Continuous Compliance

In this topic:

    Overview

    CloudGuard Dome9 Continuous Compliance extends the capabilities of the Compliance Engine by evaluating your cloud environments continuously, and notifying you of any changes in the security posture of any of them. You can apply the same rulesets that you use with the Compliance Engine, with rules built using the GSL language. Receive notification of findings or of changes by email, on the CloudGuard Dome9 Alert Console, or through AWS SNS.

    The CloudGuard Dome9 Compliance Engine will apply the rulesets to cloud environments approximately every hour, and update the compliance results that are shown in the Compliance Dashboard. Notifications of findings (issues) are sent out according to Notification Policies that are configured for each bundle/account.

    Compliance Policies

    You set up Continuous Compliance by associating compliance rulesets with your cloud accounts. This determines which rules are applied to which accounts. This is a continuous compliance policy

    The Compliance Engine automatically applies the rulesets to the selected accounts approximately ever hour. In this way, your accounts are checked continuously, and issues are detected almost immediately.

    Notification Policies

    You also associate Notification Policies to the compliance policy. This indicates how the findings are to be sent to you. You can configure several compliance rulesets to be applied to a single account, and can configure several notification options (for example, email reports, SMS alerts, etc.). Different Notification Policies can be associated with each cloud account or ruleset, so you can direct specific findings to target audiences, at the time and in the way most effective for them.

    Notification Policies indicate how and when notifications of findings are sent. Findings can be sent by secure email, AWS SNS. They can also be forwarded to the Alerts Findings dashboard. 

     

    Benefits

    • Automatic continuous evaluation of your cloud environments with policy rulesets that you select

    • automatic notification of results or changes by email, SNS, or on Dome9 Console

    • Granular notifications to relevant individuals or teams

    • Evaluate cross-account and cross-platform

    • Executive summary and detailed reports of findings

    Use-cases

    • Security/Compliance managers receive a weekly high-level report.

    • Relevant security/compliance teams receive immediate email notification of any entity that failed compliance test

    • Relevant security/compliance teams receive daily aggregated email report of all entities that failed compliance test

    • Relevant security/compliance teams receive daily aggregated email report of all new entities that failed compliance test since the last report

    • Receive SNS notification of new entities that failed compliance test. Notification can be consumed by any integrated system.

     
     

    Actions

     
     

    Set up a Continuous Compliance Policy

    A continuous compliance policy is a compliance bundle, associated with a cloud account and a notification policy. Dome9 continuously assesses the accounts in your compliance policies, with the rulesets you have selected, and notifies you with the notification policy you have selected.

    Navigate to the Policies option, in the Compliance & Governance menu. This shows a list of compliance associations, organized by Cloud Account. 

    You can show the policies grouped by cloud accounts or by rulesets.

    Use the filter pane on the left to filter the list of policies according to cloud provider, account, ruleset, and Notification Policy.

    1. Click ADD POLICY to add another compliance policy.
    2. Select the cloud platform (AWS, Azure, or GCP), then click NEXT.
    3. Select the accounts (more than one can be selected), then click NEXT.
    4. Select the compliance rulesets for the policy (more than one can be selected), and then click NEXT. You can add more rulesets in the Rulesets option of the Compliance & Governance menu.


    5. Select the Notification Policies for the association. To add a new Notification Policy, press ADD NOTIFICATION (and see Set up a Notification Policy for more details).
    6. Click SAVE