The increased awareness and adoption of cloud technology is also leading organizations and CSPs to establish assurance over the management and security of sensitive data. To satisfy stakeholders’ demands for assurance around internal controls intended to address touch-points relevant to information security, the AICPA has developed the Service Organization Control (SOC) reporting framework. To support their risk assessments, user entities and business partners may request a SOC 2® report from the service organization.
SOC 2 reports permit cloud providers to communicate particulars about their services and the suitability of the design and operating effectiveness of their controls, majorly
Not all five Trust Services principles are required to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives.
The description criteria are used by management when preparing the description of the service organization’s system and by the service auditor when evaluating the description.
Trust services criteria:
The service organization evaluates whether the design and operating effectiveness of controls provide reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to the trust services category or categories included within the scope of the examination. The trust services criteria are classified into the following five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Tata Communications is committed to the SOC 2 standard for its Managed Cloud Services.
Managed Cloud Services: IPC (IZO Private Cloud) is an enterprise cloud platform that offers a flexible, scalable and reliable cloud environment. It allows end-users to create the appropriate combination of compute, network, security, storage, and traffic management services to meet business needs, and to grow with the business. The IPC service is available on two models within Tata Communications’ data centers. It includes Virtual Private Cloud (VPC), Dedicated Private Cloud (DPC) and Virtual Private Data Center (VPDC).
MCS services are offered to customers from the GSMC facility in Chennai. The Service Operations Team provides 24×7 monitoring and support for network intrusion detection and protection devices across a variety of platforms and technologies. The Service Operations Team in turn consists of Level 1 (L1), Level 2 (L2) and Level 3 (L3) Engineers who manage the day-to-day operations of GSMC and analyze and resolve issues. The Operations Engineering Team consists of competency leads, also referred to as Technology Leads, who are
Service Organization Controls and Procedures cover control objectives for:
|IZO Private Cloud||In-Scope services|
|Compute||Cloud services, Virtual Services, Auto Scaling|
|Network||VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV|
|Storage/Backup||Block, File and ICS (Object) backup; scheduled data backup and data restoration|
|Database||Managed Oracle, MS-SQL, DB2 or MySQL database administration|
|Middleware||Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache|
|Hypervisor||VMware, Hyper-V and KVM|
|Load balancer||Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance|
|Security||SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth|