Compliance isn’t as simple as a connect-the-dots exercise. When you consider how fast companies are moving to and expanding on the cloud, alongside the proliferation of cloud-based security threats, compliance can be a little dizzying. We’re here to break the complexities of compliance requirements down for you, starting with SOC 2.
SOC 2 is one of the more common compliance requirements technology companies must meet today.
So what does SOC 2 compliance mean and how can you go about achieving it? In this post, we will break down the four most important things you need to know.
(Learn more about how Threat Stack Customer 6sense was able to achieve SOC 2 compliance and protect sensitive customer data.)
What is SOC 2 Compliance?
Developed by the AICPA, SOC 2 is specifically designed for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information.
Before 2014, cloud vendors only had to meet SOC 1 (SSAE 16) compliance requirements. Now, any company storing customer data in the cloud must meet SOC 2 compliance requirements in order to minimize risk and exposure to that data.
So what does SOC 2 require, exactly? It’s considered a technical audit, but it goes beyond that: SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing, integrity and confidentiality of customer data. SOC 2 ensures that a company’s information security measures are in line with the unique parameters of today’s cloud requirements. As companies increasingly leverage the cloud to store customer data, SOC 2 compliance is becoming a necessity for a wide variety of organizations.
To put this into practice, here are the four areas of security practices that are critical to meeting SOC 2 compliance:
Monitoring of the Known (and the Unknown)
Achieving SOC 2 compliance means you’ve established a process and practices with required levels of oversight across your organization — specifically, that you are monitoring unusual system activity, authorized and unauthorized system configuration changes and user access levels.
That said, as fast as things move in the cloud, you need the ability to monitor for not just known malicious activity, but the unknown, too. This can be achieved by baselining what normal activity looks like in your cloud environment so you can then determine what abnormal activity is.
Customers need to know that even when the next Heartbleed, Shellshock or Groundhog threat occurs, their confidential information will be safe in your care. By putting in place a continuous security monitoring practice, one that can detect potential threats coming from external and internal sources alike, you can ensure you’ll never be left in the dark about what's happening within your cloud infrastructure.
When a security incident happens— and it’s very likely that one will, based on the current threat landscape — you need to demonstrate that sufficient alerting procedures are in place, so that if any unauthorized access to customer data occurs, you can demonstrate the capabilities to respond and take corrective action in time.
Unfortunately, often the problem with alerting is that you wind up with a lot of noise from false positives. To combat this, you need a process that sounds the alarms only when activity deviates from the norm and defined state of your unique environment.
Specifically, SOC 2 requires companies to set up alerts for any activities that result in unauthorized:
- Exposure or modification of data, controls or configurations
- File transfer activities
- Privileged filesystem, account or login access
In short, it’s important that you determine what activities would be indicators of threats within your particular cloud environment and risk profile, so you can ensure that you’ll be alerted the moment something happens and that you can take swift action to prevent data loss or compromise.
Detailed Audit Trails
Nothing is more important than knowing the root cause of an attack when it comes to response. Without that deep contextual insight, how will you know where to begin remediating the issue, especially when you are responding to an active incident ? Audit trails are the best way to get the insight you need to carry out your security operations. They provide the necessary cloud context, giving you the who, what, when, where and how of a security incident so you can make quick and informed decisions about how to respond.
Audit trails can give you deep insights into:
- Modification, addition or removal of key system components
- Unauthorized modifications of data and configurations
- Breadth of attack impact and the point of source
Your customers need assurance that you are not only monitoring for suspicious activity and receiving real-time alerts, but that you are empowered to take corrective action on these alerts before a system wide situation exposing or compromising critical customer data goes down. After all, rapid response is half the battle of cloud security nowadays!
Since your decisions can only be as good as the intelligence you base them on, you need actionable data to make an informed decision. This comes in the form of host-based monitoring, where the source of the truth lies. When you go straight to the source, you have the visibility to see:
- Where an attack originated
- Where it traveled to
- What parts of the system it impacted
- The nature of impact
- What its next move may be
Armed with these forensics, you can effectively detect threats, mitigate impact and implement corrective measures to prevent similar events re-surfacing in the future.
SOC 2 is about putting in place well defined policies, procedures, and practices — not just ticking the right compliance checkboxes with point solutions. Carrying it out effectively builds trust with customers and end-users about the secure operation of your cloud infrastructure. Whereas other compliance mandates (such as SOC 1) simply require you to pass the audit test, SOC 2 goes so far as to require long-lasting internal practices that will ensure the security of customer information (and in turn the longevity) of your business. That’s a very good thing in our book.
Feeling overwhelmed? The good news is that Threat Stack can help you quickly and automatically achieve a broad range of SOC 2 compliance regulations in the cloud with each of the above requirements.
To help you understand exactly how, we’ve developed a comprehensive SOC 2 overview you can download here.