When it comes to your data, and your customers’ data, you can never be too careful or too secure. According to the Accenture 2019 Cost of Cybercrime report, the average cost of cybercrime to a U.S. company was $27.4 million in 2018, a 29% jump over the previous year, while the 2018 Cost of a Data Breach Study from Ponemon and IBM found the average cost of a single data breach to be $3.86 million. And CIOs don’t expect the situation to get any better any time soon. A 2019 Ponemon study found that “80 percent of IT business leaders anticipate a critical breach or successful cyberattack over the coming year.”
These are staggering numbers that underscore the importance of backup and disaster recovery to fight against ransomware, malware and other advanced persistent threats. When choosing a solution to fit your business, it’s critical to ask questions and do your research, both before you sign with a cloud service provider and on a consistent basis afterward.
In fact, some of the most common questions we get from customers revolve around security.
- How do you protect my company’s data from potential threats?
- What critical security controls have you implemented to ensure the security of my company’s data?
- What types of testing are performed to ensure the effectiveness of the security controls that you have implemented?
- How can you be sure a service provider has really prepared for all the potential issues?
One major security framework that we hear about a lot is SOC 2 (Service Organization Control 2). By going through a detailed, thorough audit, service providers can be designated as SOC 2 compliant. We went through this process; ClearSky Data is 100 percent SOC 2 compliant. It’s important to us and to our customers, because if a company completes this process, you know it adheres to a strict set of principles around securely managing your data.
So let’s look at what exactly being SOC 2 compliant means, why it’s important for a service provider like ClearSky and how it addresses customer security concerns.
What is SOC 2 compliance?
The Service Organization Control reporting platform was developed by the American Institute of CPAs (AICPA) to help companies get a handle on the complex, diverse security issues out there, and to provide a framework for service providers to measure against. SOC 2 compliance covers companies that provide services like data hosting, colocation, data processing and software-as-a-service (SaaS), and is based on five “trust services principles” that reflect different criteria for managing customer data: security, privacy, availability, processing integrity and confidentiality.
The five SOC 2 principles
The SOC 2 principles double as a great way for customers to organize their requirements and concerns – if you think about managing data, most of the aspects fall into one of these categories. To be compliant, service providers must have clear, well-documented, proven strategies around all five of these topics.
- Security means system resources are protected against all types of unauthorized access. Typical controls include network and application firewalls, two-factor authentication and intrusion detection.
- Privacy addresses how the system collects, uses, retains, discloses and disposes of personal information, and how that process aligns with the organization’s privacy notice and with the AICPA’s generally accepted privacy principles (GAPP). It includes access control, two-factor authentication and encryption.
- Availability looks at how accessible a company’s services, products and systems are, based on the contracts and service level agreements (SLAs) it has. It includes performance monitoring, disaster recovery and security incident handling.
- Processing integrity, at its base, asks if a system achieves what it’s meant to do – does it process data the way it promises, in a timely manner, with authorization, and with the performance and price agreed upon. It involves quality assurance and process monitoring.
- Confidentiality relates to data whose access and/or disclosure is limited to specific groups. It involves encryption, access controls, and network and application firewalls.
Why does SOC 2 matter?
It’s important to note that no vendor is required to be SOC 2 compliant; it’s a voluntary process, but compliance with it is increasingly becoming a recognized symbol of how serious a company is about data protection.
Any company that chooses to go down this path has security at the forefront of its operations. After all, the certification process is a months-long endeavor, conducted by impartial outside auditors.
SOC 2 compliance is well worth the effort. It’s a very tangible way for ClearSky to ensure that your data, and your customers’ data, is handled using the strict guidelines mentioned above. It’s more than checking a box; it’s a commitment that goes to the very heart of our relationship as a service provider to our customers.
To learn more about securing your data in the cloud, read the white paper, “Securing the New Model for Enterprise Storage.”