Compliance isn’t as simple as a connect-the-dots exercise. When you consider how fast companies are moving to and expanding in the cloud, and then take into account the proliferation of cloud-based security threats, compliance can be a little dizzying. We’re here to break down the complexities of compliance requirements for you, starting with SOC 2.
SOC 2 is one of the more common compliance requirements technology companies must meet today. But what does SOC 2 compliance mean, and how can you go about achieving it? In this post, we break down the four most important things you need to know.
More on SOC 2
- Built for Success: How Threat Stack Achieved SOC 2 With Zero Exceptions
- ZoomInfo Tackles Security and Compliance Using Threat Stack
- Threat Stack Secures Highfive’s Evolving Infrastructure
- Threat Stack Successfully Completes Type 2 SOC 2 Examination
- Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!
What is SOC 2 Compliance?
Developed by the AICPA (American Institute of Certified Public Accountants), SOC 2 is an attestation report for service organizations that store or process customer data on their customers' behalf. In practice that covers nearly every SaaS company, as well as any company that uses the cloud to store its customers' information.
Before SOC 2, a cloud vendor's main option was a SOC 1 report, which covers only the controls relevant to a customer's financial reporting. SOC 2 is not a law or regulation, but customers and partners now routinely require a SOC 2 report from any company storing their data in the cloud, because it speaks directly to how that data is protected and to the risk of its exposure.
So what does SOC 2 require? It is often described as a technical audit, but it is broader than that: a SOC 2 examination, performed by an independent CPA firm, assesses whether a company has established and actually follows information security policies and procedures that satisfy the AICPA's Trust Services Criteria: security (required in every report) and, optionally, availability, processing integrity, confidentiality, and privacy. The criteria describe outcomes rather than a fixed checklist, and each company chooses and documents the controls that achieve them, which is what lets SOC 2 fit cloud environments as they change. As companies increasingly leverage the cloud to store customer data, a SOC 2 report is becoming a necessity for a wide variety of organizations.
To put this into practice, here are the four areas of security practices that are critical to meeting SOC 2 compliance.
1. Monitoring the Known (and the Unknown)
Achieving SOC 2 compliance means you have established a process and practices with required levels of oversight across your organization. Specifically, you are using a process for monitoring unusual system activity, authorized and unauthorized system configuration changes, and user access levels.
That said, as fast as things move in the cloud, you need the ability to monitor for not just known malicious activity, but the unknown, too. This can be achieved by baselining what normal activity looks like in your cloud environment so you can then determine what abnormal activity is.
Customers need to know that even when the next WannaCry, NotPetya, Cloudbleed, or Spectre-NG class of threat appears, their confidential information will be safe in your care. By putting in place a continuous security monitoring practice, one that can detect potential threats coming from external and internal sources alike, you greatly reduce the chance of being left in the dark about what is happening within your cloud infrastructure.
2. Anomaly Alerts
When a security incident happens (and given today's threat landscape, one very likely will), you need to demonstrate that sufficient alerting procedures are in place: if unauthorized access to customer data occurs, you must be able to show that you detected it, responded, and took corrective action in time.
Often, unfortunately, the problem with alerting is that you wind up with a lot of noise from false positives. To combat this, you need a process that sounds the alarms only when activity deviates from the norm that has been defined for your unique environment.
SOC 2 does not prescribe a fixed list of alerts, but its monitoring criteria expect you to detect, alert on, and evaluate any activities that result in unauthorized:
- Exposure or modification of data, controls, or configurations
- File transfer activities
- Privileged filesystem, account, or login access
In short, you must determine which activities would be indicators of threats within your specific cloud environment and risk profile, so that you are alerted promptly when one of them occurs and can take swift action to prevent data loss or compromise.
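The baselining approach described above, reduced to working code. This is an added example, not Threat Stack's product code: it learns per-user "normal" from a trusted window of host audit events and then alerts only on events that deviate in one of the three ways listed (config modification, file transfer, privileged login). The JSON event schema, field names, the sample log lines, and the list of transfer tools are all constructed for the example.

```python
"""Baseline-then-deviate alerting over host audit events (illustrative, not a product schema)."""
from collections import defaultdict
import json

# Constructed sample events: one JSON object per line. Field names are an
# assumption made for this example, not a real agent's format.
BASELINE_LOG = """\
{"ts":"2018-06-01T08:00:01Z","type":"login","user":"alice","host":"web-1","src_ip":"10.0.5.12","privileged":false}
{"ts":"2018-06-01T08:00:05Z","type":"exec","user":"alice","host":"web-1","cmd":"systemctl","uid":1001}
{"ts":"2018-06-01T09:12:40Z","type":"login","user":"deploy","host":"web-1","src_ip":"10.0.9.3","privileged":true}
{"ts":"2018-06-01T09:12:41Z","type":"exec","user":"deploy","host":"web-1","cmd":"rsync","uid":0}
{"ts":"2018-06-01T09:12:44Z","type":"file_write","user":"deploy","host":"web-1","path":"/etc/app/app.conf"}
{"ts":"2018-06-02T08:01:10Z","type":"login","user":"alice","host":"web-1","src_ip":"10.0.5.12","privileged":false}
"""

# Constructed "today" window containing one suspicious sequence by alice
# and one routine deploy run that must NOT fire.
NEW_LOG = """\
{"ts":"2018-06-03T03:14:02Z","type":"login","user":"alice","host":"web-1","src_ip":"203.0.113.77","privileged":true}
{"ts":"2018-06-03T03:14:20Z","type":"exec","user":"alice","host":"web-1","cmd":"scp","uid":1001}
{"ts":"2018-06-03T03:15:00Z","type":"file_write","user":"alice","host":"web-1","path":"/etc/app/app.conf"}
{"ts":"2018-06-03T09:00:00Z","type":"login","user":"deploy","host":"web-1","src_ip":"10.0.9.3","privileged":true}
{"ts":"2018-06-03T09:00:03Z","type":"exec","user":"deploy","host":"web-1","cmd":"rsync","uid":0}
"""

# Assumed list of tools that move data off a host; tune for your environment.
TRANSFER_TOOLS = {"scp", "sftp", "rsync", "curl", "wget", "rclone", "nc"}
# Paths whose modification counts as a configuration change.
WATCHED_PREFIXES = ("/etc/",)


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Learn what 'normal' looks like, per user, from a trusted window of events."""
    baseline = {
        "logins": defaultdict(set),          # user -> {(host, src_ip, privileged)}
        "commands": defaultdict(set),        # user -> {command}
        "config_writers": defaultdict(set),  # watched path -> {user}
    }
    for e in events:
        if e["type"] == "login":
            baseline["logins"][e["user"]].add((e["host"], e["src_ip"], e["privileged"]))
        elif e["type"] == "exec":
            baseline["commands"][e["user"]].add(e["cmd"])
        elif e["type"] == "file_write" and e["path"].startswith(WATCHED_PREFIXES):
            baseline["config_writers"][e["path"]].add(e["user"])
    return baseline


def detect(events, baseline):
    """Return one alert per event that deviates from the learned baseline."""
    alerts = []
    for e in events:
        user = e["user"]
        if e["type"] == "login":
            key = (e["host"], e["src_ip"], e["privileged"])
            if key not in baseline["logins"].get(user, set()):
                kind = "new_privileged_login" if e["privileged"] else "new_login"
                alerts.append({"rule": kind, "ts": e["ts"], "user": user,
                               "detail": f"{e['src_ip']} -> {e['host']}"})
        elif e["type"] == "exec":
            # A transfer tool is only interesting if this user never used it before.
            if e["cmd"] in TRANSFER_TOOLS and e["cmd"] not in baseline["commands"].get(user, set()):
                alerts.append({"rule": "new_file_transfer", "ts": e["ts"], "user": user,
                               "detail": f"{e['cmd']} on {e['host']}"})
        elif e["type"] == "file_write" and e["path"].startswith(WATCHED_PREFIXES):
            if user not in baseline["config_writers"].get(e["path"], set()):
                alerts.append({"rule": "unexpected_config_write", "ts": e["ts"], "user": user,
                               "detail": e["path"]})
    return alerts


def run_example():
    """Build the baseline from the trusted window, then score the new window."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(parse_events(NEW_LOG), baseline)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts']} {a['rule']:<24} {a['user']:<8} {a['detail']}")
```

Running it yields three alerts, all for alice (an unseen privileged login from 203.0.113.77, a first-ever `scp`, and a write to `/etc/app/app.conf` that only `deploy` normally performs), and none for the routine deploy run even though `rsync` is on the transfer-tool list. Two caveats a practitioner should carry into a real deployment: the baseline window must itself be trusted, because anything an attacker did during it becomes "normal"; and a set-membership baseline like this one should be re-learned on a schedule and paired with a change-management feed, or legitimate new hosts and operators will keep it noisy.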
3. Detailed Audit Trails
Few things matter more in response than knowing the root cause of an attack. Without that contextual insight, how will you know where to begin remediating the issue, especially when you are responding to an active incident? Audit trails are the most reliable way to get the insight you need to carry out your security operations. They provide the necessary cloud context, giving you the who, what, when, where, and how of a security incident so you can make quick and informed decisions about how to respond.
Audit trails can give you deep insights into:
- Modification, addition, or removal of key system components
- Unauthorized modifications of data and configurations
- Breadth of attack impact and the point of origin
4. Actionable Forensics
Your customers need assurance that you are not only monitoring for suspicious activity and receiving real-time alerts, but that you can take corrective action on those alerts before a system-wide compromise exposes critical customer data. In addition to being obsessive about driving down MTTD (Mean Time To Detect), security organizations should be equally obsessive about slashing MTTR (Mean Time To Remediate).
Since your decisions can only be as good as the intelligence you base them on, you need actionable data to make informed decisions. Host-level telemetry (process, file, network, and user events collected on the instance itself) is the closest thing to a source of truth, because cloud-provider logs record API calls but not what actually ran on the host. When you go straight to the source, you have visibility into:
- Where an attack originated
- Where it traveled to
- What parts of the system it impacted
- The nature of the impact
- What its next move might be
Armed with these forensics, you can effectively detect threats, mitigate impact, and implement corrective measures to prevent similar events from resurfacing in the future.
Wrapping Up . . .
SOC 2 is about putting in place well-defined policies, procedures, and practices, not just ticking compliance checkboxes with point solutions. Doing so effectively builds trust with customers and end users about the secure nature and operation of your cloud infrastructure. The distinction that matters here is Type 1 versus Type 2: a Type 1 report attests that your controls were suitably designed at a point in time, whereas a Type 2 report attests that they operated effectively over a review period (typically six to twelve months). A Type 2 SOC 2 therefore requires long-term, ongoing internal practices that ensure the security of customer information and, in turn, the long-term success of your business.
Want to learn more? The good news is that Threat Stack can give you full stack security observability and help you meet a broad range of SOC 2 criteria in the cloud across each of the areas above. If you want to learn more, here are 9 common questions about SOC 2 compliance, and to help you understand exactly how, we've developed a comprehensive SOC 2 overview you can download here.