Professional Documents
Culture Documents
How Strongdm Helps With Soc2 Compliance
How Strongdm Helps With Soc2 Compliance
For organizations evaluating SaaS or cloud services providers, compliance with SOC 2 is a minimum
requirement as it confirms to the customer that the provider has implemented certain security policies
strongDM itself is SOC 2 Type 2-certified, and below are the specific requirements where strongDM can
The entity implements logical access security software, inf rastructure, and architectures over protected information assets
CC6.1
to protect them f rom security events to meet the entity's objectives.
hardware, data (at-rest, during processing, or in Support for Role-Based Access Control
components is restricted through the use of access time access, with least-privilege by default.
inf rastructure.
Requirement Detail s o g MF
tr n D eature s
Identification and authentication requirements are Federate with your identity provider or use
Manages Identification established, documented, and managed for strongDM's native authentication, which
and Authentication individuals and systems accessing entity information, allows administrators to set minimum
Manages Credentials for prior to being granted access credentials and Store credentials in a hardened AWS vault or
Infrastructure and implemented on the network or access point. configure your own secret store to work with
assessed risk.
vault.
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and
CC6.2 external users whose access is administered by the entity. For those users whose access is administered by the entity, user
Controls Access Information asset access credentials are created resource in the last hop using stored
Credentials to Protected based on an authorization f rom the system's asset credentials, which are stored securely with
manager ( H ashiCorp V
ault, AWS Secrets
Manager, G
CP Secret Manager).
j
Protected Assets When Processes are in place to remove credential access ust-in-time access to resources through the
U
Appropriate when an individual no longer requires such access. strongDM admin
provider.
I or through your identity
Reviews Appropriateness The appropriateness of access credentials is reviewed Admins can define and enforce the
available.
To learn m o
re a bo ut s o g Mo osg
tr n D r t i p fo
n u r a d
em o, v s www.strongdm.com
i it
Requirement Detail strongDM Features
6.3
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets
’ j
CC based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege
’
to Protected Information protected information assets based on authorization
The strongDM AccessBot can also be used to
Assets f rom the asset s owner.
grant temporary access within applications
Removes Access to Processes are in place to remove access to protected strongDM enables admins to revoke access
Protected Information information assets when an individual no longer instantly or on a time-bound basis (i.e.,
Uses Role-Based Access Role-based access control is utilized to support strongDM admins grant access based on
The appropriateness of access roles and access rules Administrators can use the strongDM CLI to
is reviewed on a periodic basis for unnecessary and view users, roles, and access at any time over
Reviews Access Roles and
inappropriate individuals with access and access the past 13 months, providing both current
Rules
rules are modified as appropriate. and historical "point in time" access details.
CC 6.6 The entity implements logical access security measures to protect against threats f rom sources outside its system
boundaries.
The types of activities that can occur through a driver restricts the communication over that
Restricts Access communication channel (for example, FTP site, connection to that specific driver protocol.
router port) are restricted. SSH cannot be tunneled through a port set
Requires Additional Additional authentication information or credentials As an additional layer of security, strongDM
Authentication or are required when accessing the system f rom supports MFA through an organization's
CC6.7 ’ j
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and
processes, and protects it during transmission, movement, or removal to meet the entity s ob ectives.
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that
result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
The entity monitors system components and the operation of those components for anomalies that are indicative of
CC7.2 malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives ; anomalies are analyzed to
Implements Detection in the operation or unusual activity on systems. strongDM captures every action, including
Policies , Procedures , and Procedures may include (1) a defined governance every user, authentication, q H
uery, SS , and
T ools
process for security event detection and RDP command as well as administrator
management that includes provision of resources ; (2) actions such as permissions changes.
; (3)
g
actions of authorized personnel use of strongDM's audit logs can be automatically
Desi ns Detection
compromised identification and authentication streamed to a SIEM of your choice to
; (4)
Measures
credentials unauthorized access f rom outside the facilitate anomaly detection.
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its
CC7.3 objectives ( security incidents ) and, if so, takes actions to prevent or address such failures.
-
CC7.4
The entity responds to identified security incidents by executing a defined incident response program to understand,
/
Procedures are in place to contain security incidents
Contains Security Incidents revoke access to systems data sources for
that actively threaten entity objectives.
accounts that may be compromised.
g O g g
strongDM enables admins to immediately
/
Miti ates n oin Security Procedures are in place to contain security incidents
revoke access to systems data sources for
Incidents that actively threaten entity objectives.
accounts that may be compromised.
x
An understanding of the nature (for e ample, the
method by which the incident occurred and the
Obtains Understanding of affected system resources) and severity of the security strongDM provides comprehensive audit
Nature of Incident and incident is obtained to determine the appropriate logs for all access to configured data
Determines Containment 1
containment strategy, including ( ) a determination of sources, which are critical in security
Strategy 2
the appropriate response time f rame, and ( ) the incident investigations.
x
determination and e ecution of the containment
approach.
CC7.5 The entity identifies, develops, and implements activities to recover f rom identified security incidents.
Improves Response and Lessons learned are analyzed and the incident-response Use audit logs to analyze incidents and to
Recovery Procedures plan and recovery procedures are improved. develop appropriate responses.
Change Management
The entity authorizes, designs, develops or ac quires, configures, documents, tests, approves, and implements changes to
81
CC .
inf rastructure, data, software, and procedures to meet its objectives.