Cloud Security 101: All the Basics You Need to Know
Prophix
Feb 22, 2022, 8:25:00 AM
It’s easy to be intimidated by the sheer volume of acronyms that exist in the security and compliance space.
These acronyms make it hard to know what to look for when choosing a software-as-a-service (SaaS) Cloud provider.
At the end of the day, you want to have peace of mind that your data is secure and protected.
That’s why we’d like to demystify the evaluation process and explain what to look for when comparing and evaluating SaaS Cloud vendors.
In this blog, we’ll outline compliance standards and how they impact Cloud security.
What Are Compliance Standards?
Some of the most common acronyms you may come across are Security Operations Center (SOC) and Trust Service Principles (TSPs). A Security Operations Center’s (SOC’s) responsibility is to monitor and analyze an organization’s security posture on an ongoing basis. SOC reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. There are multiple reports that prove an organization is in good standing, namely SOC 1 and SOC 2 compliance. It’s important that both Type 1 and Type 2 reports are complete for each of these SOCs.
- Type 1 Report - Demonstrates that a company’s internal controls are properly designed to meet the relevant Trust Principles. This report does not confirm the efficacy of those controls over a period of time.
- Type 2 Report - Further demonstrates that your controls operate effectively over a period.
Differences Between SOC 1 & SOC 2 Compliances
So, now that we’ve outlined what the most common compliance standards are (SOCs), let’s look at the differences between SOC 1 and SOC 2.
SOC 1 – A SOC 1 report gives assurance that your financial information is being handled safely and securely. The international version of the SOC 1 report is commonly referred to as ISAE 3402. Typically, when a vendor says they are SOC 1 compliant, the implication is that they have completed both Type 1 and Type 2 reports.
SOC 2 – This report gives assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. Here is where Trust Service Principles (TSPs) come into play. SOC 2 reports evaluate an organization’s compliance against five criteria, which are commonly referred to as Trust Service Principles (TSPs). The five Trust Service Principles are:
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
- Availability – Information and systems are available for operation and use.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of.