Security & Compliance Blog


Who Needs a SOC 2 Report? Q&A from NDNB

Question: Who Needs a SOC 2 Report?

Answer: There are tens of thousands of businesses – technically known as “Service Organizations” in the world of regulatory compliance – that have to perform an annual SOC 2 audit.

Service organizations are entities that provide essential services to another business, and because of that, these very service organizations are often asked to perform annual SOC 2 audits for purposes of examining and testing their internal controls.

What are internal controls? As defined in accounting and auditing, internal controls are a process for assuring an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

Simply stated, internal controls are the policies, procedures, and processes a service organization has in place for its daily operations. How do employees access information systems? What initiatives does management have in place for showcasing leadership and accountability? These are just a few of the countless internal controls that service organizations should have in place, and annual SOC 2 reporting examines – and tests – these controls.

Think about it, if you’re a business outsourcing to another business, don’t you want to know about that organization’s internal controls? Don’t you want to know how their daily operations are run, what policies, procedures, and processes are in place? Sure, you do, and it’s why SOC 2 reports are being required for thousands of businesses throughout North America, and the world.


Southern California SSAE 18 SOC 1 Type 1 & Type 2 Audits | Fixed Fees

Southern California SSAE 18 SOC 1 assessments and audit reports are available from the Golden State compliance experts at NDNB. From San Diego to Sacramento – and beyond – NDNB has been offering high-quality, competitively priced regulatory compliance audits for years, so contact us today for all your SSAE 18 SOC 1 – and SOC 2 – audit needs.

With compliance mandates growing larger each year, businesses are being forced to grapple with enormous costs and time commitments for SSAE 18 SOC 1 audits, and it’s why businesses often turn to the California regulatory compliance leader, NDNB, provider of fixed-fee audit services for a wide range of regulatory mandates, such as SOC 1, SOC 2, PCI DSS, GDPR, HIPAA, and more.

NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP.

What sets NDNB apart from the rest of the pack is our lock-step phased approach, one that delivers efficiency and scalability when it comes to audits for California businesses. It means that from beginning to end, we’re all about efficiency, flexibility, and competitive pricing, along with providing a superior assessment report for compliance and business development purposes. Nobody likes spending thousands of dollars and hundreds of hours on SSAE 18 SOC 1 assessments – we get it – and it’s why businesses turn to NDNB for today’s growing compliance mandates.

There’s quite the debate going on between SOC 1 vs. SOC 2 and which of the AICPA System and Organization Controls (SOC) options is more viable for a service organization. To help clarify, just remember that SSAE 18 SOC 1 assessments are conducted on entities that can impact their clients’ financials, while SOC 2 assessments are geared toward today’s technology-driven businesses. That’s not to say there aren’t exceptions, but these are the general rules that apply when choosing between SSAE 18 SOC 1 and SOC 2.


Colorado SOC 1 SSAE 18 Audits – Denver, Boulder, Fort Collins – Fixed Fees

NDNB provides industry-leading SOC 1 SSAE 18 and SOC 2 assessments for Colorado businesses located in Denver, Boulder, Fort Collins and other surrounding areas. With the incredible growth of regulatory compliance in today’s business world, companies are seeking highly competent, efficient, and trustworthy audit services, and it’s why businesses in Colorado turn to NDNB. From an initial SOC 1 SSAE 18 Readiness Assessment to remediation, along with performing an actual SOC 1 Type 1 and/or SOC 1 Type 2 assessment, NDNB has the expertise and knowledge to provide an efficient audit process from beginning to end.


SOC 2 for Cloud Computing Introduction and Overview - AWS and Azure

SOC 2 for cloud computing is one of the most talked-about topics in the world of regulatory compliance, for two obvious reasons: (1) there’s currently a massive migration underway by businesses moving toward cloud platforms (i.e., Amazon AWS, Microsoft Azure, and even Google GCP), and (2) many of these businesses – technically known as service organizations in the world of auditing – have to perform annual SSAE 18 SOC 1 and/or SOC 2 audits.


