In cloud environments, access control is a managed service. AWS IAM provides centralized identity, Okta handles SSO across every SaaS tool, and the entire access lifecycle is API-driven. Provision a user, assign a role, revoke on termination. The access model is clean because the platform was designed that way.
On-premise environments don't have that luxury. The identity layer is Active Directory running on a dedicated server. Some systems join the domain, others don't. Network appliances have their own local accounts. Database servers have SQL logins that may or may not align with AD. The VPN has its own certificate-based authentication, and the bastion host sits between everything.
The Challenge
The question isn't whether on-premise environments can satisfy SOC 2 access controls. They absolutely can. The challenge is stitching together a coherent access model from heterogeneous systems and presenting it in a way that auditors can follow.
This post covers how to implement and evidence SOC 2 access controls in on-premise environments, from centralized identity through quarterly reviews. It's part of a broader series on SOC 2 readiness for bare metal and on-prem infrastructure.
CC6.1 Authentication
Logical access controls that restrict access to authorized users. Covers authentication mechanisms, unique IDs, and password policies.
CC6.2 Lifecycle
Access is provisioned based on authorization and removed when no longer needed. Onboarding, role changes, and termination.
CC6.3 RBAC
Role-based access aligned with job responsibilities. RBAC matrices and least-privilege principles.
CC6.6 Network Access
Restrictions on system access including network-level controls. Where VPN, bastion host, and network segmentation intersect with identity.
The auditor isn't looking for a specific technology. They're looking for a system where access is controlled, attributable to individuals, reviewed periodically, and revoked promptly when someone leaves.
Active Directory remains the backbone of identity management in most on-premise environments. For SOC 2, it serves as the central directory that auditors use to understand who has access to what.
A production-dedicated AD server provides centralized authentication and authorization for internal staff. Windows servers join the domain and inherit Group Policy Objects (GPOs) for password enforcement, idle timeout, and access restrictions. The bastion host authenticates against AD, creating a single identity layer for administrative access.
For SOC 2 evidence, the AD user listing becomes a primary artifact. An export showing username, display name, account status (enabled/disabled), and last logon date gives the auditor a snapshot of the identity population. Combined with the RBAC matrix, it demonstrates that each account maps to a named individual with a defined role.
Systems that support LDAP integration should connect to AD over LDAPS (LDAP over TLS) rather than plain LDAP. This encrypts authentication traffic between the application and the directory, satisfying CC6.1 requirements around protecting authentication credentials. The configuration itself serves as evidence, showing that authentication traffic is encrypted in transit.
Not every system in an on-premise environment supports Active Directory integration. Network appliances (switches, firewall appliances), certain database servers, and legacy applications often maintain their own local account directories.
For these systems, the approach is straightforward:
Shared accounts are one of the most common findings in on-premise SOC 2 audits. Auditors will specifically request an export of shared accounts and expect to see an audit trail that attributes activity to individuals.
Best Practice: Privileged Access Management
Where shared accounts are unavoidable (break-glass scenarios, legacy systems), use a PAM solution like CyberArk, JumpServer, or HashiCorp Vault to automate credential checkout, rotation after each use, and session recording. PAM provides the audit trail auditors expect: who checked out the credential, when, and what they did.
For teams not ready for full PAM deployment, the minimum requirements are:
Named individual accounts should be the default. Shared accounts should be the documented exception, ideally managed through PAM, or at minimum through a password manager with strict access logging.
In cloud environments, administrative access flows through the cloud provider's console with IAM roles and MFA. In on-premise environments, the access path needs to be architecturally defined and consistently enforced.
The VPN gateway is typically the sole entry point to the on-premise environment from the Internet. A well-configured VPN for SOC 2 includes:
For administrative access, the bastion host (or jump server) sits between the VPN and production systems. It's the only system authorized to reach production servers via RDP, SSH, or equivalent protocols. Firewall rules should explicitly block direct administrative access from any source other than the bastion host.
Bastion Host Evidence Points
The bastion host architecture converts what could be a complex web of direct server connections into a single, auditable access path. This is the on-premise equivalent of AWS Session Manager or Azure Bastion.
SOC 2 CC6.2 and CC6.3 require that access is provisioned based on authorization and aligned with job responsibilities. A formal RBAC (Role-Based Access Control) matrix is the cleanest way to demonstrate this.
| Role | Access Level |
| Infrastructure Administrator | Full access: VPN, AD, bastion, production servers, databases, security tools, network appliances |
| Application Developer | Dev subnet VPN, UAT environment admin, application admin, version control |
| Application Support | Limited VPN, application support interface, ticketing system |
| Administrative Staff | Email and collaboration tools only, no VPN access |
Each role defines the baseline access that should exist. Anything beyond the baseline requires a ticket with justification and approval.
The RBAC matrix itself is a primary evidence artifact for CC6.3. Pair it with:
This gives the auditor a complete picture: the policy (matrix), the process (provisioning via tickets), and the evidence (approved tickets referencing the matrix).
One of the unique challenges of on-premise SOC 2 is enforcing consistent password policies across systems with different capabilities.
The Standard
NIST 800-63B provides a practical baseline: 8-character minimum with MFA, or 15-character minimum without. Adopting a recognized standard gives the auditor confidence that the policy isn't arbitrary.
| System Type | Evidence Source |
| Windows Servers (AD-joined) | GPO export from secpol.msc or gpresult /r showing min length, complexity, lockout, password age |
| Bastion Host | GPO evidence if AD-joined, or local security policy if standalone |
| Linux Systems | Config from /etc/security/pwquality.conf, /etc/pam.d/common-password, /etc/login.defs, /etc/security/faillock.conf |
| Database (MSSQL) | Query output from sys.sql_logins showing is_policy_checked and is_expiration_checked |
| Network Appliances | Local account settings; compensating controls documented where capabilities are limited |
The evidence is different for each system type, but the standard is consistent. This is exactly the kind of deliberate, documented approach that satisfies auditors.
