SOC 2 for cloud computing is one of the most talked-about topics in regulatory compliance, and for two obvious reasons. First, businesses are migrating to cloud platforms (Amazon AWS, Microsoft Azure, and increasingly Google GCP) in large numbers. Second, many of these businesses, known as service organizations in auditing terms, must undergo annual SSAE 18 SOC 1 and/or SOC 2 audits.
SOC 2 Reporting for Amazon AWS & Microsoft Azure
The challenge with SOC 2 for cloud computing, for thousands of service organizations, is getting the organization ready for the actual audit: understanding scope in terms of the systems and services assessed, remediating gaps and deficiencies, and much more. You need a playbook for SOC 2 in the cloud, a proven process for understanding the SOC framework and how it maps onto a cloud environment, so here is what you need to know:
Amazon AWS SOC 2 Reporting Essentials You Need to Know
Understand the Shared Responsibility Model
It’s important to gain a strong understanding of what Amazon calls the “Shared Responsibility Model”, because it determines which controls your SOC 2 auditor will test at your organization and which are attributed to AWS. Simply stated, YOU, the customer using AWS services, are responsible for “Security in the Cloud”, and Amazon is responsible for “Security of the Cloud”. Let’s take a deeper dive into each of these areas.
First, “Security in the Cloud” means that customers are responsible for managing the guest operating systems (including updates and security patches), the application software they deploy, firewall and network configuration (security groups, network ACLs and any virtual appliances), identity and access management, and the encryption of their own data. Exactly how much of this falls to the customer depends on which AWS service is used: with EC2 the customer owns the entire guest OS, while with a managed service such as a database or serverless offering AWS takes over more of the stack.
Regarding “Security of the Cloud”, Amazon is essentially responsible for protecting the infrastructure that runs all of the services offered by the cloud computing giant. This “infrastructure” consists of hardware, software, networking systems, data centers/facilities that run the entire AWS cloud services for customers, and more.
With “Security in the Cloud” and “Security of the Cloud” now more clearly understood, keep in mind that AWS also distinguishes three control types: “Inherited Controls”, which a customer fully inherits from AWS; “Shared Controls”, which apply to both parties; and “Customer Specific Controls”, which are solely the customer’s. Let’s take a look at each.
As for “Inherited Controls”, these will be physical security and environmental security controls inherited from AWS. That’s a good thing, as these are controls that AWS is responsible for, thus a customer naturally “inherits” them.
As for “Shared Controls”, these are controls that apply to both AWS and the customer, and the exact split varies depending on the AWS service a customer is using. Nonetheless, some examples of “Shared Controls” would include the following:
- Patch Management: AWS is responsible for security updates and patching within the actual AWS infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management: AWS maintains the configuration of its infrastructure devices, but customers are ultimately responsible for configuring their own guest operating systems, databases, applications and any other systems.
- Security Awareness & Training: While AWS is responsible for security awareness & training for their employees, customers must still put in place such training for their own employees.
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Choosing the Right Tools and Solutions
Amazon AWS has a laundry list of tools and solutions for helping manage and secure your environment, with many of these products highly beneficial when it comes to SOC 2 audits. Here’s just a small sample of the tools and solutions available from AWS:
- AWS Identity and Access Management (IAM)
- Amazon GuardDuty
- AWS Shield
- AWS WAF
- AWS CloudTrail & AWS CloudWatch
These tools are incredibly helpful when it comes to SOC 2 compliance, so get to know them. NDNB offers technical implementation services for many of these tools, so contact us today if you need assistance.
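Getting to know the tools also means being able to show an auditor that your side of the shared responsibility model is actually configured. As an added example, not from the article and not AWS’s own code, the following script evaluates CloudTrail and CloudWatch Logs settings against a small SOC 2 style checklist (trail logging, multi-region coverage, log file integrity validation, KMS encryption, delivery to CloudWatch Logs for alerting). The trail records are constructed to mirror the field names returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`; no AWS calls are made, and the account ID, bucket and key names are placeholders.

```python
"""Evaluate CloudTrail / CloudWatch Logs configuration against a SOC 2 style checklist.

Added example (not from the original article). The trail records below are
CONSTRUCTED to mirror the shape of `aws cloudtrail describe-trails` output,
with the `IsLogging` flag from `aws cloudtrail get-trail-status` merged in.
No AWS API calls are made, so this runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (hypothetical account 111122223333).
SAMPLE_TRAILS: List[Dict] = [
    {
        "Name": "org-audit-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "S3BucketName": "example-audit-logs",
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
        "IsLogging": True,
    },
    {
        "Name": "dev-trail",
        "HomeRegion": "us-west-2",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "S3BucketName": "dev-logs",
        "IsLogging": False,
    },
]


@dataclass(frozen=True)
class Finding:
    trail: str      # trail name, or "<account>" for account-wide findings
    severity: str   # "high" or "medium"
    message: str


def check_trail(trail: Dict) -> List[Finding]:
    """Checks that are the customer's responsibility for a single trail."""
    name = trail.get("Name", "<unnamed>")
    findings: List[Finding] = []

    if not trail.get("IsLogging"):
        findings.append(Finding(name, "high", "trail exists but is not logging (IsLogging=false)"))
    if not trail.get("S3BucketName"):
        findings.append(Finding(name, "high", "no S3 bucket configured; log files have nowhere to go"))
    if not trail.get("LogFileValidationEnabled"):
        findings.append(Finding(name, "high",
                                "log file integrity validation disabled; tampering with delivered logs would not be detectable"))
    if not trail.get("IsMultiRegionTrail"):
        findings.append(Finding(name, "medium", "single-region trail; activity in other regions is not captured by this trail"))
    if not trail.get("KmsKeyId"):
        findings.append(Finding(name, "medium", "log files are not encrypted with a customer-managed KMS key (SSE-KMS)"))
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(Finding(name, "medium", "not delivered to CloudWatch Logs; no near-real-time metric filters or alarms possible"))
    return findings


def check_account(trails: List[Dict]) -> List[Finding]:
    """Per-trail checks plus the one account-wide check that matters most:
    at least one trail must be multi-region AND actively logging."""
    findings: List[Finding] = []
    for trail in trails:
        findings.extend(check_trail(trail))
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append(Finding("<account>", "high",
                                "no active multi-region trail; API activity in some regions is not recorded at all"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts by severity, handy for the evidence summary handed to the auditor."""
    summary = {"high": 0, "medium": 0}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


if __name__ == "__main__":
    results = check_account(SAMPLE_TRAILS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.trail}: {f.message}")
    print("summary:", summarize(results))
```

In practice you would feed `check_account` the merged output of `describe-trails` and `get-trail-status` for every account in the organization; the per-trail and account-level split matters because a fully compliant organization trail makes a weak development trail a medium issue rather than a gap in coverage.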
The Importance of AWS Security Policies and Documentation
If you’re a service organization utilizing AWS’ cloud services, having your own set of information security policies and procedures is still a necessity. Sure, you can rely on various aspects of the AWS infrastructure, but as discussed earlier, a number of core domains are your responsibility, meaning auditors will want to see your policies and procedures.
Developing documentation can be an incredibly taxing and time-consuming proposition, no question about it, and it’s why NDNB offers complimentary InfoSec policies and procedures to all of our valued clients. You need information security policies and procedures for SOC 2 compliance, so talk to the SOC 2 experts at NDNB about how we can assist with this important requirement.
Here's just a small sample of InfoSec “domains” that you’ll be required to provide security policies and procedures on:
- Access Control
- Change Management
- Data Backup/Storage Management
- Incident Response
- Security & Patch Management
Additionally, you’ll want to ensure that the following three core operational measures are in place for SOC 2 compliance:
- Perform an Annual Risk Assessment: SOC 2 requires a documented risk assessment process for your in-scope environment, and auditors expect it to be performed at least annually. What strengths, weaknesses and other concerns do you have? Have you documented your findings in a way that lets senior management make informed decisions on remediating issues? These concerns, and more, are the prime reasons for performing a risk assessment. NDNB offers a complimentary risk assessment program that’s easy to use and implement, so contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 to learn more.
- Undertake Annual Security Awareness Training: Want to do all you can to keep your systems and assets safe from growing cybersecurity threats, while also satisfying SOC 2 compliance testing? Then annual security awareness training for your in-scope employees is essential. Threats are on the rise, and employees need to be educated and ready to respond when necessary. NDNB offers a complimentary security awareness training program that’s easy to use and implement.
- Have a Documented Disaster Recovery/Contingency Plan in Place: You may well be using a long-term storage solution such as Amazon Glacier (https://aws.amazon.com/glacier/), but a backup is not a recovery plan. You still need to document how your organization responds to major operational disruptions that could impact your business, including who does what and in what order. NDNB offers a comprehensive Amazon AWS BCDRP/CP plan as part of our SOC 2 policy templates.
Learn about the SOC Inclusive vs. Carve-Out Method
Auditors conducting a SOC 2 report for your organization have two options when reporting on controls at subservice organizations. What’s a subservice organization? It’s an organization used by the service organization to perform some element of the services provided to user entities, where that element is relevant to the service organization’s service commitments and system requirements (in a SOC 1, relevant to user entities’ internal control over financial reporting). Well, that’s the “technical definition”, so let’s simplify it with a basic example.
If you provide a Software as a Service (SaaS) platform that offers quotes for automobile insurance and you use a Managed Security Services (MSS) provider to patch your in-scope servers, then the MSS is a subservice organization. You then have two options for reporting on the MSS’s controls: the inclusive method or the carve-out method. With the inclusive method, the control activities of the MSS are included in the scope of your report and tested. With the carve-out method, the control activities of the MSS are excluded from the scope of your report, although the report still identifies the subservice organization and the controls it is expected to have in place (the complementary subservice organization controls).
Obviously, the carve-out method is the easier process, as you don’t have to assess and test the MSS’s controls yourself. If the MSS has its own SOC audit report, you can review that report to determine which controls were assessed and whether they cover what you rely on, which is what ultimately determines if the carve-out method is acceptable.
Microsoft Azure SOC 2 Reporting Essentials You Need to Know
There are a number of critical issues that you’ll need to fully understand when it comes to your Azure environment and its effect on your annual SOC 2 audit. Much like Amazon AWS, Microsoft Azure follows a shared responsibility model between the cloud provider and the customer. Microsoft’s Shared Responsibilities for Cloud Computing defines roles in regard to the following areas:
- Compliance Obligation, Data Classification & Accountability
- Client & End-Point Protection
- Identity & Access Management
- Application Level Control
- Network Control
- Host Infrastructure
- Physical Security
As such, for purposes of SOC 2 auditing, please note the following for Microsoft Azure:
- Responsibilities are clearly delineated, but many areas are shared between Microsoft and the customer when it comes to security in the cloud.
- Auditors need to identify and confirm which controls fall to the customer, as this determines the tests of controls for SOC 2. NDNB has years of experience performing this very task for customers using the Azure cloud environment.
- The supporting physical infrastructure is the responsibility of Microsoft, yet in the IaaS model the host infrastructure (such as configuring and deploying virtual hosts) is the responsibility of the Azure customer.
- Different service models (IaaS, PaaS, SaaS) shift responsibilities between Microsoft and the customer, and experienced auditors such as NDNB can quickly identify and determine audit scope, saving you both time and money.
Choosing the Right Tools and Solutions
Microsoft Azure has a laundry list of tools and solutions, so please visit https://servicetrust.microsoft.com/ComplianceManager to learn more about their helpful tools.
The Importance of Microsoft Azure Security Policies and Documentation
If you’re a service organization utilizing Microsoft Azure’s cloud services, having your own set of InfoSec documents is absolutely critical for compliance. Even with Microsoft responsible for many aspects of cloud security, governance, and compliance, your organization still has specific responsibilities, which means security policies and procedures are required. For example, you’ll need comprehensive InfoSec policies and procedures covering the following core I.T. domains:
- Access Control
- Change Management
- Data Backup/Storage Management
- Incident Response
- Security & Patch Management
Developing information security policies and procedures can be exhausting in terms of time and money, and it’s why NDNB offers a complimentary set of InfoSec policy templates to all of our valued Microsoft Azure SOC 2 clients. Using our templates saves you dozens of hours and thousands of dollars on much-needed security documentation.
Remember that the following three operational initiatives must also be implemented for SOC 2 compliance:
- Performing an Annual Risk Assessment: SOC 2 requires service organizations to perform a risk assessment, expected at least annually, a process which is relatively easy and straightforward with NDNB’s complimentary risk assessment template for users of the Azure environment. And regardless of the risk reporting requirements for SOC 2 compliance, performing a risk assessment just makes sense from an organizational best practice perspective. After all, don’t you want to know about risks and threats that could impact your business? Speak with Christopher Nickell, CPA, today to learn more about NDNB’s tools and solutions for helping your business achieve SOC 2 compliance.
- Conducting Security Awareness Training: Are your employees up to speed on the most current and pressing information security issues, risks, threats, and best practices? If not, now’s the time to put comprehensive security awareness training measures in place, for two good reasons. First, most auditors, NDNB included, will include within the scope of a SOC 2 audit assessment measures for ensuring security awareness training is undertaken each year for existing employees and is also performed for new employees. Second, it’s a best practice that every business should follow, regardless of whatever regulatory compliance mandate is being pushed on to you.
- Establishing a Disaster Recovery/Contingency Plan: Do you have a documented disaster recovery/contingency plan in place for your Azure cloud environment? While Azure provides fail-over solutions, you’ll still need a plan covering the organizational and personnel needs that arise when a disaster happens. You need a documented disaster recovery/contingency plan. NDNB offers a comprehensive Microsoft Azure BCDRP/CP plan as part of our SOC 2 policy templates.
7 Reasons to Choose NDNB as Your SOC 2 Auditor for AWS and Azure
- Proprietary SOC 2 Auditing Program Developed Exclusively for Azure, AWS, and Google GCP cloud environments.
- Complimentary set of Information Security Policy Templates.
- Easy-to-Use Risk Assessment Template. (A SOC 2 Requirement)
- Industry Leading Security Awareness Training Manual. (A SOC 2 Requirement)
- Auditors that Hold Multiple Azure, AWS, and Google GCP Cloud Certifications.
- Easy-to-Use Online Audit Portal for Document Collaboration.
- Fixed-Fee SOC 2 Audits with Absolutely NO Hidden Charges.