[Turbot On] Automated SOC2 Compliance

How we used Turbot Cloud to achieve our SOC2 Certification.

Last week we announced that Turbot has achieved SOC2 Type I compliance for Turbot Cloud (SaaS). It was great to see the whole company come together to level up our organization's processes as we continue to invest in building the most robust cloud governance platform our customers trust. Many SOC2 requirements are organizational policies and procedures; however, a number of them are technical controls, which we already satisfied by running Turbot on our own workloads. This week we look at how we approached those requirements, using Turbot to provide the technical control evidence that passed our SOC2 audit.

Traditional Workflow

Many of us have a visceral reaction when we hear the word 'audit'. Understandably so: in many organizations it is an intensive, manual process to review controls, collect evidence, and prove compliance. Since audits occur infrequently, preparedness follows suit, often as a last-minute fire drill. Like any manual process, it can become a huge distraction for the organization if not managed effectively.

Get it done with Turbot

With many of us at Turbot coming from enterprise risk management, compliance, and security backgrounds, we are the crazy few who hear the word 'audit' and happily run towards it. This culture is baked into our product: Turbot's automated governance controls continuously audit the environment and enforce adherence to company controls.

There are 33 primary SOC2 controls. Many are satisfied by organizational policies and procedures, but 60% are technical controls that require ongoing evidence that your organization is in adherence.

Example of SOC2 CC6.7:

SOC2 Trust Services Criteria CC6.7 concerns restricting the transmission, movement, and removal of information to authorized parties and protecting it along the way; in practice the key control is ensuring data is encrypted. With Turbot, you can use the encryption at rest and encryption in transit guardrails to ensure your data is encrypted at all times. Turbot has consistent encryption controls across AWS, Azure, and GCP for every cloud service that exposes an encryption configuration.

For this example, we use the AWS S3 Buckets Encryption at Rest control to show how to comply with CC6.7. Let's do it!

After running a quick assessment in my demo environment, I see that I have 28 unencrypted buckets:

We can create a policy setting to correct these immediately and have Turbot continuously manage them over time.

After setting the policy, Turbot's automated enforcement applied encryption to all of the buckets immediately. You can see the activity from Turbot updating the resources in my account:

With this policy set, Turbot enforces encryption continuously, and the activity log in the Turbot console becomes a real-time audit report that is always up to date.

Now with all my buckets successfully encrypted, my unencrypted AWS S3 Bucket report looks much cleaner :)
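The assess-then-enforce loop above is easy to reason about outside of any one tool, so here is an added example (not Turbot's code, and not part of the original post) of the underlying logic: classify each S3 bucket from the shape of its s3:GetBucketEncryption response, list the non-compliant ones, and produce the s3:PutBucketEncryption body that remediates them. The bucket names, their configurations, and the KMS key alias are constructed sample data; a real run would populate the mapping from boto3 calls, treating a ServerSideEncryptionConfigurationNotFoundError as "no default encryption".

```python
"""Assess and remediate S3 default encryption (added example, not Turbot code).

The data structures mirror the AWS S3 API: GetBucketEncryption returns a
ServerSideEncryptionConfiguration ({"Rules": [...]}) and PutBucketEncryption
accepts the same shape. Everything here runs offline on constructed input.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory: bucket name -> ServerSideEncryptionConfiguration,
# or None where GetBucketEncryption would raise
# ServerSideEncryptionConfigurationNotFoundError (no default encryption set).
SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    "logs-prod": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    },
    "data-kms": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/data"}}]
    },
    "legacy-uploads": None,      # no default encryption configured at all
    "weird-empty": {"Rules": []},  # configuration present but no usable rule
}

# Algorithms S3 accepts for a default-encryption rule.
SSE_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")


def is_encrypted_at_rest(config: Optional[dict]) -> bool:
    """True if at least one rule applies a recognised SSE algorithm by default."""
    if not config:
        return False
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") in SSE_ALGORITHMS:
            return True
    return False


def unencrypted_report(buckets: Dict[str, Optional[dict]]) -> List[str]:
    """The 'unencrypted buckets' report: names that fail the control, sorted."""
    return sorted(name for name, cfg in buckets.items() if not is_encrypted_at_rest(cfg))


def desired_encryption_config(kms_key_id: Optional[str] = None) -> dict:
    """Build the PutBucketEncryption body: SSE-KMS with bucket keys if a key is
    given (hypothetical alias in the sample), otherwise SSE-S3 (AES256)."""
    if kms_key_id:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        default = {"SSEAlgorithm": "AES256"}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default,
                       "BucketKeyEnabled": bool(kms_key_id)}]}


def remediate(buckets: Dict[str, Optional[dict]],
              kms_key_id: Optional[str] = None) -> Tuple[Dict[str, dict], List[str]]:
    """Apply the desired configuration to every non-compliant bucket.

    Returns the post-remediation inventory and the list of buckets changed,
    which is the audit trail an assessor would want to see alongside the report.
    Only buckets that fail the control are touched; compliant ones keep their
    existing (possibly customer-managed KMS) settings.
    """
    fixed = dict(buckets)
    changed: List[str] = []
    for name in unencrypted_report(buckets):
        fixed[name] = desired_encryption_config(kms_key_id)
        changed.append(name)
    return fixed, changed


if __name__ == "__main__":
    print("Before:", unencrypted_report(SAMPLE_BUCKETS))
    after, changed = remediate(SAMPLE_BUCKETS, kms_key_id="alias/data")
    print("Changed:", changed)
    print("After:", unencrypted_report(after))
```

Two caveats a practitioner should keep in mind when using this as audit evidence. First, a default-encryption rule only governs objects written after it is set; objects uploaded earlier keep whatever encryption they had, so a complete CC6.7 story also needs a check of existing objects (or a bucket policy denying unencrypted PutObject). Second, since January 2023 S3 applies SSE-S3 to every new object by default, so a report like the one above now comes back empty on AES256 grounds and the meaningful finding becomes "not using the required KMS key", which is why the remediation takes a key id.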

Make it happen

We published a full mapping of SOC2 controls and COSO principles to Turbot features in our Turbot Development Kit (TDK). If you need any assistance getting this configured in your environment, please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!