Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management

Published 11/22/2024

Home
Industry Insights
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management

Written by Adam Cheriki, Co-Founder & CTO, Entro Security.


As cloud-native architectures transform business operations, they bring unique security challenges. The rapid expansion of microservices, containers, and serverless functions has increased the number of secrets, making their protection a pressing concern.


Why SOC2 Matters for Security

SOC2 (Service Organization Control Type 2) is a crucial framework that helps organizations show their dedication to high security standards, building trust with clients and partners.


Understanding SOC2 Compliance*

SOC2, created by the AICPA, is a cybersecurity standard that helps service organizations safeguard customer data. It provides assurance to customers that their providers follow strict security policies and procedures.

At the core of SOC2 are five trust criteria used to evaluate organizations:

  • Security: Protects resources against unauthorized access
  • Availability: Ensures systems are operational as promised
  • Processing Integrity: Verifies completeness, accuracy, and authorization of data processing
  • Confidentiality: Protects agreed-upon confidential information
  • Privacy: Ensures personal data is handled according to the organization’s privacy policy

Of these, security is mandatory in every SOC2 assessment, while the others are optional based on the organization’s operations and customer agreements.


Types of SOC

SOC1 vs. SOC2: What’s the Difference?

While SOC1 focuses on a provider’s internal financial controls, SOC2 has a broader scope, addressing the five trust criteria. SOC2 is valuable to compliance officers, IT executives, and regulators who need assurance over an organization's data protection.


SOC2 Types: Type 1 vs. Type 2 Audits

  • SOC2 Type 1 assesses security controls at a single point, reviewing the design of protections in place.
  • SOC2 Type 2 reviews security over time, testing real-time effectiveness, and demonstrating how controls function.


SOC2 vs. ISO 27001

Both SOC2 and ISO 27001 provide security standards but differ in focus. ISO 27001 details a framework for creating an Information Security Management System (ISMS) with an ongoing improvement process, while SOC2 evaluates an organization's controls for a specific time period (Type 1) or over a duration (Type 2).


Why SOC2 Compliance Matters in the Age of Non-Human Identities

With the rise of cloud services and automation, non-human identities—such as service accounts, API keys, and access tokens—are proliferating. These identities drive seamless machine-to-machine communication but also introduce security risks that SOC2 compliance helps address.


Securing Secrets and Non-Human Identities

Secrets often have privileged access, making them attractive for attacks. Without visibility or monitoring, detecting and responding to incidents is difficult. SOC2 compliance provides organizations with the frameworks needed to secure these high-risk assets effectively.


SOC2 Compliance Challenges and Best Practices

SOC2 compliance in cloud environments can be complex due to the rapid changes in resources. Real-time visibility and automated monitoring are essential to maintain continuous compliance.

Best practices include:

  1. Eliminate hard-coded secrets in code repositories and messaging systems.
  2. Maintain an inventory of non-human identities and classify by criticality and risk.
  3. Implement zero-trust principles for non-human identities, using continuous authentication based on real-time assessments.
  4. Document clear policies for managing the lifecycle of secrets.
  5. Integrate secrets management with incident response processes to proactively address security vulnerabilities.


SOC2 Controls and Cloud Environments

SOC2 controls vary between environments. Here’s a look at some key SOC2 controls for Kubernetes and AWS:

  • Kubernetes Controls: Controls such as detecting unauthorized access attempts (CC6) and using security benchmarks for container configurations (CC7) enhance compliance.
  • AWS Controls: AWS tools like Identity and Access Management (IAM), encryption with Key Management Service (KMS), and logging via CloudTrail support SOC2 compliance by securing data and tracking activity across environments.


Conclusion

SOC2 compliance requires ongoing monitoring and improvement. By prioritizing identity and secrets management, organizations can establish a secure foundation for their Kubernetes and AWS environments, enhancing both security and trust.

ComplianceEnhancing cloud security strategyStandards

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
It’s Time to Split the CISO Role if We Are to Save It

Published: 11/22/2024

Establishing an Always-Ready State with Continuous Controls Monitoring

Published: 11/21/2024

The Lost Art of Visibility, in the World of Clouds

Published: 11/20/2024

5 Big Cybersecurity Laws You Need to Know About Ahead of 2025

Published: 11/20/2024