What Is SOC 2?

A robust and positive security posture is vital in an era where cyberattacks proliferate. Cyberthreats, such as ransomware and phishing, continue challenging companies across all sizes and all sectors. Also, supply chain attacks have become a serious issue, with surveys by the World Economic Forum finding that 90% of respondents were concerned about the cyber resilience of third parties. Frameworks are designed to help guide companies in implementing a robust security posture. One such framework is SOC 2 (System and Organization Controls 2), which works to establish risk and improve operating effectiveness.

What is SOC 2 compliance?

SOC 2 originated at the American Institute of Certified Public Accountants (AICPA) and came under the umbrella of AICPA’s Trust Services Criteria, which facilitate auditing and reporting on the controls used by a service organization to secure information. SOC 2 reports capture data security, availability, processing integrity, confidentiality, and privacy. In addition, SOC 2 reports ensure that the controls used by the service organization can meet some or all the five SOC 2 criteria.

Risk management must extend to third parties. SOC 2 offers a framework to check whether a service organization has achieved and can maintain robust information security and mitigate security incidents. SOC 2 is used to audit the security posture of third-party vendors to ensure that they meet the level of protection expected by your organization.

How Akamai helps organizations meet SOC 2 compliance

Akamai security solutions provide intelligence and end-to-end protection to protect data from breaches and accidental exposure, and prevent unauthorized access through robust access control policy enforcement. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution for the protection and privacy of data.

Akamai provides:

A global security platform that enforces Zero Trust security with comprehensive coverage of your IT environment
Deep visibility into assets, access, and network flows
Granular enforcement of security policy and protection of personally identifiable information (PII)

What are the five Trust Services Criteria of SOC 2?

Diagram displaying the words in a circle describing the five Trust Services Criteria of SOC 2 certification: security, availability, processing integrity, confidentiality, and privacy.

SOC 2 audit covers five aspects of data handling that, when correctly implemented, will form a coherent and robust cybersecurity posture. The ASEC Trust Information Integrity Task Force is responsible for the technical accuracy of the Trust Services Criteria (TSC). AICPA’s Assurance Services Executive Committee is responsible for the TSC and describes the five Trust Services Criteria of SOC 2 as the following:

Security: data protection and system security against unauthorized access and data exposure. Security also includes protection against system damage that could result in the loss of availability, integrity, and confidentiality of data.
Availability: reliability of systems needed for the entity to maintain operations.
Processing integrity: system processing must be complete, valid, accurate, timely, and authorized.
Confidentiality: data classified as “confidential” must be protected to meet the entity’s objectives.
Privacy: information must be collected, used, retained, disclosed, and disposed of to meet the entity’s objectives on data privacy.

A service provider demonstrating compliance with some or all of the five trust service principles (as appropriate) shows commitment to information security.

How important is SOC 2 to your organization?

SOC 2 applies to technology service providers or SaaS companies that store, process, or handle customer data. SOC 2 extends to other third-party vendors that handle/provide data and apps and is used to demonstrate the systems and safeguards in place to ensure data integrity. SOC 2 compliance can help to make purchase decisions and is a part of risks associated with vendor management.

Cloud and IT service providers

According to Thales and 451 Research, 66% of businesses store up to 60% of their sensitive data in the cloud. Also, the number of companies experiencing a data breach involving a cloud application increased from 35% in 2021 to 45% in 2022. Demonstrating compliance with SOC 2 allows a technology vendor to prove they use security controls, such as two-factor authentication. This is an essential competitive differentiator in an era when cloud and IT security are potentially high-risk service areas. Cloud security breaches that impact the entire chain are increasingly common; a cloud and IT service provider that demonstrates SOC 2 compliance will prove that information security is a core value.

Clients of cloud and IT service providers

By choosing a vendor with proven SOC 2 assurance, your organization will have a transparent audit with SOC reports defining the risks and controls used by the third-party vendor. These standards and information security measures will percolate into your organization, providing the assurance of data security needed for internal standards and regulatory requirements.

Other connected supply chain vendors

Supply chain attacks increased by more than 600% in 2021/2022. Attacks such as the zero-day MOVEit Transfer proved how impactful and broad these attacks have become. Akamai’s security research around the MOVEit attack found alarming numbers of vulnerable internet-facing servers. These sorts of vulnerabilities are targeted by cybercriminals who use supply chain vendors to access lucrative networks higher up the chain. Supply chain vendors who prove SOC 2 compliance can demonstrate their commitment to data security.

Akamai solutions for SOC 2 compliance

Akamai provides a comprehensive solution family that delivers Zero Trust security to help in SOC 2 compliance by providing the means to achieve SOC 2 Trust Services Criteria. Our leading security solutions are recognized as best in class by our customers, who use Akamai to protect sensitive data across the expanded modern IT environment. Akamai’s security portfolio has grown from a collection of point solutions to a comprehensive and powerful Zero Trust platform. The company’s world-class solutions provide the security controls required to meet SOC 2 requirements for data security, availability, integrity, confidentiality, and privacy. Akamai delivers deep visibility into your IT environment, critical assets, access requirements, and network flow across your expanded infrastructure, including suppliers.

Zero Trust security and SOC 2 compliance

The control of access and authorization to use data is a critical aspect of information security under SOC 2. Developing a Zero Trust approach to data security is a way to map all five Trust Services Criteria to robust security measures.

SOC 2 security measures that are used in the creation of a Zero Trust security approach include:

Identity and access management of both humans and devices
API protection across data flow and ecosystems
Multi-factor authentication (MFA)
Intrusion detection
Visibility and monitoring to apply proportional authorization
Least privilege rights to minimize data access
Data encryption

Frequently Asked Questions (FAQ)

SOC 2 is an audit report that attests to the effectiveness of a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy.

SOC1 and SOC 2 differ in the fundamentals of purpose and scope. SOC 1 focuses on the integrity of customer financial controls and the accuracy of financial data. Whereas SOC 2 focuses on internal controls that protect data using the five Trust Services Criteria, SOC 2 has a broader scope, covering all service providers, including cloud services.

Service providers storing customer data in the cloud need a SOC 2 report. It’s crucial for technology and cloud computing companies. SOC 2 certification is carried out by a certified SOC 2 auditor, an independent AICPA-affiliated CPA (certified public accountant). The audit is carried out on some or all the Trust Services Criteria (TSC). Which TSC are audited depends on the type of company. For example, a SaaS vendor would likely audit the security, availability, and confidentiality criteria.

The scope of the audit also depends on the type of organization. Large companies may choose to audit specific sections of the company or products. The auditor will require complete documentation and policies that demonstrate your security models. Having a documented Zero Trust model in place will help with the process.

SOC 2 compliance requires annual audits to adhere to the five Trust Services Criteria.

Why customers choose Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.

Additional Resources

Simplify Compliance with Zero Trust

Learn how a Zero Trust security architecture makes it easier to comply with a wide range of compliance requirements.

Watch the video

Digital Operational Resilience Act Brief

Digital Operational Resilience Act - Preparing financial entities for DORA compliance with Akamai

Learn how Akamai is helping financial entities effectively manage compliance challenges.

Learn more

Accelerate PCI Compliance and Ensure Ongoing Validation with Akamai Guardicore Segmentation

Akamai Guardicore Segmentation addresses several PCI DSS requirements with one tool, providing visibility to auditors and helping incident response teams detect breaches.

Learn more