SOC 2 reports: The de facto cloud provider security standard

They're not perfect, but SOC 2 reports are becoming the baseline for cloud provider security assessments. Expert Dave Shackleford discusses.

Released in 2011, the American Institute of CPAs (AICPA) Service Organization Control (SOC) reports framework was meant to provide interested organizations with a means to assess the state of security controls within service provider organizations. Before long, those investigating cloud service providers realized the SOC framework (and the SOC 2 in particular) seemed to be a reasonable baseline for assurance.

Many security advisers and auditors felt that the SOC 2 went beyond what most service providers had previously provided with the Statement on Auditing Standards No. 70 (SAS 70) reports commonly associated with audit and controls verification. The challenge is that many cloud service providers (CSPs) have not made the effort to provide the more rigorous SOC 2 report to potential customers, opting instead to use the simpler Standards for Attestation Engagements (SSAE) SOC 1. However, this situation appears to be changing.

According to audit services firm Reckenen Inc., service providers that chose to undergo SOC 2 audits comprised only 7% of the data centers audited and assessed by the firm in 2012. In 2013 that number doubled to 14%, with cloud providers obtaining SOC 2 reports primarily to meet client needs, followed by marketing and competitive advantages.

The Cloud Security Alliance (CSA) provided more momentum for the framework in February 2013 when it endorsed the AICPA model. The CSA claimed that the SOC 2 meets the requirements of many cloud consumers that need to vet the security controls and information assurance practices of potential providers. The primary reason for this comes down to its alignment with and foundation in the AICPA Trust Services Principles and Criteria, which cover security, confidentiality, privacy, availability and processing integrity.

In addition to its endorsement, the CSA published a position paper that describes when a SOC 2 report is warranted above and beyond the simpler and more common SOC 1. For one thing, a SOC 2 report is more applicable to cloud providers because its controls are not focused on financial reporting and accounting. Most cloud providers do not align service offerings with customers' internal controls over financial reporting, which is what SOC 1 is geared toward. SOC 2 is also aligned with the AICPA AT 101 standard for Attest Engagements, which describes the processes and reporting standards required for any sort of controls analysis engagement.

In essence, SOC 2 audits, when properly conducted in accordance with AT 101 and based on the Trust Services Principles and the CSA Cloud Controls Matrix (CCM), meet the security needs of most cloud customers. For large, mature cloud providers, the SOC 2 (and potentially SOC 3) can help to attract larger enterprise organizations that need a more in-depth level of assurance and controls information related to security and operations not currently provided by financial controls audits such as the SSAE 16.


As cloud consumers increasingly demand the level of security effort and transparency required by SOC 2 certification, this type of attestation will likely become an early differentiator between mature cloud services companies and those that are not taking security quite as seriously. Several major players have already achieved SOC 2 and/or 3 certifications. Amazon Web Services announced the availability of its SOC 3 report on May 13, 2013, and offers both SOC 1 (performed annually) and SOC 2 reporting for security controls. In March 2013, Rackspace achieved both SOC 2 and SOC 3 certifications, as well as ISO 27001 compliance. Verizon Terremark is audited for SOC 1, SOC 2 and SOC 3 attestation standards as well.

Aside from major cloud hosting providers, numerous security and platform service providers also use the SOC 2. Okta, a cloud-based identity management company, has had the SOC 2 for quite some time, as has Microsoft Azure (which also maintains a SOC 3 report). Many more examples can be found, and more are appearing all the time, which supports the growth observed by Reckenen.

About the author:
Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
