As the landscape of modern work changes, with its distributed teams and quickly evolving cloud-based technologies, maintaining access controls is an increasingly Sisyphean task. The process of SOC 2 certification is the perfect microcosm of this challenge: the work involved in identifying and designating systems as "in scope" for SOC 2 compliance has become drastically more complex with the rapid adoption of cloud services and SaaS applications, as well as the prevalence of remote employees. If you've ever been tasked with preparing and gathering evidence for a SOC 2 audit, you know just how daunting the project can feel.
What is SOC 2 and why should you care?
For those unfamiliar with SOC 2, I'll start with a quick primer. SOC 2 (System and Organization Controls 2, formerly Service Organization Control) is an attestation framework defined by the AICPA for reporting on the controls a service organization has in place over the security, availability, processing integrity, confidentiality, and privacy of its systems and data (the Trust Services Criteria). Security is the one criterion every SOC 2 report must cover; the other four are included based on the commitments you make to your customers. The review is performed by an independent auditor, and your SOC 2 audit is a success when your organization's results demonstrate that the appropriate controls are in place and, for a Type II report, operated effectively over the review period. Strictly speaking, the outcome is not a certificate but a SOC 2 report in which the auditor attests to the effectiveness of your controls; "SOC 2 certification" is common shorthand, and I'll use it here.
One of the biggest drivers for SOC 2 certification is being able to show your customers, and potential customers, that your organization's approach to data handling is secure and trustworthy: so much so that you are willing to conform to a stringent set of standards and to enlist an external auditor to verify it by doing a deep dive into your policies, systems, and operational data. More and more companies expect their vendors and partners to have a SOC 2 report, and most large enterprises will require SOC 2, at a minimum, for new vendors.
So, your SOC 2 scope has exploded. How can you possibly keep up?
An essential part of a SOC 2 audit is understanding and defining which systems and applications are "in scope." The boundary follows from your system description and the trust services criteria you've selected, and the determination can be subtle, but the working rule is this: any application that processes, stores, or transmits customer data or other sensitive or confidential information, or that supports the controls protecting that data (your identity provider, source control, ticketing), should be in scope. In practice, that means many of the SaaS applications your employees adopt on their own will need to be included.
Your eyes are probably starting to widen as you think about the level of effort required to carefully review all of your organization’s SaaS applications. Now, even more troublesome: think about the applications in use that you don’t even know about. Imagine that your remote workforce is signing up for new SaaS services at a breakneck pace (believe me, they are). How will you ever keep up with what employees are signing up for to get their jobs done, what data they might be storing in these applications, AND making sure they get scoped correctly for SOC 2? Keeping up with this deluge and managing it in an ongoing manner that encourages your employees to participate in the process is one of the most important reasons we built Nudge Security.
How can you review access and authorization for what you can’t see?
If you want to maintain SOC 2 compliance, you'll need to conduct periodic reviews of employees' access to in-scope systems, including third-party SaaS applications. Each review should confirm not only who has an account but what level of authorization each account carries within the system (admin versus ordinary user, which data or projects it can reach). And of course, you should be tracking onboarding and offboarding for each and every system, so that access is granted when someone joins and removed promptly when they leave or change roles. The auditor will ask for evidence that these reviews happened and that any exceptions were remediated.
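Here is what that review looks like when reduced to its mechanics. The following is an added illustration, not Nudge Security's code or product logic: it reconciles each app's account export against the HR/IdP roster and emits the findings an access review has to surface (offboarded employees who still have accounts, accounts that match no known employee, dormant accounts, and privileged roles that need an owner's sign-off), and it separately reports apps that nobody has made a scoping decision for yet. The roster, app exports, role names, review date, and the 90-day dormancy threshold are all constructed for the example.

```python
"""Periodic user access review across SaaS apps (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed roster as exported from an HRIS or identity provider.
ROSTER = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "active"},
    "carol@example.com": {"status": "terminated"},   # offboarded, should have no access
}

# Constructed per-app account exports. "scope" is the recorded SOC 2 scoping
# decision ("in" / "out"); None means nobody has made one yet.
APPS = {
    "crm": {
        "scope": "in",
        "accounts": [
            {"email": "alice@example.com", "role": "admin", "last_login": "2024-04-10"},
            {"email": "bob@example.com", "role": "member", "last_login": "2023-11-02"},
            {"email": "carol@example.com", "role": "member", "last_login": "2024-02-27"},
            {"email": "Dave@example.com", "role": "admin", "last_login": "2024-04-11"},
        ],
    },
    "whiteboard": {
        "scope": "out",
        "accounts": [
            {"email": "carol@example.com", "role": "member", "last_login": "2024-02-20"},
        ],
    },
    "newtool": {
        "scope": None,
        "accounts": [
            {"email": "bob@example.com", "role": "owner", "last_login": "2024-04-09"},
        ],
    },
}

PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names; vary per app
REVIEW_DATE = date(2024, 4, 15)         # assumed "as of" date for the review


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    kind: str
    detail: str


def review_app(app, accounts, roster, as_of, stale_days=90):
    """Check one app's accounts against the roster; return the findings."""
    findings = []
    for acct in accounts:
        email = acct["email"].lower()           # exports are not always normalised
        person = roster.get(email)
        if person is None:
            findings.append(Finding(app, email, "unknown_identity",
                                    "no matching employee: external, contractor or shadow account"))
        elif person["status"] != "active":
            findings.append(Finding(app, email, "offboarded_still_provisioned",
                                    f"employee status is {person['status']}; deprovision"))
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append(Finding(app, email, "dormant", f"no login in {idle} days"))
        if acct["role"] in PRIVILEGED_ROLES:
            findings.append(Finding(app, email, "privileged_role",
                                    f"role '{acct['role']}' requires owner attestation"))
    return findings


def run_review(apps, roster, as_of=REVIEW_DATE, stale_days=90):
    """Review every app with a scoping decision. Returns (findings, unscoped_apps).

    In-scope apps get the full review. Out-of-scope apps still get the
    offboarding check, because a terminated employee's lingering account is a
    risk whether or not the app is in the SOC 2 boundary. Apps with no scoping
    decision are reported so the review is not silently incomplete.
    """
    findings, unscoped = [], []
    for app, info in apps.items():
        if info["scope"] is None:
            unscoped.append(app)
            continue
        app_findings = review_app(app, info["accounts"], roster, as_of, stale_days)
        if info["scope"] != "in":
            app_findings = [f for f in app_findings if f.kind == "offboarded_still_provisioned"]
        findings.extend(app_findings)
    return findings, unscoped


if __name__ == "__main__":
    found, pending = run_review(APPS, ROSTER)
    for f in found:
        print(f"{f.app:<12}{f.email:<22}{f.kind:<30}{f.detail}")
    print("apps awaiting a scoping decision:", pending)
```

The output is the raw material for the evidence an auditor asks for: each finding maps to a remediation ticket or an owner's attestation, and the unscoped list is the queue that the "is it in scope?" question has to be answered for before the review can be called complete. Real exports need the same treatment for role names and email normalisation, which differ from app to app.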
In many ways, the era of remote work has spelled the end of the corporate network as a security boundary. An organization has very little control over the level of physical and digital security at someone's home, and the risk of breaches and direct attacks increases with the use of untrusted home and public networks. Even with strict use of corporate VPN technology, employees are likely to work around security controls in order to use the systems and applications that help them get their jobs done most efficiently. (Read our research report for more on this.)
Even before we all started working from home, the sheer pace at which third-party SaaS applications were being adopted directly by employees without IT involvement was staggering. Our research shows that at an enterprise with 1,000 employees, a new SaaS account was created roughly every 20 minutes. At that same 1,000-person company, we estimate that somewhere in the ballpark of 882 apps and 10,321 accounts are currently in use. Trying to keep track of every in-scope SaaS application on a spreadsheet just won’t cut it.
Given all this, the challenge for SOC 2 certification is threefold: knowing that these systems exist, determining whether they're in scope, and if so, including them in a continual process for review.
How can Nudge Security help?
As you’ve probably gathered, SOC 2 is…a lot. There are plenty of companies that will help you get to SOC 2 certification and maintain a periodic review process. Regardless of what tools you use, you’ll face a heavy (but important) internal lift in discovering all of your organization’s existing SaaS and cloud assets.
Here’s how Nudge Security can help automate and streamline your SOC 2 compliance process:
- In a matter of minutes, Nudge Security will find all of the SaaS applications in use at your company, including the ones you don’t know about.
- Nudge Security will categorize all of your SaaS applications, streamlining the SOC 2 scoping process. Not only can you mark applications that are in scope, you can also keep track of your organization's approved applications and automatically nudge employees to adopt those rather than sign up for redundant alternatives.
- Nudge Security offers a set of powerful playbooks to automate and streamline common workflows. Our SOC 2 playbook allows you to quickly review the SOC 2 scope status of all your applications and easily record updates to the access and authorization state of all employees utilizing those applications.
Need help getting started with your SOC 2 certification? Start your 14-day free trial of Nudge Security.