What is SOC 2?
SOC 2 is an attestation framework maintained by the American Institute of Certified Public Accountants (AICPA). It evaluates the controls a service organization uses to protect customer data against the AICPA Trust Services Criteria (security, plus availability, processing integrity, confidentiality, and privacy where the organization puts them in scope). The result is an auditor's report rather than a certificate, and it comes in two forms, SOC 2 Type I and SOC 2 Type II. It is the de facto standard that buyers of cloud-hosted software expect vendors to hold.
A Type I report is usually the first step. The organization defines the policies, standards, and controls that address the criteria in scope, covering how sensitive personal data is managed, stored, accessed, and used, and the auditor confirms that those controls are suitably designed and in place at a single point in time. During the audit, the organization has to show that it has policies in place for information security, incident response, data classification, and more.
A Type II report is the more in-depth exercise. The auditor tests whether the controls the organization committed to were actually followed and operated effectively over an observation period, typically anywhere from three to twelve months, rather than just existing on paper on a given day.
In short, the Type I report establishes that controls, policies, and standards are designed and in place, and the Type II report shows that those controls were exercised over time and validated by an independent auditor. Although SOC 2 is a comprehensive framework widely accepted by the software industry, Kinectify sees it as an important foundation for its security standards and practices, and not the culmination of our security strategy.
SOC 2 Competitive Advantage
Obtaining a SOC 2 report is an important first step in a comprehensive cloud security program and demonstrates that the organization is committed to providing a secure computing environment for cloud-hosted software. A SOC 2 Type II report should answer most of the questions on a vendor selection questionnaire and provide peace of mind to gaming organizations like yours when selecting cloud-hosted vendors.
First, a complete SOC 2 Type II report from a reputable, licensed CPA firm demonstrates that the organization has established information security practices and follows its published information security policies, because an independent third-party auditor has tested them. At a minimum, this shows that the vendor treats security and secure information handling as part of its software delivery process. When you read the report, check the scope section (which criteria, systems, and observation period were covered) and the exceptions the auditor noted; a report with availability or confidentiality out of scope says nothing about those areas.
Secondly, an organization with a SOC 2 report covering the security criteria will have established policies and procedures for preventing, detecting, and reporting breaches, and the auditor will have tested that they operate. This is extremely important because, while many unaudited organizations contractually guarantee to report breaches to their customers in a timely manner, they often lack the logging, monitoring, and alerting needed to even detect that a breach has occurred, which makes that reporting commitment useless.
Finally, and perhaps most importantly, a SOC 2 Type II report that includes the availability criterion demonstrates that the organization has the operational controls (capacity planning, monitoring, backup, and recovery) needed to meet the SLAs it has agreed to and to provide a high-availability solution to its customers. As a gaming organization selecting business-critical software, it is vital that the provider can meet the throughput and availability demands of your organization, and the availability section of a SOC 2 Type II report is where you will find that information. If availability was not in scope, ask the vendor why.
Protecting Your Gaming Data
If you lead a gaming organization, you should pay close attention to whether the vendors you use hold a current SOC 2 Type II report. Gaming organizations are high-value targets for attackers. You hold highly sensitive data, such as SSNs, addresses, phone numbers, and other valuable PII. In addition, you enrich that data with highly sensitive findings. For example, consider the enhanced due diligence (EDD) reports you produce on higher-risk players. These reports contain net worth and earnings information, risk evaluations, findings about behavior and the likelihood of criminal or suspicious activity, and other sensitive information.
For AML compliance software in particular, companies like Kinectify exist to help you catch criminals who use your services. Criminals are smart and becoming more sophisticated every day. Breaching your compliance solution and seeing what your organization monitors, how your rules and thresholds are configured, and how you respond to different behaviors is of the utmost value to them, because it lets them navigate around the controls your organization has in place. Suffice it to say that breaching your organization's compliance software is just as valuable to an attacker as breaching your customer PII, if not more so.
In the United States, data breaches occur every 39 seconds [1], cost an average of $9.4M per breach [2], and take about nine months to resolve [2]. A breach is costly and extremely time-intensive to deal with, and these costs are rising each year. Regulations like CCPA, GDPR, and others make your organization accountable for the PII you hold, and they are becoming more common and increasingly difficult to understand and comply with.
On-Premise Solutions are Not Immune
Many gaming organizations, and often vendors as well, think that on-premise solutions are safer and do not require the same attention to security that cloud solutions do. The opposite is closer to the truth. The major causes of data breaches are just as prevalent on-premise as they are in cloud and SaaS solutions, most on-premise environments lack the security tooling that cloud platforms provide out of the box, and on-premise deployments often have lax controls because they are not "internet facing."
Although you might not think so based on the news you hear, on-premise breaches accounted for 55% of data breaches in 2022 [1]. The major causes of breaches, including phishing (16%), business email compromise (6%), stolen or compromised credentials (19%), and malicious insiders (8%), are just as prevalent on-premise as in the cloud, or more so.
On-premise environments often lack the leading-edge security software and hardware that cloud providers are expected to have. Providing hardened, multi-tiered, segmented networks with current threat protection is nearly impossible when building and maintaining those systems is not your organization's core competency. Your team faces the same risks that SaaS providers face, but without the budget or staff to implement the same defenses.
Finally, on-premise deployments often take a more lax approach to security because they are not internet-facing. Basic measures get overlooked: segregating the subnets that host the compute tier from the subnets that host the data tier, placing network security groups or firewalls between internal networks, and inspecting inbound traffic with a web application firewall (WAF) or similar tooling to block common attacks such as injection and cross-site scripting. Database servers are frequently left reachable by anyone on the network, shared admin credentials are created for databases and for administrator accounts on the servers, and key and password rotation and other basic hygiene are ignored because the vendor does not control the environment its application is hosted in.
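The "database server left open to anyone on the network" problem above is easy to audit from the database's own access-control file. The following script is an added example, not code from this page or from Kinectify: it parses a PostgreSQL pg_hba.conf (the real format, one rule per line: TYPE, DATABASE, USER, ADDRESS, METHOD) and flags rules that accept connections from any host, skip authentication (`trust`), use weak or cleartext password methods, or accept unencrypted connections. The two configurations embedded in it are constructed for illustration; the hardened one scopes access to the application subnet, requires TLS and SCRAM, and ends with an explicit `reject`.

```python
"""Audit a PostgreSQL pg_hba.conf for the open-to-the-whole-network access
rules described above.  Added example, not code from the page or from
Kinectify; OPEN_HBA and HARDENED_HBA are constructed for illustration."""
import ipaddress

# Methods that either skip authentication or send/keep weak password material.
WEAK_METHODS = {"trust", "password", "md5"}

# Constructed: the kind of pg_hba.conf found on an "internal only" database host.
OPEN_HBA = """\
# TYPE     DATABASE  USER  ADDRESS       METHOD
local      all       all                 peer
host       all       all   0.0.0.0/0     trust
hostnossl  all       all   10.0.0.0/8    md5
host       aml       app   10.20.3.0/24  scram-sha-256
"""

# Constructed: same server, scoped to the app subnet, TLS only, explicit deny last.
HARDENED_HBA = """\
# TYPE     DATABASE  USER  ADDRESS        METHOD
local      all       all                  peer
hostssl    aml       app   10.20.3.0/24   scram-sha-256
hostssl    aml       dba   10.20.9.10/32  scram-sha-256
host       all       all   0.0.0.0/0      reject
"""


def _is_dotted_mask(token):
    return token.count(".") == 3 and all(p.isdigit() for p in token.split("."))


def parse_hba(text):
    """Parse pg_hba.conf lines into dicts.  Supports 'local DB USER METHOD' and
    'host|hostssl|hostnossl DB USER ADDRESS [MASK] METHOD', with ADDRESS as a
    CIDR, an address plus a separate IPv4 netmask, or a keyword (all, samenet)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local rule")
            rule = {"line": lineno, "type": "local", "database": fields[1],
                    "user": fields[2], "address": None, "method": fields[3]}
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: malformed host rule")
            conn_type, database, user, address = fields[:4]
            rest = fields[4:]
            if len(rest) >= 2 and "/" not in address and _is_dotted_mask(rest[0]):
                # Old-style "ADDRESS MASK" form: fold into CIDR notation.
                address = str(ipaddress.ip_network(f"{address}/{rest[0]}", strict=False))
                rest = rest[1:]
            rule = {"line": lineno, "type": conn_type, "database": database,
                    "user": user, "address": address, "method": rest[0]}
        rules.append(rule)
    return rules


def _network(address):
    """CIDR string -> ip_network; keywords and hostnames return None."""
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None


def audit_hba(text):
    """Return (severity, line, message) findings for risky rules."""
    findings = []
    for r in parse_hba(text):
        if r["method"] == "reject":
            continue  # an explicit deny is exactly what we want at the bottom of the file
        if r["method"] == "trust" and r["type"] != "local":
            findings.append(("critical", r["line"], "trust: no authentication at all for network clients"))
        elif r["method"] in WEAK_METHODS:
            findings.append(("high", r["line"], f"{r['method']}: weak or cleartext password method; use scram-sha-256"))
        if r["type"] == "local":
            continue  # Unix-socket rules are not reachable from the network
        net = _network(r["address"])
        if r["address"] == "all" or (net is not None and net.prefixlen == 0):
            findings.append(("critical", r["line"], "reachable from any host; restrict ADDRESS to the app subnet"))
        elif net is not None and not net.is_loopback and r["database"] == "all" and r["user"] == "all":
            findings.append(("medium", r["line"], "all databases and all roles for a whole network; scope to the app database and role"))
        if r["type"] == "hostnossl":
            findings.append(("high", r["line"], "hostnossl: connections are forced to cleartext"))
        elif r["type"] == "host" and net is not None and not net.is_loopback:
            findings.append(("medium", r["line"], "host: non-TLS connections accepted; use hostssl"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_HBA), ("hardened", HARDENED_HBA)):
        results = audit_hba(cfg)
        print(f"== {name}: {len(results)} findings")
        for sev, line, msg in results:
            print(f"  [{sev}] line {line}: {msg}")
```

Run it against a copy of the file pulled from the database host (`audit_hba(open("/etc/postgresql/.../pg_hba.conf").read())`); the open configuration produces seven findings, two of them critical, while the hardened one produces none. The same review applies to any datastore with its own allow-list: the questions are always which networks, which principals, which authentication method, and whether the transport is encrypted.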
Why SOC 2 is Necessary in Gaming
SOC 2 Type II is necessary in gaming software because, as we have already established, gaming software, and particularly gaming compliance software, houses the type of data that attracts malicious attackers, and it does so at a very large scale. A SOC 2 Type II report gives you independent evidence that the vendor's controls for securing data follow industry standards and best practices, and that the infrastructure, applications, and operating environment are appropriately managed for housing sensitive data.
Part of becoming SOC 2 compliant is validating that the proper tools are present for preventing breaches and identifying when a breach occurs. The Trust Services Criteria do not name specific products, but to satisfy the monitoring and change-detection criteria an organization is in practice expected to run an intrusion detection system (IDS) and intrusion prevention system (IPS) and show the auditor that they work. Penetration testing and vulnerability scanning are likewise generally expected as evidence that vulnerabilities are identified and remediated.
In the event that a data breach does occur, a SOC 2 audit also checks that your organization has the information necessary to track down and contain the breach. The organization must define, and the auditor tests, what is logged, how long logs are retained, and who is allowed to read or alter those logs.
Finally, for SaaS providers, the audit helps ensure that you not only have the correct services and infrastructure in place, but that they are configured properly as well. Auditors ask to see specific configurations, examples of log output from your systems, records of incident responses or tabletop exercises, and other artifacts that confirm the tools are not only present but operating properly.
A SOC 2 Type II report is an important credential for software vendors in the gaming industry, and is particularly important for vendors in the gaming compliance industry. It demonstrates a commitment to providing a safe, professional environment for hosting sensitive customer data, and provides independent evidence that industry standards and best practices are being followed in the development, deployment, and operation of the software. Many think of SOC 2 as relevant only to SaaS or cloud software, but it is just as relevant to on-premise solutions, if not more so, and any solution, regardless of where it is hosted, that has not met these minimum standards should be reevaluated.
Kinectify is an AML risk management technology company serving gaming operators both in the US and Canada. Our modern AML platform seamlessly integrates all of the organization's data into a single view and workflow empowering gaming companies to efficiently manage risk across their enterprise. In addition, Kinectify's advisory services enhance gaming operators' capacity with industry experts who can design and test programs, meet compliance deadlines, and even provide outsource services for the day-to-day administration of compliance programs.