Carefully secure your cloud environment – or risk ending up on prospective customers’ No Fly Lists!
The cloud has been a boon for businesses, giving many organizations access to convenient, scalable, and cost-effective computing power – without the hassle of building and maintaining an on-site data center!
The cloud has also been a boon for attackers, giving them many more high-value internet-facing targets to steal data from. A lot of those targets are poorly secured to boot.
Want proof? How about a state secret (the TSA No Fly List) being found
on an unsecured cloud server?
(Not to mention all the
Personally Identifiable Information [PII] for Continental Airlines flight crew.)
To overlook cloud security is to leave your own business vulnerable to such a fate.
What is Cloud Security?
Cloud security involves protecting sensitive data that is stored and processed on cloud-based infrastructure.
Good cloud security practices help to mitigate risks from attackers (from outside
or inside your organization) and ensure confidentiality, integrity, and availability of data and applications stored in the cloud.
Good cloud security measures can help your organization to:
Protect your intellectual property and sensitive data.
Prevent financial loss and reputational damage due to security breaches.
Enhance business continuity and disaster recovery capabilities.
Ensure compliance with industry regulations and standards.
Build trust with customers and stakeholders.
In practice, cloud security involves implementing a range of security measures: access controls, data encryption, network security, vulnerability management, and incident response.
SOC 2 Cloud Security Requirements
Although the SOC 2 criteria doesn’t specifically call out “the cloud,” cloud security is an important part of the standard.
Well, it cares about how you protect your data, no matter where you choose to store it. If you store any data or applications in the cloud, your SOC 2 auditor will be
very interested in your cloud security practices!
There are seven distinct criteria that apply to SOC 2 cloud security.
CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives. CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
In short, SOC 2 wants auditors to ensure that organizations are keeping its information safe. The auditors will check if the org is using software and systems that only allow authorized people to access it after appropriate approvals have been granted based on their jobs and responsibilities.
Organizations also need to make sure that access is removed when users are no longer allowed to use it.
Organizations should also use tools to detect and prevent unauthorized or malicious software from getting into its systems in order to achieve SOC 2 compliance. Organizations should check its systems for unusual activities and investigate them to make sure that they don’t represent a problem. If there is a security problem, the organization should take steps to fix it.
There are a few additional controls if you want to cover more trust criteria as well.
Requirements from the SOC 2 Availability Trust Services Criteria
A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. A1.3 Backup restoration testing is performed at least annually to help ensure the recoverability of application data.
In this criteria, the organization’s ability to ensure that its systems and services are available for use as agreed upon with customers. To do this they need to prove that they are maintaining, monitoring, and evaluating their processing capacity to manage demand and allow for additional capacity to be added if and as needed. They should also test their backup restoration processes to ensure that data can be recovered if needed.
For this criteria, organizations need to implement appropriate measures in their cloud environment to protect confidential information from unauthorized disclosure. The organization needs to have a clear understanding of the types of information they are handling and how it should be protected. To meet this, the organization should have a data retention procedure that conforms to their commitments. They should also protect data from deletion or destruction during the retention period.
C1.1 Data retention procedures are in place to conform to confidentiality commitments and requirements. C1.1 (cont.) Data is protected from deletion/destruction during the defined retention periods.
How to meet SOC 2 Cloud Security Requirements?
Cloud security requirements vary depending on the type of business, the industry, data being stored, regulatory compliance standards that the organizations must meet. There is no ‘one-size-fits-all’ solution and companies must consider their unique needs and risks when it comes to implementing cloud security measures. Following are some examples for guidance.
Sydney’s SaaS Startup
Sydney runs a SaaS startup that employs 45 people. They use a lot of cloud services, but don’t host any of their servers. They have a physical office space, but all employees use laptops.
Sydney’s SaaS Startup should build a holistic cloud security program. This includes establishing policy and procedures to outline security requirements for using cloud services. They should manage access to their cloud services by implementing
role-based access controls, Identity and Access Management (IAM) tools and MFA for their cloud services. Their network and cloud environment should be segmented and monitored for usage and for vulnerabilities.
secure coding practices and conducting regular security testing they can ensure that security is built into their product and infrastructure from the beginning. They should also regularly patch their systems.
