How to achieve SOC 2 compliance when everyone is working from home
The coronavirus pandemic is affecting companies of all sizes all over the world and significantly impacts how many service companies deliver their services. The recommendation for social distancing is driving many employers to direct their employees to work from home, which may represent a material deviation from how they perform their daily tasks. But compliance activities don’t have to be put on hold during these challenging times. Below you can read about some of the tools we use to achieve and retain compliance while being a completely remote company.
Last year KernelCare achieved SOC 2 compliant status without a single offline meeting, for two simple reasons:
- KernelCare is a completely remote business, so we had our compliance procedures set up long before the pandemic;
- We are using our own products to achieve and retain SOC 2 compliance. You can read about it in our latest article for InfosecurityMagazine.
Anyone working in DevOps will have come across an SLA, a Service Level Agreement. An SLA is a contract that describes the service one party provides to another. In our case, we are both supplier and consumer. SLAs are expressed in measurable terms. A popular metric is system uptime, or less formally, a certain number of nines. An SLA is then an agreement that uses these figures as a basis on which to document how an IT department and its systems must perform: it is an objective view of performance.
Tools we use at KernelCare to keep our infrastructure compliant remotely
Here are our own experiences with making our Linux servers compliant remotely.
Nobody knows when the next Linux kernel vulnerability report will come. If we tried to measure and monitor KPIs manually, every new batch of vulnerability reports would overwhelm my staff, and our continued SOC 2 compliance status would be at risk.
Naturally, as system engineers, we don’t do things manually when we can automate, either by inventing tools ourselves, or by buying them in. At KernelCare, we already know that Linux kernel vulnerability detection and management can be easily automated. Here are some of the tools we use:
- Tenable Nessus is a popular vulnerability scanner. We use it to regularly inspect our systems’ software inventory and tell us when any component has a patch available.
- To reduce the vulnerability gap to its absolute minimum, we automate the installation process using Spacewalk.
- For dealing with the problem of conflicting KPIs mentioned above, we naturally turned to our own KernelCare product to live patch the kernels on our Linux servers without stopping or interrupting them: KernelCare patches Linux kernels without rebooting.
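The workflow above (scanner reports a fix, the fix is applied automatically, kernel fixes land as live patches) only satisfies an auditor if the "vulnerability gap" is actually measured. The following is an added illustration, not KernelCare's own code or any tool's real output: it computes the gap between a fix becoming available and the fix being applied, per host and package, flags findings outside an assumed 24-hour SLA, and counts how many kernel fixes were applied without a reboot. The scanner findings and install records are constructed sample data; in practice the same fields would be exported from the scanner and the patch-management system.

```python
"""Vulnerability-gap KPI from scanner findings and patch-install records.

Illustrative example (not KernelCare's code). All input data below is
constructed; the field layout is an assumption, not Nessus or Spacewalk's
real export format.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed scanner findings: (host, package, fix_available_at).
FINDINGS: List[Tuple[str, str, str]] = [
    ("web-01", "openssl", "2020-03-02T09:00:00"),
    ("web-01", "kernel",  "2020-03-03T14:00:00"),
    ("db-01",  "kernel",  "2020-03-03T14:00:00"),
    ("db-01",  "bash",    "2020-03-05T08:00:00"),
]

# Constructed install records: (host, package, applied_at, method).
# "livepatch" marks a kernel fix applied without a reboot; db-01/bash has
# no record yet, so it is still an open finding.
INSTALLS: List[Tuple[str, str, str, str]] = [
    ("web-01", "openssl", "2020-03-02T15:30:00", "spacewalk"),
    ("web-01", "kernel",  "2020-03-03T16:00:00", "livepatch"),
    ("db-01",  "kernel",  "2020-03-03T16:05:00", "livepatch"),
]


@dataclass
class GapRecord:
    host: str
    package: str
    gap_hours: float          # fix-available -> applied (or -> now if open)
    method: Optional[str]     # None while the finding is still open
    within_sla: bool


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def compute_gaps(findings, installs, sla_hours: float, now: str) -> List[GapRecord]:
    """Join findings with install records and measure the gap for each.

    Open findings are measured up to `now`, so a finding that has simply
    been ignored still shows up as an SLA breach instead of disappearing.
    """
    applied_by_key: Dict[Tuple[str, str], Tuple[str, str]] = {
        (host, pkg): (applied, method) for host, pkg, applied, method in installs
    }
    records: List[GapRecord] = []
    for host, pkg, available in findings:
        available_at = _parse(available)
        hit = applied_by_key.get((host, pkg))
        if hit is not None:
            applied_at, method = _parse(hit[0]), hit[1]
        else:
            applied_at, method = _parse(now), None
        gap = (applied_at - available_at).total_seconds() / 3600.0
        records.append(GapRecord(host, pkg, gap, method, gap <= sla_hours))
    return records


def kpi_summary(records: List[GapRecord]) -> Dict[str, float]:
    """Roll the per-finding gaps up into the numbers an auditor asks for."""
    total = len(records)
    met = sum(1 for r in records if r.within_sla)
    still_open = sum(1 for r in records if r.method is None)
    reboots_avoided = sum(1 for r in records if r.method == "livepatch")
    return {
        "total": total,
        "within_sla": met,
        "sla_rate": (met / total) if total else 1.0,
        "open": still_open,
        "reboots_avoided": reboots_avoided,
    }


if __name__ == "__main__":
    recs = compute_gaps(FINDINGS, INSTALLS, sla_hours=24, now="2020-03-06T10:00:00")
    for r in recs:
        status = "OK " if r.within_sla else "BREACH"
        print(f"{status} {r.host:8} {r.package:8} {r.gap_hours:6.2f}h via {r.method}")
    print(kpi_summary(recs))
```

The point of measuring open findings against `now` is that a missing install record must count against the SLA; a KPI that only averages over completed installs would look better every time a patch is forgotten.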
The third reason for KernelCare being compliant is our in-house team of compliance experts, whom you can ask any questions about the best practices of SOC 2 compliance for remote businesses right in the comments to this blog post.