SOC 2 and Data Access Controls: What You Need to Know


Guest post by Schuyler Brown, co-founder strongDM

As a part of our Blissfully SOC 2 compliance series, we invited strongDM to write a guest blog post about the challenges of data access controls, and why database management is important in the scheme of completing a SOC 2 audit. Blissfully used strongDM in our SOC 2 technology stack, mapped to the audit requirement of logical and physical access controls. Read more in our recently published SOC 2 Compliance Playbook.

To successfully complete SOC 2, you will need to implement strict access controls to your data and demonstrate evidence proving they’re in place. It may sound like a straightforward process, but it’s harder in practice.

The Challenges of SOC 2 Data Access Controls

That’s because data is stored in many places. Some are easier to manage and monitor than others. Applications like Salesforce or Dropbox offer intuitive permissions and reporting. But the databases and servers on which your engineering teams rely don’t offer the same convenience.

The problem becomes even more complex because you don’t just have one database. You likely have dozens, if not hundreds, spread out across multiple environments. They’re probably a mix of several different database types (i.e. MySQL, MongoDB, Hadoop). Because each database type manages permissions and monitoring differently, it creates an enormous amount of work for your engineering team to implement and maintain.

That does not even begin to take into account the complexity of managing different permissions depending on the seniority and role of each staff member who requires access.

The math quickly becomes a rat’s nest of logistical complexity: A databases * B database types * C environments * D staff specific seniority * E staff = total number of credentials to manage.

That represents months of tedious work, so expect pushback from your team. To reduce the number of credentials to lock down, they might eliminate which databases are in scope for SOC 2. That may be okay, but a good litmus test is to ask yourself the following question: If the data stored in this database were leaked to hackers, would you care? The answer might be:

Nope, it’s all good: Congrats, you have fewer credentials to keep track of.

Somebody’s gonna get fired: Time to button up permissions and ensure monitoring is in place.

We’re going out of business: Why are you just reading this now?! Stop reading and start hiring dedicated infosec staff!

How to Assess Existing Controls

Once you’ve identified which databases and servers require protection, the next question is whether your existing controls are sufficient.

The answer includes two dimensions:

1. Coverage: Do you enforce these access controls across every database and server that is in scope?

2. Completeness: Is every staff member’s access managed by this formal onboarding and offboarding process? No exceptions.

If not, you will need to design and implement access controls that fulfill both dimensions.

Even if you answered “yes” to both questions, auditors won’t just take your word for it. They expect evidence proving these claims. That means you must monitor every staff member’s access to every application, database, and server. For example, could you answer a question like, “When were database credentials revoked for all former staff?”

How long would it take to gather that data? All the evidence in the world isn’t helpful if it requires weeks to dig up. These logs need to be easily accessible whenever an auditor asks.

Finally, have you verified the logs are producing the evidence you expected? It’s not uncommon for engineers to turn off logs on databases because they are impacting performance. You don’t want to suddenly discover that was the case in the aftermath of a data breach or audit. Regularly test these logs to confirm they’re still in place.

SOC 2 it To ‘Em

To summarize, SOC 2 requires you to define, enforce, and monitor access to sensitive data wherever it is stored. This can be a big challenge, but with the guidelines above and the recommendations included in the Blissfully SOC 2 Compliance Playbook, you should be on your way.