Aserto is SOC 2 Type II Compliant
Senior Reliability Engineer
Nov 23rd, 2022
Operating a fine-grained authorization service for customers requires a foundation of security and trust that must be thought of and maintained in every aspect of the company. To that end, Aserto is proud to announce that we have successfully completed our first security audit and are certified as SOC 2 Type II compliant!
SOC 2 is an industry standard compliance certification which is issued by independent auditors. It assesses how effective security measures and controls are over time by observing operations for six months. SOC 2 compliance demonstrates that Aserto has implemented policies and procedures to operate our services according to security best practices and, most importantly, that our implementations have been tested by a third party to ensure we follow them consistently.
As authorization and controls are at the heart of SOC 2, we take this very seriously. In fact, using Aserto to authorize access to our own product enables us to capture decision logs about every access decision made. This gives us even more confidence in our ability to stand behind the security of our product.
SOC 2 tests our ability to maintain key trust principles and gives us a comprehensive report that goes into detail about our security practices. Here are some important highlights:
Infrastructure security: Our efforts in this category include both logical and physical restrictions to ensure that only authorized individuals can access production systems. Additionally, production operations and data are entirely separated from all other environments. IT security tools, including intrusion detection and two-factor authentication, are in place to help protect against security breaches that can lead to unauthorized system access.
Organizational security: HR performs employee background checks and all employees are required to complete security awareness training during onboarding. Additionally, systems used by employees have minimum password policies enforced, anti-malware tools, and full disk encryption in place.
Product security: All production system activity is logged. Vulnerability scanning and system monitoring are in place as additional measures.
Confidentiality: We securely encrypt and manage data in transmission and at rest to protect the interests and privacy of our customers. We also grant the bare minimum permissions to employees to ensure they have access to the resources they need to do their jobs, no more and no less.
Privacy: The collection and storage of personal data is done in accordance with generally accepted privacy principles.
Availability: We maintain a resilient infrastructure to provide consistent and reliable access to each of our services, as well as a tested disaster recovery plan to quickly restore operations in the event of a regional failure.
SOC 2 Type II compliance demonstrates that Aserto has implemented policies and procedures according to security best practices, including: infrastructure security, organizational security, product security, privacy, confidentiality, and more.
We went to considerable effort to put these policies and procedures in place because we believe that SOC 2 Type II will provide our partners with confidence that our product has been vetted as a safe platform that you can build your business on.
It’s important to note that this is a culmination of effort from every person in the company, from leadership to engineering, HR, and every employee at Aserto who has made the effort to educate themselves and incorporate good security principles into their ongoing work.
Our ongoing compliance is automated and monitored through software from Vanta. You can view our constantly updated trust report here: https://trust.aserto.com/.
If you are an Aserto customer and would like to view our entire SOC 2 Type II report, please reach out to us at email@example.com to request a copy.