For the best web experience, please use IE11+, Chrome, Firefox, or Safari
OneLogin + One Identity delivering IAM together. Learn more

What is SOC 2?

Principles, Types, and Benefits Explained

Cybersecurity frameworks lay down the guiding principles and best practices that companies must follow to improve their security posture. SOC 2 is one such framework, which applies to technology companies that store and deal with customer data in the cloud.

What is SOC 2?

SOC 2, aka Service Organization Control Type 2, is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). The primary purpose of SOC 2 is to ensure that third-party service providers store and process client data in a secure manner.

The framework specifies criteria to uphold high standards of data security, based on five trust service principles: security, privacy, availability, confidentiality, and processing integrity.

SOC 2 compliance

SOC 2 principles explained

Unlike other compliance frameworks, which have a predefined set of conditions for all companies, SOC 2 requirements are different for every organization. Depending on their own operating models, each organization must formulate its own security controls to become compliant with the five trust principles.

Security. Broadly speaking, the security principle enforces the protection of data and systems, against unauthorized access. To that end, you may need to implement some form of access control, e.g. using access control lists or identity management systems.

You may also have to strengthen your firewalls, by introducing stricter outbound and incoming rules, introduce intrusion detection and recovery systems, and enforce multi-factor authentication.

Confidentiality. Data qualifies as confidential if only a specific group of people should access it. This may include application source code, usernames and passwords, credit card information, or business plans, etc.

To adhere to this principle, confidential data must be encrypted, both at rest and during transit. Moreover, while providing access to confidential data, adhere to the principle of leastprivilege, i.e. grant the bare-minimum permissions/rights that people need to do their jobs.

Availability. Systems should meet availability SLAs at all times. This requires building inherently fault-tolerant systems, which do not crumble under high load. It also requires organizations to invest in network monitoring systems and have disaster recovery plans in place.

Privacy. The collection, storage, processing, and disclosure of any personally identifiable information (PII) must adhere to the organization’s data usage and privacy policy, along with the conditions defined by the AICPA, in the Generally Accepted Privacy Principles (GAPP).

PII is any information that can be used to uniquely identify an individual, e.g. name, age, phone number, credit card information, or social security number etc. An organization must enforce rigorous controls to protect PII from unauthorized access.

Processing integrity. All systems must always function as per design, devoid of any delays, vulnerabilities, errors, or bugs. Quality assurance and performance monitoring applications and procedures are crucial to achieve adherence to this principle.

What are the benefits of an SOC 2 audit?

  • SOC 2 audits help you in improving your overall security outlook.
  • Since SOC 2 compliant companies have all the right tools and procedures to safeguard sensitive information, customers feel confident in entrusting them with their data.
  • SOC 2 requirements often overlap with other frameworks, like ISO 27001 and HIPAA, which means that you may end up killing two (or more) birds with one stone.
  • You increase your brand reputation as a security-conscious company and establish a formidable competitive advantage.
  • Achieving SOC 2 compliance may help you avoid data breaches and the financial/reputation damage that comes with them.

SOC 2 Type 1 vs Type 2

There are two main types of SOC 2 compliance: Type 1 and Type 2.

Type 1 attests an organization’s use of compliant systems and processes at a specific point in time. Conversely, Type 2 is an attestation of compliance over a period (usually 12 months).

A Type 1 report describes the controls in use by an organization, and confirms that the controls are properly designed and enforced. A Type 2 report includes everything that’s part of a Type 1 report, along with the attestation that the controls are operationally effective.

SOC 1 vs SOC 2 vs SOC 3

There are three main types of SOC reports – SOC 1, SOC 2, and SOC 3. The first two are the most prevalent, with the second being most relevant to technology companies.

SOC 1 revolves around financial reporting, whereas SOC 2 focuses more on compliance and business operations. SOC 3 is an adaptation of SOC 2, which reports SOC 2 results in a format that is understandable for the general public. Let us look at the following small table to break it down further.

 

SOC 1

SOC 2

SOC 3

Purpose

Report on financial controls

Report compliance with five trust principles: security, confidentiality, availability, privacy, and processing integrity

Report the same controls as SOC 2, but in a way that makes sense to the general audience

Audience

Mainly auditors

Customers and other stakeholders

General public

Example

Most companies processing financial data will require SOC 1 compliance

A database-as-a-service company is required to achieve SOC 2 compliance, before they can host sensitive data belonging to multiple customers

An organization that achieves SOC 2 compliance may also create a SOC 3 report to let the general audience know that it takes data security and privacy seriously.

Advantages

  • Work with customers that require SOC 1 compliance
  • Increase brand reputation
  • Assure your customers that you have all the right controls in place
  • Work with customers that require SOC 2 compliance
  • Increase brand reputation
  • Assure your customers that you have all the right controls in place

Produce marketing collateral to spread the news of your compliance to a wider audience.

SOC 2 compliance and IAM

SOC 2 compliance and IAM (identity and access management) go hand in hand. It would be safe to say that you cannot achieve SOC 2 compliance, without having some form of IAM in place. IAM systems help enforce access control, which is fundamental to the security, confidentiality, and privacy principles of SOC 2.

Modern IAM applications have features like multi-factor authentication, identity federation, password auto-resets, identity lifecycle management, and granular access control, which can catalyze your journey to becoming SOC 2 compliant.

SOC 2 compliance helps establish that a technology company is serious about data security and privacy. Whenever you are in the market for a SAAS provider, remember to keep SOC 2 compliance, at the top of your checklist.

Try OneLogin for Free

Experience OneLogin’s Access Management capabilities first-hand for 30 days