Is your Cloud Provider SOC Compliant?

You entrust your data, your email, and your software to cloud companies. But how do you know if your cloud provider is built to operate in the right way? You can’t just up and visit every vendor to see how they build, test, and implement their services. A SOC report does that checking for you, by creating a standard of compliance in securing data.

At AZTS we have our SOC 2 reports issued by a team of third-party auditors. Our hosting solutions, datacenters, controls, security and operational policies are all examined to verify and assure our clients that their data is securely managed and protected.

What is SOC?

This can get pretty complicated pretty fast, so let’s just stick with the basics. SOC stands for Service Organization Control, and was developed by the American Institute of CPAs (AICPA). There are three types of SOC:

  • SOC 1 is aimed at internal control over financial reporting, and is primarily used for banks and investment firms that store financial data.
  • SOC 2 is for companies that store or process data, but is more focused on a company’s non-financial reporting controls. This is what we’ll talk about more.
  • SOC 3 is similar to SOC 2, but the report is designed for general use. These reports are shorter and do not include the same details as a SOC 2 report.

Let’s go back to SOC 2, since that’s what we’re focusing on for cloud providers. The SOC 2 assessment is specifically focused on controls for up to five different principles – Security, Privacy, Availability, Confidentiality, and Processing Integrity. SOC 2 reports are unique to each organization.

[Figure: SOC 2 compliance chart with certification qualities]

SOC 2 reports are either type 1 or type 2. A type 1 report is like a snapshot at a particular point in time. It creates a starting point that establishes what kind of controls a company has in place and creates a baseline for all future reports.

A type 2 report shows that a provider is executing proper activities over a long period of time and essentially details the effectiveness of those activities.

Why is SOC Important for Cloud Providers?

Obtaining a SOC 2 certification is a rigorous process. A third-party CPA firm will visit the vendor’s datacenter and perform the assessment to define the effectiveness of the cloud provider’s service to clients.

This report and certification is significant to clients because it verifies that a cloud provider effectively implements and practices what they say they do. Even if you don’t have compliance requirements, a SOC 2 report is a written form of assurance that your data is protected.

Transitioning from managing your own data to considering cloud hosting options can create uncertainty. If you are assessing potential cloud providers, using a company that has a SOC 2 certification gives you transparency into what to expect of the provider.

How to Choose a Cloud Provider

Think of your cloud hosting provider like you would a long-term business partner. They’re someone you’ll work with year after year, and they will be an essential part of your organization’s success. As such, the act of selecting the appropriate vendor shouldn’t be taken lightly.

Generally speaking, if a provider has gone through the steps to have a SOC 2 report issued, they’re invested in operating a solid business. Compliance certifications like SOC 2 are just one way cloud providers meet the highest industry standards.

At AZTS we commit ourselves to supporting our clients’ need for their sensitive information to be both secured and available for use at all times. We are happy to answer any questions you might have about SOC 2 compliance. If you’re curious about our IT services and how they can improve your organization, send us an email!