SOC 2 is an audit framework that gives organisations a trusted, independent way to show that their controls for protecting, securing and using customer data actually work. Strictly speaking the result is an attestation report issued by a CPA firm rather than a certificate, but in practice cloud computing companies that want to win business increasingly need to demonstrate SOC 2 compliance. (If you’ve never heard of SOC 2 and want the full lowdown, check out our whitepaper here.)
Obtaining a SOC 2 report isn’t easy, though. An independent CPA firm has to conduct a thorough audit of your controls, which for a Type II report covers an observation period of several months and demands serious investment. It’s not something you want to fail and have to repeat.
The Five Categories of SOC 2 Compliance
There are five categories of SOC 2 compliance (the “Trust Services Criteria”): Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is the baseline and is covered by every SOC 2 audit; depending on the nature of the organisation under review, it will opt to include some or all of the other four as well.
One of the key criteria is Privacy. The Privacy criteria require that, in order to be covered for Privacy, a company operates in such a way that “personal information is collected, used, retained, disclosed, and disposed” in line with the company’s stated commitments and objectives. Companies must communicate transparently with data subjects about how their data is used, and must not use data beyond what has been explicitly allowed.
Here’s where KernelCare comes in. SOC 2 is deeply concerned with the systems that process personal data, and every one of those systems runs on a kernel. 95% of software companies apply Linux kernel patches the traditional way: install the new kernel package and reboot the server. But rebooting disrupts services and is a major headache for sysadmins, so kernel patching is routinely deferred to the next maintenance window, often for weeks if not months.
Staying Compliant with KernelCare
This gap between patch release and patch application puts proper privacy controls at risk. Once a fix is published, attackers can compare the patched and unpatched code to work out exactly what was fixed and start exploiting it, so every day a server keeps running the old kernel is a day personal data sits behind a known, fixable hole. Bear in mind that the kernel is one layer: a kernel live patch closes kernel vulnerabilities, while libraries and applications still need their own patch cadence.
What’s more, point xiii of the Privacy TSC requires that "the entity monitors compliance to meet its objectives related to privacy.” Every company has, among its objectives, honouring the terms of its insurance policies, and most of those policies require patches to be applied within around 30 days. If every kernel patch waits for a reboot window, that deadline is almost certainly being missed. Live patching lets you apply kernel fixes as soon as they are released, which keeps you within the policy terms and gives you a concrete, auditable patch-compliance control for the systems in scope.
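A practitioner reading the two paragraphs above will want to measure the gap on their own hosts rather than take it on trust. The script below is an added example, not KernelCare’s code, and it does not talk to the KernelCare agent: it compares the running kernel with the newest installed kernel package, reports the days elapsed since the fix shipped against an assumed 30-day window, and lists any patches enabled through the upstream kernel livepatch framework (the mechanism used by kpatch and Canonical Livepatch; KernelCare reports its own patch state through its own tooling). The version strings, package list and dates are constructed sample data; on a real host you would feed in `uname -r` and the kernel packages from your package manager.

```python
"""Patch-gap check for the reboot problem described above.

Added example, not KernelCare's code. The version strings, package list and
dates are constructed sample data; on a real host feed in `uname -r` for the
running kernel and the installed kernel packages from your package manager.
"""
import os
import re
from datetime import date

SLA_DAYS = 30  # patch window assumed from the 30-day insurance example above

# major.minor.patch and, optionally, the first number after the dash (the
# distro build); the flavour suffix ("-generic", ".el8.x86_64") is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_kernel_version(ver: str) -> tuple:
    """'5.15.0-91-generic' -> (5, 15, 0, 91) so versions compare numerically.
    Most security updates only bump the build number, so it must be compared."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised kernel version: {ver!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def newest_installed(installed) -> str:
    """The highest-versioned kernel package present on disk."""
    return max(installed, key=parse_kernel_version)


def reboot_pending(running: str, installed) -> bool:
    """True when a newer kernel is installed than the one in memory: the patch
    is on disk, but the host stays exposed until it reboots or is live patched."""
    return parse_kernel_version(newest_installed(installed)) > parse_kernel_version(running)


def enabled_livepatches(sysfs_dir: str = "/sys/kernel/livepatch") -> list:
    """Names of patches enabled through the upstream kernel livepatch framework
    (each loaded patch module gets a directory holding an 'enabled' flag).
    Returns [] when the framework is absent or nothing is loaded."""
    if not os.path.isdir(sysfs_dir):
        return []
    enabled = []
    for name in sorted(os.listdir(sysfs_dir)):
        try:
            with open(os.path.join(sysfs_dir, name, "enabled")) as fh:
                if fh.read().strip() == "1":
                    enabled.append(name)
        except OSError:
            continue
    return enabled


def exposure_report(running: str, installed, patch_released: date,
                    today: date, live_patched: bool = False) -> dict:
    """What an auditor wants to see: is the running kernel current, how many
    days since the fix was published, and whether the patch SLA is breached."""
    pending = reboot_pending(running, installed)
    days = (today - patch_released).days
    return {
        "running": running,
        "newest_installed": newest_installed(installed),
        "reboot_pending": pending,
        "live_patched": live_patched,
        "days_since_patch": days,
        "sla_breached": pending and not live_patched and days > SLA_DAYS,
    }


# Constructed sample: 5.15.0-94 was installed when the fix shipped on 10 Jan,
# but the host has not been rebooted since.
SAMPLE_RUNNING = "5.15.0-91-generic"
SAMPLE_INSTALLED = ["5.15.0-89-generic", "5.15.0-91-generic", "5.15.0-94-generic"]
SAMPLE_RELEASED = date(2024, 1, 10)
SAMPLE_TODAY = date(2024, 2, 25)

if __name__ == "__main__":
    for live in (False, True):
        rep = exposure_report(SAMPLE_RUNNING, SAMPLE_INSTALLED,
                              SAMPLE_RELEASED, SAMPLE_TODAY, live_patched=live)
        print(("live patched: " if live else "reboot-only:  ") + str(rep))
    print("upstream livepatches enabled on this host:", enabled_livepatches())
```

Run it across a fleet and the `sla_breached` field is the evidence an auditor asks for under the monitoring criterion: on the constructed sample the reboot-only host is 46 days past the fix and in breach, while the same host with the kernel fix live patched is not. The `live_patched` flag is deliberately an input, because on a KernelCare host it comes from the vendor agent rather than from `/sys/kernel/livepatch`.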
If you’re a cloud computing company, then SOC 2 should be at the forefront of your mind. And if you’re aiming to meet the Privacy criteria, don’t overlook your rebooting practice: every server waiting for a reboot window is running an unpatched kernel. Get live patching today, and make your privacy controls tighter right away.
To get fully up to speed on all things SOC 2, check out our whitepaper here.
To start using KernelCare today, and give yourself a better chance of securing a SOC 2 Privacy certification, go to kernelcare.com or buy KernelCare risk-free today!