Companies seeking to boost their information security stance often complete a Service Organization Control 2 (SOC 2) audit, with a growing focus on meeting SOC 2 password requirements. The SOC 2 certification process includes demonstrating the use of adequate system access controls to ensure that sensitive data remains protected and secured at all times. Many companies seeking SOC 2 compliance might leverage solutions such as a SOC 2-compliant password manager to help meet requirements.
The American Institute of Certified Public Accountants (AICPA) introduced the Service Organization Control or SOC 2 report to help evaluate service companies and their ability to maintain strong controls “ … relevant to security, availability, and processing integrity of the systems … to process users’ data and the confidentiality and privacy of the information processed by these systems.”
SOC 2 includes two types of reports:
Type 1: reports on a company’s system description and the suitability of the design of its controls
Type 2: reports on a company’s system description and the suitability and operational effectiveness of its controls
Both SOC 2 report types detail how companies process data, but SOC 2 Type 2 more deeply describes data security controls in place, including credential management. Both report types are restricted to certain entities (e.g., customers or auditors). However, companies may also produce a publicly available SOC 3 report, which summarizes some of the data security criteria found in the SOC 2 report.
Companies seeking SOC 2 certification have to pass an audit conducted by an accredited AICPA representative. Five “Principles” form the foundation of the audit or “examination engagement” and provide the SOC 2 security criteria:
Security - System protections against unauthorized access, both physical and logical
Availability - System availability for operation and use as committed or agreed
Processing Integrity - Complete, accurate, timely, and authorized system processing
Confidentiality - Information designated as confidential is protected as committed or agreed
Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria outlined in Generally Accepted Privacy Principles (GAPP)
Companies only have to comply with the principles that apply to them. For example, the ‘Availability Principle’ typically applies to companies providing colocation, data center, SaaS-based services, or hosting services to customers.
The ‘Security Principle’ applies to most companies seeking SOC 2 compliance. The bulk of the ‘Security Principle’ requirements exist under section CC6 of the Trust Services Criteria, which also details SOC 2 password requirements. The following sections demonstrate how a password manager can support key requirements.
CC6.1 (Pg. 28-29):
“The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.”
Companies must demonstrate how they manage credentials for infrastructure and software, including removing access once it’s no longer needed or required. With a password manager, administrators can easily automate access, assign roles, and restrict users to read-only access for system credentials. Granular access control allows administrators to completely hide passwords to prevent copying passwords, TOTP seeds, or custom fields.
Companies must encrypt their data and protect encryption keys at all times. With a 100% end-to-end encrypted password manager using AES 256-bit encryption, companies benefit from true zero knowledge, protecting their credentials and other sensitive data that can be shared amongst employees such as company financial documents. Additionally, PBKDF2 SHA-256 strengthens encryption key protection by limiting key retrieval to only the user logging in with their master password.
CC6.2 (Pg. 30):
“Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.”
Companies must show how they register and authenticate new users, including levels of access. With a password manager, administrators can link their directory service (LDAP) to streamline user provisioning and deprovisioning. Users and groups in your company LDAP sync with your password manager’s Organization, replicating the same structure. Better yet, whenever a new user is added to the LDAP, they are also created in the password manager; and vice versa, are removed when deprovisioned from the LDAP.
Companies must authorize access to protected assets. A password manager with Single Sign On allows your existing Identity Provider to provide authentication for password manager users. Administrators can set password policies requiring users to log in through the Single Sign On method to access credentials.
CC6.3 (pg. 30):
“The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.”
Companies must demonstrate role-based access controls or RBAC. With a password manager, administrators can set user types and create custom roles to assign granular control and user permissions for components of the password manager. RBAC can be configured for functions such as who can manage users, access event logs, or import/export data.
Adding a password manager, such as Bitwarden, can demonstrate your commitment to data security to SOC 2 auditors. Bitwarden offers enterprise-grade security, conducting regular third-party security audits and complies with major privacy and security standards, including SOC 2. Take advantage of an all-access free Enterprise trial to see how Bitwarden can help you prepare for a SOC 2 security audit and meet SOC 2 password requirements.
Editor's Note: This blog was originally published on Tuesday, September 21st 2021 and was updated on Friday, May 20th 2022.