As organizations increasingly move their business communications from on-premises environments to the cloud, they are realizing a host of benefits, including unparalleled scalability, flexibility, and cost-efficiency. However, this transition also brings new challenges, especially when it comes to security. To ensure that data is effectively protected in the cloud, security controls such as the Service Organization Control (SOC 2) Type II report serve as an important mark of quality.
While most on-premises security efforts focus on protecting servers from physical harm, in the cloud, proper configuration is critical to protecting an organization. As Gartner's Cloud Security Posture Management report states, "nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and errors." However, 43% of organizations struggle with a cybersecurity talent gap and don't have the internal resources to adequately manage their systems themselves. Software as a Service providers offer to fill this gap by providing robust and managed IT systems.
But with so many vendors on the market, it is important to carefully evaluate software vendors to make sure that they are keeping your business data safe and secure. To ease the evaluation process, third-party audits are a quick way to check that effective security protocols are in place. The gold standard to look for is a SOC 2 Type II attestation, which demonstrates an organization's commitment to the highest security standards.
SOC 2 is an assurance report by the American Institute of Certified Public Accountants (AICPA). It is a structured audit of an organization's internal controls relating to operations and compliance. Controls are tested against one or more of these five main categories:
To achieve a SOC 2 attestation, an organization must be audited by a third-party certified public auditor. There are two types of SOC 2 reports: Type I and Type II:
A common misconception is that SOC 2 is a certification. However, there is no pass or fail element to the SOC 2 attestation. Instead, the organization undergoing auditing will receive a SOC 2 auditor report. Every report is a summarization of the control design, effectiveness and its use in operations. As technology rapidly advances, audits are conducted on a rolling basis and organizations continue to undergo routine testing. The resulting report is a highly insightful and confidential document.
While there is no "certification", reports use clear language to help interpret the results. Auditors provide their opinion and will give an unqualified opinion to organizations with thorough controls.
Luware is committed to ensuring that the highest security protocols are in place to protect customer data. Therefore, Luware has designed, implemented, and maintains controls to reduce the risks associated with the security of Luware Nimbus and Luware Recording.
Luware has completed its first formal audit for the period of February 1, 2023 to April 30, 2023 and obtained the SOC 2 Type II attestation in September 2023 on the principles of Security, receiving an unqualified opinion. To ensure continuous risk mitigation, Luware will continue to engage an independent service auditor to issue the SOC 2 Type II attestation report on the principles of Security.