Compliance is one of the most important aspects of cloud governance. Every business must adhere to the industry regulations such as PCI-DSS, HIPAA and Benchmark standards such as CIS Azure, CIS AWS and ISO 27017. With CoreStack, ensuring cloud compliance is easier than ever before.
CoreStack’s Compliance Dashboard offers an in-depth view of the compliance status of the cloud in a single pane. It displays security findings and appropriate recommendations for the same.
Tenant Based Summary
The consolidated status on compliance posture in terms of Policy violations for each Tenant (Dept) is shown as different tiles. Admin can select a specific Tenant to view the compliance details for that tenant.
For example, there are two tenants available in the account shown in the figure below.
Tenant1 is created for AWS account. By default, the first tenant details will be displayed. For this tenant, AWS related compliance standards, policy violations and cloud native security findings would be displayed.
Tenant2 is created for Azure account. For this tenant, Azure related compliance standards, policy violations and cloud native security findings would be displayed.
This dashboard is split into 3 sections: Industry Specific Compliance, Policy Violations by Category and Cloud Specific Security Findings.
1. Industry Specific Compliance – This section shows compliance posture of the cloud accounts with respect to industry standards such as such as PCI-DSS, HIPAA and Benchmark standards such as CIS Azure, CIS AWS and ISO 27017. Both industry standards and Benchmark standards collectively referred as Compliance Standards.
2. Policy Violations by Category – This section shows security findings as per the configurations set in the Policies section. For example, it can be enterprise policies related to Tagging Standards, Security Group Ports, Encryption etc.
3. Cloud Native Security Findings – This section displays security findings from cloud native assessments from AWS Inspector or Azure Security Center that are high-risk, for example, using a system with old updates, not installing patch updates, etc. There are no recommendations provided for this.
Industry Specific Compliance
The standards that you would like to enable for each cloud account can be selected while onboarding that cloud account. The list of supported Industry Standards and Benchmark Standards are available in the “Compliance” tab as part of onboarding configuration (Please see figure below)
Note: You must be using the “custom” setting to be able to select specific standards of your choice.
The regions / locations within the cloud account that must be considered for the compliance assessments must also be selected as part of the onboarding configuration.
Pre-requisite for AWS Accounts: AWS config recorder should be turned “ON” for each region for which compliance assessment is required. This can be done using a CFN template “create_config” available in CoreStack Template Marketplace. You would also have to create an user which can be done by running the CFN template “create_corestack_assessment_user”.
Each compliance standard would have a set of controls which describes the control objective to be met in a specific category such as Access control, Identity and Access Management, Networking.
The controls are mapped as default controls for each compliance standard derived from respective compliance organizations. One or more Cloud native policies from CoreStack Policies module are mapped to each control.
The figure below explains the relationship among compliance standards, controls and policies.
In the figure below, CIS AWS compliance standard is showing the number of controls with Violations and Error status. The compliance posture of each standard is shown as status bar under each standard name. Respective count of each Success/Violations/Error is displayed in the bar and user can click on the count to view the list of controls under each category.
The number 78/89 for CIS AWS indicates the no. of controls that had some policies mapped and were considered for this assessment. This means that only 78 out of 89 total controls were assessed to arrive at the posture. The remaining 11 controls could not be assessed at this point either because they are manual controls or CoreStack does not have the relevant policies at this point.
After the completion of assessment, for each control, the assessment output is reported as Success / Violations / Errors.
Success – If all the policies mapped to controls executed successfully and no violations reported for any policies, then control output is marked as Success.
Violations – If any of the policies mapped to controls reported any violations, then control output is marked as Violations. Even if the status of other policies could be Success or Error, the status of violated policy takes precedence for the control.
Errors – If any of the policies mapped to controls reported any error, then control output is marked as Error. The error occurs due to incorrect configuration of policy parameters or unavailable permissions. Even if the status of other policies could be Success, the status of error reported policy takes precedence for the control.
In the below figure, the by clicking the violations count, the respective controls would be displayed.
List of controls for each category is displayed in the bottom half of the screen. On clicking any control in the bottom half, the control details and mapped policies would be displayed along with status of each policy.
By clicking on View resources button, the violations details are displayed in a separate screen.
In the left panel, the violated policy along with its severity indicator (Red / Amber / Green), Policy Name, Cloud Account and the count of impacted resources are displayed.
Once you select this violation, you would see the actual list of resources on the right side. The drop-down above the list of resources will have the list of available remedial actions for this violation. You can also “Skip” certain violations if you prefer not to take any of the actions.
Please refer the “Recommendations Dashboard” page for more details about this.
Policy Violations by Category
Policies are Technical rules which checks cloud resources for violations against industry standards and CoreStack best practices. The policies are classified into Security, Cost and Operation. Under each main classification, there are subclassifications defined.
The policy violations under each category along with their current status are displayed as shown below:
The Policy Violations by Category displays the summary of policy violated resources for each category. It provides total resources violated, how many resolved or skipped and how many violations are open.
You can click on any specific count to view the actual list of the violations. By clicking the Open count under “Cost”category, the list of resources with violations are displayed in the details pane.
In the details pane, resources with policy violations are displayed. By Clicking View button, users can view the recommendation details and perform remediation actions.
Users can either skip the findings or take the remediation action if automated remediation is available. Please refer “Recommendations Dashboard” for more details.
Cloud Native Security Findings
Azure Security Center or AWS inspector identifies security vulnerabilities in the cloud resources. For example, installation of suspicious packages in the VM, not installing OS security updates, quota limit breached by a service, etc.
These security findings are vulnerabilities that are picked up by CoreStack as per the onboarded cloud accounts.
To get the cloud native security findings AWS Inspector should be configured for AWS accounts and Azure Security Center should be enabled for Azure accounts. Also, while onboarding the cloud account into CoreStack, these services must be enabled in the Compliance tab.
For each cloud account that has cloud native security findings enabled, a summary of resources with violations would be displayed as below.
Drill down views – Resource Type, Findings Type, Resource Group etc.
By clicking on the summary view, details pane would be displayed along with severity breakup, resource type breakup and region/location wise breakup.