Achieving SOC 2 compliance with Lacework
March 23, 2022
As a growing number of companies shift to the cloud, SOC 2 compliance has become more important than ever. SOC 2 is an attestation standard within the System and Organization Controls (SOC) framework developed by the American Institute of Certified Public Accountants (AICPA). During a SOC 2 audit, an independent CPA firm examines the controls and processes by which an organization stores, handles, and transmits data, measured against the AICPA Trust Services Criteria. A successful audit produces a report attesting that those controls are suitably designed (Type I) and, for a Type II report, operated effectively over the review period. Since SOC 2 is aimed at service organizations that store and process customer data, which today usually means in the cloud, demonstrating compliance is a critical component of gaining customer trust. For more details on the core tenets of SOC 2, please see our previous blog on the topic.
Proving SOC 2 compliance can be time-consuming and expensive for businesses of all sizes. While its flexible framework gives organizations leeway in how they meet the criteria, the process of gathering evidence can eat up precious time. Moreover, businesses new to SOC 2 often find the process costly and risky, and some spend extra resources on a readiness assessment (a pre-audit) to reduce the chance of findings in the final audit.
For small and medium-sized businesses (SMBs), meeting compliance can put further strain on teams already stretched thin. Many SMBs, for example, rely on 2-3 engineers or analysts to keep up with security needs as their organization grows. Fortunately, as Forrester Consulting found in a recent study of Lacework, our platform has helped customers avoid the need for hiring a full-time employee to review compliance configurations within their cloud environment. Without Lacework, a participant in this study said, “We would need to have a full-time employee review and maintain knowledge around benchmarks, and they would need to review the current configurations and flag any noncompliance issues.” Using Lacework allowed the organization to achieve compliance without any additional expertise, while also cutting down on expenses.
Lacework simplifies and automates the compliance process to help SMBs, and all organizations, reach their goals. We make SOC 2 audits easier by providing a comprehensive view of your cloud environment and mapping the cloud configuration checks we run to the SOC 2 controls they support. You can run Lacework reports at any time to review your environment's compliance status, whether it is a single cloud or multicloud. Lacework also facilitates the audit itself by letting you generate a report that shows exactly how your cloud environment implements each SOC 2 control, which you can hand directly to an auditor as evidence.
Essentially, Lacework acts as a flight recorder for your environment. It collects and organizes SOC 2-relevant data so that auditors' evidence requests can be answered quickly, which drastically reduces your security team's workload. Because the data is retained over time, you can also review how a configuration changed during the audit period, which is what a Type II report requires you to demonstrate.
The Lacework Polygraph® Data Platform helps with many SOC 2 requirements, notably the Common Criteria covering logical access (CC6) and system operations (CC7), including:
- Vulnerability scanning for hosts and containers
- Cloud configuration compliance across multiple clouds
- User behavior analysis
- Host intrusion detection (HIDS) for hosts, containers, and Kubernetes
- File integrity monitoring (FIM) for hosts, containers, and Kubernetes
- Anti-malware detection for hosts, containers, and Kubernetes
SMB customers like Sift, a leader in the digital trust and safety industry, have benefited from these capabilities. To support an upcoming SOC 2 audit, the Sift team needed to add file integrity monitoring, vulnerability detection, intrusion detection, and additional compliance reporting capabilities to their technology stack. Lacework provided these capabilities in a single platform. “Using the Lacework platform, we were able to reduce our security budget by 50%,” explained Scott Kleven, Sift’s Security Program Leader. “It’s allowed us to use our small security team to cover a much broader breadth. It’s all done in a complete package, with a single pane of glass, with the click of a button.”
Whatever the size and structure of your organization, Lacework is ready to help with your SOC 2 compliance needs. For more information on how you can use Lacework to simplify your SOC 2 journey, check out our SOC 2 solution brief or our Tevora whitepaper on simplifying continuous security and SOC 2. And for small businesses using AWS, we have an ebook that offers guidance on topics including achieving compliance through automation.