SOC 2 focuses on the outer perimeter. For impenetrable security, focus on data

Antimatter HQ
December 11, 2023

SOC 2, a security auditing procedure developed by the American Institute of CPAs, is one of the most trusted and widely adopted certifications in tech. But we believe SOC 2 encourages an outdated perimeter defense paradigm and lacks focus on critical controls within the organization, especially at the data layer. Working to pass the SOC 2 auditing process can strengthen an organization’s security practices, and it’s certainly better to use SOC 2 as a guide than to shortchange security efforts. However, we argue that buyers should focus on a vendor's specific data security practices rather than the simple presence of a SOC 2 certification.

SOC 2’s flexibility contributes to its limitations. The principles and points of focus that make up SOC 2 are written in a deliberately broad manner to accommodate the wide variety of company types and computing environments. This allows for widespread uptake, but it also means that companies with vastly different security strengths and weaknesses can earn the same attestation. A SOC 2 badge isn’t meaningless, but it can create the illusion of objective, high-grade security while in fact representing a far more subjective measure.

SOC 2 contains 1,162 points of focus. As a framework for understanding where SOC 2 places emphasis, we mapped these points of focus to the layers of Defense-in-Depth, a security model that relies on a tiered, multi-pronged security environment designed to provide redundant protection against various types of security threats. Here’s how we broke things down:

  • Policies, Procedures, and Awareness: Focused on guidelines for employee behavior.
  • Physical: Focused on buildings, servers, and other physical resources.
  • Perimeter: Focused on firewalls, VPNs, and packet filters.
  • Internal Network: Focused on firewalls and intrusion detection.
  • Host: Focused on the platform OS, patches, and malware protection.
  • App: Focused on SSO, authentication, and authorization.
  • Data: Focused on database, content, and message security.

We found the breakdown across these tiers surprising. Most of SOC 2’s points of focus – 852 out of 1,162, or 73% – address the outermost ring: policies, procedures, and awareness.

Humans are the weakest link in any security model: the only part of a security environment that might succumb to a phishing email or write down a critical password on a Post-it. It might seem sensible to focus the bulk of a company’s security efforts on this outermost ring, and in the past it was. But encryption technology has advanced to the point where we can implement technical controls that eliminate much of the human risk factor. In today’s landscape, we believe focusing on the outer perimeter represents wasted effort. By nature, these outer rings are the most susceptible to failure — no matter how many boxes you check, they simply cannot be made impenetrable.

In direct contrast is the innermost layer: data encryption, addressed by just 6% of SOC 2’s points of focus. This layer can be made impenetrable if the right security features are implemented. Unfortunately, because SOC 2 is intentionally broad and, as a static document, cannot prescribe specific best-in-class technical solutions, its principles don’t guarantee safety at the data layer, or at any other layer.

At Antimatter, we’ve built a zero-trust infrastructure service that makes it simple for SaaS companies to give their customers complete, objective, verifiable control of their data – no trust, checklist, or strong perimeter necessary. With Antimatter, even if employees make serious mistakes, physical security is breached, or firewalls are bypassed, your data will remain safe. With our provable audit log, you can verify it for yourself.

If you’re an enterprise buyer reading this, we urge you to spend less time scanning SOC 2 checklists and more time asking how the data in a SaaS product is actually being protected.

Are you interested in seeing a demo of our zero-trust, provable solution? Please get in touch!