physical Access Controls
CC7.0: System Operations
CC8.0: Change Management
The different controls are discussed in more detail below.
The communications and information criteria of SOC 2 address how service organizations handle internal and external communication and information flows.
CC2.1 states that “the entity obtains or generates and uses relevant, quality information to support the functioning of internal control.”
The control activities criteria of SOC 2 deal with how a service organization's control activities account for risk management and technology.
CC5.2 states that “the entity also selects and develops general control activities over technology to support the achievement of objectives.” This includes management developing control activities that restrict technology access rights to authorized users, commensurate with their job responsibilities, and that protect the entity’s assets from external threats.
The logical and physical access controls criteria of SOC 2 concern how service organization controls implement logical access to IT systems/credentials, physical access to facilities, and security measures to detect and prevent unauthorized access.
For example, CC6.1 states that “the entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” Organizations should identify and authenticate users, consider network segmentation, manage credentials for infrastructure and software, use encryption to protect data, and protect encryption keys.
The system operations criteria of SOC 2 address how service organization controls monitor systems for potential anomalies, events, and configuration changes that may carry security risks, and define incident response protocols to contain, remediate, and communicate security incidents.
CC7.1 elaborates that service organizations should monitor infrastructure and software, implement change-detection mechanisms, and detect unknown or unauthorized components. Fugue promotes compliance with CC7.1 by detecting when CloudWatch and CloudTrail are not enabled and configured correctly. For example, Fugue checks to ensure that a CloudWatch metric filter and alarm are enabled to catch changes made to IAM policies. Monitoring changes to IAM policies helps ensure that authentication and authorization controls remain intact.
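As an added illustration of the CC7.1 check described above (example code written for this page, not Fugue's own implementation), the following evaluates whether a CloudWatch Logs metric filter plus alarm actually covers IAM policy changes, and applies the same filter locally to CloudTrail records. It assumes the event-name set from the CIS AWS Foundations Benchmark's IAM policy-change filter, and the API responses and CloudTrail records are constructed samples in the shape returned by describe_metric_filters and describe_alarms.

```python
import re

# IAM policy-change API calls in the CIS AWS Foundations Benchmark metric filter.
IAM_POLICY_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
    "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
    "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy"})
# The same set in CloudWatch Logs filter-pattern syntax, as passed to logs:PutMetricFilter.
FILTER_PATTERN = "{" + "||".join(f"($.eventName={e})" for e in sorted(IAM_POLICY_EVENTS)) + "}"

def events_in_pattern(pattern):
    """Return the eventName values a filter pattern tests for."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', pattern))

def filter_covers_iam_changes(metric_filter):
    """A describe_metric_filters entry must match every required event name."""
    return IAM_POLICY_EVENTS <= events_in_pattern(metric_filter.get("filterPattern", ""))

def alarm_wired(metric_filter, alarms):
    """Some alarm must watch the filter's metric, be enabled and notify an SNS topic."""
    metrics = {(t["metricNamespace"], t["metricName"])
               for t in metric_filter.get("metricTransformations", [])}
    return any((a.get("Namespace"), a.get("MetricName")) in metrics
               and a.get("ActionsEnabled") is True
               and any(":sns:" in act for act in a.get("AlarmActions", []))
               for a in alarms)

def iam_policy_change_monitoring_ok(metric_filters, alarms):
    """The check itself: at least one covering filter that is wired to an alarm."""
    return any(filter_covers_iam_changes(f) and alarm_wired(f, alarms) for f in metric_filters)

def matching_cloudtrail_events(records, pattern=FILTER_PATTERN):
    """Evaluate the pattern locally: which CloudTrail records would increment the metric?"""
    wanted = events_in_pattern(pattern)
    return [r["eventName"] for r in records if r.get("eventName") in wanted]

# Constructed sample data shaped like describe_metric_filters / describe_alarms responses
# and CloudTrail records; not captured from a real account.
SAMPLE_FILTER = {"filterName": "IAMPolicyChanges", "filterPattern": FILTER_PATTERN,
                 "metricTransformations": [{"metricNamespace": "CISBenchmark",
                                            "metricName": "IAMPolicyChanges", "metricValue": "1"}]}
SAMPLE_ALARM = {"AlarmName": "IAMPolicyChanges", "Namespace": "CISBenchmark",
                "MetricName": "IAMPolicyChanges", "ActionsEnabled": True,
                "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"]}
SAMPLE_RECORDS = [{"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com"},
                  {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
                  {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com"}]
```

A filter that lists only some of the event names, or an alarm with actions disabled or no SNS target, fails the check even though "a filter and alarm exist", which is the gap a control-by-control review needs to catch.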
The change management criteria of SOC 2 deal with how organizations evaluate and determine necessary changes in infrastructure, data, software, and procedures, which gives them the ability to securely make changes and prevent unauthorized changes.
For example, CC8.1 addresses protecting confidential information: “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” The criterion further elaborates that service organizations should create baseline configurations of IT technology and protect confidential information.