For those DevOps teams working in a regulated space, translating security and compliance requirements into multi-platform configurations has become a part of a growing list of responsibilities that teams are now tasked to take on. In many orgs, this knowledge requires external factors such as training and consulting and may take weeks just for onboarding.
At Magalix, “making things easy” is one of our core principles. With our Reports module, we already provide reports for CIS Benchmark, MITRE ATT&CK, and PCI-DSS. We now include support for SOC2 Type 1, so that operators can immediately check their running configuration against the 5 Trusted Service Criteria.
SOC 2 is a compliance standard for technology-based service organizations that store customer data in the cloud. Complying with the standard demonstrates that the systems are meeting the requirements relevant to security, processing integrity, availability, confidentiality, and privacy.
There are two types of SOC 2 reports:
Here, we will be outlining the SOC2 Type 1 policies now available as part of the Magalix library.
Magalix Policies are now associated with SOC2 Type 1 controls. We have broken down each of the 5 Trusted Service Criteria (TSCs), along with the 17 COSO (Committee of Sponsoring Organizations) principles, so you can immediately identify which Kubernetes objects are SOC2 Type 1 compliant within seconds.
Figure 1: An example of our RunTime engine.
Along with real-time updates in our Dashboard, Magalix also provides standardized reporting for audiences that may not necessarily want to know all the technical details of your implementation but do want to know your compliance state.
Figure 2: A SOC2 Sample Report
For tips and tricks on how to run and manage Kubernetes in production, download the Weaveworks whitepaper.
Each policy has been handcrafted and individually mapped to a Standard and a control. For example, the Availability Criteria A1.1 states:
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
In Kubernetes, this could mean configuring a Horizontal Pod Autoscaler (HPA), or even something simpler like ensuring CPU requests and limits are set on every container. Whatever the case, these are example configurations that your organization understands and requires at all times. Each Policy in our library is tagged and labeled appropriately, taking the guesswork out of the equation. Allocate more time to implementing your standards, and less time understanding what needs to be enforced.
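The mapping just described, as an added worked example that is not Magalix's or Weaveworks' own policy code: a small Python check that evaluates a workload against the two A1.1 settings named above, CPU requests and limits on each container, and a HorizontalPodAutoscaler targeting the workload. The Deployment and HPA objects, their names and the `shop` namespace are constructed sample values shaped like what a JSON or YAML loader would return for real manifests.

```python
"""Added example (not Magalix/Weaveworks code): check Kubernetes workloads against
SOC 2 Availability criterion A1.1 as the post maps it, i.e. CPU requests/limits
set on every container and an HPA targeting the workload."""

# Constructed sample objects. A Deployment with no CPU resources and no HPA
# (the weak setting) beside a corrected one that has both.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "legacy-checkout", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "example.invalid/checkout:1.0"},
    ]}}},
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "api",
            "image": "example.invalid/checkout:1.0",
            "resources": {
                "requests": {"cpu": "250m", "memory": "128Mi"},
                "limits": {"cpu": "500m", "memory": "256Mi"},
            },
        },
    ]}}},
}

HPAS = [{
    "apiVersion": "autoscaling/v2",
    "kind": "HorizontalPodAutoscaler",
    "metadata": {"name": "checkout", "namespace": "shop"},
    "spec": {
        "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": "checkout"},
        "minReplicas": 2,
        "maxReplicas": 10,
    },
}]


def _qualified_name(obj):
    """namespace/name, defaulting the namespace the way kubectl does."""
    meta = obj["metadata"]
    return f"{meta.get('namespace', 'default')}/{meta['name']}"


def cpu_resource_violations(workload):
    """One violation per container (app or init) lacking a CPU request or limit."""
    prefix = _qualified_name(workload)
    pod_spec = workload["spec"]["template"]["spec"]
    violations = []
    # initContainers also consume CPU while they run, so hold them to the same rule.
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        resources = c.get("resources") or {}
        if "cpu" not in (resources.get("requests") or {}):
            violations.append(f"{prefix} container {c['name']}: missing CPU request")
        if "cpu" not in (resources.get("limits") or {}):
            violations.append(f"{prefix} container {c['name']}: missing CPU limit")
    return violations


def hpa_targets(workload, hpas):
    """True if any HPA in the same namespace points at this workload by kind and name."""
    meta = workload["metadata"]
    ns = meta.get("namespace", "default")
    for hpa in hpas:
        ref = hpa["spec"]["scaleTargetRef"]
        if (hpa["metadata"].get("namespace", "default") == ns
                and ref["kind"] == workload["kind"]
                and ref["name"] == meta["name"]):
            return True
    return False


def evaluate_a1_1(workload, hpas):
    """Return the list of A1.1 findings for a workload; an empty list means compliant."""
    violations = cpu_resource_violations(workload)
    if not hpa_targets(workload, hpas):
        violations.append(
            f"{_qualified_name(workload)}: no HorizontalPodAutoscaler targets "
            f"{workload['kind']}/{workload['metadata']['name']}"
        )
    return violations


if __name__ == "__main__":
    for wl in (WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT):
        findings = evaluate_a1_1(wl, HPAS)
        status = "PASS" if not findings else "FAIL"
        print(f"[{status}] {_qualified_name(wl)}")
        for f in findings:
            print("   -", f)
```

The check reports per-container findings rather than a single pass/fail so that a report can say which object and which container needs fixing; the HPA lookup matches on namespace, kind and name because an HPA in another namespace, or one targeting a StatefulSet of the same name, does not satisfy the control for this Deployment.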
Magalix not only has your SOC2 Type 1 policies covered, but our continuously growing Policy library covers other best practices and standards such as PCI-DSS, HIPAA, and CIS Benchmark. Pick and choose which Standards you care about and only report on those.
Magalix is the easiest way to understand your Cloud-native security posture and the fastest way towards compliance.
Sign up for a 30-day commitment-free trial and see the policies in action.