Cloud Security & SOC 2 Readiness for a US Pharmaceutical Company
Pharmaceutical organisations operating in the United States handle some of the most sensitive data in any industry — clinical research, patient information, proprietary drug development data, and regulated business records. For a prestigious US-based pharmaceutical company operating a cloud-heavy infrastructure on Microsoft Azure, achieving SOC 2 compliance required more than a policy review. It required a thorough, technical assessment of every layer of their cloud environment and every application handling sensitive data. Securze was engaged to deliver exactly that — a comprehensive Azure cloud configuration review and vulnerability assessment across their virtual desktop and web application infrastructure, providing the organisation with a clear, accurate, and actionable picture of their security posture ahead of their SOC 2 audit.
Microsoft Azure provides a powerful and scalable cloud infrastructure, but the security of any Azure environment is only as strong as the configuration decisions made within it. Misconfigurations, in identity and access management, network security groups, storage permissions, logging settings, and security policies, are among the leading causes of cloud security incidents and among the most common findings in SOC 2 readiness assessments.
Securze conducted a comprehensive review of this organisation’s entire Azure environment, examining every layer of their cloud configuration against industry best practices, Microsoft’s own security benchmarks, and the specific control requirements of the SOC 2 framework. The review covered identity and access management policies, role assignments and privilege configurations, network security group rules, storage account permissions and exposure, logging and monitoring configurations, encryption settings across data at rest and in transit, and the overall architecture of the cloud environment.
Every finding was documented with a clear description of the misconfiguration, the risk it presented to the organisation, and specific, prioritised remediation guidance mapped directly to the relevant SOC 2 trust service criteria. The organisation received not just a list of issues but a structured remediation roadmap that gave their internal team a clear path to resolving each finding in order of risk and compliance impact.
Beyond cloud configuration, the organisation’s virtual desktop infrastructure and web applications represented critical attack surfaces that required dedicated security testing. Virtual desktop environments handling sensitive pharmaceutical data are high-value targets, a single compromised session can provide an attacker with access to research data, regulated records, and internal systems. Web applications processing business and research workflows carry their own class of vulnerabilities that configuration reviews alone cannot uncover.
Securze conducted structured Vulnerability Assessment and Penetration Testing across both environments. The VDI assessment examined the security of the virtual desktop infrastructure from multiple perspectives, testing for session isolation weaknesses, privilege escalation opportunities, data leakage risks, and misconfigurations that could allow an attacker to move laterally within the environment or access data beyond their permitted scope.
Web application testing was conducted against every application in scope, combining automated scanning with deep manual testing by Securze’s certified security engineers. Testing covered the full range of web application vulnerability classes, injection flaws, authentication and session management weaknesses, access control failures, security misconfigurations, and business logic vulnerabilities specific to the organisation’s application workflows. Every finding was validated manually to eliminate false positives and documented with clear, actionable remediation guidance.
SOC 2 readiness is ultimately a question of evidence, can the organisation demonstrate, to the satisfaction of an independent auditor, that the controls required by the SOC 2 trust service criteria are in place, functioning, and effective? For a cloud-heavy organisation, the answers to those questions live largely in the configuration of their cloud environment and the security of their applications and infrastructure.
Every finding identified through Securze’s cloud configuration review and penetration testing was mapped directly to the relevant SOC 2 trust service criteria, availability, confidentiality, security, and processing integrity. This mapping gave the organisation’s leadership and compliance team a precise understanding of which gaps posed a direct risk to their SOC 2 audit outcome and which remediation actions would have the greatest impact on their compliance posture.
The deliverables provided to the organisation went beyond technical findings. Securze produced a structured SOC 2 readiness report that consolidated all findings, their compliance implications, and a prioritised remediation plan into a single document that could be used directly by the organisation’s internal team and their auditors. The organisation entered their SOC 2 audit with a complete understanding of their security posture, a documented remediation history, and the confidence that every significant gap had been identified and addressed.
Securze delivered a comprehensive cloud security assessment and SOC 2 readiness programme for a prestigious US-based pharmaceutical company, covering their full Azure environment, virtual desktop infrastructure, and web applications. The engagement gave the organisation the technical depth, compliance mapping, and remediation clarity needed to approach their SOC 2 audit with confidence.
Contact Securze to discuss how we approach cloud security and compliance readiness for your organisation.
Contact us at the Consulting WP office nearest to you or submit a business inquiry online.
“Securze performed an extensive evaluation of our applications, identifying potential vulnerabilities and providing a comprehensive and insightful report. Their timely responses to our inquiries and ongoing support made the entire process smooth and efficient. The detailed findings and recommendations provided by Securze have been invaluable in enhancing our security measures.”
