The American Institute of Certified Public Accountants (AICPA) publishes various audit and reporting guides designed to keep companies and their stakeholders safe. One that applies to most service organizations, including but not limited to cloud computing providers, is the SOC 2 framework. So, why is SOC 2 compliance important? Read on to learn why it matters, how it helps cloud organizations specifically, and how its criteria can help all companies.
Why is SOC 2 Compliance Important for All Service Organizations?
There are two primary reasons SOC 2 compliance is essential for service organizations, especially those that deliver cloud services or rely on the cloud to best serve their clients:
- SOC 2 compliance helps ensure the protection of customer data, garnering trust.
- SOC 2 compliance is also uniquely apt to address common cloud computing risks.
These two benefits and the full extent of compliance are best understood by also breaking down the Trust Services Criteria framework, upon which SOC 2 assessments are based.
How Does SOC 2 Compliance Ensure Protection of Customer Data?
SOC 2 compliance is a result of successful SOC 2 reporting. SOC reports at all levels (SOC 1, SOC 2, and SOC 3) help ensure that service organizations protect customer data by measuring all internal practices against specific criteria. The primary purpose is minimizing financial losses to the customers and businesses; the secondary aim is building customers’ confidence and trust in said businesses.
The specific ways in which a SOC report can help secure your customers’ data depend on:
- SOC level – Based upon your business activity and customer audience
- SOC Type – Based upon the SOC assessment’s duration
The SOC Compliance Authority—AICPA and ASEC
SOC reporting and compliance are part of a broad umbrella of AICPA services related to trust services and information integrity. In particular, these services are overseen by an AICPA subgroup, the Assurance Services Executive Committee (ASEC).
ASEC comprises experts such as preeminent scholars in business and executives from “big-four” accounting firms (i.e., Deloitte, Ernst & Young, PricewaterhouseCoopers, and Klynveld Peat Marwick Goerdeler). Their wealth of practical and technical experience shapes the frameworks used in the SOC reports.
Understanding the Differences Between SOC 1, SOC 2, and SOC 3 Audits
As noted above, there are three levels of SOC reports a company can generate. All have their merits, but SOC 2 tends to be the most beneficial across the full spectrum of companies, providing the most insights and preventions against the broadest range of risks. The SOC levels are:
- SOC 1 – Fully titled SOC for Service Organizations: ICFR (Internal Control over Financial Reporting), SOC 1 Reports apply to financial service organizations (and to departments within organizations). Their use is limited to organizations’ managers, internal users, and auditors, and they facilitate the processing and security of financial statements.
- SOC 2 – Fully titled SOC for Service Organizations: Trust Services Criteria, SOC 2 Reports apply to all service organizations and are, like SOC 1, primarily intended for an audience of other auditors or regulators. They facilitate general security oversight, vendor management, corporate governance, and regulatory oversight.
- SOC 3 – Fully titled SOC for Service Organizations: Trust Services Criteria for General Use Report, SOC 3 reports are simplified versions of SOC 2 reports that cover many of the same principles but are intended for wide publication, such as on a company’s website. They facilitate communication of a company’s security to stakeholders.
Unless your company is a financial service provider or that is a large part of your business model, you will likely find the most value in either a SOC 2 or SOC 3 report.
The former produces deeper, more significant insights that companies can make public in excerpts. The latter is purely for public consumption and often cannot fulfill industry norms or requirements—for these reasons, RSI Security recommends generating a SOC 2 report first, then supplementing it with SOC 3.
Assessing Customer Data Safety Through Short and Long Term Reports
Beyond levels, the other major determinant of how a SOC report can benefit your company is Type. There are two Types of SOC reporting for SOC 1 and SOC 2. Type 1 is a less intensive audit; it offers an overview of a company’s security controls, assessing their design and the potential impact controls can have on security outcomes, as promised by the organization to its stakeholders. However, this is not an assessment of how the controls actually operate.
Type 1 SOC Reports can provide evidence that your company has designed secure systems.
The second kind of SOC 1 and SOC 2 report, Type 2, is a much more intensive audit. It details the descriptions of controls, like Type 1. But it also measures their actual efficacy in practice and over an extended duration. Type 2 provides evidence that your company has designed and continuously implements secure systems. Note that a Type 1 Report can be generated to prepare for a Type 2 Report, both for SOC 1 and SOC 2. SOC 3 Reports are Type 2 exclusively.
So, why is SOC 2 important for protecting customer data? A SOC 2 Type 2 Report, in particular, generates robust, complex, and long-term evidence that your controls will keep customers safe.
Why is SOC 2 Compliance Important for Cloud Computing Security?
The protections assured through SOC 2 compliance are beneficial for all service organizations, but cloud providers may find them especially critical. This is because the Trust Services Criteria (TSC) framework, upon which SOC 2 compliance is based, is fine-tuned for threats common to many cloud computing services and platforms. In particular, the TSC breaks down across five categories:
- Security – Measuring the extent to which all systems and information are safeguarded against unauthorized or inappropriate access, use, changes, deletions, additions, or disclosures. Unifying controls for all assets is critical for cloud providers, who may process or host a wide variety of data for their clients and clients’ customers.
- Availability – Measuring the extent to which all systems and information are accessible and functioning for stakeholders who need access to them. This is critical for cloud providers because any downtime across servers or platforms could impact all clients.
