Custom Rules - GSL Reference

In this topic:

    Dome9 Compliance Engine

    Compliance with industry standards (e.g., PCI DSS, HIPAA, SOC 2) and best practices is not only a requirement for companies in regulated industries but also a way to achieve and prove robust security to win customer trust. 

    Dome9 Compliance Engine brings one-click simplicity to the tracking, reporting and enforcement of compliance and security best practices in the public cloud. It delivers comprehensive compliance management in public cloud environments, allowing businesses to assess their compliance posture, identify risks and gaps, fix issues, enforce compliance requirements, and prove compliance in audits.

    The Compliance Engine is designed for easy and speedy compliance, streamlining the compliance process with automated data aggregation and the ability to remediate changes from a single pane of glass.


    The Compliance Engine provides:

    • End-to-end security and compliance management that allow you to see what needs to be fixed and fix it in place
    • Automated aggregation of data in real-time
    • Built-in test suites for checking compliance against standards such as PCI-DSS as well as industry best practices (e.g., 500+ tests in the Dome9 Best Practices Suite)
    • Compliance tests that cover not only network security policies (e.g., “Every security group must be part of a VPC”) , but also rules around users and roles (e.g., “Password policies must require at least one lowercase character”)
    • Printable assessment reports for proof of security posture across business units, VPCs and cloud accounts
    • Agentless, cloud-native architecture enabling coverage of built-in services and functions


    Custom Rules

    The Dome9 Compliance engine is built on Dome9's cutting edge rule engine.

    The rule engine, allows our customers to specify and enforce custom governance policies that are tailored to their business needs using the same framework.

    With custom rules, administrators can customize Dome9's pre-created bundles or create new bundles of rules that reflect their organizational needs.

    The rules are specified using a new innovative policy language called the Governance Specification Language (GSL), rules written in GSL can be easily read and understood by anyone.

    For example, here are rules written via in GSL:

    • RDS should have isStorageEncrypted = true
      This rule checks that RDS storage should be encrypted.
    • Instance should not have inboundRules with [port = 22 and protocol in ('TCP','All') and scope numberOfHosts() > 32]
      This rule checks that an instance with an open SSH port (22) should not be exposed to a wide network scope. 

    This simplicity and expressive power of GSL also means that there are no “lost in translation” errors where business logic and governance is not accurately captured by the underlying policies. GSL speeds up policy creation and minimizes errors.


    In multi-cloud environments, the Dome9 Compliance Engine with GSL can be used to specify custom rules for AWS and Azure environments in a single location using a common framework.

    Doc version: 0.7
    Updated: Feb 6, 2017