As my counterparts in IT and InfoSec know, compliance isn’t a simple “connect-the-dots” exercise. The multi-cloud service environment has become the primary way that organizations work today.
Solutions and architectures like SD-WAN and Secure Access Service Edge (SASE) have helped infrastructure leaders in every vertical industry re-think their security strategy into one that is more holistic and flexible for a work-from-anywhere model. When you consider how fast companies are moving to an expanding cloud, and then consider the proliferation of cloud-based security threats, building and enforcing compliance strategies for a company like DeNexus can be a bit dizzying. With this said, compliance cannot be left by the wayside in this transition, and standards such as SOC 2 exist to make sure technology providers keep customer data secure while taking advantage of everything cloud services offer.
Keep Customers, and Their Data, Secure in the Cloud
At DeNexus, we’re here to break down for our customers the compliance requirements that come with cloud adoption, starting with SOC 2. This standard is one of the more common compliance goals for technology companies. But what does SOC 2 compliance mean, and how can you go about achieving it? In this post, my goal is to break down the four most important things we are doing at DeNexus to keep our customers’ data secure in a compliant manner. Here’s what you need to know.
Defining SOC 2 Compliance & Security
What is SOC 2 compliance? SOC 2 was developed by the AICPA and is specifically designed for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information.
Before 2014, cloud vendors only had to meet SOC 1 compliance requirements. Now, any company storing customer data in the cloud should meet SOC 2 requirements to minimize risk and exposure to that data. As companies increasingly leverage the cloud to store customer data, SOC 2 compliance is becoming a necessity for a wide variety of organizations. And for DeNexus, SOC 2 represents the minimum level of security that we require for our activities.
SOC 2 compliance requires a technical audit, but it goes beyond that. SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing integrity, and confidentiality of customer data. SOC 2 ensures that a company’s information security measures are in line with the unique parameters of today’s cloud requirements.
Four Key Components to Achieving SOC 2 Compliance
To put this into practice, here are the four areas of security practices that are critical for any organization when meeting SOC 2 compliance requirements.
Monitoring the Known (and the Unknown)
Achieving SOC 2 compliance means that you have established a process and practices that provide multi-level oversight over your organization. Specifically, this means that you are using a process for monitoring and documenting anomalies in network activity, unauthorized configuration changes, and user access level controls. That said, as fast as things move in the cloud, you need the ability to monitor for not just known malicious activity, but the unknown, too. This can be achieved by baselining what normal activity looks like in your cloud environment so you can then determine what abnormal activity is.
Customers need to know that even when the next WannaCry, NotPetya, CloudBleed, or Spectre Next Generation threat occurs, their confidential information will remain secure, and they need that assurance from their solution providers. By putting in place a continuous security monitoring practice, one that can detect potential threats coming from external and internal sources alike, you can ensure that you will never be left in the dark about what’s happening within your cloud infrastructure.
When a security incident happens — and given the reality of today’s threat landscape, it’s very likely that one will — you need to demonstrate that sufficient alerting procedures are in place. If any unauthorized access to customer data occurs, solution providers must demonstrate their ability to respond and take corrective action in time.
Unfortunately, the common problem with alerting is that you end up with a lot of noise from false positives. To combat this, you need a process that sets the alarms off only when activity deviates from the norm that has been defined for your unique environment. Specifically, SOC 2 requires companies to set up alerts for any activities that result in unauthorized:
Exposure or modification of data, controls, or configurations
File transfer activities
Privileged filesystem, account, or login access
In short, you must determine what activities would be indicators of threats within your specific cloud environment and risk profile, so you can ensure that you’ll be alerted the moment something happens and that you can take swift action to prevent data loss or compromise.
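The baseline-then-alert approach described above, as an added example that is not part of the original post: a small Python script that learns each user’s normal login sources, transfer destinations and change targets from a constructed history, then flags only the events in a new log that deviate from that baseline or are explicitly unauthorized (the three SOC 2 alert categories listed above). The JSON event format and field names are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample audit events (JSON lines); not from any real system.
BASELINE_LOG = """
{"ts":"2024-01-02T09:00:00Z","user":"alice","action":"login","src":"10.0.1.5","priv":false}
{"ts":"2024-01-02T09:10:00Z","user":"alice","action":"file_transfer","dest":"internal-share","bytes":2048}
{"ts":"2024-01-02T10:00:00Z","user":"bob","action":"config_change","target":"firewall","approved":true}
{"ts":"2024-01-03T09:05:00Z","user":"alice","action":"login","src":"10.0.1.5","priv":false}
"""
NEW_LOG = """
{"ts":"2024-01-09T03:00:00Z","user":"alice","action":"login","src":"203.0.113.7","priv":true}
{"ts":"2024-01-09T03:05:00Z","user":"alice","action":"config_change","target":"firewall","approved":false}
{"ts":"2024-01-09T03:10:00Z","user":"alice","action":"file_transfer","dest":"external-host","bytes":50000000}
{"ts":"2024-01-09T09:00:00Z","user":"bob","action":"config_change","target":"firewall","approved":true}
"""

def parse(log: str) -> list[dict]:
    return [json.loads(line) for line in log.strip().splitlines()]

def build_baseline(events: list[dict]) -> dict:
    """Per user: login sources, transfer destinations, changed targets, and whether privileged access was ever seen."""
    base = defaultdict(lambda: {"src": set(), "dest": set(), "changes": set(), "priv": False})
    for e in events:
        u = base[e["user"]]
        if e["action"] == "login":
            u["src"].add(e["src"])
            u["priv"] = u["priv"] or e["priv"]
        elif e["action"] == "file_transfer":
            u["dest"].add(e["dest"])
        elif e["action"] == "config_change":
            u["changes"].add(e["target"])
    return base

def detect(events: list[dict], base: dict) -> list[tuple[str, str, str]]:
    """Alert only when an event deviates from the user's baseline or is explicitly unauthorized."""
    alerts = []
    for e in events:
        u = base[e["user"]]  # an unseen user gets an empty baseline, so everything they do deviates
        if e["action"] == "login" and (e["src"] not in u["src"] or (e["priv"] and not u["priv"])):
            alerts.append((e["ts"], e["user"], "login deviates from baseline"))
        elif e["action"] == "config_change" and (not e["approved"] or e["target"] not in u["changes"]):
            alerts.append((e["ts"], e["user"], "unauthorized config change"))
        elif e["action"] == "file_transfer" and e["dest"] not in u["dest"]:
            alerts.append((e["ts"], e["user"], "file transfer to unseen destination"))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG))):
        print(*alert)
```

Bob’s approved firewall change matches his baseline and stays silent, while Alice’s off-hours privileged login from a new address, unapproved change and outbound transfer each raise exactly one alert.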
Detailed Audit Trails
When it comes to response, nothing is more important than knowing the root cause of an attack. Without that deep contextual insight, how will you know where to begin remediating the issue, especially when you are responding to an active incident? Audit trails are the best way to get the insight you need to carry out your security operations. They provide the necessary cloud context, giving you the who, what, when, where, and how of a security incident so you can make quick and informed decisions about how to respond. Audit trails can give you deep insights into:
Modification, addition, or removal of key system components
Unauthorized modifications of data and configurations
Breadth of attack impact and its point of origin
Your customers need assurance that you are not only monitoring for suspicious activity and receiving real-time alerts, but that you have the ability to take corrective action on these alerts before a system-wide situation exposing or compromising critical customer data occurs. In addition to being obsessive about driving down MTTD (Mean Time To Detect), security organizations should be equally obsessive about slashing MTTR (Mean Time To Remediate).
Since your decisions can only be as good as the intelligence you base them on, you need actionable data to make informed decisions. This comes in the form of host-based monitoring, where the source of truth lies. When you go straight to the source, you have visibility into:
Where an attack originated
Where it traveled to
What parts of the system are impacted
The nature of the impact of the attack
What lateral movement capabilities exist
Armed with these forensics, you can effectively detect threats, mitigate impact, and implement corrective measures to prevent similar events from resurfacing in the future.
SOC 2 is about implementing and enforcing well-defined policies, procedures, and practices — not just ticking all the compliance checkboxes with endpoint solutions. Doing so effectively builds trust with customers and end users by proving the secure nature and operation of your cloud infrastructure. Whereas other compliance mandates (such as SOC 1) simply require you to pass the audit test, a SOC 2 Type 2 report requires long-term, ongoing internal practices that ensure the security of customer information and, in turn, the long-term success of our customers.
The good news is that Threat Stack can give you full-stack security observability and help you quickly and automatically meet a broad range of SOC 2 compliance requirements in the cloud, covering each of the areas above.
At DeNexus, we are committed to operating under the SOC 2 standard and beyond, both at the corporate level and when providing our clients with cyber risk quantification services using our flagship SaaS product, DeRISK.