Cloud Computing and SOC 2

As more businesses begin to shift their interests to Cloud Computing, there are concerns regarding security-related risks.  First, let’s discuss the “Cloud”.

Cloud computing is a new way of delivering computing resources, not a new technology.  Cloud computing providers give end users the ability to access applications via the internet.  As Cloud computing is achieving increased popularity, security concerns have become paramount with the adoption of this new computing model.  The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as the characteristics of this innovative deployment model differ widely from those of traditional architectures.

The risks associated with the cloud varies because it not a single model.  The cloud caters to a broad spectrum of services ranging from onsite virtual servers to software accessed by multiple organizations over the Internet.

A recent guide published by TechTarget highlights the potential for security breaches and the task of managing Cloud security.  Most notable in the areas of:

  • Data Protection
  • Virtual Desktop Infrastructure (VDI ) Security
  • Network Security
  • Virtualization Security


The information security risks associated with cloud computing depend upon both the service model and the delivery model adopted.  In the past providers obtained a SAS 70 Type II audit.  The audit was heavily scrutinized because a selectively chosen set of standards which are determined by the auditor and the service organization can vary widely.

The AICPA established a Service Organization Controls (SOC) reporting framework identified simply as SOC 1, SOC 2 and SOC 3 to provide the public and CPAs with a definitive understanding of the reporting options for service organizations.

While SOC 1 is the report of the service auditor related to internal controls over financial reporting (ICFR), the intent of an SOC 2 report is to be conducted when ICFR is not affected by the service organization.  The AICPA” Trust Service Principles” are the foundation for SOC 2 reports and are as follows:

  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing Integrity – System processing is complete, accurate, timely, and authorized.
  • Security – The system is protected against unauthorized access both physical and logical.
  • Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

SOC 2 reports allow cloud providers to communicate information about their services and the suitability of the design and operating effectiveness of their controls to customers.

The best approach to managing risk in the cloud is one of good IT governance covering both cloud and internal IT services.  Before shifting to cloud computing, service organizations should make sure, the cloud provider has been audited with SOC 2 report.