Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: @CloudExpo, Microservices Expo, Cloud Security

@CloudExpo: Article

SOC 2 for Cloud Computing

An introduction to the newest flavor of controls reporting

In mid-2011, the American Institute of Certified Public Accountants (AICPA) established a Service Organization Controls (SOC) reporting framework in hopes of providing the public and CPAs with a clearer understanding of the reporting options for service organizations. Additionally, the AICPA sought to reduce the risk of misuse of SSAE 16, which recently superseded SAS 70, as a mechanism for reporting on security, compliance, and operational controls.

SOC 2To achieve these goals, the AICPA released the following reporting framework:

  • SOC 1: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (also known as SSAE 16)
  • SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
  • SOC 3: SysTrust for Service Organizations

Of the three, SOC 2 is the only new type of examination. Despite being new, customers are already expecting, if not requiring, providers to undergo SOC 2 examinations. In many cases, these expectations are on top of existing SOC 1 (SSAE 16) obligations.

To fully appreciate SOC 2, one would need to read the 150-paged professional guide on the topic. Realizing that is not feasible for most cloud providers, I have prepared the following ten points to give cloud computing providers and their customers a conversational understanding of SOC 2:

1. SOC 2 examinations are designed to provide organizations that outsource the operation, collection, processing, transmission, storage, organization, maintenance and/or disposal of their information to third parties a mechanism for assessing governance and oversight at those service providers. Unlike SOC 1 (SSAE 16), the focus is on controls related to security, compliance, and operations, rather than controls relevant to financial reporting.

2. SOC 2 reports allow cloud providers to communicate information about their services and the suitability of the design and operating effectiveness of their controls to prospective and existing customers in a well-known format that is nearly identical to an SSAE 16 report.

3. SOC 2 examinations report on controls that mitigate the risks of achieving the following "Trust Services" principles:

  • Security - The system is protected against unauthorized physical and logical access.
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing Integrity - System processing is complete, accurate, timely, and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

4. All five Trust Services principles are not required to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives. This decision is based on the relevance of each principle to their services, as well as the interests of their customers.

5. When selecting a Trust Services principle, the cloud provider essentially asserts compliance with the principle and its underlying "criteria". Before selecting a principle, it is absolutely critical that cloud providers review the principles and underlying criteria to confirm an ability to meet the criteria. It is worth noting that, of the five Trust Services principles, the Privacy principle is particularly involved and should be selected with due care.

6. There are two types of SOC 2 examinations known as "type 1" and "type 2". Both types of reports contain an auditor's opinion letter, management's assertion, as well as a system description prepared by management that describes the controls implemented to meet the criteria, among other topics. For a type 1 examination, the auditor opines on whether management has fairly described its system and whether its controls are suitability designed to meet the applicable Trust Services criteria as of a point in time. Type 2 examinations report on those same topics, but the auditor also tests the controls and opines on the operating effectiveness of those controls during a specified review period (normally 6 - 12 months in duration). Type 2 reports are the most prevalent of the two report types.

7. There are no bright line rules defining the specific controls that must be implemented in order to meet the criteria of selected principles. For example, criterion 3.4 of the security principle states: "Procedures exist to protect against unauthorized access to system resources." The criteria provide several illustrative controls that could be used to meet the criterion, including the use of VPNs, firewalls and intrusion detection systems. However, none of the illustrative controls are required. Cloud providers have full discretion to present their own internal controls without issue so long as those controls meet the criteria for the selected Trust Services principles.

8. The scope of a SOC 2 examination can be modified based on the services provided. For example, otherwise applicable Trust Services criterion may be omitted if they are not applicable to the service that is the subject of the engagement. Similarly, the scope of a SOC 2 examination can be expanded to report on topics not specifically covered by the SOC 2 guidance. This gives cloud providers the ability to request that the auditor also report on compliance with other frameworks, such as the security requirements of HIPAA or the Cloud Security Alliance (CSA) Cloud Controls Matrix within a single SOC 2 report.