SOC 2 Audits & Reports Dallas, TX | Fixed Fees | Type 1 & Type 2

SOC 2 audits & reports for Dallas, TX businesses are offered by NDNB, Texas’ leading provider of regulatory compliance assessments and consulting services, such as SOC 1 SSAE 18, SOC 2, PCI DSS, HIPAA assessments, and more. With today’s growing compliance mandates, it’s time to choose a proven provider of professional, fixed-fee services, a firm with a deep record of integrity and value in the Lone Star State, and that’s NDNB!

Dallas’ Leading Provider of SOC 2 Compliance Audits

Businesses in the Dallas Fort Worth (DFW) Metroplex have been turning to NDNB for years when it comes to proven services, fixed fees, high-quality audits, and a household name they can trust. What makes us different from “the other guys” is our ability to truly understand every conceivable industry that SOC 2 reporting affects. That’s right, from agriculture to information technology, there are dozens of industries being affected by SOC 2 compliance reporting requirements.


Southern California SOC 2 Audit Reports & Assessments | Fixed Fees

SOC 2 reports and assessments for Southern California businesses – including San Diego, Orange County, Los Angeles, and other select regions – are available from NDNB, one of California’s leading providers of regulatory compliance audits. NDNB offers competitively priced, fixed fee assessments for businesses needing to comply with today’s growing compliance mandates, such as SSAE 18 SOC 1, SOC 2, PCI DSS, HIPAA and many other federally and/or industry specific regulations.

With years of experience working with California businesses, NDNB has the manpower and knowledge to navigate the alphabet soup of regulations, so contact Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706.


6 Things to Know about SSAE 18 SOC 1 for California Businesses

If you’re a California business just entering the world of regulatory compliance, here’s what you need to know about SSAE 18 SOC 1 compliance, courtesy of NDNB, the Golden State’s leading provider of fixed-fee regulatory services and solutions:

1. Begin with an SSAE 18 SOC 1 Scoping & Readiness Assessment. Want to gain a true understanding and working knowledge of SSAE 18 audits? Then perform an upfront SOC 1 scoping & readiness assessment – a pre-audit exercise that identifies audit scope boundaries, areas of remediation, personnel needs, and other relevant factors. One of the biggest challenges California businesses face with regulatory compliance is “scope creep”: an audit that has simply grown too large, too complex, and too costly.


SOC 2 Compliance Audits Atlanta, GA – 9 Steps for Auditing Success

SOC 2 compliance audits for Atlanta, Georgia service organizations are often a necessity in today’s world of growing regulatory compliance, so turn to the auditing professionals at NDNB. We’ve issued hundreds of SOC 2 reports since the launch of the AICPA System and Organization Controls (SOC) framework in 2011, so call and speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more today.

We’re Georgia’s Compliance Leaders – Let’s Talk

It’s no secret that regulatory compliance is alive and well all throughout North America, and definitely in Atlanta, Georgia due to the tremendous growth of information technology in the Southeast. Georgia is without question one of the leading centers for commerce in the United States, and what’s not to love about our business climate – a diverse mixture of companies, great access to transportation and resources, and so much more.


SOC 2 Compliance Consultant – Getting you Ready for Audits

Looking for a SOC 2 consultant, somebody with expertise, knowledge, and years of audit experience in helping you plan and prepare for a successful audit? Then talk to the experts at NDNB, one of North America’s leading providers of SOC 2 audits. Not only do we offer SOC 2 assessments – both SOC 2 Type 1 and SOC 2 Type 2 assessments – for fixed fees, we also offer SOC 2 scoping & readiness assessments for service organizations all throughout North America. In simpler terms, we become your much-needed SOC 2 consultant for helping with all aspects of annual SOC 2 compliance.


How to Become SOC 2 Compliant?

Businesses all throughout North America are being hit hard with SOC compliance reporting, so if you’re asking yourself how to become SOC 2 compliant, NDNB – a leading provider of SOC 2 audit services – offers the following SOC 2 roadmap to compliance to help ensure an efficient, thorough, and cost-effective process is put in place.

Here’s what you need to know regarding how to become SOC 2 compliant, courtesy of NDNB, North America’s leading provider of SOC 2 audits & assessments.


