SOC 2 Clinic #5 - Securing Your Infrastructure

Securing your infrastructure is like securing your code—it’s multifaceted and essential. While a comprehensive guide to every best practice would be overwhelming (and, frankly, unnecessary here), let’s cut through the noise. This is about the essentials: how to control changes, log everything, and establish a solid foundation for security without overcomplicating things.

Let’s focus on the bare minimum you need to get started effectively.

Access Control

• Who and how do people access the cloud console and hosts?
  Implement role-based access control (RBAC) to grant access based on job responsibilities. For example, administrators might need full access, while developers only require limited access to specific resources.

• How do company roles map to permissions?
  Use IAM (Identity and Access Management) policies to define and enforce permissions. Align these with roles such as developer, admin, or auditor. Regularly audit these permissions to ensure they align with current responsibilities.

• How do you review and update this over time? MFA?
  Set up quarterly access reviews to verify that permissions are up-to-date. Require Multi-Factor Authentication (MFA) for all critical accounts and systems.

Backups

• Are you capturing backups in a way that meets your customers’ expectations?
  Ensure backups are encrypted, stored securely (e.g., AWS S3 with versioning and lifecycle policies), and compliant with customer agreements (e.g., retaining data for a specified duration).

• Do you test these routinely?
  Perform regular backup restore tests (e.g., monthly or quarterly) to confirm they work as intended and meet RTO/RPO (Recovery Time Objective/Recovery Point Objective) targets.

Change Management

• How do people make changes to the infrastructure, and how is this peer-reviewed?
  Use version-controlled repositories (e.g., GitHub, GitLab) and implement pull request workflows for peer reviews. Example: Before merging changes, require approval from at least two reviewers with sufficient knowledge of the infrastructure.

Configuration Scanning

• How do you monitor your infrastructure for misconfigurations? (e.g., unencrypted disks).
  Employ tools like AWS Config, HashiCorp Terraform, or open-source scanners such as Cloud Custodian to identify and remediate misconfigurations. For instance, scan for unencrypted storage volumes or overly permissive security group rules.

Data Handling

• How do you ensure your customer’s data is appropriately handled and protected from theft, modification, or inappropriate usage or viewing?
  Use data classification to label sensitive information and restrict access accordingly. Implement encryption both at-rest (e.g., using AWS KMS or Azure Key Vault) and in-transit (e.g., TLS 1.2+). Add audit logs to track who accessed what data and when.

Encryption

• How do you perform encryption at-rest/in-flight?
  For at-rest encryption, use cloud-native services such as AWS KMS or Azure Storage encryption. For in-transit encryption, enforce TLS 1.2 or higher for all communications.

• How do you manage these keys?
  Use a centralized Key Management Service (KMS) to create, store, and rotate encryption keys automatically. Follow least-privilege access for key usage.

Endpoint Management

• How do you know laptops are configured properly?
  Use endpoint management tools like Microsoft Intune or Jamf to enforce configurations (e.g., disk encryption, firewall settings). Regularly run compliance checks to ensure configurations are up-to-date.

• How would you detect malicious code?
  Deploy endpoint detection and response (EDR) tools such as CrowdStrike or SentinelOne to monitor and alert on suspicious activity.

Telemetry: Availability

• Are you centrally gathering the logs and metrics needed to detect availability incidents in your product?
  Use centralized logging and monitoring tools like Datadog, Splunk, or AWS CloudWatch. Define proactive alerts (e.g., high latency, resource exhaustion) to prevent downtime.

Telemetry: Security

• Are you centrally gathering logs across your cloud, hosts, and applications?
  Use Security Information and Event Management (SIEM) tools like Splunk, AWS GuardDuty, or Azure Sentinel to collect and analyze logs for suspicious activity.

• Do you have detection methods for bad actors?
  Implement automated anomaly detection for unusual logins, privilege escalations, or data transfers.

Vendor Management

• Do you have any vendors who could theoretically affect the availability, integrity, or confidentiality of your customer’s data?
  Maintain an up-to-date vendor inventory and classify vendors based on risk levels.

• How do you evaluate which vendors are safe to depend on?
  Perform risk assessments and review vendor certifications such as SOC 2 or ISO 27001. Ensure vendors sign agreements with clear security and compliance expectations.

Vulnerability Management

• How do you scan and remediate vulnerabilities in the hosts and containers?
  Use tools like Qualys, Nessus, or cloud-native vulnerability scanners (e.g., AWS Inspector or Azure Defender). Set up automated scanning pipelines and implement SLAs for remediating high/critical vulnerabilities within a specified time frame (e.g., 30 days for critical issues).

If you can confidently say you have a solid approach for each category above, you're likely in a strong position to pass a SOC 2 audit. While it’s possible to have a plan for a category that’s so weak it doesn’t meet the standard, this is generally the exception, not the rule. If you’re unsure about any gaps or need guidance, feel free to reach out to me via email—I’d be happy to help.

Best,

Adam

Check the previous issue about Software Development Life Cycle