SOC 2 Compliance in The Cloud

By Sabrina Lupșan
Wednesday, August 3, 2022

SOC 2 is an international compliance standard that defines rules for B2B (business-to-business) organizations regarding data security. 

SOC (Service and Organization Controls) 2 was developed by AICPA (The American Institute of Certified Public Accountants). 

It regulates data security management based on the following five cybersecurity principles, which are also defined as the Trust Service Criteria (TSC):

  1. Security 
  2. Availability 
  3. Processing Integrity 
  4. Confidentiality 
  5. Privacy 

SOC 2 requirements, explained for cloud 

In order to become SOC 2 compliant, you must fulfill 64 controls across the 5 TSCs mentioned above.

In this section, we will look at some of the points of focus necessary to obtain the accreditation. They should be taken into account by companies that use cloud services.

Grouped by criteria and explained, here are examples of requirements: 

1. Security 

  • Implements Boundary Protection Systems – The company uses firewalls, IDSs and DMZs to secure devices. 
  • Requires Additional Authentication or Credentials – Multi-Factor Authentication (MFA) is configured for all users. 

2. Availability 

  • Designs Detection Measures – Logging and monitoring are implemented. 
  • Implements Alerts to Analyze Anomalies – Targeted alerts are used to ensure fast remediation for high-priority assets. 

3. Processing Integrity 

  • Protects Stored Items – Sensitive data is stored safely in order to prevent it from being tampered with. 
  • Creates and Maintains Records of System Storage Activities – Logging and monitoring are required for this criterion as well. 

4. Confidentiality 

  • Restricts Logical Access – Access to sensitive cloud assets is limited, and the Least Privilege Principle is implemented. 
  • Identifies and Authenticates Users – The company follows good practices regarding IAM. 

5. Privacy 

  • Uses Encryption to Protect Data – All assets of type storage are encrypted. 
  • Protects Identification and Authentication Credentials – Managing access to cloud assets is a matter of privacy, since an entity that isn't authorized should not be able to access them. 
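The points of focus above are the kind of thing an in-app control checks automatically. The following is an added example, not code from the original post or from Cyscale, of a minimal posture evaluator: it runs a handful of the controls listed above over a constructed cloud inventory and reports each gap with the TSC it falls under and a remediation. The inventory schema (`mfa_enabled`, `encrypted`, `ingress`, `actions`/`resources`), the asset names and the `PUBLIC_PORTS` allow-list are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample inventory (no real accounts); each record carries only the
# attributes the checks below look at. The schema is an assumption of this example.
INVENTORY = {
    "users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "svc-deploy", "mfa_enabled": False},
    ],
    "storage": [
        {"name": "customer-data", "encrypted": True},
        {"name": "build-artifacts", "encrypted": False},
    ],
    "security_groups": [
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    ],
    "policies": [
        {"name": "ReadOnlyAnalytics", "actions": ["storage:GetObject"],
         "resources": ["bucket/customer-data"]},
        {"name": "AdminAll", "actions": ["*"], "resources": ["*"]},
    ],
    "logging": {"audit_trail_enabled": True, "alerting_enabled": False},
}

# Ports a boundary may legitimately expose to any source address (assumed policy).
PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    control: str      # SOC 2 point of focus, named as in the post
    tsc: str          # Trust Service Criterion the post files it under
    asset: str        # the non-compliant asset
    remediation: str  # what to change


def check_mfa(inv):
    """Security: every identity must have MFA configured."""
    return [Finding("Requires Additional Authentication or Credentials", "Security",
                    u["name"], "Enable MFA for this identity")
            for u in inv["users"] if not u["mfa_enabled"]]


def check_boundary_protection(inv):
    """Security: no ingress rule may expose a non-web port to the whole internet."""
    findings = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in PUBLIC_PORTS:
                findings.append(Finding(
                    "Implements Boundary Protection Systems", "Security",
                    f"{sg['name']}:{rule['port']}",
                    "Restrict the source CIDR or place the service behind a firewall/DMZ"))
    return findings


def check_detection(inv):
    """Availability: logging must be on and anomalies must raise alerts."""
    findings, log = [], inv["logging"]
    if not log["audit_trail_enabled"]:
        findings.append(Finding("Designs Detection Measures", "Availability",
                                "audit-trail", "Enable the account-wide audit trail"))
    if not log["alerting_enabled"]:
        findings.append(Finding("Implements Alerts to Analyze Anomalies", "Availability",
                                "alerting", "Configure alerts on high-priority assets"))
    return findings


def check_least_privilege(inv):
    """Confidentiality: every action on every resource violates least privilege."""
    return [Finding("Restricts Logical Access", "Confidentiality", p["name"],
                    "Scope actions and resources to what the role actually needs")
            for p in inv["policies"] if "*" in p["actions"] and "*" in p["resources"]]


def check_storage_encryption(inv):
    """Privacy: every storage asset must be encrypted."""
    return [Finding("Uses Encryption to Protect Data", "Privacy", s["name"],
                    "Turn on at-rest encryption for this storage asset")
            for s in inv["storage"] if not s["encrypted"]]


CHECKS = [check_mfa, check_boundary_protection, check_detection,
          check_least_privilege, check_storage_encryption]


def evaluate(inv):
    """Run every check and return the combined list of findings."""
    return [f for check in CHECKS for f in check(inv)]


def summarize(findings):
    """Open findings per TSC: the metric a compliance dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.tsc] = counts.get(f.tsc, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f.tsc}] {f.control}: {f.asset} -> {f.remediation}")
    print("open findings per TSC:", summarize(results))
```

Each check returns structured findings rather than printing, so the same output can feed a dashboard, a ticketing system or the evidence bundle an auditor asks for during a Type 2 observation period. Against the sample inventory it flags the service account without MFA, the database port open to the internet, the missing alerting, the wildcard admin policy and the unencrypted bucket, while the compliant assets produce nothing.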

How do you obtain the SOC 2 accreditation? 

The process of obtaining it depends on the type of accreditation you’re going for. There are two types of SOC audits, which require different reports: 

  • Type 1: a single audit and a single report are required at a specific date and time. For this type, the design of the security program put in place is evaluated. 
  • Type 2: to obtain the SOC 2 Type 2 accreditation, an audit is carried out over a period of time, usually a minimum of six months. For type 2, the execution of the security program is evaluated. 

There are advantages and disadvantages to both types.  

While type 1 requires less effort and is easier to get, it is also less valuable, since the evaluation result only reflects the state of the company's data security at a given point in time.  

With type 2, you invest more time and resources into getting accredited, but the result shows more effort and commitment toward the customer's data security.

Once you’ve decided which SOC 2 type you want to obtain, you need to start the long process of obtaining the accreditation. 

Use Cyscale to make this process easier for you 

Cyscale can help you obtain the SOC 2 accreditation for your company by: 

  • checking with the use of in-app controls whether you're implementing the requirements, 
  • providing you with remediation steps for any findings, 
  • helping you to demonstrate, during the audit, that you’re SOC 2 compliant and should receive the accreditation. 

In the image below, you can see a part of the SOC 2 standard page in Cyscale, which gives you metrics to know how you're doing in your process of becoming compliant. 

SOC 2 standard page in Cyscale

A large set of technical controls included in this standard are mapped to SOC 2 points of focus to easily understand which ones you’re correctly implementing, and which require your attention. 
