How to Get SOC 2 Compliance with Appaegis Access Fabric


The speed with which customer applications are transitioning to a hybrid cloud-based environment has accelerated more rapidly than previously envisioned. Customer data is now stored across multiple clouds and on-premises environments. Securing this data is critical for the success of businesses.  

If that is not motivation enough, there are compliance mandates that govern data security. For example, SOC 2 compliance is increasingly seen as a set of minimum requirements for vendors operating in this environment. SOC 2 is itself a voluntary certification, but many organizations take it into consideration before making any purchasing decisions involving SaaS providers.

I am going to address the following questions: what exactly is SOC 2 compliance, and how should you think about it, regardless of the SOC 2 compliance tools used?


What exactly is SOC 2 (as defined by AICPA) and why is it relevant in a SaaS world?

System and Organization Controls (SOC) are a set of compliance standards created by the American Institute of Certified Public Accountants (AICPA). They specify how service organizations should secure customer data and which internal controls need to be applied. SOC 2 is one of three SOC standards defined by the AICPA. The scope of each of the reports used to demonstrate compliance with those standards is summarized below.


  • SOC 1: Audit of internal controls relevant to a customer’s financial systems. Report usage is “restricted,” meaning its use is limited to auditors, the service organization, and authorized users.
  • SOC 2: Audit of the overall management of customer data. Report usage is “restricted” in the same way as SOC 1.
  • SOC 3: Simplified SOC 2 report intended for public consumption.


A SOC audit assesses how an organization protects the customer data it processes in hybrid cloud environments. SOC 2 compliance comes in two forms: Type 1 and Type 2. 

  • Type 1: An evaluation of the design of the business’s controls at a specific moment in time.
  • Type 2: An assessment of the operational effectiveness of the controls over a period of time, typically 6 to 12 months.


A SOC 2 compliance report covers five trust service criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. These “trust service criteria” are defined by AICPA. A summary of each criterion is included below.

Security 

This criterion evaluates information and systems to determine if they are protected against the following:

  • Unauthorized access 
  • Unauthorized disclosure of information 
  • Damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems 

Availability  

This criterion evaluates information and systems to determine if they are available for operation and use to meet the entity’s objectives.

Processing Integrity  

This criterion determines if system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Confidentiality 

This criterion determines if information designated as confidential is protected to meet the entity’s objectives.

Privacy  

This criterion evaluates how personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Confidentiality applies to various types of sensitive information, while privacy applies only to personal information.


How to Get SOC 2 Compliance: Address a Wide Array of Controls

To achieve SOC 2 compliance, an organization needs to establish controls for the following risk areas and provide evidence that those controls operate. It may need to deploy multiple SOC 2 compliance tools to gather the needed evidence.

  • Access Security 
  • Network Security 
  • Change Management 
  • Vulnerability Management
  • Availability
  • Incident Response
  • Risk Assessment
  • Organizational Management
  • Physical security
  • Confidentiality
  • Communications 


Compliance Adherence, Audits and Reporting 

A critical part of SOC 2 compliance is the ability to generate reports and pass audits. If companies pass the audit, they receive SOC 2 compliance certification. These reports and audits verify the controls (listed above) established for the five trust service criteria. SOC 2 controls need to be maintained, since yearly audits are mandated to ensure continued compliance.

Manual reporting and audits for each of the monitored risk areas impose operational costs on organizations. There is a need for an easy-to-deploy, easy-to-manage solution that ensures continued SOC 2 compliance. That solution needs to be automated and provide continuous monitoring and alerting. It must deliver four key outcomes:

  • Protect user data
  • Ensure access controls for users and applications
  • Reduce operational costs
  • Have granular visibility and auditing capabilities 

This simplifies the organization’s ability to maintain controls for the risk areas and remain SOC 2 compliant. The solution needs to scale with an organization’s growth and be always available. A solution that automatically monitors and generates these reports must cover the areas discussed below.

