We all understand the importance of maintaining strong security protocols and controls. That’s why Rezonate decided to invest in the SOC 2 Type 2 compliance early on, and after only one month since our out of stealth announcement, we successfully achieved attestation.
What exactly is SOC 2 Type 2 certification, and why is it important to you?
SOC 2, or System and Organization Controls (SOC) 2 type 2 is a widely recognized set of standards that ensure a company’s controls have been independently examined and tested. The “Type 2” designation refers to the fact that the audit covers a period of time, meaning that a company has not only implemented proper controls, but also demonstrated their continuous effective operation over a period of time.
Which is the key point I want to highlight here: a point-in-time validation vs. continuous readiness.
Rezonate protects Rezonate
Following any compliance requirements can be quite challenging. For starters, you need to fully understand the specific framework by analyzing and interpreting the right categories and controls. Then, using different assessment tools and manual efforts, you compile a list of all requirements, identifying what has been completed and what needs to be done, ensuring that the process is properly documented, logged, and monitored.
So, how can you take steps to remove manual time-consuming actions, excel at all delicate tasks, ensure an error-prone process and achieve zero exception compliance?
At Rezonate, we, the Security & DevOps team, use the Rezonate Cloud Identity Protection Platform (CIPP) on a daily basis for several use cases. As part of our ongoing protection of – our own human and compute resources’ IdP-IaaS identities and every access attempt to and from our cloud-native stack – we ensure continuous compliance readiness across key identity-first trust principles defined by the SOC 2 audit:
- Security – Enforce the protection of data and systems, against unauthorized access, enforce MFA, and strengthen access controls. Strict inbound and outbound rules.
- Availability – Maintain availability SLAs at all times. Building inherently fault-tolerant systems which do not crumble under high load. Invest in network monitoring systems and DR plans in place.
- Confidentiality – Restrict and monitor access to organization’s confidential data and adhere to the principle of least privilege.
We do that with the goal of continuously improving our controls and processes, ensuring that we are always meeting the highest standards in the industry. In a real-world and active environment, drifts may happen, however the process we’ve built around it course-correct itself.
Protect identities, access, systems, and data
We operate in a faced paced environment and therefore our infrastructure changes fast. Yet, we still allow our team the flexibility required to build fast – without compromising security. Using the Rezonate platform, our customers understand the identity security posture with complete visibility of their identities, policies, and access requests to meet all IAM aspects required for the security, availability, and confidentiality principles.
- Centralized identity inventory – Up to date inventory of all identities: employees, 3rd party vendors, machine resources, roles, groups, applications, and all required context across your multi-IdP / multi-cloud infrastructure.
- Access events – Discover and understand every access performed on or from a monitored identity, since its creation time to its last active session and activity performed.
- Privileges analysis – Evaluate entitlements provided to actual usage and true need for access and business operation.
- Behavior baseline & drift – Analyze every access request to critical data and application and realize possible risk across our IdPs and cloud infra.
- Risky exposures – Detect and better understand critical exposures, new access requests, and policy distribution to our engineering and overall staff. While we evaluate each request and relevant context to uncover potential hidden interdependencies, risk and implications.
- Threat detection – Detect any malicious impersonating, access rights, and excessive privileges, while evaluating possible impact, and taking action before damage occurred.
- Remediate – Proactively enforce a real-world least privileged access where Rezonate’s DevOps can ‘flex’ policy for unnecessary and risky privileges and ‘relax’ entitlements and access privileges for confirmed benign ones for increased productivity and agility.
We have built this mechanism, all while abiding compliance mandates, to comply and stay audit-ready despite complex architectures to protect our most trusted asset – our customers’ data. Be able to provide required proof for observation period instantaneously without the manual effort involved.
If you want to speak with our team on how we are leveraging the Rezonate platform to protect Rezonate and by doing that, maintain SOC 2 Type 2 audit readiness for everything related to your identity and access, sign up for a demo or simply let us know [email protected].
Thank you to our partners, EY and Scytale, for their partnership on this and future milestones.