.svg)
In cloud environments, access control is a managed service. AWS IAM provides centralized identity, Okta handles SSO across every SaaS tool, and the entire access lifecycle is API-driven. Provision a user, assign a role, revoke on termination. The access model is clean because the platform was designed that way.
On-premise environments don't have that luxury. The identity layer is Active Directory running on a dedicated server. Some systems join the domain, others don't. Network appliances have their own local accounts. Database servers have SQL logins that may or may not align with AD. The VPN has its own certificate-based authentication, and the bastion host sits between everything.
The Challenge
The question isn't whether on-premise environments can satisfy SOC 2 access controls. They absolutely can. The challenge is stitching together a coherent access model from heterogeneous systems and presenting it in a way that auditors can follow.
This post covers how to implement and evidence SOC 2 access controls in on-premise environments, from centralized identity through quarterly reviews. It's part of a broader series on SOC 2 readiness for bare metal and on-prem infrastructure.
What SOC 2 Expects for Access Control
CC6.1 Authentication
Logical access controls that restrict access to authorized users. Covers authentication mechanisms, unique IDs, and password policies.
CC6.2 Lifecycle
Access is provisioned based on authorization and removed when no longer needed. Onboarding, role changes, and termination.
CC6.3 RBAC
Role-based access aligned with job responsibilities. RBAC matrices and least-privilege principles.
CC6.6 Network Access
Restrictions on system access including network-level controls. Where VPN, bastion host, and network segmentation intersect with identity.
The auditor isn't looking for a specific technology. They're looking for a system where access is controlled, attributable to individuals, reviewed periodically, and revoked promptly when someone leaves.
Centralized Identity: Active Directory and LDAPS
Active Directory remains the backbone of identity management in most on-premise environments. For SOC 2, it serves as the central directory that auditors use to understand who has access to what.
AD as the Identity Source of Truth
A production-dedicated AD server provides centralized authentication and authorization for internal staff. Windows servers join the domain and inherit Group Policy Objects (GPOs) for password enforcement, idle timeout, and access restrictions. The bastion host authenticates against AD, creating a single identity layer for administrative access.
For SOC 2 evidence, the AD user listing becomes a primary artifact. An export showing username, display name, account status (enabled/disabled), and last logon date gives the auditor a snapshot of the identity population. Combined with the RBAC matrix, it demonstrates that each account maps to a named individual with a defined role.
LDAPS for Secure Authentication
Systems that support LDAP integration should connect to AD over LDAPS (LDAP over TLS) rather than plain LDAP. This encrypts authentication traffic between the application and the directory, satisfying CC6.1 requirements around protecting authentication credentials. The configuration itself serves as evidence, showing that authentication traffic is encrypted in transit.
Systems That Don't Join AD
Not every system in an on-premise environment supports Active Directory integration. Network appliances (switches, firewall appliances), certain database servers, and legacy applications often maintain their own local account directories.
For these systems, the approach is straightforward:
- Unique local accounts for each administrator, not shared generic accounts
- Password policies enforced locally that align with the organizational standard (NIST 800-63B recommends 8 characters with MFA or 15 characters without)
- Documentation of which systems use local accounts and why AD integration isn't available
The Shared Account Problem
Shared accounts are one of the most common findings in on-premise SOC 2 audits. Auditors will specifically request an export of shared accounts and expect to see an audit trail that attributes activity to individuals.
Best Practice: Privileged Access Management
Where shared accounts are unavoidable (break-glass scenarios, legacy systems), use a PAM solution like CyberArk, JumpServer, or HashiCorp Vault to automate credential checkout, rotation after each use, and session recording. PAM provides the audit trail auditors expect: who checked out the credential, when, and what they did.
For teams not ready for full PAM deployment, the minimum requirements are:
- Account documented in a shared account inventory with business justification
- Credentials stored in a password manager with access logging enabled
- Audit logs demonstrate each use is attributable to a specific individual
- Credentials rotated after each use
- Inventory reviewed and re-approved at least annually
Named individual accounts should be the default. Shared accounts should be the documented exception, ideally managed through PAM, or at minimum through a password manager with strict access logging.
The Access Path: VPN, MFA, and Bastion Host
In cloud environments, administrative access flows through the cloud provider's console with IAM roles and MFA. In on-premise environments, the access path needs to be architecturally defined and consistently enforced.
VPN as the Front Door
The VPN gateway is typically the sole entry point to the on-premise environment from the Internet. A well-configured VPN for SOC 2 includes:
- Multi-factor authentication combining at least two independent factors. A strong implementation uses a device certificate (something you have), a PIN or password (something you know), and a TOTP token via an authenticator app (something you have). Three factors at the perimeter means MFA doesn't need to be enforced again on every individual system behind the VPN, though this should be documented as a deliberate architectural decision.
