Customized View of the Compliance Scorecard
With fast paced changes in infrastructure, and increased flexibility for deployments into cloud platforms, remaining compliant to Industry Standards such as NIST 800-53, ISO 27001, and other security benchmarks has becoming increasingly challenging. DivvyCloud’s Compliance Scorecard helps you audit compliance and identify risks in your cloud environment in a simple, transparent way.
Compliance Scorecard can assist teams of all types (auditors, operations, security teams, and managers) in identifying areas with possible compliance issues, as well as providing guidance for acting appropriately on the right resources to mitigate those issues. Using a heat-map type visual, as well as summaries and a history of noncompliant resources, customers can readily see where they are failing these compliance checks.
The first time you select Compliance Scorecard (under Security on the left-hand navigation menu), you'll see a checklist of required and optional items needed before using the Scorecard. You must have at least one cloud account added. Having some custom badges or custom packs created is optional, but helpful.
If clouds have already been added, you can filter your results using the collapsible selection bar (to the left of the scorecard).
Results can be filtered by:
- Insight pack (DivvyCloud packs or custom packs)
- Cloud provider type (AWS, GCP, Azure, AliBaba, etc.)
- Individual cloud accounts
- Insight severity (Critical, Major, Minor, etc.)
- Resource type
- Specific Insights
After selecting a specific pack, you will only see options available to that pack. For example, you will be unable to select 'Minor' as a severity if you have no 'Minor' insights in the pack your are searching.
Any selections you check are treated as an OR functionality.
Options Available for Scoping the View
Your selections result in a variety of displays: a heat map, summary plots of noncompliant resources by severity and by resource type, and a histogram of newly-discovered noncompliant resources.
The heat-map, displayed in the bottom half of your screen, lists your scoped cloud accounts on the y-axis, and your selected insights along the x-axis. With each insight, you can get an overall view of where you stand in multiple cloud accounts.
A key in the collapsible side menu shows a percentage of the insight’s resources that are compliant, and how that correlates to the colors shown on the heat-map, e.g., red means resources are less than 85% compliant.
Clicking on a single cloud account name (on the y-axis of the scorecard) displays a detailed list of all insights within the compliance pack being reviewed for this cloud, the severity of each insight, and the number of impacted (noncompliant) resources over total resources for the selected cloud. In the example below, we have clicked into our AWS QA account.
Alternatively, clicking on an insight name (on the x-axis) of the heat map, results in multiple displays of all accounts that are impacted for that insight. Shown below are all the various displays showing impacted resources for the insight, 'Encryption Key Disabled' (for the selected compliance pack and the scoped clouds).
Detailed List of Impacted Resources
The first display shows a listing of the impacted resources (top portion of the screen). The full list can be downloaded by selecting the 'Download' button. The download is in the form of two spreadsheets, one each for Impacted Resources and for Exempt Resources.
Histogram of Impacted Resources
The second display is a histogram of impacted resources found over the past 30 days. The colors of the bars in this histogram have no special meaning; they are for ease in reading the histogram only.
Impacted Resources by Type and Region
Scrolling further down this page, you'll see additional displays for impacted resources by resource type, and by region:
Scrolling to the very bottom of the page displays information specific to the selected insight, including a description of the insight, remediation, and recommended Bot workflow to complete the remediation.
On the Compliance Scorecard main page, an additional display option shows details for impacted resources for a single insight and a specific cloud. From the heat map, hovering over any colored cell shows the number of impacted resources over the total number of resources associated with a specific cloud (listed on the y-axis) and a specific insight (listed on the x-axis):
Clicking on the cell itself will open the same four displays (above), limited to the single cloud account selected.
From the main page of the Compliance Scorecard, and under the 'Resources' tab, this pie chart displays the percentage of noncompliant resources by severity for the scoped clouds against the selected compliance pack. Hovering your cursor over any segment of the pie displays the exact number of noncompliant resources at a particular severity.
Also under the 'Resources' tab, this doughnut chart displays the percentage of noncompliant resources by resource type for the scoped clouds against the selected compliance pack. Hovering your cursor over any segment of the pie displays the exact number of noncompliant resources of a particular resource type.
From the main Compliance Scorecard page, under the 'History' tab, a histogram displays the total number of noncompliant resources for the scoped clouds against the selected compliance pack for the selected date. Hovering your cursor over any segment of the display shows the exact total number of noncompliant resources discovered on that date.
DivvyCloud's Compliance Scorecard is exportable in multiple ways:
- Downloading an .XLSx file
- Via email subscription
- Uploading to an AWS or GCP storage container
These export options are available by selecting 'Export' at the bottom of the expanded Compliance Scorecard menu.
Selecting 'Download (Excel)' gives you have two options:
'All Entries' -- downloads ALL insights for the selected pack, including all severities, badges, and resource types, i.e., the download will not be limited to selected severities, badges, or resource types.
'Current View' -- downloads ONLY insights that apply to your currently selected insight pack, severities, badges, and resource types.
The downloaded Excel file will have multiple tabs of information: An Overview, the Scorecard, Impacted Resources, and Exempt Resources.
The Scorecard Tab in an Excel Download
The downloaded Impacted Resources and Resource Exemptions tabs list metadata about those resources, including Account Name and ID, Resource Type, Provider ID, Resource Name, and Region, as well as the insight with a link back to the DivvyCloud console.
Selecting 'Subscribe (Email)' gives you options to Schedule an email or to Manage Subscriptions. When the email is sent, it has a short message along with an attached Excel file, similar to the download option described above.
- 'Schedule' - opens a dialog where you can create and schedule an email subscription:
'Manage Subscriptions' - opens a new page that allows you to manage existing subscriptions, shown as individual cards. Selecting the
...on a subscription allows you to:
- Send Now - send an immediate email
- Edit - change the Name of the email subscription, the email addresses it's being sent to, the Subject line, and the cadence (daily/weekly)
- Delete - remove the Email Subscription
Selecting 'Upload (Cloud Storage)' gives you options to Schedule or Manage exports.
1.'Schedule' - displays the dialog shown below. Completing the information here creates the export configuration, and shows what time (UTC) this export will be run. Here, you will:
- Name the current view of the scorecard
- Name the export group
- Name the actual storage container where this upload will be sent. If you start typing either an AWS or GCP storage container that is already connected to DivvyCloud, a drop down will appear with the storage container name, account, and region.
When creating an export configuration, you can create multiple configurations within a group. For example, you can export ISO 27001, GDPR, and a custom pack all to the same group. To create a group, begin typing the group name on the 'Export Group Name' line. (If the group already exists, the name will appear on a drop-down list, once you begin typing; you can then select the group name.) Once you've created the export group, you can reuse it anytime you are creating exports.
- 'Manage Exports' - opens a new page that allows you to manage existing exports. Exports appear in a card format displaying the number of export configurations associated with this export, the cloud account to which it is exporting, the last run time (or whether the export is pending its first run), and whether the export is enabled or disabled.
... on a subscription allows you to:
- Subscribe - similar to the email subscription (above), allows you to subscribe to weekly or daily emails containing an export of this information
- Validate - validates the configuration of this storage container to receive the export from DivvyCloud; enables the daily export
- Disable/Enable - disables or enables the export of data from DivvyCloud to the storage container
- Run Now - sends an export to the storage container
- Edit - allows you to change the name of the export, the storage container it's being sent to, and the list of associated export configurations (you can have multiple exports in one group)
- Delete - removes the selected export configuration