Passing a SOC 2 audit can be challenging for SaaS companies, especially those whose teams need secure remote access to sensitive information and shared resources. It is well worth the effort, though: a current SOC 2 report demonstrates a serious, ongoing commitment to information security, and many customers treat it as a prerequisite before signing up or agreeing to do business.
It can be hard to find a remote access solution that satisfies your SOC 2 auditor without degrading the end-user experience. For remote work in particular, your team needs a solution that is scalable, affordable, and easy to roll out and maintain, while giving authorized users secure access to the resources they need.
Tailscale can improve your organization's security posture in ways that map onto many of the SOC 2 criteria auditors review. If you want to jump straight to the details, here is a summary of the SOC 2 Trust Services Criteria alongside the Tailscale features that support them:
Security
- SSO login through your existing identity provider, with MFA enforced by that provider
- ACLs, groups, and device tags for role-based, least-privilege access
- User approval, device approval, and tailnet lock to keep untrusted nodes out
- Network connection logging and configuration audit logging, with streaming to a SIEM
Availability
- Peer-to-peer mesh connectivity that keeps working if the coordination server is unreachable
- High-availability subnet routers and globally distributed DERP relays
- Exit nodes for remote employees on untrusted networks
Processing integrity
- NAT traversal, so nodes connect directly without opening inbound firewall ports
Confidentiality & Privacy
- End-to-end encryption between nodes
- Tailscale SSH, remote access, and site-to-site networking overlaid on top of fully encrypted WireGuard VPN infrastructure
We go into more detail about each of these features below, but before we get to that, let’s take a quick look at what SOC 2 is and why it’s important.
What is SOC 2 and how does it work?
SOC 2 is a compliance framework for how service organizations handle customer data. Strictly speaking there is no SOC 2 "certification": the outcome of an audit is an attestation report issued by a licensed CPA firm. The report shows customers that your controls protect the security, availability, processing integrity, confidentiality, and privacy of their data. SOC 2 is particularly important for organizations that store, process, or transmit sensitive data or personally identifiable information (PII).
The SOC 2 audit evaluates an organization against the Trust Services Criteria (TSC) published by the American Institute of Certified Public Accountants (AICPA). The TSC are grouped into five categories, often called pillars. Security is the only mandatory category; the other four are in scope only when the organization chooses to include them:
- Security: The security pillar evaluates the effectiveness of an organization’s controls to protect against unauthorized access to sensitive data. This includes controls related to physical security, logical security, network access security, and other security-related areas.
- Availability: The availability pillar evaluates the effectiveness of an organization’s controls to ensure that systems, data, and services are available and accessible to meet business objectives. This includes controls related to system availability, system redundancy, and disaster recovery.
- Processing integrity: The processing integrity pillar evaluates the effectiveness of an organization’s controls to ensure that processing is complete, accurate, timely, and authorized. This includes controls related to data processing, data validation, and data accuracy.
- Confidentiality: The confidentiality pillar evaluates the effectiveness of an organization’s controls to protect confidential information from unauthorized access, disclosures, and destruction. This includes controls related to data classification, data access controls, and encryption.
- Privacy: The privacy pillar evaluates the effectiveness of an organization’s controls to protect personal information per relevant privacy laws, regulations, and industry standards. This includes controls related to data privacy policies and procedures, consent management, and privacy notice and disclosure.
Following are some more in-depth considerations of how Tailscale can help satisfy these requirements.
Security
If you’re working toward SOC 2 compliance, your company most likely already has a well-designed network architecture that includes network segmentation, firewalls, intrusion detection and prevention, and other controls that protect against cyber threats. Tailscale adds identity-aware access control on top of that architecture.
Tailscale authenticates users through your existing SSO provider, including Google, Azure AD, GitHub, and Okta, so the multi-factor authentication (MFA) policy you enforce there applies to Tailscale logins as well. Developers can also use Tailscale SSH to connect to any SSH-enabled device in the tailnet without manually generating, distributing, or rotating keys.
Tailscale admins implement ACLs to ensure that individual users or groups in your Tailscale network (tailnet) can reach only the systems and data they are authorized to access. ACLs are default-deny: a connection is permitted only if a rule explicitly accepts it. Combined with MFA enforced at your identity provider, this gives you role-based access control (RBAC) that limits access based on a user's job within the organization.
In the Tailscale ACL file, you define device tags in the tagOwners section to assign identities to specific devices and to declare who is allowed to apply each tag. You can then use those tags in rules to restrict access or to control which kinds of devices may communicate with each other. A device can carry multiple tags.
Using ACLs, groups, and device tags together, you get fine-grained access control based on user roles, and groups make the policy quicker and safer to manage. With user approval and device approval, admins can also review and approve users and devices before they join the network, so that only trusted users and devices can access internal resources.
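To make the ACL model concrete, here is an added example (my own code, not Tailscale's policy engine or any code from Tailscale) that places the default allow-all rule a new tailnet ships with beside a least-privilege policy built from groups, tagOwners, and per-port rules, lints for the allow-all pattern, and evaluates whether a given user or tag may reach a destination port. The policies, user logins, and tags are constructed for the example; the evaluator is a simplified model of Tailscale's matching rules (users, groups, tags, "*", and host:port with single ports, ranges, and comma lists), not the production engine.

```python
# Added example: lint and evaluate a (simplified) Tailscale ACL policy.
# The policies are constructed for this example. A real Tailscale policy file
# is HuJSON (JSON with comments); plain dicts are used so this runs stand-alone.
# The matching logic below is a simplified model, not Tailscale's engine.

# Weak: the default rule a new tailnet ships with. Every node can reach every
# port on every other node, which an auditor will read as "no segmentation".
WEAK_POLICY = {
    "acls": [
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
}

# Hardened: least privilege. Groups express roles, tags express server identity,
# tagOwners say who may apply a tag, and every rule names explicit ports.
HARDENED_POLICY = {
    "groups": {
        "group:dba": ["alice@example.com"],
        "group:dev": ["alice@example.com", "bob@example.com"],
    },
    "tagOwners": {
        "tag:prod-db": ["group:dba"],
        "tag:web": ["group:dev"],
    },
    "acls": [
        {"action": "accept", "src": ["group:dba"], "dst": ["tag:prod-db:5432"]},
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:web:22,80,443"]},
        {"action": "accept", "src": ["tag:web"], "dst": ["tag:prod-db:5432"]},
    ],
}


def principal_matches(policy: dict, pattern: str, principal: str) -> bool:
    """'*' matches everyone, 'group:x' matches its members, anything else
    (a user login or a 'tag:x') must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("group:"):
        return principal in policy.get("groups", {}).get(pattern, [])
    return pattern == principal


def port_allowed(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, a range 'a-b', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def split_dst(dst: str) -> tuple[str, str]:
    """'tag:prod-db:5432' -> ('tag:prod-db', '5432'); '*:*' -> ('*', '*')."""
    host, _, ports = dst.rpartition(":")
    return host, ports


def is_allowed(policy: dict, src: str, dst: str, port: int) -> bool:
    """Default-deny: a flow is allowed only if some accept rule matches it."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(principal_matches(policy, s, src) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, ports = split_dst(d)
            if principal_matches(policy, host, dst) and port_allowed(ports, port):
                return True
    return False


def lint(policy: dict) -> list[str]:
    """Findings an auditor would flag: allow-all rules and undeclared tags."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if "*" in rule["src"] and any(split_dst(d) == ("*", "*") for d in rule["dst"]):
            findings.append(f"acls[{i}]: allow-all rule (src '*' to '*:*'); replace with role-based rules")
        for d in rule["dst"]:
            host, _ = split_dst(d)
            if host.startswith("tag:") and host not in policy.get("tagOwners", {}):
                findings.append(f"acls[{i}]: {host} is used but not declared in tagOwners")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint(policy) or "no findings")
    print("bob -> prod-db:5432 (hardened):", is_allowed(HARDENED_POLICY, "bob@example.com", "tag:prod-db", 5432))
```

Running the file prints the lint findings for both policies and shows that, under the hardened policy, a developer who is not in group:dba cannot reach the database port while the tagged web servers can. In a CI pipeline you would load the real policy with a HuJSON parser and fail the build whenever lint() returns anything.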
With tailnet lock, you control which nodes may join your network. When tailnet lock is enabled, a new node's key must be signed by an already-trusted signing node before other nodes will send traffic to it or accept traffic from it. This means that even if Tailscale's coordination server were compromised, an attacker could not quietly add a node that is authorized to exchange encrypted traffic with your nodes.
Tailscale’s logging features support security monitoring and incident response. Every Tailscale agent in your tailnet streams its logs to a central log service, including real-time open and close events for every inter-machine connection (TCP or UDP) on your network.
Because both endpoints of a connection log it, you can compare the two logs to detect entries that were lost or tampered with. You can write intrusion detection system (IDS) rules over these logs to flag suspicious activity automatically, and stream them via the API to a security information and event management (SIEM) system such as Splunk or Datadog to analyze them at scale.
Tailscale’s configuration audit logging is enabled by default for all tailnets. Configuration audit logs record the timestamp, the action taken, who or what took it, the resource acted upon, and a before-and-after diff of the changed values.
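As an added example of the kind of detection logic described above (my own code, not Tailscale's), the script below reads a simplified JSON-lines connection log from two nodes, cross-checks each flow against the peer's record to spot lost or tampered entries, and flags flows that the ACL policy was never meant to allow. The records, node addresses, allowed-flow table, and field names are constructed for the example and do not follow Tailscale's actual log schema; a real pipeline would pull the logs via the API and forward these findings to your SIEM.

```python
# Added example: reconcile two endpoints' connection logs and flag policy
# violations. Sample data, node addresses and field names are constructed for
# this example and are not Tailscale's real log schema.
import json

NODE_ADDRS = {"web-1": "100.64.0.10", "prod-db-1": "100.64.0.20"}

# Constructed: what web-1 logged. tx/rx are bytes sent/received by that node.
WEB_1_LOG = """\
{"node":"web-1","ts":"2024-05-01T10:00:01Z","src":"100.64.0.10","dst":"100.64.0.20","proto":"tcp","dport":5432,"tx":4096,"rx":120000}
{"node":"web-1","ts":"2024-05-01T10:00:05Z","src":"100.64.0.10","dst":"100.64.0.20","proto":"tcp","dport":22,"tx":2300,"rx":9100}
{"node":"web-1","ts":"2024-05-01T10:00:09Z","src":"100.64.0.10","dst":"100.64.0.30","proto":"udp","dport":53,"tx":80,"rx":200}
"""

# Constructed: prod-db-1 logged the Postgres flow with mirrored byte counts but
# has no record of the SSH flow on port 22, which is what a deleted entry looks like.
PROD_DB_1_LOG = """\
{"node":"prod-db-1","ts":"2024-05-01T10:00:01Z","src":"100.64.0.10","dst":"100.64.0.20","proto":"tcp","dport":5432,"tx":120000,"rx":4096}
"""

# Flows the ACL policy is meant to permit (constructed); anything else is a finding.
ALLOWED_FLOWS = {
    ("100.64.0.10", "100.64.0.20", "tcp"): {5432},
    ("100.64.0.10", "100.64.0.30", "udp"): {53},
}


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flow_key(rec: dict) -> tuple:
    return (rec["src"], rec["dst"], rec["proto"], rec["dport"])


def reconcile(logs: dict[str, list[dict]]) -> list[str]:
    """Cross-check both endpoints of every flow. A flow seen by one node but not
    its peer means a lost or tampered entry; byte counts should be mirrored."""
    addr_to_node = {a: n for n, a in NODE_ADDRS.items()}
    index = {node: {flow_key(r): r for r in recs} for node, recs in logs.items()}
    findings: dict[tuple, str] = {}  # keyed so both sides report each problem once
    for node, recs in logs.items():
        for r in recs:
            peer_addr = r["dst"] if r["src"] == NODE_ADDRS[node] else r["src"]
            peer = addr_to_node.get(peer_addr)
            if peer not in index:
                continue  # peer's logs are not held here (e.g. a host behind a subnet router)
            other = index[peer].get(flow_key(r))
            if other is None:
                findings.setdefault(("missing", flow_key(r)),
                                    f"{node} logged {flow_key(r)} but {peer} did not: lost or tampered entry")
            elif (other["tx"], other["rx"]) != (r["rx"], r["tx"]):
                findings.setdefault(("bytes", flow_key(r)),
                                    f"byte counts for {flow_key(r)} disagree between {node} and {peer}")
    return list(findings.values())


def unexpected_flows(logs: dict[str, list[dict]]) -> list[str]:
    """IDS-style rule: flag any flow the policy was not meant to allow."""
    seen = set()
    findings = []
    for recs in logs.values():
        for r in recs:
            key = flow_key(r)
            if key in seen:
                continue
            seen.add(key)
            if r["dport"] not in ALLOWED_FLOWS.get(key[:3], set()):
                findings.append(f"unexpected flow {key}: not permitted by policy")
    return findings


def analyse() -> tuple[list[str], list[str]]:
    logs = {"web-1": parse_log(WEB_1_LOG), "prod-db-1": parse_log(PROD_DB_1_LOG)}
    return reconcile(logs), unexpected_flows(logs)


if __name__ == "__main__":
    for group in analyse():
        for finding in group:
            print(finding)
```

On the constructed data the script reports exactly two findings: the SSH flow to port 22 that web-1 recorded but prod-db-1 did not, and the same flow as a policy violation. Each finding is the kind of event you would ship to the SIEM as a high-severity alert and tie to your incident response runbook.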
Availability
Tailscale’s mesh architecture (built on WireGuard) means your network stays up even when Tailscale’s coordination server is unreachable. The open-source client uses the coordination server to exchange public keys and discover peers, after which traffic flows directly between nodes, so the control plane is not in the data path and you have fewer single points of failure. Existing connections keep working during an outage; you simply cannot add nodes or change policy until it returns. For tailnets that rely on subnet routers, you can configure failover subnet routers (high availability) so the network keeps its connectivity if one router fails.
As a further fallback for cases where NAT traversal cannot establish a direct path between two nodes, Tailscale runs dozens of DERP relay servers distributed around the globe, and clients automatically choose the nearest one for low latency. Because Tailscale private keys never leave the node that generated them, DERP servers cannot decrypt your traffic; they only forward already-encrypted WireGuard packets from one node to another. You can also run your own DERP servers.
With exit nodes, remote employees can route traffic bound for the public internet through a designated node inside the encrypted tunnel, which is especially useful when traveling or on untrusted Wi-Fi, where the risk of interception and other attacks is higher.
What’s more, Tailscale runs on all major platforms, including Linux, macOS, Windows, iOS, and Android.
Processing integrity
Firewalls are a critical element of network security, but reaching resources behind them has traditionally meant opening inbound ports and doing tedious manual configuration, each of which can introduce new exposure. With NAT traversal, nodes in your tailnet connect directly to each other over outbound UDP without opening inbound firewall ports, so your existing firewall policy stays intact.
Confidentiality & Privacy
Your organization should encrypt sensitive data both in transit and at rest to protect it from unauthorized access. In transit, that means TLS (HTTPS) rather than legacy SSL; at rest, it means a modern symmetric cipher such as AES with keys managed separately from the data, and asymmetric algorithms such as RSA or elliptic-curve cryptography for key exchange and signatures.
When remote employees access resources in your network, traffic between the user’s device and the resource must be encrypted. Tailscale is built on WireGuard, which creates lightweight, secure tunnels between endpoints using modern cryptography (the Noise protocol framework with Curve25519 key exchange, ChaCha20-Poly1305 authenticated encryption, and BLAKE2s hashing). Between Tailscale nodes, all traffic is end-to-end encrypted, wherever your team is working from. One caveat worth stating for your auditor: when traffic passes through a subnet router or exit node to a destination that does not run Tailscale, the WireGuard encryption ends at that router or exit node, and the final hop is only as protected as the application protocol in use (for example, TLS).
With Tailscale SSH, developers can reach sensitive systems from mobile devices and across operating systems. SSH sessions run inside the WireGuard tunnel, and Tailscale simplifies the process by authenticating users through your existing identity provider and managing keys on your behalf, so there are no long-lived SSH keys to distribute, leak, or rotate.
With Tailscale, you can securely move data between private resources in your tailnet. Site-to-site networking connects two subnet routers so that, for example, a server can reach a database in another network, two physical offices can talk to each other, or virtual private clouds (VPCs) hosted on AWS and GCP can be joined.
Bonus: monitoring and incident response
As noted above, corporate networks most likely already have robust controls in place. Monitoring plus an incident response process that detects and responds to incidents quickly is a good start, but for SOC 2 you will likely also need intrusion detection and prevention systems, a security information and event management (SIEM) tool, and a formal, documented incident response plan. Tailscale’s connection logs and configuration audit logs feed directly into that tooling.
More about our own SOC 2 journey
Here are some key takeaways from our own SOC 2 audit:
- Start early! Even as a security-focused company, it still took us six months to achieve SOC 2 Type I compliance — between finding and engaging an auditor and implementing additional controls. Completing our SOC 2 Type II compliance took an additional three months.
- Time gets eaten up in unexpected ways. SOC 2 is a standard that was developed by accountants, so many of its “security” requirements aren’t what you might expect. For example, org charts, job descriptions, and performance reviews are all considered security risks. Working on these unexpected security concerns was the most time-consuming part of our SOC 2 process.
- Not all SOC 2 support tools are helpful. There are a host of third-party SOC 2 tools and aids to support your compliance journey. These automated tools can verify whether you have security settings correctly enabled in your infrastructure. If you have a straightforward infrastructure, these tools can save you valuable time. But if you have a complex infrastructure (like we do), you’ll need to take the time to build your own tools. That said, some things just aren’t worth building from the ground up, such as security training tools. We use Ninjio for our employee security awareness training, and it’s awesome.
- For SOC 2, Tailscale is a VPN. Tailscale is much more than a VPN, but your auditor will be happy that your traffic can be encrypted with a VPN connection.
- Ensure that third parties meet the same standards. If you rely on third-party vendors, you should ensure those vendors meet the same security standards and requirements as your company. You can accomplish this either by contractually binding the vendor to the same SOC 2 standards, or by regularly auditing and monitoring the vendor’s security practices.
If you’re still unsure whether Tailscale can help you achieve SOC 2 compliance, reach out to our sales team to find out how we can help. Or download Tailscale and try it for free.
Get started with Tailscale today.
Frequently Asked Questions
Here are some answers to common questions.
What is the difference between SOC 2 Type I and SOC 2 Type II?
A SOC 2 Type I report evaluates the design of your controls at a single point in time: whether your policies and practices, as designed, meet the Trust Services Criteria. A SOC 2 Type II report evaluates whether those controls also operated effectively over a review period, typically three to twelve months.