Mar 11, 2025
6 min read

Improving SOC criteria with Doppler


Compliance standards for data privacy and protection can generally be split into two groups: regulation and certification. Regulations represent the national or industry standards that must be met to continue operating a platform. This group includes regulations like HIPAA, GDPR, and CCPA.

Certifications, on the other hand, are optional standards that companies may choose to earn for various reasons. Achieving certain certifications, like a SOC certification, signals to consumers that this is a business that takes its security seriously.

Standards for regulations and certifications may cover similar topics or share overlapping principles. For data privacy and protection, both require strict control for protected information types like Personal Health Information (PHI), Personally Identifiable Information (PII), and various forms of financial information, like Protected Card Information (PCI). Here, we’ll cover the core principles behind the SOC 1-3 certification and how Doppler can assist your team with compliance.

Reminder: Every regulation and certification has its own definitions and specific criteria, so it’s important to figure out the specifics for your business. Fines, loss of licensing, and legal penalties are steep prices to pay!

So what are these requirements, anyway?

SOC stands for System and Organization Controls. The certification was developed by the American Institute of Certified Public Accountants (AICPA) based on the Trust Services Criteria (TSC) and comes in three different forms, labeled SOC 1-3. The SOC-1 certification is completed at a single point in time, but the SOC-2 certification is performed over a much longer duration and more accurately depicts a company’s commitment to data security. The SOC-3 is conducted in a similar manner to the SOC-2 but reduces the level of reported detail so the report itself may be shared publicly.

The SOC criteria are split into five principal parts, and while all are recommended as best practice, only the Security criterion is required for certification:

  • Security stipulates protecting systems and information from unauthorized access. This criterion primarily addresses the risks of external threats. How is your team protecting its platform and users from malicious actors?
  • Availability is about ensuring the platform and its systems are consistently accessible. The availability criterion isn’t just about minimizing platform downtime, though. It also includes providing data to customers upon request, a platform feature mandated by regulations like California’s CCPA.
  • Processing integrity concerns whether the platform is operating as intended and as advertised. To achieve processing integrity, platforms must be clear about how they use, store, and process data and only do so in the ways they claim.
  • Confidentiality requires that the access, storage, and use of confidential information be kept to a minimum. This means processing protected information only as necessary and removing it from storage as soon as it is no longer required.
  • Privacy means safeguarding sensitive information (PHI, PII, PCI) against access from users and employees. The privacy criterion is about minimizing anyone’s access to protected information, including developers.

Doppler is here to help!

Integrating Doppler into your development pipeline allows your team to put systems in place to improve these TSC metrics. Let’s check out how some of Doppler’s features can help you on your journey.

User groups:

User groups govern permissions to every aspect of the platform. Only users belonging to the correct group can view or alter secrets on any given project. User groups help keep data breaches contained by limiting the amount of the platform that can be exposed by any single compromised account. Properly implementing user groups will help your team improve its Privacy and Confidentiality criteria by reducing internal access to sensitive information, and its Security criterion by decreasing the platform’s attack surface.

Automated Secrets Rotation:

Changing the value of secrets (rotating them) has a number of security benefits. Regular rotation limits how long a leaked secret remains usable; a robust rotation procedure means security teams are ready to rotate compromised secrets in the event of a breach; and rotation prevents off-boarded employees from continuing to access the platform.

Historically, consistent secrets rotation has proven challenging. It takes developer time, introduces platform downtime, and requires identifying and altering every copy of a secret across a complex, extended sprawl. Manually rotating secrets is difficult and error-prone, especially at scale. Doppler’s automated rotation system uses a two-secret strategy to prevent downtime and automatically syncs the new value of each secret across your platform. Preventing downtime supports your Availability criterion, while automated rotation lets security teams quickly, securely, and efficiently mitigate the risks of exposed secrets, improving your Security posture.
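The following is an added illustration of why the two-secret strategy avoids downtime; it is not Doppler’s code, and the backend, the list of cached client secrets, and the one-at-a-time sync are assumed stand-ins. It counts how many requests are rejected during a rotation when the old value is revoked first, versus when both values overlap until every consumer has been synced.

```python
import secrets

class Backend:
    """Constructed stand-in for a downstream service (say, a database) that
    accepts any credential in its current set of valid credentials."""
    def __init__(self, initial: str) -> None:
        self.valid = {initial}

    def authenticate(self, token: str) -> bool:
        return token in self.valid

def _failed_auths(backend: Backend, clients: list) -> int:
    # clients: cached secret per consumer; one request each, count rejections
    return sum(not backend.authenticate(t) for t in clients)

def rotate_naive(backend: Backend, clients: list, old: str) -> int:
    """Single-secret rotation: revoke the old value first, then sync. Returns
    how many requests fail while the sync is still in progress."""
    new = secrets.token_hex(16)
    backend.valid = {new}                     # old value dies immediately
    failed = 0
    for i in range(len(clients)):             # consumers sync one at a time
        failed += _failed_auths(backend, clients)
        clients[i] = new
    return failed

def rotate_two_secret(backend: Backend, clients: list, old: str) -> int:
    """Two-secret rotation: register the new value beside the old one, sync
    every consumer, and only then retire the old value."""
    new = secrets.token_hex(16)
    backend.valid.add(new)                    # both values valid during overlap
    failed = 0
    for i in range(len(clients)):
        failed += _failed_auths(backend, clients)
        clients[i] = new
    backend.valid.discard(old)                # nothing depends on it any more
    return failed + _failed_auths(backend, clients)

def simulate(strategy, n_clients: int = 3) -> tuple:
    """Run one rotation; returns (failed requests, old value still accepted)."""
    old = secrets.token_hex(16)
    backend = Backend(old)
    clients = [old] * n_clients               # every consumer starts in sync
    failed = strategy(backend, clients, old)
    return failed, backend.authenticate(old)
```

Both strategies end with the old value rejected, so a leaked copy stops working; only the two-secret path gets there without failed requests.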

Logging and auditing:

Logging refers to the generation of a ‘receipt’ whenever an action is taken within a system; a timestamp recorded when an employee logs in or out of a secure system is a simple example. Logs can also be more specialized and oriented towards security and productivity. Attaching a name, account, or IP address when code is pushed into production lets DevOps keep track of who updated the platform and when they did so. Doppler offers Activity Logs and Access Logs.

  • Doppler generates an activity log for every action your team makes, from adding team members to altering secrets. You can find this in the ‘activity’ section of Doppler’s services.
  • Doppler generates an access log when an actor accesses a secret, which includes the actor, access method, the first time it was read, and the most recent time it was read. Viewing this access log requires the appropriate permissions.

Logs are a key component of demonstrating regulatory compliance, since they are evidence an auditor can use to verify how development systems operate. Logs have plenty of internal uses, too. DevOps can use logs to measure various productivity metrics, or to identify compromised credentials in the event of a breach. Doppler’s logs also include versioning, which both enables rollbacks to previous secret versions and records when they happen.
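As an added example covering the access log described above and its use during a breach (not Doppler’s code or log format; the event fields and sample lines are constructed), this builds the per-secret record of actor, access method, first read and most recent read, then lists which secrets a compromised actor read after a given time, which is the set to rotate first.

```python
from datetime import datetime

# Constructed sample of secret-read events; the field names are assumptions,
# not Doppler's real log format. One event per line: ISO timestamp, then k=v.
EVENTS = """\
2025-03-10T08:00:00Z actor=alice method=cli secret=DB_PASSWORD
2025-03-10T09:15:00Z actor=ci-bot method=service_token secret=DB_PASSWORD
2025-03-11T02:40:00Z actor=alice method=dashboard secret=STRIPE_KEY
2025-03-11T03:05:00Z actor=alice method=cli secret=DB_PASSWORD
2025-03-11T06:30:00Z actor=bob method=cli secret=SENDGRID_KEY
"""

def _ts(value: str) -> datetime:
    # Accept the trailing 'Z' on older Pythons by spelling out the UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = _ts(stamp)
        events.append(rec)
    return events

def access_log(events: list) -> dict:
    """Collapse raw reads into one record per (secret, actor, method) holding
    the first and most recent read time, the shape the page describes."""
    log = {}
    for e in events:
        key = (e["secret"], e["actor"], e["method"])
        first, last = log.get(key, (e["ts"], e["ts"]))
        log[key] = (min(first, e["ts"]), max(last, e["ts"]))
    return log

def rotation_scope(log: dict, actor: str, compromised_since: str) -> list:
    """Secrets the given actor read at or after the compromise time: the set a
    responder rotates first when that actor's credentials are compromised."""
    since = _ts(compromised_since)
    return sorted({secret for (secret, who, _), (_, last) in log.items()
                   if who == actor and last >= since})
```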

Doppler has plenty of other features to check out, too! See how its suite of integrations can support your platform’s regulatory compliance without risk by trying out a free demo!