SOC 2 CC6.2 expects periodic validation that access remains appropriate. Annual reviews are the minimum, but quarterly reviews demonstrate stronger control operation, especially during a Type 2 observation period.
1 Extract the current user and role list from each in-scope system (AD, VPN, bastion, servers, databases, security tools, version control)
2 Compare each account against the RBAC matrix and current org chart
3 Document a keep, remove, or modify decision for each account
4 Execute any required changes in the source system
5 Record the review with timestamps, reviewer name, and management sign-off
What Auditors Look For
A review that finds nothing to change every quarter is a red flag. A review that occasionally flags a dormant account or an overly broad permission, with documented remediation, tells a much stronger story.
Accounts that haven't been used in months are a common audit finding. SOC 2 CC6.2 expects that access is removed when no longer needed, and idle accounts are a visible indicator of potential gaps.
Automated controls: For application-level accounts (end users), automated idle account disabling is the strongest control. A configurable inactivity threshold (typically 180 days) that automatically disables accounts creates continuous evidence without manual effort.
Manual controls: For infrastructure accounts (AD, VPN, bastion), the quarterly access review should specifically flag accounts with no recent logon activity. AD's last logon attribute and VPN connection logs provide the data needed to identify these accounts.
Scope
VPN gateway, Active Directory, bastion host, production servers, databases, security tools, network appliances, version control, and any application with administrative access.
Technology
Active Directory with LDAPS for centralized identity, VPN with multi-factor authentication (certificate + PIN + TOTP), bastion host with session controls, PAM or password manager for shared credentials, Wazuh for compliance monitoring of password policies and screen lock enforcement.
Evidence
AD user listings, VPN certificate inventory, RBAC matrix with management sign-off, onboarding and offboarding tickets with per-system timestamps, quarterly access review templates with screenshots, password policy exports per system type, bastion host session logs, idle account remediation records.
Process
RBAC-based provisioning via tickets, 4-hour termination SLA for security departures, 24-hour for voluntary, quarterly access reviews covering all in-scope systems, annual RBAC matrix review with management sign-off, credential rotation on departure.
People
A designated access administrator responsible for provisioning, reviews, and termination processing, with a documented backup. In smaller teams, this is typically the infrastructure or security manager.
Cloud IAM is centralized by design. One console, one set of roles, one audit log. On-premise access control requires assembling the same coherent model from multiple independent systems, each with its own authentication mechanism and evidence format.
The work is more manual, but the result can be equally strong. In some ways, on-premise access models force more deliberate design decisions. Every access path is architectural, not just a checkbox in a console. The bastion host pattern creates a cleaner audit trail than many cloud environments where administrative access flows through multiple paths.
Companies running on-premise infrastructure can still use compliance automation platforms for the identity-related controls that have integration points: endpoint management, HR system onboarding triggers, and directory service monitoring. The platform won't replace the quarterly review or the per-system password evidence, but it will centralize what it can reach.
Access control intersects with nearly every other SOC 2 domain. The network security controls that enforce the bastion host architecture, the vulnerability scanning that runs on systems these accounts access, and the logging architecture that records what these accounts do are all part of the same program.
Next in this series: backup and disaster recovery for on-premise infrastructure, where the evidence model shifts from access logs to restoration testing and offsite transfer verification.
Our fractional security team gets you SOC 2 ready on any infrastructure, cloud or on-prem.
Yes. SOC 2 requires logical access controls, unique IDs, role-based provisioning, and periodic reviews. Active Directory, local system accounts with consistent password policies, VPN with MFA, and a bastion host architecture satisfy these requirements. The evidence format differs from cloud, but the controls are equivalent.
AD serves as the central identity directory for CC6.1 (unique IDs), CC6.2 (provisioning and deprovisioning), and CC6.3 (role-based access). AD user listings, GPO exports for password policies, and group membership reports provide direct evidence. Systems that can't join AD maintain local accounts with documented compensating controls.
A bastion host is a jump server that serves as the mandatory gateway for administrative access to production systems. It satisfies CC6.1 by creating a single, auditable access path. Firewall rules block direct admin access from any source except the bastion, and session logs attribute every connection to a named individual.
Shared accounts should be the exception, not the norm. The best practice is to manage them through a PAM (Privileged Access Management) solution like CyberArk, JumpServer, or HashiCorp Vault, which automates credential checkout, rotation after each use, and session recording. Where PAM isn't deployed, shared accounts must be documented in an inventory, stored in a password manager with access logging, rotated after each use, and reviewed annually. Named individual accounts should be the default for all systems that support them.
Extract the user and role list from each in-scope system (AD, VPN, bastion, servers, databases, security tools). Compare each account against the RBAC matrix and org chart. Document a keep, remove, or modify decision for each. Execute changes and record the review with timestamps and sign-off. The output is a completed template with per-system evidence.
NIST 800-63B is the most commonly adopted standard: 8-character minimum with MFA, or 15-character minimum without. The key for SOC 2 is consistency across systems. Each system type (Windows, Linux, database, network appliance) needs its own evidence showing the password policy is enforced, even though the standard is the same.