- Processing Integrity – Measuring the extent to which all system processing functions are operating as expected, including completeness, validity, accuracy, timeliness, and full authorization as per applicable client agreements. This is critical for cloud providers for many of the same reasons as availability; in cloud environments the two overlap heavily.
- Confidentiality – Measuring the extent to which information that is designated as confidential (including but not limited to personal data) is safeguarded, above and beyond security parameters. This is critical for cloud providers who store or process large quantities of non-personal protected information, such as government documents.
- Privacy – Measuring the extent to which personal information (exclusively) is protected, above and beyond security parameters. This is critical for cloud providers who store or process personal or personally identifiable information, such as medical or bank records.
The TSC categories are based upon principles established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to prevent fraud through internal controls. ASEC builds upon and enhances these principles, creating a flexible matrix of criteria that adapts to changing needs as more companies undergo cloud migrations.
Top Threats Faced by Cloud Computing Service Providers and Clients
Cloud providers and other service organizations that depend on cloud platforms can use SOC 2 reporting to defend against the biggest threats to them and their clients. According to a 2019 Cloud Security Alliance (CSA) study, the most common and severe threats to providers and clients’ cloud computing environments are the “egregious eleven”:
- General breaches, leading to direct loss of sensitive information and legal liabilities
- Change control issues, leading to an inability to guarantee information integrity
- Lacking cloud security measures, including both architecture and overall strategy
- Poor identity management, including weak credentials and lacking cryptography
- Account hijacking, including abuse of supposedly deleted or hidden users (i.e., “orphan accounts”)
- Threats from inside, such as purposeful attacks or negligence
- Insecure interfaces, including APIs, which can lead to wide-scale credential theft
- Weak control planes, leading to network-wide or network-based cloud attacks
- Metastructure failures, which compromise connections between cloud layers
- Limited cloud visibility, hampering end users’ abilities to secure their data
- Nefarious cloud usages, including intentional abuses of public hostings
To address these and other common cloud computing vulnerabilities, service organizations should implement security controls up to or exceeding the measures stipulated by the TSC.
Significant Impacts of SOC 2 Type 1 and Type 2 Audit Reports on the Cloud
The core of the TSC document comprises criteria pertaining to the five categories detailed above. In particular, the framework specifies common criteria (CC Series) that correspond to security but apply to all five categories. The other criteria each have supplemental sets that apply only to their specific category.
All common and supplemental criteria impact cloud providers’ ability to protect client data, but two have an outsized impact:
- A Series – Corresponding to Availability, these criteria ensure consistent cloud service delivery:
  - A1.1 – Requiring regular monitoring of, and adjustments to, system capacity and use
  - A1.2 – Requiring environmental protections, backups, and recovery protections
  - A1.3 – Requiring regular tests of all system recovery policies and procedures
- PI Series – Corresponding to Processing Integrity, these ensure cloud services operate as expected, per service agreements between cloud provider and client:
  - PI1.1 – Requiring clear communication of processing details and objectives
  - PI1.2 – Requiring policies and procedures for secure processing inputs
  - PI1.3 – Requiring policies and procedures for secure processing systems
  - PI1.4 – Requiring policies and procedures for secure processing outputs
  - PI1.5 – Requiring secure storage for processing inputs, systems, and outputs
All other criteria are also essential for cloud service providers, with differences in impact depending on the kinds of data they host or process. For example, a cloud server holding confidential data that is not all or mostly personal should focus more on Confidentiality than Privacy, and vice versa.
The Importance of SOC 2 Compliance Beyond Cloud Providers
Implementing the TSC for SOC 2 or SOC 3 compliance is beneficial for all companies, including those with little to no involvement with the cloud. ASEC positions its TSC framework as a robust bulwark against all threats, but especially those related to the following factors (per section .02):
- The overall nature and scope of an entity’s business, mission, and other operations
- The specific geographical and virtual environments an entity operates in or contacts
- The types and amount of information an entity generates, stores, processes, and uses
- The types of commitments an entity makes to its customers, clients, and third parties
- The roles and responsibilities entailed in operating and maintaining system processes
- The types and amount of technology, connections, and delivery channels the entity uses
- How an entity relates to or relies upon third parties, especially considering:
  - Third parties with access to systems or accounts connected to sensitive data
  - Third parties who provide raw materials or finished goods critical to the entity
  - Third parties who operate controls necessary for business or other objectives
- The types and amount of changes that are likely to occur, especially to the following:
  - System operations or related controls for security purposes
  - Data processing volume or methods related to data processing
  - Management over business, IT, or other critical personnel units
- Applicable legal or regulatory requirements the entity must follow
- The frequency of and ways in which new services and products are introduced
These factors impact all businesses—not just service organizations and certainly not just cloud service providers. Any company that does business with other companies should consider the TSC principles. A SOC 2 report, either Type 1 or Type 2, can help you trust your own company.
How to Satisfy the Trust Services Criteria for SOC 2 Compliance
Companies that provide cloud or other cloud-dependent services to other businesses need to maintain the trust of their clientele. The same is arguably true of all companies that work closely with other businesses. So, why is SOC 2 compliance important? Because it’s one of the best ways to protect customer data, especially via cloud availability and processing integrity.