SOC 2 compliance for SSH, Kubernetes, and Databases

Teleport is designed to meet SOC 2 requirements for the purposes of accessing infrastructure, change management, and system operations. This document outlines a high level overview of how Teleport can be used to help your company to become SOC 2 compliant.

Warning: SOC 2 compliance features are only available for Teleport Enterprise and Teleport Enterprise Cloud.

SOC 2, or Service Organization Controls, were developed by the American Institute of CPAs (AICPA). They are based on five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.

Teleport helps with 4 of the 9 control areas.

Teleport helps with separation of duties using RBAC and restricts access to authorized users.

Provide role-based access controls (RBAC) using short-lived certificates and your existing identity management service.

Teleport issues temporary security credentials according to the user's role.

Teleport helps audit and monitor access.

Audit events and session recordings are securely stored in a vault to prevent tampering.

Convert logins, executed commands, deployments and other events into structured audit logs.

Monitor, share and join interactive sessions in real-time from the CLI or browser.

Teleport helps users elevate their permissions during incidents, and RBAC helps limit the need for approvals. The Teleport Slack integration allows managers to quickly approve temporary SSH Access Requests.

Let engineers request elevated permissions on the fly without ever leaving the terminal.

Approve or deny permission requests with ChatOps workflow via Slack or other supported platforms.

Extend and customize permission elevation workflow with a simple API and extendable plugin system.

Below is a table of principles and common points of focus listed by AICPA's official "Trust Services Criteria" reference document and how Teleport helps satisfy them.

Each principle has many "Points of Focus", which apply differently to different products and organizations. Talk to an auditor to understand exactly which points of focus apply to your organization.