Last week we announced that Turbot has achieved SOC2 Type I compliance for Turbot Guardrails Cloud (SaaS). It was great to see the whole company come together to level up our organization’s processes to continue our investment in building the most robust cloud governance platform that our customers trust. Much of SOC2 compliance requirements are organizational policies and procedures, however there are a number of technical controls which we already satisfied using Turbot Guardrails on our own workloads. This week we will look at how we approached our SOC2 requirements using Turbot Guardrails to provide the technical control evidence to pass our SOC2 audit.
This post looks at how we approached our SOC2 requirements using Turbot Guardrails to provide the technical control evidence to pass our SOC2 audit.
Traditional Workflow
Many of us have a visceral reaction when we hear the word ‘audit’. Understandably, in many organizations it’s an intensive, manual process to review controls, collect evidence, and prove your compliance. Since audits occur infrequently, preparedness follows suit, often as a last minute fire drill. Like any manual process, this can become a huge distraction for the organization if not managed effectively.
Get it done with Turbot Guardrails
With many of us at Turbot coming from enterprise risk management, compliance, and security backgrounds, we are the crazy few that hear the word ‘audit’ and happily enjoy running towards it. This type of culture is baked into our product, as Turbot Guardrails automated governance controls are continuously auditing the environment and ensuring adherence to company controls.
There are 33 primary SOC2 controls, while many are satisfied by organizational policies & procedures, 60% are technical controls which require ongoing evidence your organization is in adherence.
Example of SOC2 CC6.7:
SOC2 Trust Criteria CC6.7 key control is to ensure data is encrypted. With Turbot Guardrails, you can use encryption at rest and encryption in transit guardrails to ensure your data is encrypted at all times. Turbot Guardrails has consistent encryption controls across AWS, Azure, and GCP services for applicable cloud services which allow for encryption configurations.
For this example, we can use the AWS S3 Buckets Encryption at Rest control to show how to comply with CC6.7. Let's do it!
After doing a quick assessment in my demo environment, I see that I have 28 buckets unencrypted:
We can create a policy setting to correct these immediately, and have Turbot Guardrails continuously manage them over time.
After setting the policies, Turbot Guardrails automated enforcements applied Encryption on all the buckets immediately. You can see all the activity from Turbot Guardrails updating the resources in my account:
With this policy set, Turbot Guardrails will always enforce encryption at all times; and the logging in the Turbot Guardrails console becomes a real-time, continuously running audit report that is always up-to-date.
Now with all my buckets successfully encrypted, my unencrypted AWS S3 Bucket report looks much cleaner.
Make it happen!
We published a full mapping of SOC2 Controls and COSO Principles to Turbot Guardrails Features in our Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!