SSAE 18 SOC 1 Compliance Auditors - Orange County, CA - Fixed Fees

NDNB is Orange County’s leading provider of SSAE 18 SOC 1 compliance audits, offering high-quality, competitively priced fixed fees. With an ever-increasing list of regulatory compliance mandates being imposed on today’s businesses, Orange County service organizations need a proven and trusted firm for providing guidance and clarity with SOC 1 compliance, and that’s NDNB.

We’ve been involved with regulatory compliance for years, starting with the historical SAS 70 auditing standard in 1992, and continuing on with the new AICPA Service Organization Control (SOC) reporting framework, which consists of SSAE 16 (now SSAE 18) SOC 1, SOC 2, and SOC 3 reporting.

One of the biggest questions Orange County service organizations have is, “Which audit should I do, an SSAE 18 SOC 1 or a SOC 2 audit?” – and it’s a good question indeed. While the SSAE 18 standard, which is the professional standard used for issuing SOC 1 reports, officially replaced the one-size-fits-all SAS 70 and SSAE 16 standards, the SOC 2 standard was completely new.

It’s also important to note that SOC 1 audits are for service organizations that typically display a credible relationship to impacting their clients’ financial reporting, more commonly known as Internal Controls over Financial Reporting (ICFR). Specifically, if you’re performing functions for your clients – and such functions can impact their financial reporting – then SSAE 18 SOC 1 is the preferred choice for assessing internal controls.


SOC 1 SSAE 18 Remediation & Audits for Atlanta, GA Businesses – Fixed Fees

NDNB provides SSAE 18 SOC 1 remediation services – along with SOC 1, SOC 2, and SOC 3 audits – to businesses all throughout the Atlanta, Georgia metropolitan area. With the continued growth of regulatory compliance, companies all throughout the Atlanta area are being required to undertake annual SSAE 18 SOC 1 audits; however, getting prepared for such an assessment is often the most difficult, challenging, and time-consuming aspect of the entire audit.

Providers of Comprehensive SSAE 18 SOC 1 Solutions at Fixed Fees

But before any service organization can undertake remediation activities, it needs to identify what exactly requires remediation, such as policies and procedures, system configuration changes, and other notable mandates. It’s why performing an SSAE 18 SOC 1 readiness assessment is vital for identifying gaps, weaknesses, and other internal control failures. NDNB provides comprehensive SSAE 18 SOC 1 readiness assessments, along with the following remediation services for SOC audits:

Policy and Procedure Writing: A big – and growing – part of regulatory compliance is documentation, and it’s why NDNB offers comprehensive policy writing services for our clients. Developing high-quality, comprehensive policies and procedures that meet the SSAE 18 SOC 1 minimum requirements can be incredibly time-consuming and operationally challenging. The best advice we can give our clients – if you don’t have documentation in place – is to let NDNB provide you with our in-depth and easy-to-use information security policy and procedure writing services.


SOC 2 Risk Assessments | Introduction and Overview Service Organizations

Per the AICPA Publication, Trust Services Principles and Criteria, “A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.” So, does it mean that service organizations undertaking annual SOC 2 compliance assessments need to perform an annual risk assessment? Absolutely. In fact, a number of the “Common Criteria” listed within the overall Trust Services Principles and Criteria require that a documented, formalized risk assessment process be in place.

What’s the Scope for a SOC 2 Risk Assessment?

The challenge for service organizations, however, is determining what the scope of a risk assessment should be, what documentation should be used for such an exercise, and whether there are standards and guidelines to follow. Let’s take a look at all of these issues and clarify the risk assessment process once and for all for SOC 2 reporting. NDNB provides a complimentary risk assessment program to all of our valued SOC 2 audit clients.

There are many different categories of risk that you can choose to assess, such as market risk, credit risk, security risk, country risk, etc.

The key to determining which of these risks you should assess during a SOC 2 engagement depends primarily on your business process and other essential scoping parameters. Yet even with that said, most – if not all – service organizations will assess information security risks, and other applicable operational risks, two key areas relevant to the SOC 2 auditing process.


