SOC 2 was designed and developed by the American Institute of Certified Public Accountants (AICPA). It has been specifically designed and developed for the service providers that store their customers’ data in the cloud environment. In 2019, this means that SOC 2 applies to almost every SaaS company.
At the core, it is more of a technical audit. However, it requires SaaS companies to establish, implement, and follow strict information security policies, processes, and procedures. The framework is based on five trust service principles (TSPs) –
- Processing Integrity
- Privacy of customer data
Compliance with SOC 2 framework is evaluated by independent auditors who assess a SaaS company’s compliance with the TSPs and other specific requirements. Many prospective customers have now started asking SaaS companies about their SOC 2 certification. In the last 2-3 years, SOC 2 has become a compulsory requirement for SaaS companies while acquiring new customers. However, this does not make compliance any easier for a SaaS company. In this article, we discuss essential requirements for SOC 2 certification.
Establishing a baseline and monitoring for the unknown
The theory of knowns and unknowns is well-known in the information security community. To achieve SOC 2 certification, a SaaS company must monitor for unusual activities in its technical infrastructure, along with authorized and unauthorized changes in system configuration, and user privileges. To comply with the requirements of SOC 2 certification, it is necessary to monitor for known activities such as ransomware, phishing attacks, unauthorized access, etc., while at the same time, it is essential to monitor the unknowns – such as zero-day attacks and new types of misuse.
To start with, a SaaS organization must define a baseline, i.e., what is normal, so that it is in a better position to recognize the unknowns.
Setting up fine-tuned security alerts
Once a SaaS company implements monitoring practices, it is now time for receiving information about threats promptly. SOC 2 requires a service organization to implement sufficient procedures for generating alerts and demonstrating the ability to respond to these alerts and take corrective actions when a security incident occurs. According to SOC 2, a SaaS company must receive alerts about any activity that results in unauthorized –
- File transfer
- Privileged account, file system, or log in
- Exposure or modification of data, controls, or configurations
Here, one concern that must be noted is that too many alerts can flood the concerned team of a service organization with false–positive alerts, eventually resulting in important (read critically) alerts being missed.
Creating audit trails
For identifying an attack’s root cause, a SaaS organization needs in-depth audit trails that provide insights into –
- Impact of the attack and its point of origin
- Unauthorized modifications of stored data and system configurations
- Modification, addition, or removal of key system components
Only after gathering all the relevant information about an attack, a service organization can determine what, who, where, when, and why of a threat to remediate the issue. Moreover, maintaining audit trails also helps a SaaS organization in legal and regulatory proceedings.
The battle is lost if a service organization fails to take corrective actions before sensitive customer data is compromised or exposed to the public at last, even after implementing monitoring tools, alerts generation, and audit tools. For the decision-makers of a service organization, it is necessary of the time that they have actionable insights so that a rapid action plan is prepared to mitigate the existing threat(s).
Information gathered must be able to give clear visibility into –
- Point of origin of an attack
- Travel path
- Impact on an organization’s technical infrastructure or its components
- Possible damages