A presentation at RSA Conference 2017 included a survey that reported 48% of respondents found that a SOC 2 report...
was the most effective way to assess cloud provider risk. How can enterprises use SOC 2 to evaluate cloud providers, and is it really the most effective method?
There are a few tools that can be used when assessing a cloud service provider, and a SOC 2 report is one of them. If a cloud provider or vendor has a SOC 2 report available, it can be extremely useful to understand the company's controls when it comes to security, availability, processing, integrity, confidentiality and privacy. If the third party cannot provide a SOC 2 report, it's possible that they haven't had an assessment performed, or that they're not willing to disclose this data.
It's always best to receive a Type 2 SOC 2, but many vendors might send over a SOC 3 to prove that work has been completed. The Type 2 SOC 2 report will not only review the controls in question, but will go into detail on the effectiveness of the controls. If possible, try to get a Type 2 SOC 2 from the vendor as a first step.
That being said, you shouldn't stop there. SOC 2 reporting, in many cases, will get you about 80% of the way when it comes to a full security cloud assessment, and it's always the last 20% of a project that takes some additional work.
It's here where the Cloud Security Alliance (CSA) becomes your friend. If you have any responsibility for performing cloud security reviews, it's may be a good idea to get to know CSA's documentation and standards. By supplementing their Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire, an assessor can take the experience and established format of the CSA's documentation to the vendor for additional insight.
If the vendor in question is a large cloud provider, it's also possible that it has filled this documentation out already, and that it's being publically hosted on the CSA's Security, Trust & Assurance Registry. Take a look and see if it's available on the CSA's site before asking the cloud vendor to fill it out.
There are some SOC 2 reports that add the CCM into the report to integrate the findings and map the results back to the CSA's guidance. If this is the case, it can help the client greatly by combining the efforts of both these frameworks.
Lastly, there might be dedicated questions from an organizational standpoint -- even though the CSA breaks down the findings per compliance regulation -- that aren't found on either of the other two assessment reports. If a client has particular questions for a vendor, they can use a custom questionnaire to help gain the information in writing from the vendor as to how they perform a particular task or enforce a particular policy.
So, yes, a SOC 2 is very useful to receive from a vendor, but it's sometimes difficult to attain, and doesn't always provide everything an organization needs. This report still might not answer all your questions, and additional frameworks and questionnaires may be needed to completely satisfy your requirements when dealing with the security of cloud vendors.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Find out if organizations can use a SOC 2 report to help with HIPAA compliance
Learn how to navigate the public cloud service provider selection process
Discover more about the services provided by cloud vendors
Dig Deeper on Evaluating Cloud Computing Providers
Related Q&A from Matthew Pascucci
Troubleshooting VPN session timeout and lockout issues should focus first on isolating where the root of the problem lies -- be it the internet ... Continue Reading
What sets web roles and worker roles apart in Microsoft's Azure Cloud Services? Here's a look at how they are different. Continue Reading
Container security continues to be a pressing issue as containers and hosts are being used more frequently. Learn how to keep your enterprise safe ... Continue Reading