Clouds Spelling Hybrid Feature

Vendor SOC Audits Are Critical for Hybrid Cloud Users

by Jeffrey Russell
October 08, 2015

A growing number of companies are adopting a “hybrid cloud” approach for everything from file storage to enterprise resource planning (ERP), mixing and matching applications that span on-premises, public cloud and private cloud infrastructures. As businesses make this shift, they need to protect themselves―and their customers―by using service organization controls (SOC) audits to verify the security of their cloud vendors.

Why companies are adopting the hybrid cloud
Broadly defined, hybrid cloud means some blend of public cloud services, where multiple users share hardware and software, and private systems, which have dedicated hardware and software.  It’s an increasingly popular solution that enables companies to run some business applications in the cost-effective public cloud, while keeping their most critical data, such as patient information, on hosted or on-premises private servers.

In particular, a growing number of companies are adopting “infrastructure-as-a-service” (IaaS), a form of hybrid cloud in which the user’s virtual servers are isolated and accessible only to them, although they may span shared hardware. Market research firm Gartner Inc. predicts that global spending on cloud IaaS will rise 32.8% in 2015 to almost $16.5 billion, with a compound annual growth rate of 29% forecast for 2014 to 2019.

Companies are leveraging the hybrid cloud in numerous ways. IaaS simplifies technology implementation and support, for example, because users can provision server infrastructure on demand to run development and testing environments in a virtual private cloud, turning them on/off as needed, and still have physical production servers and installation on-premises. With IaaS, companies can manage an ERP system upgrade on temporary virtual servers before deploying it on-premises, or replicate software problems in a controlled, cloud-based testing environment, where external software partners can troubleshoot the issue and apply fixes without accessing the user’s internal network. In most cases, these hybrid approaches eliminate traditional hardware limitations and significantly reduce the time to delivery.

Companies are also using IaaS to run business applications such as payroll, HR management, batch processing and internet-facing websites―and increasingly, to run ERP and other mission-critical systems. A 2014 Gartner study predicted that by 2018, at least 30% of service-centric companies, such as professional services firms, would move the majority of their ERP applications to the Cloud. According to a 2015 Gartner CIO survey, 83% of CIOs now consider IaaS as an infrastructure option, and 10% already use IaaS as their default infrastructure choice. 

Why SOC audits matter
Hybrid cloud users typically partner with a hosting provider plus other levels of cloud vendors.  For example, a company that relies on Microsoft Azure to host its cloud-based infrastructure may opt to outsource tasks such as 24/7 monitoring and management services to an IT services partner. As they shift business applications to the cloud, users need a well-defined means of verifying and documenting that all of these partners are following proper procedures for the services they provide.  

This is especially critical in a heavily regulated industry like life sciences, where companies have very stringent standards for due diligence around auditing suppliers. Although from a regulatory standpoint, these standards are aimed more at materials or manufacturing suppliers, the evaluation of service providers has heightened importance as well. Companies in sectors like life sciences and defense/aerospace also often deal with sensitive patient or client data, which means they must meet strict requirements for controls, security and access to information.

SOC audits, which are performed by third parties, provide a definitive statement of quality assurance for a vendor’s controls around security, availability, processing integrity, confidentiality and privacy. For instance, a SOC audit would show whether a service provider was using the right procedures to add a new user credential, or to assign administrative access to users of a system. The audits are a critical part of a vendor qualification process―whether a company is choosing a hosting provider, identifying software technologies that are mature enough to have gone through a SOC audit, or qualifying vendors based on their level of SOC certification.

There are three main types of SOC audits a cloud services provider can undergo.   

SOC 1: This is a report on controls at a service organization that are relevant to a user entity's internal controls for financial reporting. It is typically used by a service organization’s publicly traded customers to satisfy Sarbanes-Oxley requirements.

SOC 2: This is a report on controls at a service organization that are relevant to security, availability, processing integrity, confidentiality and/or privacy. It is utilized if it is more appropriate for a company to be assessed on its internal controls not related to financial reporting. Customers typically use this report to verify that selected operational controls were tested at the service organization.

SOC 3: This is a Trust Services report, which essentially covers the same subject matter as SOC 2 but does not provide the same level of detail. After a service organization completes this report, it can publish a seal on its website, showing its compliance. Service organizations use the SOC 3 report when they do not want to reveal the details of their controls, or when a user organization requests a compliance seal.


For companies that are themselves providing a service―Software as a Service (SaaS) businesses, for example, or companies with a product-and-service business model―vendors’ SOC audits have an additional impact. These businesses need to be able to prove the trustworthiness of their controls to their own customers, via a SOC audit, and this audit depends in part on the SOC audits of their cloud service providers.

Companies need to be ready for the cloud
More and more businesses are choosing to move applications to the hybrid cloud, to take advantage of the flexibility and scalability it offers. At the same time, service providers are increasingly focusing on cloud-based solutions, and some no longer offer any on-premises options. Market research firm Saugatuck Technology predicts that by 2018, more than 60% of enterprises will have at least half of their infrastructure and applications in the cloud.

As this shift continues to unfold, vendor SOC audits are critical.  To protect themselves and their clients, companies need to implement―or be ready to implement, if they’re not yet in the cloud―procedures to verify and document the SOC certifications for all their relevant cloud vendors.


October 08, 2015

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
Women in Life Sciences ESG
Join us for a blooming ESG discussion and a floral arrangement workshop!

July 20, 2022 | 03:00 PM - 05:00 PM PT
Unleash Your Nonprofit’s Fundraising Cloud Strategy
Realizing you need to replace outdated and siloed technology is step one.

July 19, 2022 | 01:00 PM - 01:30 PM PT
Why SaaS Metrics Matter Webinar Thumbnail
Discover how collecting and reporting the right SaaS metrics can help analyze the health of your organization.

July 19, 2022 | 10:00 AM - 11:00 AM PT