We recently went through the SOC2 process and are happy to report that we successfully passed our audit! Generating a SOC 2 Type 1 Report generally takes up to six months. In our case, the entire process took only 6 weeks, and we wanted to share how we did it.

TLDR: We used Apono’s cloud-native privileged access management solution to streamline our access review process and make the SOC2 audit much easier for us (and our auditor).

Our SOC2 journey

If you serve customers in regulated industries such as healthcare, finance, or the public sector, you will likely need to obtain SOC2 certification at some point.

For those who don’t know, SOC2 is the gold standard for security certifications. It is becoming increasingly common for SaaS companies to get SOC2 certified to reassure customers that all the necessary controls are in place to protect their data.

SOC2 reports measure a company’s security through the lens of AICPA’s Trust Services Criteria across five major categories:

  • Security – How effectively do you protect critical systems against unauthorized access?
  • Availability – How do you facilitate customer access to systems, including business continuity measures during and after an attack?
  • Processing Integrity – How do you maintain the functionality of all promised services, including timeliness, accuracy, completeness, and integrity of authorization protocols?
  • Confidentiality – How do you safeguard all information classified as protected?
  • Privacy – How do you safeguard all personal information and personally identifiable information (PII)?

The SOC2 compliance report is a public attestation that your systems and controls have been assessed by an independent auditing firm and that they meet or exceed the standards for security, availability, processing integrity, confidentiality, and privacy.

The SOC2 certification process is notoriously long and arduous, but we are happy to report that we obtained our SOC2 certification in just six weeks from start to finish.

Apono helped us in two ways:

  • Generating an access review in a matter of seconds
  • Providing auditors with a live view of access to our production environment

Meeting SOC2 security requirements

SOC2 compliance covers a lot of ground and involves solidifying company policies, including access to sensitive resources covering both physical and digital access control.

We are cloud-native, so physical protections around data centers don’t apply to us. Access to digital resources is another matter. The problem with cloud resources is that you don’t hack into them; you log into them. That’s why access control is such an important part of SOC2.

SOC2 Access Control Requirements

SOC2 has several controls around access. Auditors will want to see that you have strong controls around:

  • Who has access to what
  • What can they do with that access
  • How you monitor and restrict access
  • How you uphold the least privilege principle
  • How you enforce separation of duties and roles
  • How you handle employee onboarding and offboarding

To meet these requirements, you’ll need to generate an access review report that includes:

  • A list of all users and their roles
  • A list of all systems and applications that each user has access to
  • What each user can do with that access (e.g., read-only, write, execute, etc.)
  • Procedures for granting and revoking access

The access review report is one of the most time-consuming and tedious parts of the SOC2 process. It involves manually reviewing Access Control Lists (ACLs) and then comparing them to lists of employees and their job descriptions to see if there are any discrepancies.
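As an added example (not Apono’s code, and not the report the post describes), here is a Python script that performs the reconciliation just described: it joins an ACL dump against an HR roster and a role policy and flags the three kinds of discrepancy an auditor looks for (offboarded or unknown accounts, permissions beyond the role, and separation-of-duties conflicts). All users, systems and permissions are constructed sample data.

```python
# Added example (not Apono's code): reconcile ACL entries against an HR roster
# and a role-entitlement policy to produce access review rows and findings.
# All data below is constructed sample data.
from collections import defaultdict

# Constructed HR roster: user -> (role, employment status)
ROSTER = {
    "alice": ("sre", "active"),
    "bob": ("developer", "active"),
    "carol": ("developer", "terminated"),
}
# Constructed policy: permissions each role may hold, per system
ROLE_ENTITLEMENTS = {
    "sre": {"prod-db": {"read", "write"}, "k8s-prod": {"deploy"}},
    "developer": {"prod-db": {"read"}, "k8s-prod": set()},
}
# Constructed separation-of-duties rule: no single user may hold both
SOD_CONFLICTS = [("k8s-prod", "deploy", "k8s-prod", "approve-deploy")]
# Constructed ACL dump: (user, system, permission), as exported from each system
ACL = [
    ("alice", "prod-db", "read"), ("alice", "prod-db", "write"),
    ("alice", "k8s-prod", "deploy"), ("alice", "k8s-prod", "approve-deploy"),
    ("bob", "prod-db", "read"), ("bob", "prod-db", "write"),
    ("carol", "prod-db", "read"),          # offboarded employee still has access
    ("svc-legacy", "k8s-prod", "deploy"),  # account not in the HR roster at all
]

def review_access(acl, roster, entitlements, sod_conflicts):
    """Return (report, findings): report maps user -> system -> permissions;
    findings lists discrepancies as (user, category, detail) tuples."""
    report = defaultdict(lambda: defaultdict(set))
    for user, system, perm in acl:
        report[user][system].add(perm)
    findings = []
    for user, systems in report.items():
        role, status = roster.get(user, (None, "unknown"))
        if status != "active":  # onboarding/offboarding control
            findings.append((user, "offboarding", f"{status} account still holds access"))
            continue  # every entitlement this account holds is already a finding
        for system, perms in systems.items():  # least privilege control
            excess = perms - entitlements.get(role, {}).get(system, set())
            for perm in sorted(excess):
                findings.append((user, "least-privilege", f"{perm} on {system} exceeds role {role}"))
        for sys_a, perm_a, sys_b, perm_b in sod_conflicts:  # separation of duties
            if perm_a in systems.get(sys_a, set()) and perm_b in systems.get(sys_b, set()):
                findings.append((user, "separation-of-duties", f"holds both {perm_a} and {perm_b}"))
    return report, findings
```

The `report` dict is the per-user access listing the auditor asks for; `findings` is the discrepancy list that drives revocation.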

Sifting through all of that data is a huge pain, but we were able to generate an access review report in just a few seconds. Apono’s platform automatically and continuously maps out user roles and permissions across all systems and applications. So it was effortless to generate a report that includes all of the information required by SOC2.

Not only did this save us a ton of time, but it also ensured that our access review report was 100% accurate.

Moreover, we could automatically generate an access review report anytime we needed it during the certification process. This was incredibly useful because it meant we could easily re-run the report to reflect any changes in personnel or systems.

This huge time-saver allowed us to focus on other aspects of SOC2 compliance. Going forward, we can easily run the report anytime on demand if there are concerns about potential unauthorized access.

Our auditor was impressed with how quickly we could supply the access information they needed.

Access to production environment: live view

It’s not enough to have controls in place – you also need to be able to monitor and audit access on an ongoing basis.

Auditors will want evidence that you’re regularly reviewing and revoking access.

This is important for two reasons:

  • To make sure that the controls are being followed
  • To be able to detect and investigate misuse of data or systems

Auditors will want access to logs to see who did what, when they did it, and from where. We could provide them with something better – a live view of access to our production environment that they could monitor in real time.

This gave them visibility into our entire system: a real-time view of who was logged in, what resources they had access to, what they were doing with that access, and from where. This provided valuable insight and evidence that our access controls were working as intended, and it was a huge selling point for our auditor.

Overall, Apono was an invaluable tool for streamlining our SOC2 compliance process. 

But it’s not just about passing the SOC2 compliance certification in record time (although that is a huge plus!). It’s about handling your cloud access in a way that’s secure, efficient, and scalable for the long haul. So if you’re looking for a platform for managing access control and compliance in the cloud, book a demo with Apono today. We’d be happy to show you how our platform can help you become secure and compliant while maintaining your productivity and agility.