Atlanta, Georgia PCI-QSA Services, Consulting, Certification, PCI-DSS Experts | Fixed Fees

NDNB provides industry-leading, fixed-fee PCI DSS consulting and assessment services for Atlanta, Georgia businesses seeking to comply with the Payment Card Industry Data Security Standard (PCI DSS) mandates. With proven cybersecurity auditors who have years of real-world experience, NDNB is Georgia’s preferred choice for PCI DSS compliance.

Atlanta is one of the largest centers of commerce in North America, with companies moving to the metro area almost daily, creating immense opportunities for job seekers and for companies looking to call the Peach State home. What also comes along with huge growth are massive regulatory compliance requirements – specifically, the PCI DSS standards – so turn to the experts today at NDNB for proven services and fixed-fee pricing.

NDNB is Atlanta’s premier compliance firm when it comes to the almost endless list of regulations and industry mandates businesses have to comply with. Call and speak directly with a PCI-QSA today at 1-800-277-5415, ext. 705.

What We Offer Atlanta Businesses for PCI DSS Compliance

1. Scoping & Readiness Assessments: A PCI DSS scoping & readiness assessment is essential for Atlanta, Georgia businesses new to the PCI DSS compliance mandates, as critical initiatives – such as scoping, assessing internal controls, developing a roadmap & plan of action for remediation, and more – must be performed prior to any type of certification process even beginning.

The compliance mandates put forth by the Payment Card Industry Data Security Standard (PCI DSS) can be incredibly challenging, complex, and time-consuming, so it’s important to perform an upfront scoping & readiness assessment prior to your PCI certification efforts.

It doesn’t have to be done annually, but it’s highly recommended to perform this activity for any business new to the PCI DSS reporting mandates. Having a clear plan of action and knowing what the roadmap ahead is in terms of PCI DSS compliance are the true benefits of a scoping & readiness assessment, so call and speak directly with a PCI-QSA today at 1-800-277-5415, ext. 705.

2. Remediation Services: The vast majority of Atlanta merchants and service providers who are seeking to become compliant with the Payment Card Industry Data Security Standards (PCI DSS) will ultimately require some form of remediation. From missing policies and procedures to incorrectly configured system settings, remediation is an essential component of PCI compliance.

NDNB provides comprehensive remediation assistance, from providing policy templates to policy writing services, technical implementation solutions, and much more. There’s simply no reason to “go it alone” when it comes to correcting internal control deficiencies related to PCI compliance – talk to the experts at NDNB today.

3. Policies and Procedures Writing: High on the list of remediation items is often policies and procedures, which can become an incredibly time-consuming and arduous process, but thanks to our industry-leading security policy templates, we’ve got you covered with two great options. First, you can simply obtain our policy and procedure templates – which have been written by our very own PCI-QSA – and customize them yourself, ultimately saving thousands of dollars and hundreds of hours.

Second, you can hire NDNB to author the policies for you – a service we’ve been providing since 2009 to our clients all throughout North America – also a great option that saves a tremendous amount of time.

4. Technical Remediation: Remember that the Payment Card Industry Data Security Standard (PCI DSS) is a rather technical certification process, one that includes numerous I.T. mandates. Because of this, both merchants and service providers will often find themselves implementing a number of technical remediation activities, ranging from changing firewall configurations to implementing File Integrity Monitoring, and much more.


SSAE 18 SOC 1 Introduction and Overview for Washington DC Metro, Maryland, and Northern Virginia Businesses

NDNB is a leading provider of SSAE 18 SOC 1 assessments for Washington DC, Maryland, and Northern Virginia service organizations. With fixed-fee pricing and years of experience in regulatory compliance, we offer highly efficient audit services that save businesses both time and money. The DC metro area is arguably now the biggest I.T. region in North America – surpassing even coveted Silicon Valley in various metrics – which ultimately means big and looming regulatory compliance mandates are just around the corner for thousands of businesses.

From Northern Virginia to Annapolis, we’re a Household Name

Looking for a firm with true roots in the DC Metro region? Then look no further than the professionals at NDNB, as many of our founding partners not only call the area home, they have also spent decades raising their families and building their careers here. The Washington, D.C. metropolitan area is a fascinating, complex and lively region, offering incredible opportunities for all walks of life, and it’s one reason the region is still experiencing massive growth.

