In a previous blog, I detailed how Clumio’s data protection platform for Amazon RDS was used in a SOC 2 audit led by the AICPA to demonstrate that proper backup and restoration was implemented for a critical data source. In this blog, I’ll talk about the broader aspects of data protection, information security, and compliance requirements in the 2017 Trust Services Criteria that SOC 2 is based upon.
Service Organization Control 2 (commonly referred to as SOC 2) is a report, produced by an independent auditor, on the controls of a service organization that provides services to other organizations. The report details how your organization implemented the 2017 TSC (Trust Services Criteria) guidance and how effectively the controls operated during the period covered by the report (usually 6 months or more). SOC 2 compliance signals to customers, and demonstrates through the compliance report, that the services performed meet a standardized set of quality controls. These certifications, including SOC 2, are extremely valuable in the prevention of data breaches.
There are 5 criteria, encompassing data security and various security practices:
These are complemented by a set of Common Criteria. Most organizations select, design, and implement controls for Security, Confidentiality, and Availability at a minimum. The Common Criteria must be addressed regardless of which additional criteria are selected.
CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
If you’re using a cloud service provider like Amazon Web Services (AWS), you get the benefit of AWS’s physical and environmental controls protecting its data centers. However, your backup media storage would typically be snapshots in your AWS accounts. These reside in your account, within the same administrative domain as your online data. This is undesirable from a security standpoint, especially if an incident such as a ransomware attack gives someone control over your account: if they control your account, they control your backups. If your data is protected by Clumio, by contrast, your backup media is in a separate administrative domain, using a dedicated encryption key. Adding 2-factor authentication or an external SAML-based identity provider to your Clumio account provides additional protection.
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Specifically for CC6.7, I’m examining this point of focus:
Clumio’s platform has encryption built in, with options for a Clumio-managed key or bring-your-own-key. Check!
Now, we can look at some more challenging controls for many organizations:
1. CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.
There are several points of focus in this control, but I’ll concentrate on these:
2. CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Consider this point of focus, with an additional emphasis on data processing and the importance of proper data encryption:
Certainly, these controls should be front-of-mind in the current climate of constant cyberthreats.
A great feature of Clumio, which makes use of cloud computing, is the ability to do what we call “cross-account recovery”. I can attach multiple AWS accounts to my Clumio environment and protect assets like EC2 instances, EBS volumes, S3 buckets, etc. However, when I recover, I can choose to restore some or all of these assets into any AWS account I’ve attached, not just the account the data sources were originally protected in. It allows companies to simulate an audit process, a feature that’s crucial in compliance audits. This means I can have an AWS account attached and ready to perform recovery from an incident. Not only can this aid recovery tremendously if there is an actual incident, it also lets me simulate that exact procedure for testing and refinement purposes. The core of approaches like SOC 2 and ISO 27001 is that procedures are tested, refined, expanded, and improved over time. Recovery of your environment 1 year ago may not be the same as recovery of your environment next week. You may have added new data or resources critical to the environment’s operation over the last year. Frequent testing and updating of your recovery procedures should be a cornerstone of a healthy operation.
Now, for more specific controls paired with elements like data encryption and data processing. In the Availability trust service criteria, consider:
A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives.
The specific points of focus to think about in these controls are:
(in A1.2)
(in A1.3)
Clumio’s platform focuses on a policy-driven approach for data protection. You select criteria for assets to be backed up, via asset name, type, grouping, tags, etc. You then construct a policy, and optionally a time window that determines when and how frequently your assets are protected. This powerful method supplies clear design and implementation of the listed points of focus in control A1.2 above, in addition to ensuring standards for data processing and encryption.
For A1.3, the emphasis is on business continuity and its close relative, disaster recovery. This control is also closely related to the CC7.5 control above, as a security incident could easily trigger the need to engage your business continuity/disaster recovery procedures. It bears repeating that testing your procedures is critically important. There’s no “easy” button, but testing the integrity and restorability of your data protected in Clumio is easy through the UI and automatable through the API.
The last controls we’ll talk about are part of the Confidentiality criteria. Here they are:
The points of focus are:
These points can be difficult depending on how your data is stored. However, the policy-based approach to data protection can mitigate some of the difficulties. Concepts such as retention periods, Recovery Time Objective (RTO), and Recovery Point Objective (RPO) are easy to implement via policies, and identification of the assets that require protection can be easier with tag-based policies. If your organization deals with personal data or other forms of covered information, this can be a significant aid.
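As an added example (not Clumio’s code or API), the following Python sketch models the policy-driven approach described for A1.2 and for the Confidentiality points above: assets are selected by type and tags, and each in-scope asset is checked against the policy’s backup frequency (its effective RPO) and retention period, so unprotected or stale assets surface as findings an auditor could ask about. The `Policy` and `Asset` fields and the sample inventory are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy model: tag/type-based selection, a backup frequency
# (the effective Recovery Point Objective) and a retention period.
# RTO is deliberately absent: it can only be shown by a restore test (A1.3).
@dataclass
class Policy:
    name: str
    asset_types: set          # e.g. {"ebs", "rds"}
    required_tags: dict       # every key/value must be present on the asset
    frequency: timedelta      # a backup must exist at least this often
    retention: timedelta      # copies older than this should have expired

@dataclass
class Asset:
    asset_id: str
    asset_type: str
    tags: dict
    backups: list = field(default_factory=list)   # UTC timestamps of copies

def selects(policy, asset):
    """Tag-based selection: covered type plus all required tags."""
    return asset.asset_type in policy.asset_types and all(
        asset.tags.get(k) == v for k, v in policy.required_tags.items())

def evaluate(policy, assets, now):
    """Return {asset_id: [issues]} for every in-scope asset (empty list = compliant)."""
    findings = {}
    for a in assets:
        if not selects(policy, a):
            continue                                  # out of scope for this policy
        issues = []
        if not a.backups:
            issues.append("no_backup")                # in scope but never protected
        elif now - max(a.backups) > policy.frequency:
            issues.append("rpo_breach")               # newest copy is too old
        expired = [b for b in a.backups if now - b > policy.retention]
        if expired:
            issues.append(f"retention_expired:{len(expired)}")
        findings[a.asset_id] = issues
    return findings

def demo():
    """Constructed inventory: daily backups, 30-day retention, SOC 2-tagged assets."""
    now = datetime(2021, 3, 1, 12, tzinfo=timezone.utc)
    policy = Policy("soc2-daily", {"ebs", "rds"}, {"soc2-scope": "true"},
                    timedelta(hours=24), timedelta(days=30))
    h, d = timedelta(hours=1), timedelta(days=1)
    assets = [
        Asset("vol-a", "ebs", {"soc2-scope": "true"}, [now - 6 * h, now - 30 * h]),
        Asset("db-b", "rds", {"soc2-scope": "true"}, [now - 40 * h]),
        Asset("vol-c", "ebs", {"soc2-scope": "true"}, []),
        Asset("vol-d", "ebs", {"soc2-scope": "true"}, [now - 2 * h, now - 45 * d]),
        Asset("vol-e", "ebs", {"env": "dev"}, []),    # untagged: not selected
    ]
    return evaluate(policy, assets, now)
```

Running `demo()` reports `vol-a` as compliant, `db-b` as an RPO breach, `vol-c` as in scope with no backup, and `vol-d` as holding one copy past retention; the untagged `vol-e` is simply not in scope.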
In the final calculus, many organizations have significant burdens for data protection. The needs are multifold: you must ensure your data is protected securely, and you must be able to demonstrate the procedures that protect your data and make it recoverable. The controls detailed here are just a fraction of the requirements for a SOC 2 audit, but they’re critical controls that have benefits far beyond the scope of a compliance report. To learn more about how Clumio can both protect your data securely and make your audits go a bit smoother, schedule a customized demo with a cloud expert.
To hear more information on SOC 2 compliance along with expert tips to help you pass your next SOC 2 audit, sign up for the Simplifying SOC 2 Compliance webinar, an excellent resource for those in governance roles.