
SOC 2 Compliance and Certification: What SaaS Businesses Need to Know

If your organization stores customer data in the cloud, SOC 2 compliance is table stakes.

In the last two years alone, cloud-based cyberattacks more than doubled — even though SaaS spending grew just 18%.

These numbers are only a correlation from a statistical standpoint, but they do indicate that if your business stores customer data in the cloud, it is more important than ever to take measures to secure that data, especially given that SaaS spending is expected to increase a further 36% between 2020 and 2022.

A SOC 2 report, issued by an independent CPA firm under the AICPA's attestation standards, is a foundational step that helps every service provider reduce security risk and demonstrate its controls to customers. (Strictly speaking, SOC 2 is an attestation report rather than a certification, and the AICPA itself does not issue it; this guide uses "certification" in the everyday sense.) Below is a guide to SOC 2 compliance requirements and certification.

What Is SOC 2?

SOC 2 is an independent audit report that evaluates the controls a technology service business uses to protect the customer data it processes in the cloud. Possession of a SOC 2 report is considered table stakes in the SaaS industry: most of the questions a customer will ask about a vendor's security posture can be answered directly from it.

SOC 1 vs. SOC 2 vs. SOC 3

“SOC” stands for “System and Organization Controls” and was created by the American Institute of Certified Public Accountants (AICPA). SOC 2 is one of three SOC reports, each with different purposes and/or levels of transparency:

  1. SOC 1. Audits controls at the service organization that are relevant to its customers' internal control over financial reporting. Report usage is "restricted," meaning it is limited to the service organization's management, its customers (user entities), and their auditors.
  2. SOC 2. Audits controls relevant to the security, availability, processing integrity, confidentiality, and privacy of the systems used to process customer data. Report usage is "restricted" in the same way as SOC 1.
  3. SOC 3. Covers the same criteria as SOC 2, but the report omits the detailed system description and test results and is intended for general (public) distribution to increase transparency.


Why SOC 2 Compliance Matters

SOC 2 compliance isn’t a legal requirement for a tech business. However, having a SOC 2 report is a common compliance objective for service providers that store their customers’ data in the cloud because it’s a necessity from an assurance (and therefore competitive) perspective.

For many small to medium-sized operations that store marginally sensitive data (for example, information that is already publicly available), a SOC 2 report usually gives customers enough assurance about their controls and procedures.

However, for businesses whose data is considered sensitive (health data, for example), a SOC 2 report is the minimum a business should have in order to assure their customers they’ve taken steps to protect their data.


The SOC 2 Certification Process

SOC 2 certification is completed by a third-party auditor who assesses the extent to which a service provider's controls meet one or more of the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 differs from most other security certifications in that it does not prescribe specific controls; it lets each business decide how best to meet the criteria. The auditor evaluates how well the controls the business has chosen satisfy each in-scope criterion, in the context of the business's operations, and gives an opinion on their overall effectiveness.

The auditor then compiles their opinion and findings into a report (the SOC 2 Report) you can then use to assure your customers of the steps you’ve taken to manage their data.

The SOC 2 Report comes in two different types (Type 1 and Type 2), and each has an impact on how the certification process proceeds. However, since each requires an evaluation of your practices against the Trust Services Criteria (TSC) you have put in scope, we'll address those first and explain how each of the report types affects certification in more detail afterward.

SOC 2 Trust Services Criteria

Security is required in every SOC 2 examination; the other four criteria are optional, and tech service businesses can add as many or as few of them as they like. Most businesses scope one to three criteria in total. However, businesses that process sensitive data will benefit from certifying against all five.

Below is what earning certification in each of the SOC 2 Trust Services Criteria entails:

  1. Security. An evaluation of the logical and physical controls a business uses to protect the customer data it processes against unauthorized access, disclosure, or damage. In the AICPA's 2017 TSC these are the "common criteria" that every SOC 2 report must cover. Auditors will examine measures such as network security, vulnerability management, access control, and security monitoring, as well as the steps you've taken to restrict physical access to the devices and locations where your customers' data is stored.
  2. Privacy. An evaluation of how a service business collects, uses, retains, discloses, and disposes of personal information. Auditors will compare the company's privacy policy(ies) with its actual operational procedure(s) to ensure they align with the AICPA's Privacy Management Framework (PMF).
  3. Confidentiality. An evaluation of how information designated as confidential is stored, accessed, shared, and ultimately disposed of. Auditors will examine the procedures and access controls you have in place to restrict who can reach customer data, as well as any technical measures, like encryption, you've implemented to protect it.
  4. Processing Integrity. An evaluation of whether system processing is complete, valid, accurate, timely, and authorized. Auditors will examine your quality assurance and processing-monitoring practices: for example, whether data returned by your systems matches what was stored, whether processing errors are detected and corrected, and whether processing is performed only for authorized requests.
  5. Availability. An evaluation of whether your system is available for operation and use as committed in your customers' contractual agreement(s). Auditors will examine controls and procedures such as performance monitoring, business continuity, disaster recovery, and incident management to ensure they match what was promised.


The SOC 2 Report

Once an auditor completes their evaluation of the security measures you've implemented, you'll receive either a SOC 2 Type 1 Report or a SOC 2 Type 2 Report (depending on which you chose to certify for). Both reports describe what you've done to keep your customers' data safe:

  1. The auditor's opinion and management's assertion about the system
  2. A description of the system and your company's operations
  3. The controls you've implemented and how they map to the in-scope Trust Services Criteria
  4. How the audit was conducted, including the tests the auditor performed
  5. For a Type 2 Report, the results of those tests over the review period

However, the two report types differ substantially in the effort and evidence required to obtain them.

SOC 2 Type 1 Report

A SOC 2 Type 1 Report evaluates whether your controls are suitably designed as of a specific date. Because it is a point-in-time assessment, the certification process for a Type 1 Report can be completed relatively quickly (in the time it takes an auditor to evaluate your systems and procedures), but it says nothing about whether those controls actually operated over time.

SOC 2 Type 2 Report

A SOC 2 Type 2 Report assesses the operating effectiveness of your controls. The evaluation covers a period of time so the auditor can observe how the controls perform in practice rather than at a single moment, as in a Type 1 Report.

A SOC 2 Type 2 Report typically requires months of auditing to obtain, since the auditor must collect evidence that controls operated throughout the review period. But the increase in assurance it provides is often worth it for service organizations that process sensitive data. Traditionally a SOC 2 Type 2 covers a 6 to 12 month period.

Additional Security Certifications That Are Worth Pursuing


A SOC 2 Report helps you demonstrate a baseline of security to your customers, and the more Trust Service Criteria you certify for, the more assurance you can provide (it’s why Auth0 meets all 5).

But given the rate at which cloud-based cyberattacks are increasing in the wake of the pandemic (and the average cost of a data breach across most industries), doing more than the minimum to secure your customers’ data is in your best interest.

Auth0 has earned certifications in several additional information security frameworks for this reason. We’ve created guides to earning certification with the ones we’re experienced with via the links below:

  • ISO/IEC 27001. The International Organization for Standardization’s framework for building an information security management system (ISMS).
  • ISO/IEC 27018. The International Organization for Standardization's code of practice for protecting personally identifiable information (PII) in public clouds. It extends the ISO/IEC 27002 control set with cloud-specific guidance for providers acting as PII processors and is typically certified alongside ISO/IEC 27001.
  • CSA STAR. The Cloud Security Alliance (CSA) offers some of the most relevant and cutting-edge controls for cloud security in the industry.

Learn more about how Auth0’s IDaaS platform can help you better secure and scale your authentication process here.