SOC 2 matters. Once you get certified, you can prove to businesses that you’re able to secure sensitive customer data in the cloud. This makes them much more likely to do business with you. More and more, SOC 2 certification is a must-have for any cloud computing enterprise. (For everything you need to know about SOC 2, check out our whitepaper here.)
But: Gaining SOC 2 certification is a major undertaking. A third-party CPA firm conducts a thorough audit, over many months, at significant cost to the company. You will want to give yourself the best possible chance of passing the audit on the first go.
The Five Areas of SOC 2 Compliance
SOC 2 compliance is broken down into five areas (or “Trust Services Criteria”): Security, Availability, Processing Integrity, Confidentiality and Privacy. Depending on the unique circumstances of the organisation, companies will opt to aim for certification in one, some or all of these areas. (The auditor helps in deciding which of the TSC to aim for, and what constitutes success.)
One of the key criterion is Security. SOC 2 regulations state that, in order to obtain a Security certification, a company must operate in such a way that “information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.” Data must be protected throughout its life cycle, and the systems doing the protecting must be secure. There must be failsafe processes in place to detect and correct errors.
KernelCare and SOC 2
Here’s where KernelCare comes in. SOC 2 is deeply concerned with systems. 95% of software companies apply patch updates to their Linux kernel by rebooting their servers. Because reboots interrupt services and cause major stress for sysadmins, kernel patching is often delayed, for weeks or even months. This gap between patch issue and patch application is a key security risk. Every day that a vulnerability is discovered but not patched is another day when you are at risk.
This systems-level flaw is the sort of thing that a SOC 2 auditor will not look kindly on. The Security TSC contains the requirement that “information and systems are protected against unauthorized access” and “unauthorized disclosure of information.” Kernel vulnerabilities – such as the recent high-profile Zombieload – represent problems at the very heart of a computing system. Sometimes they allow info to be read or leaked, sometimes they can crash the system. In the worst case scenario, once an unauthorized attacker has exploited the kernel, they can get anywhere, and access everything, including the most sensitive customer data, for months or years. If you’re avoiding or delaying patching because of reboots, then you’re simply not as protected as you could be.
If you’re a cloud computing company, then getting SOC 2 certification should be at the forefront of your mind. And if you’re looking to fulfill the Security criteria, then you shouldn’t overlook your rebooting practices. Get live patching today, and make yourself instantly more secure.
To get fully up to speed on all things SOC 2, check out our whitepaper here.
To start using KernelCare today, and give yourself a better chance of securing a SOC 2 Security certification, go to kernelcare.com