- Individual certificates issued per user, not shared certificates. The VPN certificate listing (showing CN, serial number, assigned user, and issuance date) becomes direct evidence for CC6.1.
- Certificate rotation on a defined schedule, tested annually.
Bastion Host as the Mandatory Gateway
For administrative access, the bastion host (or jump server) sits between the VPN and production systems. It's the only system authorized to reach production servers via RDP, SSH, or equivalent protocols. Firewall rules should explicitly block direct administrative access from any source other than the bastion host.
Bastion Host Evidence Points
- Session logging showing who connected and when, creating an attributable audit trail
- Session controls such as clipboard restrictions, blocked mapped drives, and blocked printer redirection
- Idle session timeout (typically 10-20 minutes) enforced via Group Policy
- Authentication against Active Directory, tying every session to a named individual
The bastion host architecture converts what could be a complex web of direct server connections into a single, auditable access path. This is the on-premise equivalent of AWS Session Manager or Azure Bastion.
RBAC: Defining Who Gets What
SOC 2 CC6.2 and CC6.3 require that access is provisioned based on authorization and aligned with job responsibilities. A formal RBAC (Role-Based Access Control) matrix is the cleanest way to demonstrate this.
Building the Matrix
| Role | Access Level |
| Infrastructure Administrator | Full access: VPN, AD, bastion, production servers, databases, security tools, network appliances |
| Application Developer | Dev subnet VPN, UAT environment admin, application admin, version control |
| Application Support | Limited VPN, application support interface, ticketing system |
| Administrative Staff | Email and collaboration tools only, no VPN access |
Each role defines the baseline access that should exist. Anything beyond the baseline requires a ticket with justification and approval.
Evidence That Works
The RBAC matrix itself is a primary evidence artifact for CC6.3. Pair it with:
- Management sign-off showing the matrix was reviewed and approved
- Onboarding tickets that reference the matrix when provisioning access
- Exception tickets for any access that deviates from the standard role
This gives the auditor a complete picture: the policy (matrix), the process (provisioning via tickets), and the evidence (approved tickets referencing the matrix).
Password Policies Across Heterogeneous Systems
One of the unique challenges of on-premise SOC 2 is enforcing consistent password policies across systems with different capabilities.
The Standard
NIST 800-63B provides a practical baseline: 8-character minimum with MFA, or 15-character minimum without. Adopting a recognized standard gives the auditor confidence that the policy isn't arbitrary.
Per-System Evidence
| System Type | Evidence Source |
| Windows Servers (AD-joined) | GPO export from secpol.msc or gpresult /r showing min length, complexity, lockout, password age |
| Bastion Host | GPO evidence if AD-joined, or local security policy if standalone |
| Linux Systems | Config from /etc/security/pwquality.conf, /etc/pam.d/common-password, /etc/login.defs, /etc/security/faillock.conf |
| Database (MSSQL) | Query output from sys.sql_logins showing is_policy_checked and is_expiration_checked |
| Network Appliances | Local account settings; compensating controls documented where capabilities are limited |
The evidence is different for each system type, but the standard is consistent. This is exactly the kind of deliberate, documented approach that satisfies auditors.
Quarterly Access Reviews
SOC 2 CC6.2 expects periodic validation that access remains appropriate. Annual reviews are the minimum, but quarterly reviews demonstrate stronger control operation, especially during a Type 2 observation period.
The Review Process
1 Extract the current user and role list from each in-scope system (AD, VPN, bastion, servers, databases, security tools, version control)
2 Compare each account against the RBAC matrix and current org chart
3 Document a keep, remove, or modify decision for each account
4 Execute any required changes in the source system
5 Record the review with timestamps, reviewer name, and management sign-off
What Auditors Look For
A review that finds nothing to change every quarter is a red flag. A review that occasionally flags a dormant account or an overly broad permission, with documented remediation, tells a much stronger story.
Idle and Dormant Account Management
Accounts that haven't been used in months are a common audit finding. SOC 2 CC6.2 expects that access is removed when no longer needed, and idle accounts are a visible indicator of potential gaps.
Automated controls: For application-level accounts (end users), automated idle account disabling is the strongest control. A configurable inactivity threshold (typically 180 days) that automatically disables accounts creates continuous evidence without manual effort.
Manual controls: For infrastructure accounts (AD, VPN, bastion), the quarterly access review should specifically flag accounts with no recent logon activity. AD's last logon attribute and VPN connection logs provide the data needed to identify these accounts.
