We live in a world where everything is an app. Employees have an unimaginable number of tools at their fingertips to help them work more efficiently, and any employee with a corporate email address can try out new applications to make their lives easier in just a few clicks. While the proliferation of SaaS tools has been a boon for worker productivity, it introduces substantial complexity when it comes to compliance certifications like SOC 2.
Tackling SOC 2 and SaaS sprawl
A key component of the SOC 2 certification involves assessing and defining which systems and applications are “in scope,” meaning that they house, process, or transmit confidential data that needs to be protected. Organizations need to perform regular SOC 2 access reviews on applications in scope for SOC 2 to determine who still has access, verify that they need continued access, and remove access from anyone who doesn’t.
Of course, the challenge of SOC 2 certification in a remote world is that you can't define which applications are in scope for SOC 2 if you don't even know what’s out there. Security and IT teams rarely have a complete picture of what workers are using or where they might be storing sensitive corporate data, and manually keeping up with changes as users sign up for new applications could be its own full-time job.
On the other hand, SaaS sprawl isn’t a problem organizations have the luxury of ignoring anymore. Recent supply chain attacks have underscored the fact that the modern attack surface is the SaaS attack surface, which means organizations preparing for SOC 2 certification need to account for their organization’s SaaS sprawl and shadow IT.
How Nudge Security can help
SaaS discovery is a beast of its own, but there are other aspects of SOC 2 access reviews that can require a significant amount of tedious, manual work. For example, once you’ve identified that an app is in use, you still need to track down which users have active accounts and figure out who at your organization owns the app in order to remove access for those who don’t need it.
In this post, we’ll dig into how you can get audit-ready faster by automating SOC 2 access reviews with Nudge Security. We’ll help you discover and review access for both the SaaS apps you already know about and the ones you don’t, all without taking on unnecessary manual work.
Want to jump straight in and see it instead? Here’s an interactive tour:
1. Discover your company’s cloud and SaaS assets, including shadow IT
Whether it takes the form of a rogue AWS account created by an experimental developer or an unsanctioned file-sharing app that a few vendors or clients insist on using, critical data often finds its way outside of corporate-managed, IT-approved applications. You could try questioning every department about the apps they use, or digging through chat logs and billing statements for clues, but none of those methods are sustainable or effective. Your organization needs a plan for discovering both managed and unmanaged SaaS applications on a regular basis, before you can think about whether they’re in scope for SOC 2.
Nudge Security uses a unique discovery method to identify all the cloud and SaaS assets in use at your organization, including apps that aren’t managed by corporate IT and security. We categorize the applications by type and track key information like the first user, who is often an administrator for others on their team and may be integral when it comes to removing unnecessary access. As users sign up for new applications, they’ll automatically appear within your Nudge Security dashboard.
2. Determine which assets are in scope for SOC 2
Nudge Security’s playbook to automate SOC 2 access reviews starts with determining which cloud and SaaS assets are in scope for your organization. The playbook uses smart app categorization to give you a headstart in identifying the applications most likely to be in scope by walking you through high-priority categories, such as infrastructure apps, devops apps, developer tools, and security apps.
Nudge Security keeps track of the apps you’ve identified as in scope, helping you streamline future access reviews. You can easily update the scope you’ve defined as your users add new apps over time.
3. Review who needs access to each application
For each of the applications you’ve determined are in scope for SOC 2, Nudge Security walks you through a review of the users at your organization who have active accounts. You can multi-select users to help you process each app efficiently. The playbook makes it easy to track and share your progress.
4. Easily remove access by enlisting technical contacts
When you discover a team at your organization using an application that isn’t managed by anyone in corporate IT or security, how do you remove access for users who no longer use it? Someone within the team is likely an administrator, but without an efficient system in place, tracking down that user can require a lot of legwork. Multiply that by every application on your list and you’d have quite a bit of work ahead of you.
Nudge Security gives you two options for removing access for users who no longer need it. If you have an existing process for managing access that works well for you, you can download a list of users and applications and handle it yourself. If you don’t, you can use nudges to enlist the owner of each app within your organization to remove access. We’ll automatically recommend a technical owner for each app so you don’t have to track one down, and you can send them a nudge with instructions and a link to verify that they’ve completed the task. You can track their responses within the SOC 2 access review playbook.
5. Generate audit-ready reports
Once you've received confirmation that the accounts you flagged have been removed, you can officially complete your access review and view a summary, which will be stored for your reference. You’ll also get the option to download a printable report summarizing the applications included in your access review and the users whose access you’ve either verified or removed.
6. Demonstrate a repeatable process for SOC 2 auditors
Running your first SOC 2 access review is just the beginning. SOC 2 certification requires regular access reviews, which also means updating your inventory of applications that are in scope. You can share your access review reports from Nudge Security with your auditors to demonstrate that you have a repeatable process in place to maintain your SOC 2 certification.
Discover what else Nudge Security can do for you
To recap, Nudge Security’s SOC 2 access review playbook can help you:
Capture and classify all of your in-scope SOC 2 assets, starting with smart app categorization to speed up your process.
Easily identify users associated with your SOC 2 assets and verify that they need continued access.
Generate a print-ready report of your SOC 2 asset review to demonstrate a repeatable process to auditors.