How To Scale SOC 2 Compliance Across Cloud Apps

What is SOC 2?

If your organization stores customer data in the cloud, it is essential to embrace SOC 2 compliance. SOC stands for System and Organization Controls; SOC 2 is a framework through which organizations communicate relevant information about the effectiveness of their cybersecurity risk management program to third parties. Following the framework is the first step, but to really reap the benefits of SOC 2 and truly operationalize it, organizations need to make sure controls are improved over time and continuously monitored.

By continually following the SOC 2 compliance framework, organizations can:

  • Improve the controls and regularly monitor for malicious or abnormal activity, including documenting system configuration changes and monitoring user access levels.
  • Be better prepared to recognize threats and alert appropriate stakeholders so necessary action is taken to protect data and systems from unauthorized access or use.
  • Have full context surrounding security incidents, including the scope of the issue, better remediation systems and steps to restore data. 

Achieving SOC 2 compliance not only assures your current and prospective customers that you are securing and protecting their data, but it is also a best practices framework that helps improve your organization’s security in a consistent and predictable manner. Security is always a continuous process, and becoming SOC 2 compliant helps refine this process; however, it is never complete. Attackers routinely change tactics, infrastructure constantly changes, and threat models evolve at the speed of business.

Before your organization can become SOC 2 compliant, audits must be completed that examine the controls you have in place and determine whether you are taking the appropriate steps to ensure that customer data is protected and secure within your operations. As organizations move more of their operations into the cloud, commonly using more than one cloud provider, the SOC 2 compliance process is becoming increasingly difficult. According to IDC, by 2022, over 90% of enterprises worldwide will be relying on a mix of on-premises/dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs. It’s no longer a matter of if your organization will be moving to the cloud; it’s a matter of when. Understanding the challenges of monitoring cloud controls within these environments will better position your organization for success.

Why is SOC 2 difficult? 

When becoming SOC 2 compliant, internal audits are completed by members of the compliance team and sometimes by external auditors. Auditors and compliance specialists must work closely with the information security teams to pull data as evidence to complete audits. The challenge here is that current methods of pulling data for SOC 2 certification evidence take months, are expensive, and can be a frustrating back-and-forth process between auditors, information security, and compliance teams.

If your organization does not have the tools in place to easily monitor your cloud environments, the process of answering auditors’ questions becomes tedious, manual, and a time drain. Data must be pulled from every cloud application that contains customer information. Typically, data is collected from each of the cloud applications by the information security team, downloaded to a CSV file or similar, then shared with the compliance team to review and extract information for evidence. As data is reviewed, gaps in cloud controls that pose security risks are uncovered and require the security team’s immediate attention to fix. Having the information security team spend time locating and downloading the data, sharing it with the compliance team, and continuously fixing the gaps is not only a monotonous and time-consuming task; ultimately it pulls the security team’s focus away from actively monitoring, securing, and defending the organization.

As the COVID-19 pandemic and the shift to remote work escalated data breaches in 2020, the volume of compromised records jumped 141% from 2019 to 37 billion exposed records, the largest number seen since 2005. Companies that store customer information are under the obligation to complete SOC 2 audits when requested by their customers and vendors. This has become more common as data breaches become part of the daily news feed, like the recent SolarWinds breach. With the increased frequency and severity of data breaches, it is understandable that companies entrusting other organizations with their data are on high alert about how that data is secured.

Imagine if there was a tool that could bridge the gap between compliance and security teams, instantly give you visibility into your cloud environment, and continuously monitor your cloud controls to answer your auditor’s questions in minutes instead of months. This is why we built Fletch. 

How can Fletch help?

Our vision at Fletch is to eliminate the endless busywork of compliance, so organizations can expedite sales, answer auditors’ questions before they are even asked, and save money and countless hours. Fletch helps companies get the compliance checkbox marked faster and leverage SOC 2 best practices to properly secure their environment, which means saving time and money.

Fletch lets the people who are securing your organization focus on doing that, rather than pulling data and trying to answer the auditor’s questions. Fletch has automated and simplified the complex, time-consuming, and tedious process of evaluating your cloud controls as you prepare for a SOC 2 audit. Whether you run your business on one or all three major clouds (Amazon Web Services, Google Cloud Platform, Microsoft Azure), Fletch has you covered. By continuously asking dozens of questions of your data, Fletch highlights the gaps that pose a security risk across your cloud infrastructure, all in one place, and alerts you to misconfigurations.

Knowing that cloud controls are continuously monitored gives the organization and the leadership team peace of mind. This process can also help organizations reduce their cyber insurance costs, as they can provide evidence of best practices.

Examples of insights Fletch provides:

  • All audit log stores have write permission restrictions enabled.
  • All assets have received patch updates in the past 24 hours.
  • No unpatched CVEs present in Azure in the past 7 days.
  • Multifactor authentication is enabled for all users.
  • No changes to IAM roles or users.
  • No software is transferred between trusted and untrusted networks.

Fletch will instantly give you visibility into the answers to questions like:

  • What controls affecting SOC 2 compliance failed in the last week? 
  • What is the exact list of failed controls?
  • What is the exact list of entities (users/accounts, systems, systems accounts, credentials, groups, roles, VMs, firewalls, endpoints, etc.) failing each control?
  • How many days has the entity failed that control?
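The two lists above describe the same pattern: evaluate a control against each day's cloud state, list the entities that fail it, and track how long each has been failing. The following is an added illustration of that evaluation over constructed daily snapshots; it is not Fletch's code, and the snapshot field names (mfa, write_restricted, iam_changes) and control names are assumptions, not any provider's real schema.

```python
from datetime import date, timedelta

# Constructed daily snapshots of cloud state. The field names (mfa,
# write_restricted, iam_changes) are assumptions, not a provider's real schema.
SNAPSHOTS = {
    date(2021, 3, 1): {
        "users": {"alice": {"mfa": True}, "bob": {"mfa": False}},
        "log_stores": {"audit-logs": {"write_restricted": True}},
        "iam_changes": [],
    },
    date(2021, 3, 2): {
        "users": {"alice": {"mfa": True}, "bob": {"mfa": False}},
        "log_stores": {"audit-logs": {"write_restricted": False}},
        "iam_changes": ["role/admin"],
    },
    date(2021, 3, 3): {
        "users": {"alice": {"mfa": True}, "bob": {"mfa": True}},
        "log_stores": {"audit-logs": {"write_restricted": False}},
        "iam_changes": [],
    },
}

# Each control maps one day's snapshot to the entities that fail it.
CONTROLS = {
    "mfa_enabled_all_users": lambda s: sorted(
        u for u, a in s["users"].items() if not a["mfa"]),
    "audit_log_write_restricted": lambda s: sorted(
        n for n, a in s["log_stores"].items() if not a["write_restricted"]),
    "no_iam_role_changes": lambda s: sorted(s["iam_changes"]),
}

def failed_controls(snapshots, controls, as_of, days=7):
    """Controls that failed within the last `days` days, with the exact
    list of entities that failed each one."""
    failed = {}
    for day, snap in snapshots.items():
        if as_of - timedelta(days=days) < day <= as_of:
            for name, check in controls.items():
                for entity in check(snap):
                    failed.setdefault(name, set()).add(entity)
    return {name: sorted(ents) for name, ents in failed.items()}

def days_failing(snapshots, controls, control, entity, as_of):
    """Consecutive days, ending at `as_of`, that `entity` has failed `control`."""
    count, day = 0, as_of
    while day in snapshots and entity in controls[control](snapshots[day]):
        count, day = count + 1, day - timedelta(days=1)
    return count
```

Calling `failed_controls(SNAPSHOTS, CONTROLS, date(2021, 3, 3))` answers the first three questions for the week, and `days_failing` answers the fourth for any control/entity pair it returns.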

Ready-to-use Analytics for Cloud Compliance 

Unlike the manual process of pulling data or using data analytics platforms that start out empty and leave it to the user to figure out all of the data plumbing, upkeep, and visualization, Fletch’s ready-to-use analytics handles a lot of the hard work for you. With ready-to-use analytics, the amount of time it takes to get started is dramatically shortened from months to minutes, eliminating the busy work so you can quickly gain visibility into your environment. 

It takes 15 minutes to connect your data; Fletch then automatically indexes, normalizes, and triangulates your logs, metrics, and metadata within hours. Within 24 hours, Fletch surfaces actionable insights, vetted by top industry experts, that tell you where you stand. Fletch continuously monitors your cloud controls, gives you instant visibility into your cloud environment, and:

  • Is extremely easy to set up.
  • Requires virtually no heavy lifting.
  • Takes 15 minutes to connect your data, and within 24 hours, you’ll gain visibility into your selected Cloud environments. 

We are currently in closed beta. If you are interested in joining the closed beta program, please sign up below or email us directly at SOC2@fletch.ai