As such, NDNB has positioned itself as a hometown service provider of regulatory compliance services, offering fixed-fee assessments for many of today’s challenging and demanding rulings and regulations. Getting ready, prepared, and successfully executing on today’s complex and time-consuming compliance mandates requires expert knowledge and audit “know-how” – traits that NDNB exhibits with each of our clients.

What DC Metro Businesses Need to Know for SSAE 18 SOC 1

We’ve put together the following detailed and comprehensive SSAE 18 SOC 1 introduction and overview for Washington DC, Maryland, and Northern Virginia businesses to help them gain a greater understanding of one of today’s most demanding compliance mandates. SOC 1 compliance is here to stay, so it’s important to gain a strong technical understanding of all the relevant aspects of the AICPA Service Organization Control (SOC) framework.


SOC 2 Remediation Services for California Businesses

NDNB offers a wide variety of SOC 2 compliance services for California businesses, including notable SOC 2 remediation services ranging from policy and procedure writing to technical implementation and correction of internal controls. NDNB has been California’s leading compliance provider for years, so turn to the experts who offer the following SOC 2 remediation services.

1. InfoSec Policy Documentation: Information security policies and procedures form a large element of SOC 2 compliance, as each of the respective “Common Criteria” provisions within the Trust Services Criteria (TSC) essentially advocates documentation. Developing all necessary policies and procedures can be an incredibly time-consuming and challenging endeavor, and it’s why NDNB offers such services. We also provide all of our California clients with complimentary documentation if they would like to develop the policies themselves. It’s just another example of what separates NDNB from the “other guys”.


AICPA Trust Services Principle and Criteria (TSP) – Introduction for SOC 2 Audits

The AICPA Trust Services Principles and Criteria (TSP) are essentially control criteria established by the Assurance Services Executive Committee (ASEC), and consist of Security, Availability, Processing Integrity, Confidentiality, and Privacy. Furthermore, such control criteria are used for attestation or consulting engagements for evaluating and reporting on controls over the security, availability, processing integrity, confidentiality, or privacy over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.

There are Five Trust Services Criteria (TSP)

As to the actual Trust Services Principles and Criteria (TSP), they comprise the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

SOC 2 Audits & HITRUST CSF Assessments – Introduction and Overview

As a healthcare organization – or provider of services to the broader healthcare arena – you’ve probably come across the SOC 2 HITRUST topic. After all, in today’s world of ever-growing regulatory compliance mandates, SOC 2 HITRUST is now front and center for thousands of businesses throughout North America. NDNB, one of the country’s leading providers of security and compliance audits, offers a comprehensive introduction and overview of the SOC 2 HITRUST topic.

And with HITRUST certification comes along one of the biggest questions that healthcare organizations are asking themselves: “Should we become HITRUST CSF compliant, or should I have a CPA firm perform a SOC 2 HITRUST assessment on my organization, and what’s the difference?”

Let’s examine this question – and others – in more detail.

What is HITRUST?

According to https://hitrustalliance.net/, HITRUST, in conjunction with private sector, government, technology and information privacy and security leaders, has developed the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges sensitive information.

Furthermore, the HITRUST CSF harmonizes multiple frameworks, standards, state, federal and International regulations and leading practices into a single framework. The HITRUST CSF addresses industry-specific challenges by leveraging and enhancing existing frameworks, standards and regulations to provide organizations of varying sizes, geographic operation and risk profiles with prescriptive implementation requirements and guidelines.

Lastly, the HITRUST CSF is a scalable, prescriptive and certifiable framework that harmonizes numerous standards, regulations, control frameworks and leading practices.

A large number of healthcare organizations undertake annual HITRUST compliance by having an independent, third-party auditor assess them against the prescriptive HITRUST CSF framework. Specifically, HITRUST CSF Certification requires the services of a HITRUST approved CSF Assessor organization. The result is a report with findings that can be given to customers, prospects, local/state/federal agencies, and other applicable entities.

Let’s not forget the much-talked-about press release in 2015 (http://bit.ly/2w6sS0p) through which HITRUST gained the attention of the broader healthcare industry, as the HITRUST CSF framework was anticipating heavy adoption and implementation – and that adoption has since happened. Bottom line, HITRUST CSF is the unrivaled industry leader in terms of healthcare compliance frameworks, and it’s here to stay.