  1. Compliance controls related to user access and data protection across multiple risk areas, including Access Security, Network Security, Vulnerability Management and Change Management.
  2. Access security and network security controls that restrict logical access, grant authorized access and remove unauthorized access to user data.
  3. Change Management controls that govern access to infrastructure, data and software changes and prevent unauthorized changes from being made.
  4. Vulnerability Management to detect and monitor the introduction of new vulnerabilities, and to detect exposure to newly discovered vulnerabilities.
  5. Monitoring and management of capacity demand for infrastructure, data and software, with the ability to scale up based on the organization’s availability needs.


Appaegis Access Fabric: A Better Way to Automate for SOC 2 Compliance 

Appaegis Access Fabric securely connects users to resources based on identity and authorization in hybrid cloud and public cloud environments. This approach ensures data security and provides auditing and compliance controls. Deploying Appaegis Access Fabric helps organizations continuously monitor and audit user access, effectively maintaining the controls created for SOC 2 compliance.


Appaegis Access Fabric provides the capability to manage risks associated with Access Security, Network Security, Change Management and Vulnerability Protection. Integration with IAM allows fine-grained permission controls and policies to be applied and remediates risks associated with access. Continuous monitoring and auditing are built into the platform so organizations can automate and simplify their operations.

Appaegis Access Fabric can help detect and close any security gaps identified and fine-tune the permission controls. Organizations can maintain SOC 2 compliance by managing the risks identified with permissions, application access and data access by users. They will also need anomaly detection, reporting and auditing capabilities, all of which are included in Appaegis Access Fabric.

Appaegis Access Fabric has built-in redundancy to eliminate downtime, so organizations can scale as they grow. Appaegis ensures SOC 2 compliance by combining two critical elements: simplified onboarding and off-boarding of users, and permission-based access controls enforced from a centrally managed platform.

Appaegis can help protect access for employees, contractors and third parties. We do this by applying consistent security policies that ensure SOC 2 controls are applied to every user accessing applications. Appaegis Access Fabric reduces operational costs because it is easy to deploy and manage and requires minimal user retraining.


Some of the key capabilities in our solution that help organizations simplify and automate SOC 2 compliance include:

Compliance Controls and User Activity Visibility  

  • Continuous user activity monitoring for Web, SSH, RDP and Kubernetes to detect and prevent data theft 
  • Session recording for SSH, RDP and Kubernetes to ensure audit compliance 
  • Detailed user and application activity reporting for visibility and control of cloud infrastructure 
  • Inbuilt decryption, enabled by default, for detailed session analysis 

Access Security and Network Security 

  • Consistent enforcement of security control policies for employee and third-party user/device access to applications
  • Two-factor authentication for application access using SSH, RDP, and Kubernetes 
  • Preventing the use of shared and static passwords for SSH access 
  • Login control for users based on location and time of access 
  • Logging and monitoring of sessions 
  • Alerting for user activity based on behavioral anomalies 

Change Management Controls 

  • Ability to monitor and audit user access to the organization’s software management systems using Git
  • User access permission controls for applications like Jira and Confluence

Identity Provider Integration to manage user authentication, authorization and permission management 

  • Integration with key vault services (AWS KMS, HCP Vault, Azure Key Vault) to reduce risks and key management overhead. 
  • Integration with leading identity providers (Okta, Azure AD, Google Workspace) 
  • Integration with Cloud IAM (AWS, Azure) for permission and policy controls 

Vulnerability Protection

  • Data Loss Prevention is built into the system.


Conclusion 

SOC 2 compliance audits and reporting can be complex. Organizations are challenged to answer the question of how to get SOC 2 compliance and stay compliant. Organizations must maintain a SOC 2 compliance checklist to monitor the controls needed. Appaegis Access Fabric helps organizations reduce complexity and increase the accuracy of their SOC 2 compliance process.

Appaegis can help with initial SOC 2 compliance. We also ensure that established controls for user access and data remain in compliance with continuous monitoring and visibility. 


Want to learn how Appaegis can help organizations enforce SOC 2 controls and maintain SOC 2 compliance certification? Click here to set up a meeting with our security and compliance experts.
