Controls are the foundations of your SOC 2 compliance efforts. They define how your business executes its policies, drive operations and meet SOC 2 compliance requirements. When policies and controls are tightly aligned and enforced consistently, they help to mitigate risk and increase trustworthiness and agility for your business. This post is part of a continuing series of posts focused on specific SOC 2 controls.
What This Control Is For: This control addresses encryption of your stored data. Other controls handle data in transit, such as across networks.
Who Is Responsible for This Control: Engineering, IT, and everyone involved in managing or operating your IT infrastructure or stored data.
What this Control Does: Understanding Controls is often difficult, but this one should be relatively easy. This control just requires that your stored data is all encrypted, which is fairly common these days so you may already be in compliance. The key step is just to show that you’re already doing this!
The Encryption of Data at Rest control also addresses elements of the SOC 2 Common Criteria 6.x series. Specifically, this control addresses Common Controls 6.1 (Logical Access Security), 6.6 (Mitigate Outside Threats), and 6.7 (Data Transmission).
Why It Matters: Encryption is an important element of cybersecurity and the protection of proprietary and personal information. Encryption is a well-respected last line of defense for your data. Even if your other Controls fail and someone manages to get access to your data storage, they still won’t be able to read what they’ve got.
Most public cloud solutions allow you to “flip a switch” and encrypt data at rest. On-premise storage arrays can be configured to encrypt specific drives. Modern databases can even be configured to encrypt specific data fields, such as those that contain proprietary or personally identifiable information (PII). You can therefore encrypt everything where performance is not slowed and make choices that combine encryption with minimal performance degradation if necessary.
To optimize the effectiveness of your encryption efforts, you need to answer two questions.
This Control relates to Data Classification, which is where you decide what types of sensitive data you have and how you want to treat each one. For example, customer data is different from your unreleased marketing materials or your app’s source code. You’ll need to break down your data into a few classes, which is not so hard when you start with an easy system and match it to the data you work with most. Then your encryption control will only have to cover specific types of data already defined via your Data Classification Policy (or equivalent document).
Once you’ve identified and located your most sensitive data at rest, you need to ensure your encryption methods are adequate for your organization’s data objectives and SOC 2 compliance. The Advanced Encryption Standard (AES) is a widely adopted industry benchmark. The two dominant “flavors” of the standard are AES-128 and AES-256. The numbers refer to the size of the encryption/decryption keys in bits. AES-128 is faster, while AES-256 may be more resistant to some cyberattacks. Your chosen encryption solutions should comply with the AES. Fortunately, most cloud providers and modern system providers support AES “out of the box.”
You will also need clear, documented, and enforced policies for data classification, data management, and encryption. Both the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) can be valuable sources of information for classifying your data and getting your encryption right.
For contemporary companies working mostly with the cloud, this SOC 2 control should be a cinch. Encryption is important, your providers already handle it, and that is one reason you chose to trust them with your data. Show your work and keep moving.
Trustero Compliance as a Service (CaaS) includes multiple features to help you implement the Encryption of Data at Rest control, and to demonstrate compliance with its requirements to your auditor credibly and on demand. The solution’s user interface consolidates the description of the Control, information about it and its status, and the ability to test compliance with it on a single screen, in plain, clear language.
If you’re new to SOC 2, download a copy of our free ebook, “SOC 2 Compliance: Why it Matters and How to Get There.” If you’re already familiar with SOC 2 controls, click here to learn more about Trustero CaaS or to schedule a demo.
MJ Raber is Head of Governance, Risk and Compliance (GRC) at Trustero.
NOTE: This article is an update to an earlier Trustero post, “SOC 2 Controls: Encryption of Data at Rest,” originally published June 7, 2022.