Continuous Compliance

    Overview

    Dome9 Continuous Compliance extends the capabilities of the Compliance Engine by evaluating your cloud environments continuously, and notifying you of any changes in the security posture of any of them. You can apply the same policies that you use with the Compliance Engine, with rules built using the GSL language. Receive notification of findings or of changes by email, on the Dome9 Console, or through AWS SNS.

    The Dome9 Compliance Engine applies the bundles you selected to the cloud environments you select approximately every hour, and updates the compliance results that are shown in the Compliance Dashboard. Notifications are sent out according to Notification Policies that are configured for each bundle/account.

    You set up Continuous Compliance by associating compliance rules bundles with your cloud accounts, and then associating them with Notification Policies, which indicate how the results are to be sent to you. This is a continuous compliance policy. You can easily associate several bundles with a single account, or associate a single bundle to a number of accounts, across different cloud platforms. Different Notification Policies can be associated with each cloud account or bundle, so you can direct specific findings to target audiences, at the time and in the way most effective for them.

    Notification Policies indicate how and when notifications of findings are sent. Findings can be sent by secure email, or by AWS SNS. They can also be forwarded to the Alerts Findings dashboard.

    You can also perform bulk operations, to remove a number of policies in one step.

    Notification types

    You can use the Notification Policies to generate different types of notifications of findings. These include compliance reports sent to email recipients. These reports can be executive summary reports, or detailed reports of the compliance posture of your networks.

    The following are the different types of notifications that can be selected for Notification Policies.

    Executive Summary Report

    The executive summary report will show you the results score for each of your cloud accounts, and compare it to the previous results (in the previous report). It will also show an aggregated result for all your accounts. It is sent by email.

    Detailed Report

    The detailed report will show you, in addition to the information in the summary report, details for each failed test. It will also show new or changed findings since the previous report, and list findings from previous reports that have been resolved. This will provide a complete picture of the compliance posture of your cloud environments, and an indication of progress towards resolving open issues. It is sent by email.

    Alerts

    An alert notification is a finding sent to the Finding Alerts page on the Dome9 console. Each finding will be sent as a separate notification. The alert has all the details for the finding.

    AWS SNS Notification

    An SNS notification is a message for a single finding, sent to an AWS SNS target.

     

    Benefits

    • automatic continuous evaluation of your cloud environments with policy bundles that you select

    • automatic notification of results or changes by email, SNS, or on Dome9 Console

    • granular notifications to relevant individuals or teams

    • evaluate cross-account and cross-platform

    • executive summary and detailed reports of findings

    Use-cases

    • Security/Compliance managers receive a weekly high-level report.

    • Relevant security/compliance teams receive immediate email notification of any entity that failed a compliance test.

    • Relevant security/compliance teams receive a daily aggregated email report of all entities that failed a compliance test.

    • Relevant security/compliance teams receive a daily aggregated email report of all new entities that failed a compliance test since the last report.

    • Receive SNS notification of new entities that failed a compliance test. The notification can be consumed by any integrated system.

     
     

    Actions

    Set up a Notification Policy

    Notification Policies indicate what compliance results findings are sent out, when and how they are sent out, and to whom. You can create any number of policies, and associate them with any bundle or cloud account, to customize the notification of compliance issues according to your needs.

    1. Navigate to the Continuous Compliance main page, in the Compliance & Governance menu.

    2. Click Manage Notifications, in the upper right. A list of your notification policies is shown on the left. 

    3. Click Add new policy.

    4. Enter a name and description for the policy, and select the type of notifications from the list.

    5. Select the notification options for the policy, as follows:
      • Alerts Console - each finding for this policy will be sent to the Finding Alerts page (in Notifications, in the Administration menu)
      • Scheduled Report - a report will be sent to email recipients at regular periods. Select the time and frequency of the report, and the type (summary or detailed). Enter a list of email recipients for the report.
      • Immediate Notification - a notification will be sent for each new or changed finding. Select the type of notification.
        • For email notifications, enter a list of email recipients.
        • For SNS notifications, enter the ARN for the AWS SNS topic, and select the format for the notification:
          • JSON - Full entity: includes details of the finding, and full attributes (as maintained in Dome9) for the entity in the finding, in JSON format.
          • JSON - Basic entity: includes details of the finding, and a few attributes for the entity (such as the entity id), in JSON format.
          • Plain text - like the Basic entity, but in plain text format.
          Click Send test message to test the connection.
    6. Click Create. The new policy will appear in the list of policies.
    7. To add another policy, click +Add new policy. This will clear all the fields, after which you can enter details for a new policy.
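
    A consumer for the SNS notifications configured in step 5, as an added example that is not Dome9 code: it takes the AWS Lambda SNS event shape, checks the topic ARN, and handles both the JSON and plain text formats. The topic ARN is a placeholder, and the finding field names (`rule.severity`, `entity.id`) are assumptions, since this page does not list the message schema.

```python
import json

# Placeholder: the topic ARN entered in the Notification Policy.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:compliance-findings"

def _as_dict(value):
    return value if isinstance(value, dict) else {}

def parse_record(record, expected_arn=EXPECTED_TOPIC_ARN):
    """Normalise one SNS record (AWS Lambda event shape) into a finding dict."""
    sns = _as_dict(record.get("Sns"))
    # Drop anything that did not arrive on the topic the policy publishes to.
    if sns.get("TopicArn") != expected_arn:
        return None
    body = sns.get("Message") or ""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        payload = None
    if not isinstance(payload, dict):
        # "Plain text" format: keep the raw text for a human to triage.
        return {"format": "text", "severity": None, "entity_id": None, "raw": body}
    # Assumed field names; the "Basic entity" format may omit most attributes.
    rule, entity = _as_dict(payload.get("rule")), _as_dict(payload.get("entity"))
    return {"format": "json",
            "severity": str(rule.get("severity") or "unknown").lower(),
            "entity_id": entity.get("id"),
            "raw": body}

def route(event, page_on=("high",)):
    """Return (page, queue, rejected): urgent findings, the rest, and a drop count."""
    page, queue, rejected = [], [], 0
    for record in event.get("Records", []):
        finding = parse_record(record)
        if finding is None:
            rejected += 1
        elif finding["severity"] in page_on:
            page.append(finding)
        else:
            queue.append(finding)
    return page, queue, rejected

# Constructed sample event: one JSON finding, one plain text, one from another topic.
SAMPLE_EVENT = {"Records": [
    {"Sns": {"TopicArn": EXPECTED_TOPIC_ARN, "Message": json.dumps(
        {"rule": {"severity": "High"}, "entity": {"id": "example-bucket"}})}},
    {"Sns": {"TopicArn": EXPECTED_TOPIC_ARN, "Message": "example rule failed for example-instance"}},
    {"Sns": {"TopicArn": "arn:aws:sns:us-east-1:999999999999:other", "Message": "{}"}},
]}
```

    Plain text findings carry no structured severity, so they always land in the queue rather than paging anyone.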

    You can configure Dome9 to send emails to external ticketing systems, such as ServiceNow and Jira. See Open service tickets on ServiceNow by email and Open service tickets on Jira by email.

     

    Switch between Cloud Account and Bundle views

    The Continuous Compliance page shows your Continuous Compliance Policies. There are two views of the policies: the Cloud Account view (the default), which shows policies organized by your cloud accounts, and the Bundle view, which shows policies organized by bundles.

    To select a view, click in the upper right, and then select one of the views.

     

    Set up a Continuous Compliance Policy

    A continuous compliance policy is a compliance bundle, associated with a cloud account and a notification policy. Dome9 continuously assesses the accounts in your compliance policies, with the bundles you have selected, and notifies you with the notification policy you have selected.

    You can set up a compliance policy in the Cloud Accounts tab or the Bundles tab. In the Cloud Accounts tab you can associate bundles with accounts, while in the Bundles tab you associate accounts to bundles. In both, you associate notification policies to create continuous compliance policies.

    1. Navigate to the Continuous Compliance main page, in the Compliance & Governance menu. The page opens by default in the Cloud Accounts view. This shows a list of your cloud accounts and, for each, the continuous compliance policies that have been defined.

    2. Click +Attach Compliance Bundles to the right of the account to which you wish to add a policy.

    3. Select Bundles from the Unattached Bundles box (upper left) that you wish to attach to the policy, and then click ATTACH. The bundles will appear in the Attached Bundles box (upper right). Bundles that are already attached to the account are not shown.

    4. Select Notification Policies from the Unattached Notification Policies box (lower left) that you wish to attach to the policy, and click ATTACH. The policies appear in the Attached Notification Policies box (lower right). Notifications, whether scheduled reports, or immediate alerts, will be sent to the recipients defined in the Notification Policies.

    5. Click APPLY and then CLOSE. The new policy will appear in the list of policies for the selected account.

      Note: Click at the right of a policy to change the notification policies associated with it, or to delete it. Click  to send all findings to the currently attached notification targets, as defined in the Notification Policies. Click on the name of the bundle (in the Cloud Account view) or account (in the Bundles view) to edit details for the item (in the corresponding page in the Dome9 console).

      Similarly, create policies in the Bundles view in the same way, but in this case, select a Bundle, and then associate accounts and notification policies with it. The same policies will appear in both the Cloud Accounts and the Bundles tabs (but organized according to accounts or bundles, respectively).

    Email Notification Reports

    You can configure Notification Policies to send compliance results as scheduled email reports. These can be detailed reports, or executive summaries. For both options, the report contains all findings in the assessed accounts, and compares the overall results with the previous report. Reports can be configured to be generated daily, weekly, and monthly.

    Summary Report

    The summary report shows the number of passed and failed tests, and the overall score for the assessment. The overall score is the percentage of passed tests, where a test is the application of a rule to a cloud entity (such as an instance or an S3 bucket) in the account. The results are based on the most recent assessment at the time the report is generated. The report shows the results for the previous report as well, for comparison.

    The report also shows a breakdown per account.

    Detailed report

    The detailed report shows the summary information as well as a detailed list of findings.


    Send (sync) all findings

    You can manually force all findings for a compliance policy to be sent to the notification targets attached to the policy. This can be useful if you need to sync all the findings.

    1. Navigate to the Continuous Compliance main page, in the Compliance & Governance menu. 
    2. Click  opposite the policy you wish to sync. 
    3. Select the notification type and policies (from those that are attached to the policy), and then click Send.
     

    Remove notification policies with bulk operations

    You can perform bulk operations on a group of policies, either in the Cloud Accounts or Bundles tabs. Currently, you can detach the policies with a bulk operation.

    Note: future versions of the Dome9 Console will have additional bulk operations.

    1. Check the boxes next to the bundles or accounts that you wish to delete (depending on the view), and then click in the pop-up box to delete them.

    2. Click Yes to confirm the deletion.