Audits and standards everywhere, but you know what? This is excellent news for you and your repositories, and your company. Thanks to these control procedures, you can confidently assume that your company is safe and prepared for the threats resulting from ever-increasing attacks. So let’s talk about SOC 2, the big five!
What does SOC 2 have to do with Git?
SOC 2 is an updated version of SOC, i.e., System and Organizational Control. Obviously, it’s not like SOC 2 has replaced SOC because, in the modern world, both of these standards are used. With this, the SOC was established to secure the processes and financial data of a given company. SOC 2, on the other hand, is more IT-oriented and covers processes, data, security, and backups in a given company. It’s also worth remembering that SOC 2 applies to technology-based service organizations that store customer data in the cloud. In short, it applies to every single SaaS company. With this in mind, we can assume that SOC 2 protects us and our repositories and gives our clients confidence that their data is safe with us. For this reason, SOC 2 audits are often carried out in data centers and companies that care about the security of their customers. The question is, what does SOC 2 have to do with Git? And we will find the answer in this article. As I mentioned, SOC 2 also covers safety in its assumptions, but first, however, the criteria need to be further clarified. i.e., the big five and the approach to SOC 2 certification. American Institute of CPAs (AICPA), which is behind SOC 2, here are 5 main criteria:
- Privacy – This criterion checks how the data is accessed, whether we have encrypted communication, whether and how we use VPNs, and whether we use two-factor authentication. At this point, the approach to Single Sign-On in a given company and how this approach has been resolved will also be critical.
- Security – For obvious reasons, both software security will be important here, for example, what anti-virus/anti-malware software the company uses, but also hardware security, such as which firewalls we operate with what software version, etc. This criterion also includes two-factor authentication and intrusion detection.
- Availability – This criterion examines how a given company approached failover, high availability and how they were configured. The procedures and methods of monitoring the network and its performance will be essential here. Also, a strong emphasis in this criterion is on incident handling.
- Processing integrity – In this criterion, we must ensure data consistency, and sure that the data does not contain errors and is always available.
- Confidentiality – This criterion examines whether and how access to data is carried out. For example, if the IT department has a local secure WIKI website with sensitive information, whether access to such resources is limited, monitored, and updated.
Why SOC 2 Compliance criteria are so impportant?
Thanks to such a set of criteria, we can, in a sense, present SOC 2 as a flexible audit, especially now, when the security for IT companies becomes the most important point in their development strategy. Several features such as two-factor authentication, encryption, network monitoring, etc., are repeated in the criteria, which is precisely what has to do with the flexibility mentioned. The IT market is vast, and thanks to SOC 2, we can adjust the criteria and conduct audits for companies with various specializations. You probably notice that the backup wasn’t mentioned in any criteria. It was a deliberate procedure because the backup is a part of one or all criteria depending on the given company specialization. For example, for git repositories and the git server in general, the backup will appear in every criterion, which is a valid assumption. In terms of security, the backups of the repositories must be available to determine if we are dealing with an intruder and the data structures have been changed without our knowledge or not. In turn, from the point of view of availability, backups should be put away, preferably in at least 2 different locations and methods. An excellent example is the use of the GitProtect.io solution, thanks to which we will be able to create full backups, send them to AWS storage, and full and diff backups, for example, on network resources. Backups are of key importance for processing integrity because, thanks to them, we can ensure data continuity despite failure. Backups are also part of confidentiality as they should be accessed by selected people and the backups themselves should be secured and encrypted. Given that the backup stores’ sensitive data, it should always be protected GitProtect.io will also take care of it.
To sum up
SOC 2 audits primarily give us a good night’s sleep. By securing our company and our Git repositories with SOC 2 compliance in mind, we are likely to assume we’re safe. One of the most important issues that must be taken into account in SOC 2 is the backup, and this is where Xopero ONE and GitProtect.io come to our aid. Thanks to GitProtect.io, we will schedule automatic backups of our repositories that meet all SOC 2 standards. As a matter of fact, we will be able to create full, differential, and incremental backups, and we will have full logs about them. Possibilities such as an audit or preview of the status of a given backup are also critical.