9. SOC 2 is not a certification; however, service organizations that complete a SOC 2 examination are entitled to display the AICPA's service organization logo on their promotional material and website for 12 months following the date of the report. Unlike SOC 3 (SysTrust), there is no licensing fee to use the logo, but its use is contingent on compliance with the terms, conditions and guidelines set forth by the AICPA.

10. Although SOC 2 is very similar in form to SOC 1 (SSAE 16), the two have distinctly different purposes and one cannot be used as substitutes for the other. Furthermore, it is entirely possible that a cloud provider would have a valid need for a SOC 1 and a SOC 2 examination depending on the nature of its services.

For those seeking additional information on this topic, the AICPA has created a dedicated site for SOC reporting topics, found here. The detailed list of criteria for the security, availability, processing integrity and confidentiality principles are found here. The detailed criteria for the privacy principle are found here. The official AICPA SOC 2 guide is available for purchase here.

More Stories By Chris Schellman

Chris Schellman is the President of BrightLine, the world's only CPA firm that is accredited as a PCI QSA Company and ISO 27001 Registrar. Chris is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.

For more information on SOC 1 / SSAE 16 topics, visit BrightLine.com/SOC1

For more information on SOC 2 topics, visit BrightLine.com/SOC2

@ThingsExpo Stories
As hybrid cloud becomes the de-facto standard mode of operation for most enterprises, new challenges arise on how to efficiently and economically share data across environments. In his session at 21st Cloud Expo, Dr. Allon Cohen, VP of Product at Elastifile, will explore new techniques and best practices that help enterprise IT benefit from the advantages of hybrid cloud environments by enabling data availability for both legacy enterprise and cloud-native mission critical applications. By rev...
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, will discuss how from store operations...
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, will discuss how they bu...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, will discuss some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he’ll go over some of the best practices for structured team migrat...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
SYS-CON Events announced today that Datera will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera offers a radically new approach to data management, where innovative software makes data infrastructure invisible, elastic and able to perform at the highest level. It eliminates hardware lock-in and gives IT organizations the choice to source x86 server nodes, with business model option...
Infoblox delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. They are the industry leader in DNS, DHCP, and IP address management, the category known as DDI. We empower thousands of organizations to control and secure their networks from the core-enabling them to increase efficiency and visibility, improve customer service, and meet compliance requirements.
Digital transformation is changing the face of business. The IDC predicts that enterprises will commit to a massive new scale of digital transformation, to stake out leadership positions in the "digital transformation economy." Accordingly, attendees at the upcoming Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA, Oct 31-Nov 2, will find fresh new content in a new track called Enterprise Cloud & Digital Transformation.
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp emp...
SYS-CON Events announced today that N3N will exhibit at SYS-CON's @ThingsExpo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. N3N’s solutions increase the effectiveness of operations and control centers, increase the value of IoT investments, and facilitate real-time operational decision making. N3N enables operations teams with a four dimensional digital “big board” that consolidates real-time live video feeds alongside IoT sensor data a...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
SYS-CON Events announced today that Avere Systems, a leading provider of hybrid cloud enablement solutions, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere Systems was created by file systems experts determined to reinvent storage by changing the way enterprises thought about and bought storage resources. With decades of experience behind the company’s founders, Avere got its ...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere delivers a more modern architectural approach to storage that doesn't require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbui...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, will discuss how by using...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
SYS-CON Events announced today that CAST Software will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CAST was founded more than 25 years ago to make the invisible visible. Built around the idea that even the best analytics on the market still leave blind spots for technical teams looking to deliver better software and prevent outages, CAST provides the software intelligence that matter ...
SYS-CON Events announced today that Daiya Industry will exhibit at the Japanese Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ruby Development Inc. builds new services in short period of time and provides a continuous support of those services based on Ruby on Rails. For more information, please visit https://github.com/RubyDevInc.