May 20, 2022

Demystifying SOC 2 Data Protection Requirements

Glenn Mulvaney
Demystifying SOC 2 Data Protection Requirements

In a previous blog, I detailed how Clumio’s data protection platform for Amazon RDS was used in a SOC 2 audit led by the AICPA to demonstrate that proper backup and restoration was implemented for a critical data source.  In this blog, I’ll talk about the broader aspects of data protection, information security, and compliance requirements in the 2017 Trust Services Criteria that SOC 2 is based upon.

What does it mean to be SOC 2 compliant?

Service Organization Control 2 (commonly referred to as SOC 2) is a report on controls for service organizations that provide services to other organizations, conducted by an independent auditor. The report details how your organization implemented the 2017 TSC (Trust Services Criteria) guidance (PDF) and how effective the controls operated during the period of time covered by the report (usually 6 months or more). SOC 2 compliance is an indicator to customers and proves with compliance reports, that they can trust that the services performed meet a standardized set of quality controls. These certifications, including SOC 2, are extremely valuable in the prevention of data breaches.

There are 5 criteria, encompassing data security and various security practices:

  • Security
  • Confidentiality
  • Availability
  • Processing Integrity
  • Privacy

and along with a set of Common Criteria. Most organizations select, design, and implement controls for Security, Confidentiality, and Availability at a minimum. Common Criteria have to be addressed regardless of the additional criteria selected.

Common Criteria as they relate to data protection obligations

CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

If you’re using a cloud service provider like Amazon Web Services (AWS), you’ve got the benefit of AWS’s physical and environmental controls that protect their data centers. However, your backup media storage typically would be snapshots in your AWS accounts. These reside in your account, within the same administrative domain as your online data. This can be undesirable from a security standpoint, especially if an incident like a ransomware attack allows someone control over your account. If they’ve got control of your account, they’ve got control of your backups.  However, if your data is protected by Clumio, your backup media is in a separate administrative domain, using a dedicated encryption key. Adding 2-factor authentication or an external SAML-based identity provider to your Clumio account allows for additional protection.

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Specifically for CC6.7, I’m examining this point of focus:

  • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate.

Clumio’s platform has encryption built in, with options for a Clumio-managed key or bring-your-own-key. Check!

Now, we can look at some more challenging controls for many organizations:

1. CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.

There are several points of focus in this control, but I’ll focus on these:

  • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed.
  • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved.
  • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis.

2. CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Consider this point of focus, with an additional emphasis on data processing and the importance of proper data encryption:

  • Considers Mitigation of Risks of Business Disruption — Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity’s objectives during response, mitigation, and recovery efforts.

Certainly, these controls should be front-of-mind in the current climate of constant cyberthreats.

A great feature of Clumio, which makes use of cloud computing, is the ability to do what we call “cross-account recovery”.   I can attach multiple AWS accounts to my Clumio environment and protect assets like EC2 instances, EBS volumes, S3 buckets, etc.  However when I recover, I can choose to restore some or all of these assets into any AWS account I’ve attached, not just the account the data sources were originally protected in. It allows companies to simulate an audit process, a feature that’s crucial in compliance audits. This means I can have an AWS account attached and ready to perform recovery from an incident.  This not only can aid recovery tremendously if there is an actual incident, but it allows me to simulate that exact procedure for testing and refinement purposes. The core of approaches like SOC 2 and ISO 27001 are that procedures are tested, refined, expanded, and improved over time. Recovery of your environment 1 year ago may not be the same as recovery of your environment next week. You may have added new data or resources critical to the environment’s operation over the last year. Frequent testing and updating of your recovery procedures should be a cornerstone of a healthy operation.

Availability trust service criteria

Now, for more specific controls paired with elements like data encryption and data processing. In the Availability trust service criteria, consider:

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.

A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives.

The specific points of focus to think about in in these controls are:

(in A1.2)

  • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required.
  • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur.
  • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.

(in A1.3)

  • Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.
  • Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis

Clumio’s platform focuses on a policy-driven approach for data protection. You select criteria for assets to be backed up, via asset name, type, grouping, tags, etc. You then construct a policy, and optionally a time window that determines when and how frequently your assets are protected. This powerful method supplies clear design and implementation of the listed points of focus in control A1.2 above, in addition to ensuring standards for data processing and encryption.

For A1.3, the emphasis is on business continuity and its close relative, disaster recovery. This control is also closely related to the CC7.5 control above, as a security incident could easily trigger the need to engage your business continuity/disaster recovery procedures. It bears repeating that testing your procedures is critically important. There’s no “easy” button, but testing the integrity and restorability of your data protected in Clumio is easy through the UI and automatable through the API.


The last controls we’ll talk about are part of the Confidentiality criteria.  Here they are:

  1. C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
  2. C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.

The points of focus are:

  • Identifies Confidential information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
  • Protects Confidential Information From Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
  • Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
  • Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.

These points can be difficult depending on how your data is stored. However, the policy-based approach to data protection can mitigate some of the difficulties. Concepts such as retention periods, RTO, and RPO are easy to implement via policies, and identification of the assets that require protection could be easier with tag-based policies. If your organization deals with personal data or other forms of covered information, this can be a significant aid.


In the final calculus, many organizations have significant burdens for data protection. The needs are multifold: you must ensure your data is protected securely, and you must be able to demonstrate the procedures that protect your data and make it recoverable. The controls detailed here are just a fraction of the requirements for a SOC 2 audit, but they’re critical controls that have benefits far beyond the scope of a compliance report. To learn more about how Clumio can both protect your data securely and make your audits go a bit smoother, schedule a customized demo with a cloud expert.

To hear more information on SOC 2 compliance along with expert tips to help you pass your next SOC 2 audit, sign up for the Simplifying SOC 2 Compliance webinar, an excellent resource for those in governance roles.