SSAE 18 SOC 1 Introduction and Overview for California Service Organizations

Many businesses in California – and around the nation – are being required to undertake annual SSAE 18 SOC 1 assessments & audits, but are unfortunately not clear on many of the facets regarding Statement on Standards for Attestation Engagements (SSAE) No. 18. As such, NDNB, California’s leading provider of high-quality, fixed fee audits, has provided the following introduction and overview regarding SSAE 18 SOC 1 reports.

California’s Leading Provider of SSAE 18 SOC 1 Compliance

NDNB has been performing a wide variety of regulatory compliance audits and assessments all throughout California, and along the way we’re often asked what the important points are that a business really needs to know to ensure an efficient audit process from day one. We understand compliance can be complex, costly, and incredibly time-consuming, so we’ve assembled our team of auditing experts and put together the following list for California businesses.

What California Businesses Need to Know About SSAE 18 SOC 1 Reporting

Learn About the SOC Framework: SOC stands for System and Organization Controls (SOC) reports, a comprehensive reporting platform put forth by the American Institute of Certified Public Accountants (AICPA) which offers the following three reporting options: SOC 1, SOC 2, and SOC 3. Additionally, SSAE 18 is the professional standard for issuing SOC 1 assessments, while SOC 2 and SOC 3 – which are geared towards technology companies – utilize the AT 101 standard. This represents a radical – and much-needed – departure from the aging and antiquated SAS 70 auditing standard that was released in April 1992.

Understand the ICFR Concept: There’s a concept in the world of auditing known as “Internal Controls over Financial Reporting”, which essentially states that any service organization undertaking financial related activities for their customers – for which such activities can impact financial reporting for customers – should be assessing against the SOC 1 reporting option, which uses the SSAE 18 standard. Thus, for example, if you’re an actuarial entity, and the reporting provided to clients impacts their financial reporting, SOC 1 reporting is to be utilized. SOC 2 audits have no ICFR concept, and are thus geared towards technology driven service organizations.

Be Aware of Critical Scope Considerations and Control Objectives: Want to have a successful, efficient, and cost-effective audit – not a costly, nightmarish scenario with the dreaded “scope creep”? Then undertake an NDNB SSAE 18 SOC 1 readiness assessment. When performed correctly for California and Orange County service organizations, an SSAE 18 SOC 1 readiness assessment helps assess scope and determine gaps and deficiencies within one’s internal control environment, thereby preparing an organization for long-term audit success.

Additionally, NDNB provides complimentary information security policies and procedures to all of our clients to help bridge the gap with critical audit documents needed for compliance. It’s just one of many reasons why Southern California businesses choose NDNB. Call and speak with Christopher Nickell today at 1-800-277-5415, ext. 705.


Overview of AWS Shared Responsibility for SOC 2 Reporting for Users of AWS’ Cloud Services

Businesses operating in the Amazon AWS cloud infrastructure often have to undergo their own annual SOC 2 Type 2 audit. Fortunately, Amazon undergoes an annual SOC 2 audit for its “Amazon Web Services System”, which, from a scope perspective, includes almost every imaginable cloud service offering. This ultimately brings us to the much-talked-about topic of Amazon AWS’ “Shared Responsibility Model”, which is the following, per AWS:

Moving IT infrastructure to AWS builds a shared responsibility model between customers and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.

AWS Shared Responsibility Matrix – Who is Responsible for What and Why

In the simplest terms, you, as a customer using AWS’ services, have certain responsibilities for ensuring the security of your environment in the cloud. Yet AWS also has certain responsibilities for ensuring security measures are in place. Therefore, the phrases you’ll often hear for AWS compliance are the following:

AWS responsibility for “Security of the Cloud”: AWS is essentially responsible for protecting the infrastructure that runs all of the services offered within the actual AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility “Security in the Cloud”: The customer responsibility will ultimately be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. As such, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS), ultimately requiring that the customer perform all of the necessary security configuration and management tasks.

Here's an Example of a Typical Customer Deployment: More specifically, if a customer deploys an Amazon EC2 instance, they are then responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.