Since they heavily rely on cloud services, they need
robust vendor management. They should also create an incident response and business continuity plan to ensure preparedness for any disruptions to their services.
Carl’s Consulting Company
Employs 15 people and is an entirely remote business. It is a Bring Your Own Device (BYOD) company, so all employees use their own computers to work. They use AWS and Google Workspace.
Carl’s consulting company would have a more comprehensive set of documentation, including a
BYOD policy and a remote work policy. They should also manage access to their resources like Sydney’s startup does but additionally, they should require MFA for all AWS and Google Workspace accounts.
By using a
Virtual Private Network (VPN) they create secure communication between remote employees and company resources. The company’s network and resources should be monitored for unusual login activity, data access, and network traffic. Carl’s should patch their systems and infrastructure regularly.
They should also have an
incident response and contingency plan for security events or natural disasters.
Employs approximately 750 employees who use company-issued desktops and laptops. They work in three office spaces in three cities: Boston, Austin, and San Francisco. Ernie’s Enterprise also has its own physical data center in Austin.
Ernie’s data center is effectively the gateway to their data in the cloud, so the
physical security of the data center is of utmost importance. Only people who need access to the data center and/or all other systems should be granted it. Additionally, employees should be onboarded and offboarded in a consistent manner and regular audits should be done on employee access and privileges. Access to the data center and all other systems should be carefully managed and security logs should be monitored to identify suspicious activities and respond promptly to incidents using intrusion detection systems.
networks should be segmented to isolate different offices, departments and services. To ensure data confidentiality and integrity, all their communications should be encrypted. Additionally, they should manage their endpoints by using anti-virus and disk encryption at the minimum. An MDM (Mobile Device Management) software or MDR (Managed Detection and Response) can take it one step further by elevating security and ensuring consistency.
And lastly, all these companies should:
Train their employees on the company’s policies and best practices for secure cloud usage.
Enforce use of strong, complex passwords. Better yet, use a password manager.
Conduct regular security assessments and audits to identify potential weaknesses and vulnerabilities in the infrastructure.
Manage their endpoints by using anti-virus and disk encryption at the minimum. An MDM (Mobile Device Management) software or MDR (Managed Detection and Response) can take it one step further by elevating security and ensuring consistency.
SOC 2 Cloud Security Best Practices
As you can see, all of them need to do a similar thing, styles may be different. Luckily cloud providers make it fairly easy to implement basic security measures.
Manage access to your cloud resources.
To effectively manage their access to cloud resources, they should consider the level of access granted to employees for their cloud infrastructure. Regular reviews of cloud services can help to ensure that access controls remain up-to-date and effective. Strong onboarding and offboarding processes should also be implemented to reduce the risk of unauthorized access. Regular monitoring and auditing of access controls is essential to detect and prevent any unauthorized access attempts, while maintaining a comprehensive record of users and their permissions. Additionally, good password practices and MFA can help prevent unauthorized access to cloud resources by adding an extra layer of security to the authentication process, which can significantly reduce the risk of a data breach or security incident.
Maintain solid Secure-SDLC and change management practices.
Strong and secure software development lifecycle and change management practices are crucial in order to maintain a secure and reliable cloud and IT environment. As part of this process, a vulnerability management program should be put in place to identify and address any potential security weaknesses. Applying patches and updates is also critical to address any known vulnerabilities. Conduct annual pen-tests.
Monitor cloud services.
By continuously monitoring the availability and potential outages of their cloud systems and services, these companies can maintain optimal performance and operational health. Alerting is another critical aspect of cloud service monitoring, as it will enable them to quickly notify relevant individuals about any issue or incident so they can promptly take appropriate actions to resolve it.
Manage incidents and recovery.
A comprehensive incident response plan must be in place to minimize the impact of security incidents. Business continuity practices that will ensure that critical operations continue during disruptions, and a disaster recovery process will ensure that systems can be restored in case of a catastrophic event.
All these companies also rely heavily on their cloud vendors to provide critical services and support to their customers.
Additionally, all these companies should train their employees ensuring they understand the risks best practices for secure cloud usage.
Conclusion on SOC 2 Cloud Security Requirements
If your business operates in the cloud, then a secure cloud environment is required for your security and compliance programs to take off.
An unsecure cloud environment will not fly with security-conscious customers, or your SOC 2 auditor!
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.