Welcome!

Linux Containers Authors: Zakia Bouachraoui, Yeshim Deniz, Elizabeth White, Liz McMillan, Pat Romanski

Related Topics: @CloudExpo, Microservices Expo, Cloud Security

@CloudExpo: Article

SOC 2 for Cloud Computing

An introduction to the newest flavor of controls reporting

In mid-2011, the American Institute of Certified Public Accountants (AICPA) established a Service Organization Controls (SOC) reporting framework in hopes of providing the public and CPAs with a clearer understanding of the reporting options for service organizations. Additionally, the AICPA sought to reduce the risk of misuse of SSAE 16, which recently superseded SAS 70, as a mechanism for reporting on security, compliance, and operational controls.

SOC 2To achieve these goals, the AICPA released the following reporting framework:

  • SOC 1: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (also known as SSAE 16)
  • SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
  • SOC 3: SysTrust for Service Organizations

Of the three, SOC 2 is the only new type of examination. Despite being new, customers are already expecting, if not requiring, providers to undergo SOC 2 examinations. In many cases, these expectations are on top of existing SOC 1 (SSAE 16) obligations.

To fully appreciate SOC 2, one would need to read the 150-paged professional guide on the topic. Realizing that is not feasible for most cloud providers, I have prepared the following ten points to give cloud computing providers and their customers a conversational understanding of SOC 2:

1. SOC 2 examinations are designed to provide organizations that outsource the operation, collection, processing, transmission, storage, organization, maintenance and/or disposal of their information to third parties a mechanism for assessing governance and oversight at those service providers. Unlike SOC 1 (SSAE 16), the focus is on controls related to security, compliance, and operations, rather than controls relevant to financial reporting.

2. SOC 2 reports allow cloud providers to communicate information about their services and the suitability of the design and operating effectiveness of their controls to prospective and existing customers in a well-known format that is nearly identical to an SSAE 16 report.

3. SOC 2 examinations report on controls that mitigate the risks of achieving the following "Trust Services" principles:

  • Security - The system is protected against unauthorized physical and logical access.
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing Integrity - System processing is complete, accurate, timely, and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

4. All five Trust Services principles are not required to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives. This decision is based on the relevance of each principle to their services, as well as the interests of their customers.

5. When selecting a Trust Services principle, the cloud provider essentially asserts compliance with the principle and its underlying "criteria". Before selecting a principle, it is absolutely critical that cloud providers review the principles and underlying criteria to confirm an ability to meet the criteria. It is worth noting that, of the five Trust Services principles, the Privacy principle is particularly involved and should be selected with due care.

6. There are two types of SOC 2 examinations known as "type 1" and "type 2". Both types of reports contain an auditor's opinion letter, management's assertion, as well as a system description prepared by management that describes the controls implemented to meet the criteria, among other topics. For a type 1 examination, the auditor opines on whether management has fairly described its system and whether its controls are suitability designed to meet the applicable Trust Services criteria as of a point in time. Type 2 examinations report on those same topics, but the auditor also tests the controls and opines on the operating effectiveness of those controls during a specified review period (normally 6 - 12 months in duration). Type 2 reports are the most prevalent of the two report types.

7. There are no bright line rules defining the specific controls that must be implemented in order to meet the criteria of selected principles. For example, criterion 3.4 of the security principle states: "Procedures exist to protect against unauthorized access to system resources." The criteria provide several illustrative controls that could be used to meet the criterion, including the use of VPNs, firewalls and intrusion detection systems. However, none of the illustrative controls are required. Cloud providers have full discretion to present their own internal controls without issue so long as those controls meet the criteria for the selected Trust Services principles.

8. The scope of a SOC 2 examination can be modified based on the services provided. For example, otherwise applicable Trust Services criterion may be omitted if they are not applicable to the service that is the subject of the engagement. Similarly, the scope of a SOC 2 examination can be expanded to report on topics not specifically covered by the SOC 2 guidance. This gives cloud providers the ability to request that the auditor also report on compliance with other frameworks, such as the security requirements of HIPAA or the Cloud Security Alliance (CSA) Cloud Controls Matrix within a single SOC 2 report.

9. SOC 2 is not a certification; however, service organizations that complete a SOC 2 examination are entitled to display the AICPA's service organization logo on their promotional material and website for 12 months following the date of the report. Unlike SOC 3 (SysTrust), there is no licensing fee to use the logo, but its use is contingent on compliance with the terms, conditions and guidelines set forth by the AICPA.

10. Although SOC 2 is very similar in form to SOC 1 (SSAE 16), the two have distinctly different purposes and one cannot be used as substitutes for the other. Furthermore, it is entirely possible that a cloud provider would have a valid need for a SOC 1 and a SOC 2 examination depending on the nature of its services.

For those seeking additional information on this topic, the AICPA has created a dedicated site for SOC reporting topics, found here. The detailed list of criteria for the security, availability, processing integrity and confidentiality principles are found here. The detailed criteria for the privacy principle are found here. The official AICPA SOC 2 guide is available for purchase here.

More Stories By Chris Schellman

Chris Schellman is the President of BrightLine, the world's only CPA firm that is accredited as a PCI QSA Company and ISO 27001 Registrar. Chris is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.

For more information on SOC 1 / SSAE 16 topics, visit BrightLine.com/SOC1

For more information on SOC 2 topics, visit BrightLine.com/SOC2

IoT & Smart Cities Stories
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...