DivvyCloud’s Compliance Scorecard helps you audit compliance and identify risks in your cloud environment in a simple, transparent way. It can assist teams of all types (auditors, operations, security teams, and managers) in identifying areas with possible compliance issues and provide guidance for acting appropriately on the right resources to mitigate those issues.
Using a heatmap type visual, as well as summaries and a history of noncompliant resources, you can readily see where resources are failing these compliance checks.
Before you get started with the Compliance Scorecard, you will need the following:
- A functional DivvyCloud platform install
- At least one cloud account connected to DivvyCloud (see steps below)
- While not required, having some custom badges or custom Insight packs already created can also be helpful.
The first time you open the Compliance Scorecard (under Security on the left-hand navigation menu), you will be prompted to add a cloud account to provide the scorecard with the data it needs to analyze.
- To review the steps for connecting a cloud to your DivvyCloud platform, check out the Cloud Account Setup instructions.
After connecting your cloud account, it may take up to an hour to complete the initial data harvesting for display on the Compliance Scorecard landing page.
While the system is processing the data, you will have the opportunity to "Check Results" periodically. The system verifies that there are enough resources to display the scorecard data.
Whether you have just connected your cloud account(s) or your cloud accounts were connected previously, the initial page load of the Compliance Scorecard will not include any information.
To get started, select an Insight Pack from the "Insight Filters" section of the options. Once you have selected your desired "Insight Pack", the "Submit" button will be enabled.
Insight Filters include:
- Insight Packs
- Resource Types
Cloud Filters include:
- Cloud Types (e.g., AWS, Azure, GCP, etc.)
- Clouds (e.g., individual cloud accounts)
This section explains some of the capabilities and nuances around using the filtering system. It's fairly intuitive but has some smarter capabilities we want to take a minute to explain in greater detail.
Searching in a Filter
Clicking on a filtering option activates the field and allows you to narrow the search for any of the filters available. Begin typing a filtering option in the Search field to quickly access the filters of interest.
Selecting in a Filter
Users can select items individually or based on narrowed results (above you can click to select all 63 Insights). This search and select can be done for multiple terms or criteria within a single filtering option. The total number of selected items will dynamically update as selections are made.
Viewing the total of selected items
- A check mark next to the total number indicates ALL of the items available in a filter are selected.
- A "-" minus sign next to the total number indicates that SOME of the items available (any quantity less than the total available) are selected.
Deselecting a field
Click anywhere in the spaces around the filters to deselect the area you are working within.
Clearing all filters
At present, you can only clear all of the filters by manually deselecting the items you have selected, choosing a new organization, or reloading the page.
Other items to note
- Switching Organizations will refresh the data on the page and clear/reset any/all selected filters.
- Individual Insights have a severity status assigned on an Insight-by-Insight basis.
After selecting your desired filters, the Compliance Scorecard shows a number of data displays, including a heatmap, a chart showing noncompliance by severity, and a histogram of newly-discovered noncompliant resources.
The heatmap displays just below the filtering options and includes the date. It lists your scoped cloud accounts (or cloud filters) on the y-axis, and your Insights (as determined by the selected Insight Pack and any additional filtering) along the x-axis. With each Insight, you can get an overall view of where you stand in multiple cloud accounts.
- A legend displays at the base with the percentage of the Insight’s resources that are compliant, and how that correlates to the colors shown on the heatmap, e.g., red means resources are less than 85% compliant.
- In addition to basic navigation for the heatmap, you will find separate pagination controls for clouds and Insights, as well as the ability to adjust how many clouds or Insights are displayed per page (up to 50 for each).
An additional display option shows details for noncompliant resources for a single insight and a specific cloud. From the heatmap, hovering over any colored cell shows the number of noncompliant resources out of the total number of resources associated with a specific cloud (listed on the y-axis) and a specific insight (listed on the x-axis). Clicking on the cell itself will open the detailed display limited to the single cloud account and single insight selected.
From the heatmap, users can review impacted resources in one of two ways:
1. Clicking on the Insight name will provide a "Report Card" view for all impacted resources on all cloud accounts.
2. Clicking on an individual cell will provide a "Report Card" view for all impacted resources for the single cloud account.
In both options, any column with yellow or red cells displays details on the noncompliant resources.
- Cells for compliant resources (green) display a different "Report Card" with Insight summary details.
- Cells with no impact (grey) do not generate a "Report Card" view.
From Report Card view, users also have the ability to:
- Download - providing a .CSV export of the details for the impacted resources, either for an individual or multiple cloud accounts
- Create Bot - launches Bot creation based on the applicable Insight for the impacted resource(s)
- Resource details - clicking on the identifier of an individual noncompliant resource opens a view with additional details for that resource.
Directly under the heatmap, the pie chart displays the percentage of noncompliant resources by severity for the scoped clouds against the filtered insights. Hovering your cursor over any segment of the pie displays the exact number of noncompliant resources at a particular severity.
At the bottom of the page, a histogram displays the total number of noncompliant resources for the scoped clouds against the selected compliance pack for the selected date (over a two week period). Hovering your cursor over any segment of the display shows the exact total number of noncompliant resources discovered on that date.
Clicking on a single cloud account name (on the y-axis of the scorecard) displays a detailed list of all Insights within the compliance pack being reviewed for this cloud, the severity of each Insight, and the number of impacted (noncompliant) resources out of total resources for the selected cloud. In the example below, we have clicked into our AWS Engineering account.
Clicking on an Insight name (on the x-axis) of the heatmap results in multiple displays of all accounts that are impacted for that Insight. (To return to the main Compliance Scorecard display, click the X at the top right of the page, or hit the Escape button.)
You can also view these details from the Report Card view (displayed above) by clicking on an individual Insight name and expanding the details on the Insight from this view.
List of Impacted (Noncompliant) Resources
The top display on the page lists the impacted (noncompliant) resources. This view defaults to "All Resources" (noncompliant) to display the full list and can be filtered by applicable Resource Types.
The full list can be downloaded by selecting the 'Download' button which provides two spreadsheets, one each for Impacted Resources and for Exempt Resources. You can also use the 'Create Bot' button to create a bot for this Insight.
Note: if you select an Insight that does not include impacted (noncompliant) resources, no list or associated charts (histogram, Resources by Type, Resources by Region, etc.) will display since these are driven by the data surrounding impacted (noncompliant) resources.
Histogram of Impacted (Noncompliant) Resources
The second display on the page shows a histogram of impacted resources found over the past 30 days. The colors of the bars in this histogram have no special meaning; they are for ease in reading the histogram only.
Impacted (Noncompliant) Resources by Type and Region
Scrolling further down this page, you'll see additional displays for impacted resources by resource type and by region:
Scrolling to the very bottom of the page displays information specific to the selected Insight, including a description of the Insight, remediation, and recommended Bot workflow to complete the remediation.
DivvyCloud's Compliance Scorecard is exportable in multiple ways:
- Downloading an .xlsx file (this option is limited by size, i.e., if your report is too large this option will be greyed out)
- Via email subscription
- Uploading to an AWS or GCP storage container
These export options are available by selecting 'Export' from the ellipsis menu on the right of the filter options.
Download options for Excel are available from the main filtering menu and from the Report Card view for impacted resources.
To download an Excel report of all of the entries you should:
Select your desired Filters, and then from the heatmap view click on the ellipsis next to the "Submit" button. This will open the export options.
- Note: The "Download Excel" option has data size limitations, i.e., if your report is too large this option will be greyed out.
- Selecting Download (Excel) from the heatmap will download ALL Insights for the selected pack, including all severities, badges, and resource types; the download is not limited to the severities, badges, or resource types you selected, and it contains multiple tabs of information.
To download an Excel report around an individual Insight for a single cloud account or an individual Insight for ALL of your cloud accounts, do the following:
Select the individual cell under the Insight/Cloud Account, or select the Insight Pack name.
Select the "Download" button from the Report Card View. This downloads ONLY the selected Insight for the impacted resources and will include severities, badges, and resource types; it will also contain multiple tabs of information.
Percentage of Compliance
Each cell in the Compliance Scorecard uses a color code to represent the percentage of compliance for all resources within the cloud account that are checked against a specific Insight. This percentage is calculated as 1 minus the ratio of noncompliant resources to total resources checked against that Insight, with the result multiplied by 100 to obtain a percentage.
For example, a field shows 50 impacted (noncompliant) resources out of a total of 1000 assessed resources for an Insight. The compliance for the assessed resources is therefore (1 - [50/1000])*100%, or 95%, so the field is color-coded yellow, indicating a compliance level of between 95% and 99%.
Note: In the UI, the scorecard is displayed as Insights (along the X-axis) vs Cloud accounts (along the Y-axis). In the Compliance Export, the reverse is shown: Cloud accounts are on the X-axis and Insights along the Y-Axis. The calculation of percent compliance, though, is the same in both cases.
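The calculation above, and the axis swap between the UI and the export, as an added example that is not part of the original page or of DivvyCloud's own code. It takes constructed (cloud, Insight, noncompliant, total) counts, computes the percentage exactly as the page describes, and maps it to a cell color using only the two thresholds the page states (red below 85%, yellow from 95% to 99%); the "green at 100%", "grey when nothing was assessed" and the unnamed band between 85% and 95% are assumptions of this example, as are the account and Insight names. The `total == 0` case is handled explicitly, since the page's formula has no defined value there.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds stated on the page: red means less than 85% compliant,
# yellow means 95% to 99% compliant. Everything else in cell_color()
# is an assumption of this example, not a documented DivvyCloud rule.
RED_BELOW = 85.0
YELLOW_FROM = 95.0


@dataclass(frozen=True)
class CellResult:
    """One heatmap cell: how many resources an Insight flagged in one cloud."""
    cloud: str
    insight: str
    noncompliant: int
    total: int


def compliance_percent(noncompliant: int, total: int) -> Optional[float]:
    """(1 - noncompliant / total) * 100, as described on the page.

    Returns None when nothing was assessed: with total == 0 there is no
    ratio to take, and dividing would raise ZeroDivisionError.
    """
    if total <= 0:
        return None
    if not 0 <= noncompliant <= total:
        raise ValueError("noncompliant must lie between 0 and total")
    # Algebraically identical to (1 - n/t) * 100; this order keeps integer
    # inputs such as 50/1000 free of floating-point rounding noise.
    return 100.0 - 100.0 * noncompliant / total


def cell_color(percent: Optional[float]) -> str:
    """Map a compliance percentage to a scorecard colour."""
    if percent is None:
        return "grey"          # assumption: no assessed resources -> no-impact cell
    if percent >= 100.0:
        return "green"         # assumption: fully compliant cells are green
    if percent >= YELLOW_FROM:
        return "yellow"        # page: 95% to 99%
    if percent < RED_BELOW:
        return "red"           # page: below 85%
    return "amber"             # assumption: the page does not name the 85-95% band


def ui_view(results: List[CellResult]) -> Dict[str, Dict[str, str]]:
    """UI orientation: clouds on the y-axis (outer key), Insights on the x-axis."""
    grid: Dict[str, Dict[str, str]] = {}
    for r in results:
        pct = compliance_percent(r.noncompliant, r.total)
        grid.setdefault(r.cloud, {})[r.insight] = cell_color(pct)
    return grid


def export_view(results: List[CellResult]) -> Dict[str, Dict[str, str]]:
    """Export orientation: the transpose, Insights outer, clouds inner.

    The percentage per cell is identical; only the axes swap.
    """
    grid: Dict[str, Dict[str, str]] = {}
    for cloud, row in ui_view(results).items():
        for insight, color in row.items():
            grid.setdefault(insight, {})[cloud] = color
    return grid


# Constructed sample data; account and Insight names are placeholders.
SAMPLE = [
    CellResult("aws-engineering", "insight-a", 50, 1000),   # 95%  -> yellow
    CellResult("aws-engineering", "insight-b", 200, 1000),  # 80%  -> red
    CellResult("gcp-prod", "insight-a", 0, 0),              # nothing assessed
    CellResult("gcp-prod", "insight-b", 0, 40),             # 100% -> green
]

if __name__ == "__main__":
    for cloud, row in ui_view(SAMPLE).items():
        print(cloud, row)
    for insight, col in export_view(SAMPLE).items():
        print(insight, col)
```

Running the block prints the same four cells twice: first keyed by cloud account (the UI layout), then keyed by Insight (the export layout), which is the point of the note above: transposing the grid changes where a cell sits, never its percentage.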
The downloaded Impacted Resources and Resource Exemptions tabs list metadata about those resources, including Account Name and ID, Resource Type, Provider ID, Resource Name, and Region, as well as the Insight name with a link back to the DivvyCloud application.
Selecting 'Subscribe (Email)' gives you options to Create New (Email) Subscription or to Manage Subscriptions. When the email is sent, it has a short message along with an attached Excel file, similar to the download option described above.
- 'Create New Subscription' - opens a dialog where you can create and schedule an email subscription:
- 'Manage Subscriptions' - opens a new page that allows you to manage existing subscriptions, shown as individual cards. Selecting the ... on a subscription allows you to:
- Send Now - send an immediate email
- Edit - change the Name of the email subscription, the email addresses it's being sent to, the Subject line, and the cadence (daily/weekly)
- Delete - remove the Email Subscription
Selecting 'Export Configurations (Cloud Storage)' from the Export menu gives you options to schedule (create) or manage exports.
- 'Create New Configuration' - displays the dialog shown below. Completing the information here creates the export configuration, and shows what time (UTC) this export will be run. Here, you will:
- Name the current view of the Scorecard
- Name the export group
- Name the actual storage container where this upload will be sent. If you start typing either an AWS or GCP storage container that is already connected to DivvyCloud, a drop-down will appear with the storage container name, account, and region.
When creating an export configuration, you can create multiple configurations within a group. For example, you can export ISO 27001, GDPR, and a custom pack all to the same group. To create a group, begin typing the group name on the 'Export Group Name' line. (If the group already exists, the name will appear on a drop-down list once you begin typing; you can then select the group name.) Once you've created the export group, you can reuse it anytime you are creating exports.
- 'Manage Configuration' - opens a new page that allows you to manage existing exports. Exports appear in a card format displaying the number of export configurations associated with this export, the cloud account to which it is exporting, the last run time (or whether the export is pending its first run), and whether the export is enabled or disabled.
Selecting the ... on an export card allows you to:
- Subscribe - similar to the email subscription (above), allows you to subscribe to weekly or daily emails containing an export of this information.
- Validate - validates the configuration of this storage container to receive the export from DivvyCloud; enables the daily export.
- Disable/Enable - disables or enables the export of data from DivvyCloud to the storage container.
- Run Now - schedules a task to create a scorecard export and send it to the storage container.
- Edit - allows you to change the name of the export, the storage container it's being sent to, and the list of associated export configurations (you can have multiple exports in one group).
- Delete - removes the selected export configuration.
After reviewing the details here about our Compliance Scorecard, you may want to check out more information around: