Perimeter security is about preventing unauthorised access by securing the boundaries of the system. We previously looked at the importance of clearly establishing where those boundaries are, and of ensuring that broad, good-practice secure behaviours are employed to protect against security risks within those boundaries.
Perimeter security is what most people think of when they hear "security": protecting against hackers and external security breaches. SOC 2 takes a high-level, broad operational view of security, so this "technical security" is only a subset of the control activities.
Perimeter security starts with secure network design: using firewalls at external connectivity points, applying and maintaining stringent firewall settings, enforcing VPN for remote access, encrypting data in transit and at rest, and authenticating all user access to the network and underlying systems. These functions are offered as standard components by modern infrastructure as a service (IaaS) providers like AWS, Google Cloud, and Microsoft Azure.
In addition to the secure network design, there should be some form of network monitoring. That might include monitoring for suspicious network activity, failed logon attempts, usage trends, or other indicators that may flag inappropriate activity on the network. Good-practice monitoring tools that generate alerts for investigation are generally offered by modern IaaS providers, either as part of the package or as an upgrade.
At this point, you have secured who can access the network and systems. It's time to shift focus onto securing the devices used for that access. If those devices are compromised, the security of the network and systems may be compromised with them. Securing devices may include anti-virus software and updates, disk encryption, policies and processes to ensure operating systems are updated, and restrictions on software installation, internet sites, and removable media. Security is only as effective as the weakest link in the chain, so it's important to (a) limit the number of devices with access, and (b) apply good security practices across all devices that do have access. Those risks can be harder to manage with modern bring-your-own (BYO) device policies.
There are endless components to perimeter security. Those covered so far address the majority of control practices we see in SOC 2 reports to demonstrate compliance. The final area that's always included in SOC 2 is vulnerability management. A vulnerability is a weakness in the network or software systems that external attackers could exploit given the right tool or technique. These are typically identified and addressed through a combination of independent penetration tests, usually annually, and vulnerability scanning, usually more frequently, such as weekly, daily, or as part of each code change. Vulnerabilities identified through this combination of scanning tools and expert security assessment should be logged, prioritised and resolved.
The SOC 2 Perspective
Despite the breadth of security practices covered here, and the common expectation that a security standard is all about technical security practices, this area maps to a relatively small number (5 of 33) of the SOC 2 criteria, listed below.
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
AssuranceLab's Best Practices Series
AssuranceLab's best practices series is about highlighting the "real operational benefits" that come from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 1, SOC 2 and ISO 27001.