Continuous Compliance

In this topic:

    Overview

    CloudGuard Dome9 Continuous Compliance extends the capabilities of the Compliance Engine by evaluating your cloud environments continuously, and notifying you of any changes in the security posture of any of them. You can apply the same policies that you use with the Compliance Engine, with rules built using the GSL language. Receive notification of findings or of changes by email, on the CloudGuard Dome9 Alert Console, or through AWS SNS.

    The CloudGuard Dome9 Compliance Engine will apply the bundles to cloud environments approximately every hour, and update the compliance results that are shown in the Compliance Dashboard. Notifications of findings (issues) are sent out according to Notification Policies that are configured for each bundle/account.

    Concepts

    Compliance Associations

    You set up Continuous Compliance by associating compliance rule bundles with your cloud accounts. This determines which bundles are applied to which accounts. This pairing is a continuous compliance association.

    The Compliance Engine automatically applies the bundles to the selected accounts approximately every hour. In this way, your accounts are checked continuously, and issues are detected almost immediately.

    Notification Policies

    You also associate Notification Policies to the compliance association. This indicates how the findings are to be sent to you. You can configure several compliance bundles to be applied to a single account, and can configure several notification options (for example, email reports, SMS alerts, etc.). Different Notification Policies can be associated with each cloud account or bundle, so you can direct specific findings to target audiences, at the time and in the way most effective for them.

    Notification Policies indicate how and when notifications of findings are sent. Findings can be sent by secure email or AWS SNS. They can also be forwarded to the Alerts Findings dashboard.

    Notification types

    Notification Policies can have different types of notifications of findings. These include email reports, compliance reports, SNS notifications, and messages to external ticketing systems such as ServiceNow and PagerDuty. Reports can be executive summary reports, or detailed reports of the compliance posture of your networks.

    The following are the different types of notifications that can be selected for Notification Policies.

    Executive Summary Report

    The executive summary report will show you the results score for each of your cloud accounts, and compare it to the previous results (in the previous report). It will also show an aggregated result for all your accounts. It is sent by email.

    Detailed Report

    The detailed report will show you, in addition to the information in the summary report, details for each failed test. It will also show new or changed findings since the previous report, and list findings from previous reports that have been resolved. This provides a complete picture of the compliance posture of your cloud environments, and an indication of progress towards resolving open issues. It is sent by email.

    Alerts

    An alert notification is a finding sent to the Alerts page on the Dome9 console. Each finding will be sent as a separate notification. The alert has all the details for the finding.

    AWS SNS Notification

    An SNS notification is a message for a single finding, sent to an AWS SNS target.

    Ticketing systems

    A message for each finding is sent to a ticketing system (it must be configured in Dome9). You can then see the findings on the ticketing system (for each system, on its specific alerts or notifications console).


    Benefits

    • Automatic continuous evaluation of your cloud environments with policy bundles that you select

    • Automatic notification of results or changes by email, SNS, or on the Dome9 Console

    • Granular notifications to relevant individuals or teams

    • Evaluate cross-account and cross-platform

    • Executive summary and detailed reports of findings

    Use-cases

    • Security/Compliance managers receive a weekly high-level report.

    • Relevant security/compliance teams receive immediate email notification of any entity that failed a compliance test

    • Relevant security/compliance teams receive a daily aggregated email report of all entities that failed a compliance test

    • Relevant security/compliance teams receive a daily aggregated email report of all new entities that failed a compliance test since the last report

    • Receive an SNS notification of new entities that failed a compliance test. The notification can be consumed by any integrated system.


    Actions


    Set up a Continuous Compliance Association

    A continuous compliance association is a compliance bundle, associated with a cloud account and a notification policy. Dome9 continuously assesses the accounts in your compliance associations, with the bundles you have selected, and notifies you with the notification policy you have selected.

    Navigate to the Continuous Compliance option, in the Compliance & Governance menu. This shows a list of compliance associations, organized by Cloud Account. 

    You can change the grouping to show associations by bundles.

    You can filter the list of associations according to cloud provider, account, bundles, and Notification Policy, using the Filter pane on the left.

    1. Click ADD ASSOCIATION to add another compliance association.
    2. Select the cloud platform (AWS, Azure, or GCP), then NEXT.
    3. Select the accounts, then NEXT.
    4. Select the compliance bundles to be used, and then NEXT. You can add more bundles in the Bundles option of the Compliance & Governance menu.
    5. Select the Notification Policies for the association. To add a new Notification Policy, press ADD NOTIFICATION (and see below, Set up a Notification Policy for more details).
    6. Click SAVE.

    Set up a Notification Policy

    Notification Policies indicate which compliance findings are sent out, when and how they are sent out, and to whom. You can create any number of policies, and associate them with any bundle or cloud account, to customize the notification of compliance issues according to your needs.

    1. Navigate to the Notifications menu option in the Continuous Compliance page, in the Compliance & Governance menu. This shows a list of all your Notification Policies.

    2. Click ADD NOTIFICATION.

    3. Enter a name and description for the policy, and select the type of notifications from the list.

    4. Select the notification options for the policy, as follows:
      • Alerts Console - each finding for this policy will be sent to the Finding Alerts page (in Notifications, in the Administration menu)
      • Scheduled Report - a report will be sent to email recipients at regular intervals. Select the time and frequency of the report, and the type (summary or detailed). Enter a list of email recipients for the report.
      • Immediate Notification - a notification will be sent for each new or changed finding. Select the type of notification.
        • For email notifications, enter a list of email recipients.
        • For SNS notifications, enter the ARN for the AWS SNS topic, and select the format for the notification:
          • JSON - Full entity includes details of the finding, and full attributes (as maintained in Dome9) for the entity in the finding, in JSON format
          • JSON - Basic entity includes details of the finding, and a few attributes for the entity (such as the entity id), in JSON format
          • Plain text - like the Basic entity, but in plain text format.
            Click Send test message to test the connection.
      • Security Management Systems - notifications will be sent to AWS Security Hub (you must have Security Hub enabled in your AWS account; see the separate topic on configuring Dome9 as a provider for Security Hub).
      • Issue Management Systems - send notifications to external ticketing systems, such as ServiceNow, Jira, and PagerDuty:
        1. Check Ticketing System, and select the system from the list.
        2. Enter connection details for the selected system:
          • ServiceNow - The SN domain (URL), user, and password
          • Jira - the Jira domain (URL), user, password, Project Key, and Issue Type
          • PagerDuty - the Routing API Key
        3. Click SAVE.
    5. Click Create. The new policy will appear in the list of policies.
    6. To add another policy, click +Add new policy. This will clear all the fields, after which you can enter details for a new policy.

    Email Notification Reports

    You can configure Notification Policies to send compliance results as scheduled email reports. These can be detailed reports, or executive summaries. For both options, the report contains all findings in the assessed accounts, and compares the overall results with the previous report. Reports can be configured to be generated daily, weekly, and monthly.

    Summary Report

    The summary report shows the number of passed and failed tests, and the overall score for the assessment. The overall score is the percentage of passed tests, where a test is the application of a rule to a cloud entity (such as an instance or an S3 bucket) in the account. The results are based on the most recent assessment at the time the report is generated. The report shows the results for the previous report as well, for comparison.

    The report also shows a breakdown per account.

    Detailed report

    The detailed report shows the summary information as well as a detailed list of findings.
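    As an added illustration (not Dome9's own code), the scoring and report-to-report comparison described for the summary and detailed reports, worked through on constructed sample results: a test is one rule applied to one entity, the score is the percentage of passed tests (overall and per account), and the current findings are diffed against the previous assessment to list new and resolved ones. Account names, rule names and entity ids are made up.

```python
from dataclasses import dataclass

# A "test" is one rule applied to one entity in one account (the page's terminology).
# Sample data below is constructed for illustration; this is not Dome9's own code.
@dataclass(frozen=True)
class TestResult:
    account: str
    rule: str
    entity: str
    passed: bool

def aggregate_score(results):
    """Overall score: percentage of passed tests, rounded to one decimal."""
    if not results:
        return 0.0
    return round(100.0 * sum(1 for r in results if r.passed) / len(results), 1)

def account_scores(results):
    """Per-account breakdown: the same percentage computed for each account."""
    by_account = {}
    for r in results:
        by_account.setdefault(r.account, []).append(r)
    return {acct: aggregate_score(rs) for acct, rs in by_account.items()}

def findings(results):
    """A finding is a failed test, identified by (account, rule, entity)."""
    return {(r.account, r.rule, r.entity) for r in results if not r.passed}

def diff_findings(previous, current):
    """New = failing now but not in the previous run; resolved = the reverse."""
    prev_f, cur_f = findings(previous), findings(current)
    return sorted(cur_f - prev_f), sorted(prev_f - cur_f)

def report(previous, current):
    """What a scheduled report carries: current vs previous score, breakdown, deltas."""
    new, resolved = diff_findings(previous, current)
    return {"score": aggregate_score(current), "previous_score": aggregate_score(previous),
            "per_account": account_scores(current), "new": new, "resolved": resolved}

# Constructed sample: two consecutive assessments of two accounts (rule names made up).
PREVIOUS_RUN = [
    TestResult("prod-aws", "s3-no-public-read", "bucket-logs", True),
    TestResult("prod-aws", "s3-no-public-read", "bucket-static", False),
    TestResult("prod-aws", "sg-no-open-ssh", "sg-web", False),
    TestResult("dev-aws", "sg-no-open-ssh", "sg-dev", True),
]
CURRENT_RUN = [
    TestResult("prod-aws", "s3-no-public-read", "bucket-logs", True),
    TestResult("prod-aws", "s3-no-public-read", "bucket-static", True),  # resolved
    TestResult("prod-aws", "sg-no-open-ssh", "sg-web", False),  # still open
    TestResult("dev-aws", "sg-no-open-ssh", "sg-dev", False),  # new finding
]
```

    Note that the overall score is unchanged between the two runs (one finding resolved, one new), which is exactly the case where the detailed report's new/resolved lists add information the summary score alone hides.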


    Send (sync) all findings

    You can manually force all findings for a compliance policy to be sent to the notification targets attached to the policy. This can be useful if you need to sync all the findings.

    1. Navigate to the Continuous Compliance main page, in the Compliance & Governance menu.
    2. Click the icon opposite the policy you wish to sync.
    3. Select the notification type and policies (from those that are attached to the policy), and then click SEND.