Home / Blog / Data Security

How do you prove least privilege for SaaS backups in a SOC 2 audit?

Rewind | Last updated on May 27, 2026 | 4 minute read

Answer: To prove least privilege for SaaS backups under SOC 2 (specifically Common Criteria 6.1, 6.2, and 6.3), you need: a documented access control policy explicitly covering backup systems, role-based access controls with named roles for backup admin, read-only restore, and audit-only access, quarterly access reviews with evidence, MFA on all backup admin accounts, full audit logs of backup access and operations, and a tested process for joiners/movers/leavers that includes backup system access. Most organizations have these for production systems and miss them for backup systems.

Backup systems are a recurring blind spot in SOC 2 readiness. The reasoning is intuitive: backup is operational plumbing, not customer-facing infrastructure. But auditors increasingly recognize that backup repositories contain the same (sometimes more) sensitive data than production systems, and they apply the same access control rigor. The good news is that the requirements are well-defined; the work is in making the controls real and producing the evidence on demand.

Which SOC 2 criteria actually apply

SOC 2’s Trust Services Criteria include Common Criteria for Security, which apply to every SOC 2 audit. The relevant access control criteria are CC6.1 (logical access security), CC6.2 (account provisioning and removal), and CC6.3 (periodic review of access). A SOC 2 access control policy is, in the auditor’s words, “the foundational evidence demonstrating a deliberate and management-approved strategy for securing information assets.” The policy must cover all systems handling sensitive data, which includes backup systems.

Availability criteria also matter. Auditors expect documented recovery objectives (RTO/RPO), tested disaster recovery plans, regular backups with documented retention schedules, and tested restoration procedures. Without these, you fail Availability even if Security is otherwise clean.

What auditors actually look for in backup access

Five evidence categories are routinely sampled:

  • A documented policy. Not aspirational, actual. The policy specifies who can perform which operations on backup data, with named roles.
  • Role-based access controls (RBAC) in the backup system itself. Auditors will ask for a screenshot of the role assignments and compare it to the policy. They will look for separation between backup administration, restore execution, and audit access.
  • Multi-factor authentication on all backup admin accounts. Increasingly non-negotiable. Auditors will sample login records.
  • Quarterly access reviews. Evidence, typically dated review documents signed off by system owners, that access was actually reviewed and changes were made where needed.
  • Audit logs. Every access event, every backup operation, every restore, with retention long enough to span the audit window. Auditors will sample specific dates: “Show me who restored what on March 14th.”

The common failure modes

Five patterns produce audit findings:

  • Shared accounts. “Admin” credentials shared across the platform team. Auditors reject these because they break the chain of accountability. Per SOC 2 guidance: “Unique Authentication: All users must have individual IDs. Shared credentials are prohibited.”
  • Over-broad permissions. Everyone in DevOps can delete backups. Auditors require evidence that delete authority is restricted to a small, named group with separation of duties.
  • No granularity by project or scope. If the same admin role has access to every backup regardless of business unit, you cannot prove least privilege by project. For organizations with sensitive data segregation requirements, this is a finding.
  • Joiner/mover/leaver gaps. Backup system access not included in offboarding playbooks. Auditors will look for an ex-employee with backup access lingering past their termination date.
  • Backup repository risk. Backups themselves are a ransomware target. Veeam’s 2024 research found 96% of ransomware attacks explicitly target backup repositories. Auditors increasingly examine whether backup write/delete access is meaningfully constrained.

A practical evidence checklist

Before the audit window opens, assemble:

  • Backup access control policy document, dated and approved by management.
  • Inventory of named roles in the backup system with the operations each can perform.
  • List of users in each role, with hire date, role assignment date, and job title.
  • MFA enforcement evidence: system configuration screenshot, plus sample login records.
  • Quarterly access review records signed by system owners, with any changes documented.
  • Audit log samples covering several random dates from the audit window.
  • Documentation of at least one successful restore test during the audit window, with logs of who performed it and what was restored.
  • Joiner/mover/leaver process documentation that explicitly names backup system access.

Backup as a compliance asset, not just a cost

The reframe that helps most teams is to stop treating backup as operational overhead and start treating it as a control. A properly designed backup posture with role-based access, granular permissions, project-level scoping, immutability, and audit logging is not just disaster recovery infrastructure. It is evidence of operational discipline that streamlines SOC 2, ISO 27001, and increasingly, customer security reviews. The same controls that satisfy auditors are the controls that make recovery survivable.

Where the bar is moving

SOC 2’s bar on access controls is rising. Auditors in 2025 and 2026 are expecting centralized logging, MFA on every sensitive account, quarterly access reviews, joiner/mover/leaver enforcement, and demonstrable least privilege across all systems holding sensitive data. Backup systems are now firmly inside that perimeter. Organizations that get ahead of this requirement have an easier audit, a better incident posture, and a credible answer for the security questionnaires that increasingly determine enterprise deals.

Sources

  1. SOC 2 Auditors — Access Control Policy Template (CC6.1, CC6.2, CC6.3) — https://soc2auditors.org/insights/soc-2-access-control-policy-template/
  2. Bright Defense — SOC 2 Requirements — https://www.brightdefense.com/resources/soc-2-requirements/
  3. ComplyJet — SOC 2 Controls List (2025) — https://www.complyjet.com/blog/soc-2-controls
  4. Konfirmity — SOC 2 Backup and Recovery (cites Veeam 2024 ransomware research) — https://www.konfirmity.com/blog/soc-2-backup-and-recovery-for-soc-2
  5. The Pun Group — Top 5 SOC 2 Backup Requirements — https://pungroup.cpa/blog/soc-2-backup-requirements/
Profile picture of <a class=Rewind">
Rewind
Rewind is a leading and trusted provider of cloud backup and data recovery solutions, helping businesses safeguard their critical SaaS data from loss, corruption, and cyber threats.