What Are CUECs in SOC Reports and Why Do They Matter?

11/12/2025
CUECs in SOC 2

Read Time: 5 minutes

Service organizations, including cloud service providers such as AWS, Google, and Microsoft, have dedicated significant time and effort to developing strong internal controls and publish their SOC reports periodically. However, maintaining a secure control environment also depends on one critical component that is often outside the provider's control: the customers.

When cloud service providers assume that certain responsibilities will be carried out by you, their customer, such as managing user access or securing endpoints, these responsibilities are known as complementary user entity controls (CUECs). They play a vital role in ensuring that both parties contribute effectively to overall security.

What is a CUEC?

A complementary user entity control (CUEC) is a control that a service provider expects its customers to implement so that the service remains secure and effective. In a SOC report, cloud service providers describe their own controls and outline the shared responsibilities. The provider safeguards the infrastructure and data, while customers manage items such as password policies and security configurations.

CUECs are mandatory disclosures in any SOC report, but the provider is not required to implement them. Rather, they must be clearly communicated so that customers can implement them and thereby rely on the provider's controls.

Why CUECs Matter

CUECs play a key role in defining shared responsibilities and supporting accurate audits. Without clear CUECs, providers, customers, and auditors may struggle to understand control coverage, which can lead to disputes about who is responsible for ensuring that security controls function as intended.

Example of CUECs in SOC 2 Reports

If you are a customer of a cloud service provider, you can obtain its SOC 2 report from its portal. The report includes a section outlining customer responsibilities, often titled "Complementary User Entity Controls", which lists the actions expected from customers. Auditors consider these actions when evaluating whether controls meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, or privacy.

Examples of CUECs:

  • Enabling multi-factor authentication
  • Keeping endpoint protection up to date
  • Disabling former employee accounts promptly
  • Reviewing and updating user access regularly
  • Setting up IP allowlisting when available

These actions are outside the cloud service provider's scope, but they are critical dependencies for the system to remain secure.

Helping Customers Implement and Evaluate Their CUECs

In today's interconnected digital ecosystem, security and compliance are shared efforts between service providers and their customers. Crowe can help organizations navigate SOC audit requirements, align customer controls with CUEC requirements, and ensure that shared responsibilities are well understood.

Speak to our expert.
Crowe can provide specialized industry consulting services to help tackle the specific challenges you face.