By Charles on Wednesday, 12 December 2018
Category: SOC Reports

SOC 2 for Cloud Computing Introduction and Overview - AWS and Azure

SOC 2 for cloud computing is one of the most talked about topics in the world of regulatory compliance, and for two (2) obvious reasons. First, there is currently a massive migration underway by businesses moving toward cloud platforms (i.e., Amazon AWS and Microsoft Azure, and even Google GCP). Second, many of these businesses – technically known as service organizations in the world of auditing – are having to perform annual SSAE 18 SOC 1 and/or SOC 2 audits.

SOC 2 Reporting for Amazon AWS & Microsoft Azure

The challenge with SOC 2 for cloud computing for thousands of service organizations is getting their organization ready for the actual audit, understanding scope in terms of systems and services assessed, remediating gaps and deficiencies, and much more. You need a playbook for SOC 2 for cloud computing – a proven process for understanding the entire SOC framework and its relationship to cloud computing – so here’s what you need to know:

Amazon AWS SOC 2 Reporting Essentials You Need to Know

Understand the Shared Responsibility Model

It’s important to gain a strong understanding of what Amazon calls the “Shared Responsibility Model”, a key element when it comes to your SOC 2 audit. Simply stated, YOU – the customer using AWS’ services – have a customer responsibility for “Security in the Cloud”, and Amazon has a direct responsibility for “Security of the Cloud”. Let’s take a deeper dive into each of these areas.

First, “Security in the Cloud” means that customers are going to be responsible for the management of the guest operating systems (and this includes updates and security patches), other associated software, firewalls and other related network devices, and possibly more (depending on which AWS service a customer actually chooses to use).

Regarding “Security of the Cloud”, Amazon is essentially responsible for protecting the infrastructure that runs all of the services offered by the cloud computing giant. This “infrastructure” consists of hardware, software, networking systems, data centers/facilities that run the entire AWS cloud services for customers, and more.

With “Security in the Cloud” and “Security of the Cloud” now more clearly understood, keep in mind that there are also “Inherited Controls” – controls that a customer fully inherits from AWS – as well as “Shared Controls” and “Customer Specific Controls”. Let’s take a look at each of these three (3) control types.

As for “Inherited Controls”, these are the physical security and environmental security controls inherited from AWS. That’s a good thing: AWS is responsible for these controls, so a customer naturally “inherits” them.


As for “Shared Controls”, these are controls that apply to both AWS and the customer – and depending on the actual AWS service that a customer is using, this can vary. Nonetheless, some examples of “Shared Controls” would include the following:

Choosing the Right Tools and Solutions

Amazon AWS has a laundry list of tools and solutions for helping manage and secure your environment, with many of these products highly beneficial when it comes to SOC 2 audits. Here’s just a small sample of the tools and solutions available from AWS:

These tools are incredibly helpful when it comes to SOC 2 compliance, so get to know them. NDNB offers technical implementation services for many of these tools, so contact us today if you need assistance.

The Importance of AWS Security Policies and Documentation

If you’re a service organization utilizing AWS’ cloud services, having your own set of information security policies and procedures is still a necessity. Sure, you can rely on various aspects of the AWS infrastructure, but as discussed earlier, a number of core domains are your responsibility, meaning auditors will want to see your policies and procedures.

Developing documentation can be an incredibly taxing and time-consuming proposition – no question about it – and that’s why NDNB offers complimentary InfoSec policies and procedures to all of our valued clients. You need information security policies and procedures for SOC 2 compliance – that’s not up for debate – so talk to the SOC 2 experts at NDNB about how we can assist with this important requirement.

Here's just a small sample of InfoSec “domains” that you’ll be required to provide security policies and procedures on:

Additionally, you’ll want to ensure that you have the following three (3) core operational measures in place also for SOC 2 compliance:

Learn about the SOC Inclusive vs. Carve-Out Method

Auditors conducting a SOC 2 report for your organization have two (2) options when reporting on controls at subservice organizations. What’s a subservice organization? It’s an organization that’s used by another organization to perform some element of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting. Well, that’s the “technical definition”, so let’s simplify it with a basic example.

If you provide a Software as a Service (SaaS) platform that offers quotes for automobile insurance, and you use a Managed Security Services (MSS) provider to perform patching on your in-scope servers, then the MSS provider would be a subservice organization. You then have two (2) options for reporting on the MSS provider’s controls: the inclusive method or the carve-out method. With the inclusive method, the control activities of the MSS provider are included in the scope of your report. With the carve-out method, the control activities of the MSS provider are excluded from the scope of your report.

Obviously, the carve-out method is the easier process, as you don’t have to assess and potentially test the controls of the MSS provider. And if the MSS provider has its own SOC audit report, you can review that report to determine which controls were assessed and, ultimately, whether the carve-out method is acceptable.

Microsoft Azure SOC 2 Reporting Essentials You Need to Know

There are a number of critical issues that you’ll need to fully understand when it comes to your Azure environment and its effect on your annual SOC 2 audit. Much like Amazon AWS, Microsoft Azure follows a model of shared roles between the cloud provider and the customer. Thus, Microsoft’s Shared Responsibilities for Cloud Computing clearly define roles in regards to the following areas:

As such, for purposes of SOC 2 auditing, please note the following for Microsoft Azure:

Choosing the Right Tools and Solutions

Microsoft Azure has a laundry list of tools and solutions, so please visit https://servicetrust.microsoft.com/ComplianceManager to learn more about their helpful tools.

The Importance of Microsoft Azure Security Policies and Documentation

If you’re a service organization utilizing Microsoft Azure’s cloud services, having your own set of InfoSec documents is absolutely critical for compliance. Even though Azure is responsible for various cloud security, governance, and compliance initiatives, your organization still has specific responsibilities of its own, which means security policies and procedures are required. For example, you’ll need comprehensive InfoSec policies and procedures covering the following core I.T. domains:

Developing information security policies and procedures can be exhausting in terms of time and money, and that’s why NDNB offers a complimentary set of InfoSec policy templates to all of our valued Microsoft Azure SOC 2 clients. Using our templates saves you dozens of hours and thousands of dollars on much-needed security documentation.

Remember that the following three (3) operational initiatives must also be implemented for SOC 2 compliance:

7 Reasons to Choose NDNB as Your SOC 2 Auditor for AWS and Azure

  1. Proprietary SOC 2 Auditing Program Developed Exclusively for Azure, AWS, and Google GCP cloud environments.
  2. Complimentary set of Information Security Policy Templates.
  3. Easy-to-Use Risk Assessment Template. (A SOC 2 Requirement)
  4. Industry Leading Security Awareness Training Manual. (A SOC 2 Requirement)
  5. Auditors that Hold Multiple Azure, AWS, and Google GCP Cloud Certifications.
  6. Easy-to-Use Online Audit Portal for Document Collaboration.
  7. Fixed-Fee SOC 2 Audits with Absolutely NO Hidden Charges.