If your organization is subject to a SOC 1 or SOC 2 audit, then you are likely familiar with the vendor management requirements under both reporting frameworks. The American Institute of Certified Public Accountants’ (AICPA) reporting standard for SOC 1 (Section AT-C 320 of SSAE #18) states that: “Management’s description of the service organization’s system and the scope of the service auditor’s engagement includes controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time. Such monitoring activities may include
- reviewing and reconciling output reports,
- holding periodic discussions with the subservice organization,
- making regular site visits to the subservice organization,
- testing controls at the subservice organization by members of the service organization’s internal audit function,
- reviewing type 1 or type 2 reports on the subservice organization’s system prepared pursuant to this section or section 205, and
- monitoring external communications, such as customer complaints relevant to the services by the subservice organization.”
If your organization receives a SOC 2 report, then similar vendor management controls are required to address Common Criteria 9.2: “The entity assesses and manages risks associated with vendors and business partners.”
A standard component of most vendor management programs is the requirement to obtain and review SOC reports of key vendors on an annual basis. The purpose of this SOC report review is to identify operational or control deficiencies at the vendors that may impact the vendors’ customers. In some situations, this is a worthwhile exercise. For example, if a company is using a small, local data center to host its IT infrastructure, the data center’s SOC report is a very useful tool to ensure that the DC has properly designed controls that are operating effectively. Issues or deficiencies identified in the data center’s SOC report may cause the DC’s customers to institute new controls or to switch to a new data center provider to lower their risk. But what about a situation where a company uses a large, well-known hosting provider such as Amazon Web Services (AWS) or Microsoft Azure? Does it provide any real value to review the AWS and Azure SOC reports annually, or is it more of a check-the-box exercise? In my experience, it is the latter, because AWS and Azure have mastered the compliance game, have robust control systems and always receive clean SOC reports. The purpose of this post is to provide an alternative to reviewing AWS and Azure SOC reports that provides much more value.
Both Amazon and Microsoft offer monitoring tools that provide data and actionable insights to monitor infrastructure and applications, respond to system-wide performance changes, optimize resource utilization and provide a unified view of operational health. Amazon’s tool is called CloudWatch and Microsoft’s tool is Azure Monitor. You can use these tools to detect anomalous behavior in your environments, set alarms, view logs and metrics side by side, take automated actions and troubleshoot issues. Both tools are designed to improve operational performance and resource optimization.
There are also many third parties that offer excellent monitoring tools for AWS and Azure. One example is Datadog, whose service is designed to:
- Track key service-level indicator metrics in real time
- Automatically detect unanticipated outliers, anomalies and errors
- Verify that services maintain high availability
In conclusion, if you use AWS and/or Azure to host your IT infrastructure, consider taking your vendor management program to the next level by monitoring the services with CloudWatch, Azure Monitor or a third-party tool.