BastionZero aids in satisfying many of the SOC2 common criteria, including: 


CC6.1  The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.  


BastionZero uses SSO+MFA+keysplitting to control access to infrastructure.


  • The entity identifies, inventories, classifies, and manages information assets. 


BastionZero autodiscovers targets and classifies them into environments.

 

  • Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. 


BastionZero uses policy-based access control to control access.


  • Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely. 


BastionZero authenticates every user via SSO+MFA+keysplitting before granting access to infrastructure, whether the user connects locally or remotely.


  • Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. 


Command logs, session logs and session recordings document every access: see who ran what command, on which target, as which user.


  • Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.  


BastionZero uses policy-based access control to restrict access.


  • Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.


BastionZero enforces a single, documented identification and authentication requirement for access to infrastructure: SSO+MFA+keysplitting.


  • New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.


BastionZero uses secure autodiscovery to ensure that only authorized targets are added to the customer's set of accessible targets. When an engineer leaves the organization, removing their credentials from the SSO provider automatically revokes their access via BastionZero.



CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.


Grant users short-term access to resources using BastionZero. When an engineer leaves the organization, removing their credentials from the SSO provider automatically revokes their access via BastionZero.


CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.


Rather than issuing standing credentials for protected infrastructure, BastionZero's policy-based access control grants access on an as-needed, least-privilege basis.


CC6.4 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.


How? Eliminate standing credentials (SSH keys, kubectl config parameters) from engineers' local machines. Ensure that every access to infrastructure is monitored and logged. Put all infrastructure behind a NAT. Eliminate open SSH ports that can be probed by attackers: targets phone home to BastionZero, so no inbound ports need to be open on the targets.


CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.


BastionZero generates real-time logs of every access to infrastructure, supporting both ongoing monitoring for anomalous access and forensic review of related security incidents.