Welcome!

Linux Containers Authors: Liz McMillan, Elizabeth White, Pat Romanski, Yeshim Deniz, Flint Brenton

Related Topics: @CloudExpo, Microservices Expo, Cloud Security

@CloudExpo: Article

SOC 2 for Cloud Computing

An introduction to the newest flavor of controls reporting

In mid-2011, the American Institute of Certified Public Accountants (AICPA) established a Service Organization Controls (SOC) reporting framework in hopes of providing the public and CPAs with a clearer understanding of the reporting options for service organizations. Additionally, the AICPA sought to reduce the risk of misuse of SSAE 16, which recently superseded SAS 70, as a mechanism for reporting on security, compliance, and operational controls.

SOC 2To achieve these goals, the AICPA released the following reporting framework:

  • SOC 1: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (also known as SSAE 16)
  • SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
  • SOC 3: SysTrust for Service Organizations

Of the three, SOC 2 is the only new type of examination. Despite being new, customers are already expecting, if not requiring, providers to undergo SOC 2 examinations. In many cases, these expectations are on top of existing SOC 1 (SSAE 16) obligations.

To fully appreciate SOC 2, one would need to read the 150-paged professional guide on the topic. Realizing that is not feasible for most cloud providers, I have prepared the following ten points to give cloud computing providers and their customers a conversational understanding of SOC 2:

1. SOC 2 examinations are designed to provide organizations that outsource the operation, collection, processing, transmission, storage, organization, maintenance and/or disposal of their information to third parties a mechanism for assessing governance and oversight at those service providers. Unlike SOC 1 (SSAE 16), the focus is on controls related to security, compliance, and operations, rather than controls relevant to financial reporting.

2. SOC 2 reports allow cloud providers to communicate information about their services and the suitability of the design and operating effectiveness of their controls to prospective and existing customers in a well-known format that is nearly identical to an SSAE 16 report.

3. SOC 2 examinations report on controls that mitigate the risks of achieving the following "Trust Services" principles:

  • Security - The system is protected against unauthorized physical and logical access.
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing Integrity - System processing is complete, accurate, timely, and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

4. All five Trust Services principles are not required to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives. This decision is based on the relevance of each principle to their services, as well as the interests of their customers.

5. When selecting a Trust Services principle, the cloud provider essentially asserts compliance with the principle and its underlying "criteria". Before selecting a principle, it is absolutely critical that cloud providers review the principles and underlying criteria to confirm an ability to meet the criteria. It is worth noting that, of the five Trust Services principles, the Privacy principle is particularly involved and should be selected with due care.

6. There are two types of SOC 2 examinations known as "type 1" and "type 2". Both types of reports contain an auditor's opinion letter, management's assertion, as well as a system description prepared by management that describes the controls implemented to meet the criteria, among other topics. For a type 1 examination, the auditor opines on whether management has fairly described its system and whether its controls are suitability designed to meet the applicable Trust Services criteria as of a point in time. Type 2 examinations report on those same topics, but the auditor also tests the controls and opines on the operating effectiveness of those controls during a specified review period (normally 6 - 12 months in duration). Type 2 reports are the most prevalent of the two report types.

7. There are no bright line rules defining the specific controls that must be implemented in order to meet the criteria of selected principles. For example, criterion 3.4 of the security principle states: "Procedures exist to protect against unauthorized access to system resources." The criteria provide several illustrative controls that could be used to meet the criterion, including the use of VPNs, firewalls and intrusion detection systems. However, none of the illustrative controls are required. Cloud providers have full discretion to present their own internal controls without issue so long as those controls meet the criteria for the selected Trust Services principles.

8. The scope of a SOC 2 examination can be modified based on the services provided. For example, otherwise applicable Trust Services criterion may be omitted if they are not applicable to the service that is the subject of the engagement. Similarly, the scope of a SOC 2 examination can be expanded to report on topics not specifically covered by the SOC 2 guidance. This gives cloud providers the ability to request that the auditor also report on compliance with other frameworks, such as the security requirements of HIPAA or the Cloud Security Alliance (CSA) Cloud Controls Matrix within a single SOC 2 report.

9. SOC 2 is not a certification; however, service organizations that complete a SOC 2 examination are entitled to display the AICPA's service organization logo on their promotional material and website for 12 months following the date of the report. Unlike SOC 3 (SysTrust), there is no licensing fee to use the logo, but its use is contingent on compliance with the terms, conditions and guidelines set forth by the AICPA.

10. Although SOC 2 is very similar in form to SOC 1 (SSAE 16), the two have distinctly different purposes and one cannot be used as substitutes for the other. Furthermore, it is entirely possible that a cloud provider would have a valid need for a SOC 1 and a SOC 2 examination depending on the nature of its services.

For those seeking additional information on this topic, the AICPA has created a dedicated site for SOC reporting topics, found here. The detailed list of criteria for the security, availability, processing integrity and confidentiality principles are found here. The detailed criteria for the privacy principle are found here. The official AICPA SOC 2 guide is available for purchase here.

More Stories By Chris Schellman

Chris Schellman is the President of BrightLine, the world's only CPA firm that is accredited as a PCI QSA Company and ISO 27001 Registrar. Chris is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.

For more information on SOC 1 / SSAE 16 topics, visit BrightLine.com/SOC1

For more information on SOC 2 topics, visit BrightLine.com/SOC2

@ThingsExpo Stories
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settl...
In his session at @ThingsExpo, Dr. Robert Cohen, an economist and senior fellow at the Economic Strategy Institute, presented the findings of a series of six detailed case studies of how large corporations are implementing IoT. The session explored how IoT has improved their economic performance, had major impacts on business models and resulted in impressive ROIs. The companies covered span manufacturing and services firms. He also explored servicification, how manufacturing firms shift from se...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
Organizations planning enterprise data center consolidation and modernization projects are faced with a challenging, costly reality. Requirements to deploy modern, cloud-native applications simultaneously with traditional client/server applications are almost impossible to achieve with hardware-centric enterprise infrastructure. Compute and network infrastructure are fast moving down a software-defined path, but storage has been a laggard. Until now.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. All In Mobile is a mobile app development company from Poland. Since 2014, they maintain passion for developing mobile applications for enterprises and startups worldwide.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
DXWorldEXPO LLC announced today that the upcoming DXWorldEXPO | CloudEXPO New York event will feature 10 companies from Poland to participate at the "Poland Digital Transformation Pavilion" on November 12-13, 2018.
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world.
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...