CyberArk Glossary >

What is SOC 2?

SOC 2 (Service Organization Control Type 2) is a security compliance framework developed by the American Institute of Certified Public Accountants (AICPA) to securely manage customer data within the cloud. It specifies high standards of data security based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy.

Trust Service Principles What it Means
Security Systems are protected against both physical and logical unauthorized access.
Availability Information and systems are available for their intended use.
Processing Integrity Data processing is complete, accurate and timely.
Confidentiality Restricting confidential data to authorized individuals and implementing strict access controls to prevent breaches.
Privacy Personal information is collected, used, retained, disclosed and disposed of as per the privacy regulations.

SOC 2 entails more than sixty compliance requirements and extensive auditing processes for third-party systems and controls. Complying with SOC 2 audits helps maintain best-in-class security standards and unlocks significant growth opportunities.

Why SOC 2?

The modern threat landscape is ever-evolving. Increasing cloud adoption, proliferating digital identities and the rise of sophisticated attacker innovations are forcing organizations to adopt strong compliance regulations to protect consumer data from unauthorized access.

What differentiates SOC 2 from other security frameworks , such as the Nation Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the International Organization for Standardization (ISO) 27001 , is that it also requires third-party service providers to store and process customer data securely.

The five trust service principles that make SOC 2 an important security compliance standard also aid in modern identity and access management capabilities, such as multi-factor authentication (MFA) , identity federation, identity lifecycle management , granular access control and data security and privacy.

The basic SOC 2 compliance checklist covers the following security standards:

  1. Access controls: Prevent unauthorized access with logical and physical restrictions on assets.
  2. Change management: Manage changes to IT systems and prevent unauthorized changes.
  3. System operations: Control and monitor operations and detect and remediate threats.
  4. Mitigating risk: Identify and mitigate security risks.

What are the benefits of being SOC 2 compliant?

Complying with SOC 2 demonstrates that an enterprise maintains a high level of information security, data privacy, availability, confidentiality and processing integrity and enables an organization to:

  • Improve an enterprise’s overall security posture.
  • Safeguard sensitive information and ensure customer trust, using the right security tools and procedures.
  • Improve brand reputation and establish a formidable competitive advantage.
  • Avoid data breaches and consequential financial and reputational damage.

How identity security helps meet SOC 2 compliance requirements

Given that the trust service principles of SOC 2 aid in streamlining an organization’s identity and access management requirements, implementing a holistic identity security strategy can greatly boost compliance readiness.

The following table highlights the common SOC 2 compliance controls and their respective identity security requirements.

Principle Controls Identity Security Requirements
Control activities The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • Automatic identity workflow orchestration based on user roles and integration with IT service management (ITSM) tools.
Logical and physical access controls The entity implements logical access security software, infrastructure and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
  • Centralized vaulting and rotation of credentials to prevent credential theft.
  • Privileged session isolation to prevent the spread of malware.
  • Centralized monitoring across all employee and external service provider access to corporate resources.
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
  • Just-in-time (JIT) access with zero standing privileges (ZSP) to reduce the number of accounts and credentials with always-on privileged access.
  • Adaptive MFA to validate all user access.
  • Integrated lifecycle management, access certification and authentication.
The entity authorizes, modifies, or removes access to data, software, functions and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
  • Enable role-based access control (RBAC) and attribute-based access control (ABAC) to ensure users have access to only what they need. Besides, JIT access with ZSP can significantly reduce accounts with standing privileged access and guarded by easy-to-steal credentials.
  • Orchestrate identity workflows based on user roles and also integrate with ITSM tools.
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
  • Centrally monitor user behavior to detect anomalous activities and use adaptive MFA to for real-time authentication of all user access.
Risk mitigation The entity assesses and manages risks associated with vendors and business partners.
  • VPN-less, biometric native access for vendors with full session recording and isolation.
  • Vendor access provided outside of traditional directories and deprovisioned when not required to prevent unauthorized access.

Consequences of failing SOC2 compliance

Failing to meet SOC 2 compliance standards can have several serious consequences, even though there are no direct fines or penalties associated with failing a SOC 2 audit. Some of the potential repercussions are as follows:

  • Reputational damage: Organizations may suffer significant reputational damage, leading to loss of customer trust and confidence.
  • Financial loss: Non-compliance can result in financial losses due to potential data breaches, which can be costly to remediate.
  • Loss of business opportunities: Companies might lose existing clients or fail to attract new ones, as SOC 2 compliance is often a requirement for doing business with many organizations.

Learn more about SOC 2:

関連用語リスト