Why SOC 2 Compliance Is a Matter of (Zero) Trust
SaaS solutions are now so entwined in business users’ daily routines that they seem to meld into one experience — or simply put, “the way I work.” Yet the reality is there are many disparate cloud applications in play across a typical enterprise — 364 on average — which means a lot of complexity and risk. That’s why, as organizations expand and accelerate business in the cloud, they’re not just looking at how SaaS solutions can enable them; they’re increasingly focused on potential security impact. And it’s become clear that unprotected or misconfigured data in the hands of an application provider — one link in the interconnected software supply chain — is all it takes to open the door to cyber attacks.
Enter SOC 2. It’s an industry certification that gives SaaS solution providers a verifiable way to demonstrate the security and reliability of their software products, services and practices. Though it’s not mandatory for SaaS providers to be certified, many enterprise customers have added SOC 2 compliance to their must-have list when evaluating potential vendors. If this is the case for your organization, especially if you are one of the many embracing SaaS-delivered security solutions to protect corporate assets and distributed workforces, such accreditations are crucial.
Mapping SOC 2’s Five Principles to Zero Trust
As defined by the American Institute of Certified Public Accountants (AICPA), SOC 2 is a framework used by service providers to audit and report how they manage sensitive customer data. The SOC 2 report focuses on internal controls across five “trust service principles.” Because service providers’ offerings vary, not all five areas are relevant to every provider, so organizations are not required to certify all of them. The security principle is mandatory for a SOC 2 audit — the others are optional. However, some customers may require all five areas to be certified before entering a business relationship.
Here’s a look at how SOC 2’s various technical controls work in support of a broader Zero Trust approach to cybersecurity that encompasses people, processes and technology.
Principle 1: Security
In a Zero Trust model, every identity — human or machine — must be authenticated and authorized with zero exceptions. The SOC 2 security principle evaluates application security design (for both off-the-shelf and custom applications) and specifically, how access to sensitive information — such as personally identifiable information (PII), financial data and intellectual property — is controlled and protected. SOC 2 looks for foundational access controls such as multi-factor authentication (MFA) and intrusion detection, which work together to let users in and keep threats out.
Principle 2: Availability
Customers expect their cloud services to be on and ready to use — any time, every time. This principle evaluates the provider’s ability to keep things up and running by examining performance monitoring capabilities, along with the processes in place to respond to security-related incidents, among other factors. Zero Trust security calls for comprehensive monitoring capabilities so organizations have the complete situational awareness they need to identify threats quickly and respond swiftly and with confidence to minimize exposure.
Principle 3: Processing Integrity
This principle focuses on how data is processed. With the requisite quality assurance and process monitoring controls in place, application providers can verify that their data storage, delivery, modification and retention processes adhere to stringent security standards to protect customer data. Implementing controls to help ensure customer data is protected requires organizational preparedness. Preparedness is a core premise of Zero Trust: it’s no longer realistic for any organization to think they can stop every attack, every time. Instead, it’s about how they’re prepared to identify and respond to threats before they can gain enough escalated privileges to do harm. When organizations have documented plans, metrics and security processes in place to protect customer data, they make further progress towards adopting — and evolving — a Zero Trust security model.
Principle 4: Confidentiality
Confidentiality is critical — and even more so in the case of multi-tenant SaaS applications. Organizations need assurance that the environment housing their confidential data is secure from unintended access by both the service provider and third-party tenants. SOC 2 requires access controls — along with data encryption and firewalls — to help protect data from falling into the wrong hands. Foundational to a Zero Trust approach, Identity Security solutions secure individual identities throughout the cycle of accessing critical assets. This means authenticating that identity accurately, authorizing that identity with the proper permissions and providing privileged access for that identity to reach sensitive assets in a structured manner — all in a way that can be audited (or accounted for) to ensure the entire process is sound.
Principle 5: Privacy
The SOC 2 privacy principle evaluates how the application processes PII based on the company’s specified data policies, as well as the AICPA’s Generally Accepted Privacy Principles (GAPP). The U.S. Department of Homeland Security defines PII as “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.” As with the confidentiality principle, proper access controls must be in place to protect PII data from unauthorized access. This means verifying every user, validating every device and intelligently limiting privileged access based on least privilege and Zero Trust policies.
Demonstrating our Cybersecurity Commitment with SOC 2 Compliance
At CyberArk, Zero Trust isn’t a buzzword; it’s a philosophy that’s deeply embodied in each of our solutions and services, as well as our own personnel, software and infrastructure security practices.
Today, we’re the only Identity Security provider offering SOC 2 Type 2-certified SaaS solutions for Privileged Access Management (PAM), endpoint privilege management, remote vendor access, Identity and Access Management, and cloud infrastructure entitlements management.
Our SOC 2 accreditation is just one of many ways we demonstrate our commitment to our customers who depend on CyberArk to improve the security of their IT environments and software supply chains. To learn more about our company’s security, reliability, privacy and compliance policies, please visit the CyberArk Trust Center.