The Value of SOC 2 Reports for Cloud Service and Hosting Providers

Three reasons why users of cloud services should expect their cloud service provider to have a SOC 2 report.

As organizations increasingly rely on third-party service providers for data hosting and processing functions, these organizations are demanding more detailed understanding of how their service providers are handling and protecting their data.

The American Institute of Certified Public Accountants (AICPA) has developed the Service and Organization Control (SOC) framework for reporting on internal control at a service organization. These reports are designed to give clients, partners, and other stakeholders assurance around the protection and use of key systems, processes, and data. The SOC 2 framework, specifically, is a way for cloud service providers and data processing providers to provide assurance of effective control in five critical categories:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

It is important to distinguish a SOC report from a certification or compliance report. The SOC 2 framework outlines key criteria that must be considered as part of each of the above categories, and organizations describe their operational and technical controls to meet those criteria. The service provider provides a description of its unique service offering and control environment, and the service auditor performs an examination of that description.

1. Independent, Third-Party Opinion Users of cloud services expect that their cloud service providers are taking appropriate measures to secure confidential data and associated systems. We often find that IT and security personnel put tremendous effort into security processes, but the lack of an objective assessment can result in a gap or vulnerabilities that would otherwise go unnoticed. Having a third-party assessment performed, conducted by IT security and compliance professionals with cloud service provider experience, can be extremely valuable in assessing control implementation. Unlike many certifications or frameworks for cloud security, a SOC 2 report can only be performed by an independent third-party service auditor. As a result, a SOC report cannot be completed as a self-assessment. A service auditor produces the SOC 2 report which includes an opinion on the control environment documented by the service provider.
2. Assurance Over a Period of Time – Not Just a Point in Time SOC 2 reports are broken into two report types. A Type I report is an examination of the design of controls relative to security, availability, processing integrity, confidentiality and/or privacy; while a Type II report includes an examination of the effectiveness of controls designed to meet those requirements, over a specified period of time. The SOC 2 Type II report is designed to give the user of the cloud service comfort that, not only has the service provider developed controls that will help meet critical requirements, but also that those controls are implemented and operating effectively. Assurance that controls are working as intended should be of critical importance to a user of cloud services. For further transparency, the SOC 2 framework documents the control environment in place, as well as the specific tests performed by the service auditor to validate the effectiveness.
3. Integration of the Cloud Security Alliance's Cloud Controls Matrix The Cloud Security Alliance, a not-profit entity focused on developing and promoting processes for security assurance in cloud services, has published a set of controls called the Cloud Controls Matrix (CCM) that targets key controls within cloud-based services. This set of controls can be integrated into a SOC 2 report through a formal attestation framework called STAR (Security Trust and Assurance Registry). When the CCMintegrated SOC 2 report is completed, the cloud service provider can be published in the Cloud Security Alliance (CSA)'s STAR registry. There is additional cost required by CSA for this designation, and this SOC 2 can only be provided by a CSA-certified individual within a CPA firm, however the assurance it provides customers can be a differentiator within the cloud services industry. For additional information on the STAR Framework, please visit: https://cloudsecurityalliance.org/star/attestation/#_overview

How to Get the SOC Reporting Process Started

If an organization has not completed a SOC examination in the past, we recommend a Readiness Assessment to prepare the cloud service providers for the requirements of the SOC reporting process and identify critical gaps or issues that could impact the opinion in the SOC report.

Following remediation of any identified issues, DHG works with our clients to understand their timeline requirements and define the SOC examination period. We have developed a streamlined approach for planning and performing SOC report engagements designed to bring clarity to the SOC reporting process and ease the examination.

Cloud service providers have become a key link in the chain of data security for most companies. By completing a SOC 2 report, and potentially integrating CSA STAR attestation, cloud providers can give their clients and customers comfort that their data is being secured.