Zero-Trust: How SOC 2 Compliance Can Help
The Cloud Security Alliance (CSA) has released the first in a series of research summaries culled from a survey about the adoption of so-called zero-trust cybersecurity principles. The results of that survey indicated that achieving and sustaining SOC 2 compliance can help ease, speed and spread adoption of zero-trust across almost any SMB or emerging enterprise.
What is Zero-Trust?
At its core, a zero-trust approach to cybersecurity can be as simple as “ABC” – assume nothing, believe no one, confirm everything. What this means in practice is that every attempt to connect to or access your business technology resources is challenged and validated. No one gets a free pass, not even the CEO or CIO.
In a zero-trust environment, user authentication is combined with authentication of each device attempting to connect, whether that device is on a corporate network or in a remote location. This is why zero-trust is sometimes referred to as “perimeterless” security.
The National Cyber Security Center (NCSC) of the United Kingdom (UK) has identified eight principles that are essential to zero-trust.
● Know your architecture, including all data, devices, services and users.
● Know your device, service and user identities.
● Assess the health of devices and services and user behaviors.
● Use policies to authorize requests consistently.
● Authenticate and authorize everything everywhere.
● Focus monitoring on devices, services, and users.
● Trust no network–including your own.
● Only choose services designed for zero-trust.
Other agencies offer similar guidelines for zero-trust. The U.S.-based non-profit National Cybersecurity Center says zero-trust networks log and inspect all traffic, control and limit network access and verify and secure network resources. And the U.S. National Institute of Standards and Technology (NIST) says zero-trust assumes no implicit trust is granted to any asset or user, regardless of physical or network location.
SOC 2 compliance has a rigorous focus on addressing cybersecurity risks. For example, specific SOC 2 Common Criteria (CC) address risks associated with unencrypted data on disk (CC 6.1) or active access credentials for terminated users (CC 6.2). Achieving and sustaining SOC 2 compliance can also provide support for your zero trust efforts.
Zero-Trust: A Snapshot of Reality
The survey garnered responses from 823 IT and cybersecurity professionals, including 219 C-level executives. Some 70% of those respondents are from companies with 2,000 or fewer employees, with half of those from companies that employ 500 or fewer people. Here are some top-line findings.
● 80% of C-level executives said zero-trust is a medium (41%) or high (39%) priority for their organizations.
● 94% are currently implementing one or more zero-trust strategies.
● 77% plan to increase their investments in zero-trust during the next 12 months.
Respondents were also asked about the reasons they are pursuing zero-trust. Among C-level executives, the top four reasons are attack surface reduction (35%), user experience simplification (34%), risk posture and resilience improvement (33%) and improved governance and accountability (32%). These goals also align closely with those of the requirements for SOC 2 compliance, in cybersecurity and beyond.
Achieving and sustaining SOC 2 compliance can help improve your cybersecurity and contribute to the progress of your journey toward full implementation of zero-trust. And a compliance automation solution that helps keep your business compliant can also help increase the resilience of your zero-trust IT environment. The monitoring and reporting features of such a solution can help ease and speed the identification and remediation of cybersecurity measures that fall out of compliance and increase business risk. SOC 2 compliance can also improve awareness, consistency, and enforcement of the HR and IT rules governing user and device access to your environment.
Zero-Trust: Next Steps
There are multiple paths to zero-trust, and multiple guides available. The most popular among survey respondents (35% of C-level executives and 33% of all respondents) is published by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). Others are available from the Institute of Electrical and Electronics Engineers (IEEE), NIST, the CSA itself and market analyst firms Forrester and Gartner.
If you are already pursuing SOC 2 compliance, discuss zero-trust with your auditor and either follow the guidelines they prefer or select and agree upon a set of guidelines with them. If you have not yet chosen an auditor, make sure a discussion of interconnections between SOC 2 and zero-trust requirements is part of your selection process. Do the same with every compliance automation solution vendor on your shortlist.
For more on SOC2 and cybersecurity, read “SOC 2 Compliance: Trends to Watch” and “SOC 2 Controls: Encryption of Data at Rest” and see the “Everything Compliance” video interview with cybersecurity expert Richard Stiennon.
