- September 21, 2022
- Mike Blazevic
- News
What is SOC 2 Compliance?

The System of Organization Controls (SOC), developed by the American Institute of Certified Professional Accountants (AICPA), is a group of reports that:
- Are created during an audit of Service Organizations
- Validate the Internal Controls of the Organization’s systems
- Ensure that service providers storing customer data in the cloud are compliant with these controls.
That means SOC 2 applies to nearly every SaaS (online Software As A Service) company, as well as any company that uses the cloud to store its customers’ information.
Before 2014, cloud vendors only had to meet SOC 1 compliance requirements, which address only Internal Controls over Financial Reporting. SOC 2 addresses the need to protect client data stored in the cloud in order to minimize risk and exposure to that data.
So what does SOC 2 require?
It’s considered a technical audit, but it goes beyond that. SOC 2 requires companies to:
- Establish and adhere to strict information security policies and procedures covering the security, availability, processing integrity, and confidentiality of customer data.
- Ensure that information security measures are in line with the unique parameters of current cloud requirements.
- Ensure that these controls continue as a cornerstone as companies increasingly leverage the cloud to store customer data.
There are four areas of security practices that are critical to meeting SOC 2 compliance:
1. Monitoring the Known (and the Unknown)
A company is required to have processes and practices with the required levels of oversight across the organization. Specifically, SOC 2 requires a company to have an established process, with 9-12 months of evidence, for monitoring unusual system activity, authorized and unauthorized system configuration changes, and user access levels.
That said, as fast as things move in the cloud, companies need the ability to monitor not just for known malicious activity but for the unknown, too. This can be achieved by establishing a baseline of normal cloud activity and comparing future periods against it to identify abnormal activity.
Companies need the ability to identify when the next WannaCry, NotPetya, CloudBleed, or Spectre Next Generation threat occurs in order to protect their confidential information. By putting in place a continuous security monitoring practice, one that can detect potential threats from external and internal sources alike, companies can maintain continuous awareness of what is happening within their cloud infrastructure.
2. Threat Alerts
When a security incident happens (an unavoidable event), companies need to demonstrate that sufficient alerting procedures are in place, that actions to protect client data are executed, and that an audit trail of the event and the response is captured.
Unfortunately, false alarms diminish the quality of the alerting process. To combat this, the alerting process needs the intelligence to filter out false alarms and sound the alarm only when activity deviates from the norm defined for your unique environment.
The SOC 2 standard calls for maintaining an audit trail of the following events, and generating an alert if a breach is suspected:
- All access or modification to client data, controls and configurations
- All file transfer events
- All access to privileged logins, accounts, or file systems
In short, companies must determine which activities would indicate threats within their specific cloud environment and risk profile, so that real alerts are triggered the moment real threats occur and swift action can be taken to prevent data loss or compromise.
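Sections 1 and 2 above describe comparing current activity against a baseline of normal cloud activity and alerting when audit-trail events deviate from that norm. The following Python is an added example, not code from the original post; the actor names, event classes, day labels and the mean-plus-3-sigma threshold are constructed assumptions.

```python
# Added example (not from the original post): baseline-vs-current anomaly
# detection over a constructed cloud audit trail. Daily event counts per
# (actor, event class) over a baseline window give a mean and std dev, and
# the current day raises an alert where a count exceeds mean + k*std.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit trail: (day, actor, event_class, detail). The
# event classes mirror the SOC 2 audit-trail categories listed above.
AUDIT_TRAIL = (
    [(d, "alice", "data.access", "customers.db")
     for d in ("d1", "d1", "d2", "d3", "d3", "d4")]
    + [(d, "bob", "file.transfer", "report.csv") for d in ("d1", "d2", "d3")]
    # current day d4: bob moves far more files than usual and uses a
    # privileged login that never appears in the baseline window
    + [("d4", "bob", "file.transfer", f"dump-{i}.csv") for i in range(6)]
    + [("d4", "bob", "login.privileged", "prod-admin")]
)

def daily_counts(events):
    """Map (actor, event_class) -> {day: count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, actor, cls, _detail in events:
        counts[(actor, cls)][day] += 1
    return counts

def baseline(events, days):
    """Per (actor, class): (mean, std dev) of daily counts over the
    baseline `days`, with a missing day counted as zero events."""
    window = daily_counts([e for e in events if e[0] in days])
    stats = {}
    for key, per_day in window.items():
        series = [per_day.get(d, 0) for d in days]
        stats[key] = (mean(series), pstdev(series))
    return stats

def detect(events, days, current_day, k=3.0, min_delta=2):
    """Return [(key, count, reason)] for anomalous current-day counts.
    Threshold is mean + k*std, floored at mean + min_delta so a flat
    baseline does not alert on one extra event; unseen pairs always alert."""
    hist = baseline(events, days)
    today = daily_counts([e for e in events if e[0] == current_day])
    alerts = []
    for key, per_day in today.items():
        n = per_day[current_day]
        if key not in hist:
            alerts.append((key, n, "no baseline history"))
        elif n > max(hist[key][0] + k * hist[key][1], hist[key][0] + min_delta):
            alerts.append((key, n, "exceeds baseline threshold"))
    return alerts
```

Running `detect(AUDIT_TRAIL, ["d1", "d2", "d3"], "d4")` flags bob's file-transfer spike and his privileged login while alice's routine data access stays quiet.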
3. Detailed Audit Trails
Knowing the root cause of an attack is EVERYTHING when it comes to response. Without that deep contextual insight, how is a company to know where to begin remediating the issue, especially when responding to an active incident? Audit trails are the best way to get the insight you need to carry out security operations. They provide the necessary cloud context, providing the who, what, when, where, and how of a security incident to make quick and informed decisions about how to respond.
Audit trails can provide deep insights into:
- Modification, addition, or removal of key system components
- Unauthorized modifications of data and configurations
- The origins of a breach
- Scope of an attack
4. Actionable Forensics
Customers need assurance that their service providers are not only monitoring for suspicious activity and receiving real-time alerts, but also that providers have the ability to take corrective action on any breach before client data is exposed or compromised. To do this, companies need to measure and actively manage "Mean Time To Detect" and "Mean Time To Remediate" with the goal of minimizing both.
The quality of responses to threats is driven by the quality of the intelligence available: quality actionable data is the main ingredient of informed decisions. This requires extensive real-time monitoring of data facilities, with the ability to distinguish friendly from unfriendly actors, in order to:
- Identify the origin of an attack
- Track the attack activities
- Identify affected components
- Assess the impact of breach
- Anticipate the next move
It may seem a tall order, but there are tools and methods that, when combined with expertise, reduce the work.
These forensics can effectively detect threats, mitigate impact, and identify corrective measures to prevent similar events from resurfacing in the future.
Conclusion
SOC 2 is all about putting in place well-defined and integrated policies, procedures, and practices, and much less about ticking compliance checklists with stand-alone solutions. Establishing a continuous real-time capability to detect threats, minimize impact and prevent recurrences is a sound business investment. Simply put, SOC 2 compliance demonstrates the trustworthiness that clients and service partners need in order to entrust a company with their data.