Bringing It Together: The STEPP Lens
Scope
VPN gateway, Active Directory, bastion host, production servers, databases, security tools, network appliances, version control, and any application with administrative access.
Technology
Active Directory with LDAPS for centralized identity, VPN with multi-factor authentication (certificate + PIN + TOTP), bastion host with session controls, PAM or password manager for shared credentials, Wazuh for compliance monitoring of password policies and screen lock enforcement.
Evidence
AD user listings, VPN certificate inventory, RBAC matrix with management sign-off, onboarding and offboarding tickets with per-system timestamps, quarterly access review templates with screenshots, password policy exports per system type, bastion host session logs, idle account remediation records.
Process
RBAC-based provisioning via tickets, 4-hour termination SLA for security departures, 24-hour for voluntary, quarterly access reviews covering all in-scope systems, annual RBAC matrix review with management sign-off, credential rotation on departure.
People
A designated access administrator responsible for provisioning, reviews, and termination processing, with a documented backup. In smaller teams, this is typically the infrastructure or security manager.
What Makes This Different From Cloud
Cloud IAM is centralized by design. One console, one set of roles, one audit log. On-premise access control requires assembling the same coherent model from multiple independent systems, each with its own authentication mechanism and evidence format.
The work is more manual, but the result can be equally strong. In some ways, on-premise access models force more deliberate design decisions. Every access path is architectural, not just a checkbox in a console. The bastion host pattern creates a cleaner audit trail than many cloud environments where administrative access flows through multiple paths.
Companies running on-premise infrastructure can still use compliance automation platforms for the identity-related controls that have integration points: endpoint management, HR system onboarding triggers, and directory service monitoring. The platform won't replace the quarterly review or the per-system password evidence, but it will centralize what it can reach.
What Comes Next
Access control intersects with nearly every other SOC 2 domain. The network security controls that enforce the bastion host architecture, the vulnerability scanning that runs on systems these accounts access, and the logging architecture that records what these accounts do are all part of the same program.
Next in this series: backup and disaster recovery for on-premise infrastructure, where the evidence model shifts from access logs to restoration testing and offsite transfer verification.
Building an Effective Security Program for On-Prem?
We help teams get SOC 2 ready on any infrastructure.
Frequently Asked Questions
Can on-premise environments pass SOC 2 access control requirements without Okta or AWS IAM?
Yes. SOC 2 requires logical access controls, unique IDs, role-based provisioning, and periodic reviews. Active Directory, local system accounts with consistent password policies, VPN with MFA, and a bastion host architecture satisfy these requirements. The evidence format differs from cloud, but the controls are equivalent.
How does Active Directory satisfy SOC 2 access control criteria?
AD serves as the central identity directory for CC6.1 (unique IDs), CC6.2 (provisioning and deprovisioning), and CC6.3 (role-based access). AD user listings, GPO exports for password policies, and group membership reports provide direct evidence. Systems that can't join AD maintain local accounts with documented compensating controls.
What is a bastion host and why does SOC 2 care about it?
A bastion host is a jump server that serves as the mandatory gateway for administrative access to production systems. It satisfies CC6.1 by creating a single, auditable access path. Firewall rules block direct admin access from any source except the bastion, and session logs attribute every connection to a named individual.
How should shared accounts be handled for SOC 2 in on-prem environments?
Shared accounts should be the exception, not the norm. The best practice is to manage them through a PAM (Privileged Access Management) solution like CyberArk, JumpServer, or HashiCorp Vault, which automates credential checkout, rotation after each use, and session recording. Where PAM isn't deployed, shared accounts must be documented in an inventory, stored in a password manager with access logging, rotated after each use, and reviewed annually. Named individual accounts should be the default for all systems that support them.
What does a SOC 2 quarterly access review look like for on-prem systems?
Extract the user and role list from each in-scope system (AD, VPN, bastion, servers, databases, security tools). Compare each account against the RBAC matrix and org chart. Document a keep, remove, or modify decision for each. Execute changes and record the review with timestamps and sign-off. The output is a completed template with per-system evidence.
What password standard should on-prem environments use for SOC 2?
NIST 800-63B is the most commonly adopted standard: 8-character minimum with MFA, or 15-character minimum without. The key for SOC 2 is consistency across systems. Each system type (Windows, Linux, database, network appliance) needs its own evidence showing the password policy is enforced, even though the standard is the same.
Ready to Start Your Compliance Journey?
Get a clear, actionable roadmap with our free readiness assessment.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.