Cloud security is an ongoing requirement for all organizations born and built in the cloud. As organizations build and develop new features and expand their presence in the cloud, they must not only contend with the ability to continually grow their security coverage, but likewise align with any changes to compliance and regulatory requirements. Additionally, and importantly to SaaS companies, security programs must also demonstrate verifiable proof of a robust security program. One way to probably demonstrate security controls is with a SOC 2 report.
What is SOC 2?
The American Institute of Certified Public Accounts (AICPA) SOC 2 is a report that evaluates the security controls a services organization uses and provides detailed information and assurance about those controls relevant to AICPA Trust Service Criteria (TSC). These TSCs include security, availability, processing integrity, confidentiality, and privacy and play an important role in overall information and cyber security practices, regulatory oversight, vendor risk management and insight into an organization’s security program and posture.
To comply with SOC 2, organizations must be able to demonstrate that they adhere to the following rules:
- Security: They implement reasonable security safeguards within applications, networks, and infrastructure.
- Availability: Using techniques and practices like disaster recovery, they maintain systems availability.
- Processing integrity: They monitor data processing to ensure accuracy and deal with data quality problems.
- Confidentiality: They keep sensitive data secure (meaning it is protected from misuse, manipulation, or abuse) using methods like access control and encryption.
- Privacy: They keep data private (meaning that only users who should be authorized to access it can access it) using authentication and access controls and encryption.
Are SaaS companies required to be SOC2 compliant?
It is important to note that AICPA is an independent organization and pursuing a SOC 2 report is not a regulatory nor legal requirement. SOC 2 reports drafted by certified auditors can map controls into other regulatory frameworks such as the United States’ Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy and/or Disclosure Rules. However, a SOC 2 report will attest to technical, process and people related controls and provide verifiable assurance of the strength and quality of your security controls for potential customers.
At this point, possession of a SOC 2 report is considered table stakes in the SaaS industry, as the answers to most security questions an enterprise customer may have about the business’s security posture can usually be pulled from this report. Likewise, it is recommended that businesses go for SOC 2 Type 2 attestation rather than Type 1 because the Type 2 report is a long-term analysis of the target company’s overall security program, including the design and execution of all security safeguards over an extended period. A SOC2 report can provide current and future clients with the assurance that their data is safe with your business and not just in the short term, checking the box of security.
Not only does SOC2 compliance provide additional assurances to customers that you are doing your due diligence to keep them safe, but it likewise increases data protection, your organization’s vulnerability awareness, and provides increased security, availability, processing integrity, confidentiality, and privacy.
What is the current process to attain a SOC2 report?
Current SOC 2 processes from traditional auditors are suboptimal.
The process to attain a SOC2 report can be:
- Expensive, with no cost transparency.
- Slow. We’re talking months not weeks (the process will typically take at least six months and will often last an entire year or longer).
- Extremely light on the reporting side. Most solutions are doing “just enough” to cover baseline items.
- Difficult to scale. As companies grow and diversify their offerings, they need the ability to scale their compliance too.
What sections of the SOC 2 does Lightspin cover?
There are 9 core sections and 3 “Additional Criteria” sections to the SOC 2 Type II coverage per the AICPA’s official guidance. It is important to know that not every single TSC nor every single control needs to be included within a SOC 2 report and this should be planned out between you and your auditor. However, Lightspin capabilities across our Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Cloud Infrastructure and Entitlement Management (CIEM), Kubernetes Security Posture Management (KSPM), and Threat & Vulnerability Management (TVM) offerings can help to prove coverage of these controls.
Lightspin customers have leveraged the platform for expansive coverage of nearly all their technical cloud security focused requirements. Auditors have accepted Lightspin platform data as evidence of SOC 2 requirements dozens of times. Lightspin’s Discovery Graph feature allows for easy communication with auditors through a common visual language. Companies which require account and environment isolation can easily do so, and visually verify to auditors that complete isolation of environments is met.
“Lightspin provides operational efficiency through its intuitive platform. As I invest in solutions for my team, I want to be able to see the ROI quickly. Lightspin has been able to provide the code to cloud security coverage we needed and actionable insights missing from other tools we had used in the past, all at a great value.”
-- Ray Espinoza, CISO at Inspectiv
Information security is an essential component of doing business in our digital world, and your customers want to know that they can trust you to do due diligence and partner with vendors who will ensure that their data is safely stored and maintained.
Attaining and maintaining a SOC2 report should be high priority for your organization. It is recommended that your organization maintain SOC2 compliance on an annual basis. Lightspin can help improve your ability to do so with out of the box SOC2 attestation for all the cloud security requirements you need.
For more information, contact us.