
What Is SOC 2?

A robust and positive security posture is vital in an era where cyberattacks proliferate. Cyberthreats such as ransomware and phishing continue to challenge companies of all sizes and in all sectors. Supply chain attacks have also become a serious issue, with surveys by the World Economic Forum finding that 90% of respondents were concerned about the cyber resilience of third parties. Frameworks are designed to guide companies in implementing a robust security posture. One such framework is SOC 2 (System and Organization Controls 2), which helps organizations assess risk and improve the operating effectiveness of their controls.

What is SOC 2 compliance?

SOC 2 originated at the American Institute of Certified Public Accountants (AICPA) and falls under the umbrella of AICPA’s Trust Services Criteria, which facilitate auditing and reporting on the controls a service organization uses to secure information. SOC 2 reports cover data security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report attests whether the controls used by the service organization meet some or all of the five SOC 2 criteria.

Risk management must extend to third parties. SOC 2 offers a framework to check whether a service organization has achieved and can maintain robust information security and mitigate security incidents. SOC 2 is used to audit the security posture of third-party vendors to ensure that they meet the level of protection expected by your organization.

How Akamai helps organizations meet SOC 2 compliance

Akamai security solutions provide intelligence and end-to-end protection to protect data from breaches and accidental exposure, and prevent unauthorized access through robust access control policy enforcement. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution for the protection and privacy of data. 

Akamai provides:

  • A global security platform that enforces Zero Trust security with comprehensive coverage of your IT environment
  • Deep visibility into assets, access, and network flows
  • Granular enforcement of security policy and protection of personally identifiable information (PII)

What are the five Trust Services Criteria of SOC 2?

Diagram displaying the words in a circle describing the five Trust Services Criteria of SOC 2 certification: security, availability, processing integrity, confidentiality, and privacy.

A SOC 2 audit covers five aspects of data handling that, when correctly implemented, form a coherent and robust cybersecurity posture. AICPA’s Assurance Services Executive Committee (ASEC) is responsible for the Trust Services Criteria (TSC), and its Trust Information Integrity Task Force is responsible for their technical accuracy. ASEC describes the five Trust Services Criteria of SOC 2 as follows:

  1. Security: data protection and system security against unauthorized access and data exposure. Security also includes protection against system damage that could result in the loss of availability, integrity, and confidentiality of data.
  2. Availability: reliability of systems needed for the entity to maintain operations.
  3. Processing integrity: system processing must be complete, valid, accurate, timely, and authorized.
  4. Confidentiality: data classified as “confidential” must be protected to meet the entity’s objectives.
  5. Privacy: information must be collected, used, retained, disclosed, and disposed of to meet the entity’s objectives on data privacy.

A service provider that demonstrates compliance with some or all of the five Trust Services Criteria (as appropriate) shows its commitment to information security.

How important is SOC 2 to your organization?

SOC 2 applies to technology service providers and SaaS companies that store, process, or handle customer data. It also extends to other third-party vendors that handle or provide data and applications, and is used to demonstrate the systems and safeguards in place to ensure data integrity. SOC 2 compliance can inform purchasing decisions and is part of managing the risks associated with vendors.

Cloud and IT service providers

According to Thales and 451 Research, 66% of businesses store up to 60% of their sensitive data in the cloud. The share of companies experiencing a data breach involving a cloud application also increased from 35% in 2021 to 45% in 2022. Demonstrating SOC 2 compliance allows a technology vendor to prove that it uses security controls such as two-factor authentication. This is an essential competitive differentiator in an era when cloud and IT services are potentially high-risk areas. Cloud security breaches that affect an entire supply chain are increasingly common; a cloud or IT service provider that demonstrates SOC 2 compliance shows that information security is a core value.

Clients of cloud and IT service providers

By choosing a vendor with proven SOC 2 assurance, your organization gains a transparent audit trail, with SOC reports defining the risks and the controls used by the third-party vendor. These standards and information security measures carry over into your organization, providing the assurance of data security needed to meet internal standards and regulatory requirements.

Other connected supply chain vendors

Supply chain attacks increased by more than 600% in 2021/2022. Attacks such as the exploitation of the MOVEit Transfer zero-day showed how impactful and broad these attacks have become. Akamai’s security research on the MOVEit attack found alarming numbers of vulnerable internet-facing servers. Vulnerabilities of this kind are targeted by cybercriminals who compromise supply chain vendors to reach more lucrative networks higher up the chain. Supply chain vendors that prove SOC 2 compliance can demonstrate their commitment to data security.

Akamai solutions for SOC 2 compliance

Akamai provides a comprehensive solution family that delivers Zero Trust security to help in SOC 2 compliance by providing the means to achieve SOC 2 Trust Services Criteria. Our leading security solutions are recognized as best in class by our customers, who use Akamai to protect sensitive data across the expanded modern IT environment. Akamai’s security portfolio has grown from a collection of point solutions to a comprehensive and powerful Zero Trust platform. The company’s world-class solutions provide the security controls required to meet SOC 2 requirements for data security, availability, integrity, confidentiality, and privacy. Akamai delivers deep visibility into your IT environment, critical assets, access requirements, and network flow across your expanded infrastructure, including suppliers.

Zero Trust security and SOC 2 compliance

The control of access and authorization to use data is a critical aspect of information security under SOC 2. Developing a Zero Trust approach to data security is a way to map all five Trust Services Criteria to robust security measures.

SOC 2 security measures that are used in the creation of a Zero Trust security approach include:

  • Identity and access management of both humans and devices
  • API protection across data flow and ecosystems
  • Multi-factor authentication (MFA)
  • Intrusion detection
  • Visibility and monitoring to apply proportional authorization
  • Least privilege rights to minimize data access
  • Data encryption

Frequently Asked Questions (FAQ)

SOC 2 is an audit report that attests to the effectiveness of a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy.

SOC 1 and SOC 2 differ in their fundamental purpose and scope. SOC 1 focuses on the integrity of a customer’s financial controls and the accuracy of financial data. SOC 2, by contrast, focuses on the internal controls that protect data, assessed against the five Trust Services Criteria, and has a broader scope, covering all service providers, including cloud services.

Service providers storing customer data in the cloud need a SOC 2 report, and it is crucial for technology and cloud computing companies. A SOC 2 audit is carried out by a certified SOC 2 auditor, an independent AICPA-affiliated CPA (certified public accountant). The audit covers some or all of the Trust Services Criteria (TSC); which TSC are audited depends on the type of company. For example, a SaaS vendor would likely be audited against the security, availability, and confidentiality criteria.

The scope of the audit also depends on the type of organization. Large companies may choose to audit specific sections of the company or products. The auditor will require complete documentation and policies that demonstrate your security models. Having a documented Zero Trust model in place will help with the process.

Maintaining SOC 2 compliance requires annual audits against the five Trust Services Criteria.

Why customers choose Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
