CloudGuard Dome9 Help

Compliance and Governance


Overview

The CloudGuard Dome9 Compliance Engine tests your cloud environments for compliance against industry standards and best practices, or your organization's own security policies, using rules that you define, or using sets of rules (rulesets) developed by Dome9 that are available out-of-the-box . Dome9 provides a comprehensive set of rulesets covering many of the common standards, such as PCI-DSS and HIPAA, for cloud security, which you can run immediately on your cloud accounts. In addition, you can build and test new rules, or modify existing rules, using an intuitive graphical rule builder, to tailor policies to your organization's specific needs and compliance goals.

The Compliance Engine works with all cloud providers, and can check compliance in for an organization with a multi-cloud presence.

You can also use the Compliance Engine to test your cloud accounts continuously, and receive notifications when issues are detected.

You can see detailed results of tests, or view summary reports.

The Compliance Engine accesses your cloud accounts directly, using cloud provider APIs and the Dome9 policies you set up on these accounts (see Onboard an AWS Account) to assess compliance. It works on all cloud providers, and you can test compliance even when your cloud presence is distributed over multiple cloud providers.

Compliance & Governance

The Dome9 Compliance Engine evaluates your cloud environment using compliance rulesets and rules.

Rulesets & Rules

The Compliance Engine uses a set of rulesets to test your cloud accounts. Rulesets contain rules, which are individual tests of a capability in your account. For example, a rule could test whether an account has a 'root' user, or whether a password policy is enforced.

The Compliance Engine includes a set of predefined rulesets, developed by Dome9, which test for common cloud security standards and best practices. These include remediation steps which you can apply to your account. These rulesets cannot be changed, but you can clone them, to make a copy, and modify the copy.

Note: once remediation steps are applied to an account, and Dome9 is updated (time may vary, based on backend sync intervals), re-run the assessment to verify the remedy.

Dome9 GSL (Governance Specification Language)

Rules used by the Compliance Engine are defined using the Dome9 Governance Specification Language (GSL). This is a user-readable, intuitive language that describes the test. For example, the rule

S3Bucket should have logging.enabled=true

checks that logging is enabled for AWS S3Buckets.

See The CloudGuard Dome9 GSL Language for details and examples of the GSL syntax, and how to build rules.

Built-in Rulesets

The Compliance Engine comes with a set of predefined rulesets, developed by Dome9, that cover common cloud security standards such as PCI-DSS, HIPAA, and CIS Foundations, for AWS, Azure, and GCP.

Benefits

  • At-a-glance dashboard view of organizational compliance across entire cloud presence, on all providers

  • Check compliance with cloud security standards

  • Clear reports indicate non-compliant issues

  • Easily build custom rules using graphical rule builder (GSL)

  • Predefined (built-in) rulesets developed by Dome9 cover a wide range of standards and best practices

Use-cases

  • Enforce cloud accounts compliance with standards

  • Enforce compliance with organizational policies across the estate

  • Review the security and compliance posture across the entire estate using a unified dashboard

  • Evaluate compliance of a proposed cloud design (CloudFormation Template), before actual deployment

  • Customize the compliance engine dashboard according to your needs, allowing you to focus on the more sensitive and interesting environments

  • Review latest assessment results and apply remediation

  • Review assessments on specific environment from specific point in time

  • Create customized compliance or organizational policy rules

Views

The Compliance and Governance module has the following views.

Actions

See also

The CloudGuard Dome9 GSL Language

CFT Assessment

Policy Reports