Customized View of the Compliance Scorecard
With fast-paced changes in infrastructure and the added flexibility of deploying into cloud platforms, staying compliant with industry standards such as NIST 800-53, ISO 27001, and other security benchmarks has become increasingly challenging. DivvyCloud's Compliance Scorecard helps you audit compliance and identify risks in your cloud environment in a simple, transparent way.
Compliance Scorecard can assist teams of all types (auditors, operations, security teams, and managers) in identifying areas with possible compliance issues, and it points to the specific resources that need action to mitigate those issues. Using a heat-map style visual, customers can see in a single view where they are failing these compliance checks.
Selecting Compliance Scorecard from the left-side navigation menu for the first time displays a checklist of required and optional items needed before using the Scorecard. You must have at least one cloud account added. Custom badges or custom packs are optional, but helpful.
Compliance Scorecard Checklist
If clouds have already been added, select an Insight Pack as a starting point; you can choose either a DivvyCloud Pack or a Custom Pack. Under Insight Pack, customers can filter to only the insight severities they want to see (Critical, Major, Minor, etc.).
The four choices in the upper right let you narrow the scope of interest: cloud provider types (AWS, Azure, GCP, etc.), individual accounts, badges, and specific resource types. Checked selections are combined with OR, so a resource is included if it matches any of the selected values. There is also a Noncompliant Resources Only checkbox that hides fully compliant resources.
When making these selections, you will only see options that exist in the selected pack. For example, if a pack contains no Minor insights, you will be unable to select that severity.
Options Available for Scoping the View
These selections display a heat-map with your cloud accounts on the y-axis and insights along the x-axis. For each insight, you get an overall view of where you stand across multiple cloud accounts.
A key at the bottom of the scorecard maps the percentage of an insight's resources that are compliant to the colors shown on the heat-map. Red means fewer than 85% of the insight's resources are compliant.
Clicking a single cloud account (on the y-axis of the scorecard) lists all insights for that account. In the example below, we have clicked into our AWS QA account.
Alternatively, clicking the insight name itself (on the x-axis of the scorecard) lists every account impacted by that insight. Shown below are the results from multiple cloud accounts when clicking on a specific insight.
In the example below, you can see we want to drill further down into 'Storage Containers without Access Logging' in a specific account.
Hovering over the cell will show the insight name and the number of impacted (noncompliant) resources.
Clicking a red cell displays a breakdown of which resources are noncompliant in that account.
Customers have some viewing options here:
- To see the insight exemptions, as opposed to the impacted resources, click on Impacted Resources and select Exempt Resources instead.
- If the insight has multiple resource types, you can select Resource Type and select a new resource type to view.
You can also download the Impacted and Exempt Resources using the Download button on the right, and search for specific resources using the search box at the bottom.
Further down the page, you'll find resource totals for the last 30 days, as well as a breakdown of resources by type and by region.
Resource History (last 30 days)
Resources by Type and Region
Scrolling all the way to the bottom, you can view the insight information: an overview of the insight (and why it matters), any remediation steps (a recommended bot workflow or manual remediation steps), and compliance information listing the frameworks that the insight maps to.
To return to the scorecard, you can click the purple Back button on the top right of the page.
DivvyCloud's Compliance Scorecard is exportable in multiple ways. You can download a .xlsx file, subscribe via email, or upload it to an AWS or GCP storage container of your choice.
Click Export (in the upper right), then select Download. You have two options:
- All Entries will return ALL insights for that pack.
- Current View will only include the insights that match your current scope selections.
Downloading All Entries downloads everything for that pack. The severity, badge, and resource type selections are ignored for this download type, i.e., the download is not limited to the selected severities, badges, or resource types.
The Excel file will have multiple tabs of information: An Overview, Insights Scorecard, Impacted Resources, and Exempt Resources.
The Scorecard Tab in an Excel Download
Selecting Download (Excel) and then Current View downloads your currently selected insight pack, honoring all severities, badges, and resource types you selected. For example, if you select the resource type API Accounting Config, the file will only show the insights that apply to that resource type.
The downloaded Impacted Resources and Exempt Resources tabs list metadata about those resources, including Account Name and ID, Resource Type, Provider ID, Resource Name, and Region, as well as the insight, with a link back to the DivvyCloud console.
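The exported tabs are easy to post-process offline. The Python script below is an added example, not DivvyCloud's own code: it rebuilds the heat-map grid from Impacted Resources and Exempt Resources rows with the columns the export lists, applies the OR'd scope selections described earlier, and flags a cell red when fewer than 85% of its resources are compliant, as the scorecard key does. The resource inventory, the insight-to-resource-type mapping, the second insight name, and every account ID and resource name are constructed for the example, and dropping exempt resources from the denominator is an assumption about how the product scores.

```python
"""Rebuild the Compliance Scorecard heat-map grid from exported resource rows.

Added example, not DivvyCloud code. Assumptions:
  * Impacted/Exempt Resources rows carry the columns the export lists
    (Account Name, Account ID, Resource Type, Provider ID, Resource Name,
    Region, Insight), fed in here as CSV text;
  * an inventory of every evaluated resource exists (constructed below);
  * each insight evaluates one resource type (INSIGHT_RESOURCE_TYPE, assumed);
  * exempt resources are dropped from the denominator (assumption);
  * a cell is red below 85% compliant, per the scorecard key.
"""
import csv
import io

RED_THRESHOLD = 85.0  # percent compliant; below this the cell is red

# Insight -> resource type it evaluates. The first insight is the one the page
# drills into; the second is made up for this example.
INSIGHT_RESOURCE_TYPE = {
    "Storage Containers without Access Logging": "Storage Container",
    "Instances with Public IP": "Instance",
}

# Constructed sample data, not a real export (IDs and names are invented).
INVENTORY_CSV = """Account Name,Account ID,Resource Type,Provider ID,Resource Name,Region
AWS QA,111111111111,Storage Container,qa-logs,qa-logs,us-east-1
AWS QA,111111111111,Storage Container,qa-data,qa-data,us-east-1
AWS QA,111111111111,Instance,i-0aa1,qa-web,us-east-1
AWS QA,111111111111,Instance,i-0aa2,qa-db,us-east-1
AWS Prod,222222222222,Storage Container,prod-logs,prod-logs,us-west-2
AWS Prod,222222222222,Storage Container,prod-data,prod-data,us-west-2
AWS Prod,222222222222,Storage Container,prod-backup,prod-backup,us-west-2
AWS Prod,222222222222,Storage Container,prod-archive,prod-archive,us-west-2
AWS Prod,222222222222,Instance,i-0bb1,prod-web,us-west-2
"""
IMPACTED_CSV = """Account Name,Account ID,Resource Type,Provider ID,Resource Name,Region,Insight
AWS QA,111111111111,Storage Container,qa-logs,qa-logs,us-east-1,Storage Containers without Access Logging
AWS QA,111111111111,Storage Container,qa-data,qa-data,us-east-1,Storage Containers without Access Logging
AWS QA,111111111111,Instance,i-0aa1,qa-web,us-east-1,Instances with Public IP
AWS Prod,222222222222,Storage Container,prod-archive,prod-archive,us-west-2,Storage Containers without Access Logging
"""
EXEMPT_CSV = """Account Name,Account ID,Resource Type,Provider ID,Resource Name,Region,Insight
AWS Prod,222222222222,Storage Container,prod-archive,prod-archive,us-west-2,Storage Containers without Access Logging
"""


def load_rows(csv_text):
    """Parse one exported tab (CSV text here) into a list of dicts by header."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def in_scope(row, scope):
    """Scope selections are OR'd, as on the scorecard: a row passes if it
    matches any checked account or resource type; no selections pass all."""
    if not scope or not any(scope.values()):
        return True
    return (row["Account Name"] in scope.get("accounts", set())
            or row["Resource Type"] in scope.get("resource_types", set()))


def build_scorecard(inventory, impacted, exempt, scope=None, noncompliant_only=False):
    """Return {(account, insight): cell}; each cell holds the counts, the
    percent compliant and whether the heat-map cell would be red."""
    def key(row):
        return (row["Account ID"], row["Provider ID"], row["Insight"])
    exempt_keys = {key(r) for r in exempt}
    impacted_keys = {key(r) for r in impacted} - exempt_keys  # exemptions win
    cells = {}
    for insight, rtype in INSIGHT_RESOURCE_TYPE.items():
        for account in sorted({r["Account Name"] for r in inventory}):
            evaluated = [r for r in inventory
                         if r["Account Name"] == account
                         and r["Resource Type"] == rtype and in_scope(r, scope)]
            ids = [(r["Account ID"], r["Provider ID"], insight) for r in evaluated]
            n_exempt = sum(k in exempt_keys for k in ids)
            n_impacted = sum(k in impacted_keys for k in ids)
            denominator = len(evaluated) - n_exempt
            if denominator == 0 or (noncompliant_only and n_impacted == 0):
                continue  # nothing in scope to score, or hidden by the checkbox
            percent = 100.0 * (denominator - n_impacted) / denominator
            cells[(account, insight)] = {
                "total": len(evaluated), "exempt": n_exempt, "impacted": n_impacted,
                "percent": round(percent, 1), "red": percent < RED_THRESHOLD,
            }
    return cells


def render(cells):
    """Print the grid: accounts down the y-axis, insights across the x-axis."""
    insights = list(INSIGHT_RESOURCE_TYPE)
    print("account".ljust(10) + "".join(i[:26].ljust(28) for i in insights))
    for account in sorted({a for a, _ in cells}):
        line = account.ljust(10)
        for insight in insights:
            cell = cells.get((account, insight))
            mark = "-" if cell is None else f"{cell['percent']:5.1f}% {'RED' if cell['red'] else 'ok'}"
            line += mark.ljust(28)
        print(line)


if __name__ == "__main__":
    grid = build_scorecard(load_rows(INVENTORY_CSV), load_rows(IMPACTED_CSV),
                           load_rows(EXEMPT_CSV))
    render(grid)
```

Passing `scope={"accounts": {"AWS QA"}, "resource_types": {"Storage Container"}}` keeps the AWS Prod storage containers as well as everything in AWS QA, which is the OR behaviour the scorecard's scope checkboxes apply; `noncompliant_only=True` mirrors the Noncompliant Resources Only checkbox.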
Click Export (in the upper right), then select Subscribe. You have two options:
- Manage Subscriptions
- Current View
Selecting Manage Subscriptions will take you to a new page that allows you to interact with subscriptions that have already been created.
In the screen shot below, the available options are:
- Send Now - Sends an immediate email
- Edit - Allows customers to change the Name of the email subscription, the email addresses it's being sent to, the Subject line, and the cadence (daily/weekly)
- Delete - Removes the email subscription
Options to Manage Subscriptions from the Compliance Scorecard Export
When the email is sent, it has a short message along with an attached Excel file, similar to the download option.
Selecting Current View opens a pop-up that you are prompted to complete. This creates a scheduled email subscription for the current view (including the scopes for severities, badges, and resource types), sent either daily or weekly.
Click Export (in the upper right), then select Upload. Again you have two options:
- Schedule
- Manage Exports
Selecting Schedule displays the pop-up shown below. Completing the information here creates the export configuration and shows the time (UTC) at which the export will run. Here, you will:
- Give the current view of the scorecard a name.
- Name the export group.
- Select the storage container to which this upload will be sent. If you start typing the name of an AWS or GCP storage container that is already connected to DivvyCloud, a drop-down appears with the storage container name, account, and region. Because the export lists account IDs, resource names, and the resources that are noncompliant, restrict access to the destination container accordingly.
When creating an export configuration, you can create multiple configs within a group. For example, you can export ISO 27001, GDPR, and a custom pack all to the same group. Once you've created the export group, you can reuse it anytime you are creating exports.
Selecting Manage Exports will open a new page that allows you to interact with exports that have already been created.
Exports appear in a card format with some information about each Export, e.g., the number of export configurations, the cloud account to which it is exporting, the last run time, whether the export is pending its first run, and whether the export is enabled or disabled.
As shown below, the available options for managing Exports are:
- Subscribe - Similar to the email subscription shown above, this option allows customers to subscribe to weekly or daily emails containing an export of this information.
- Validate - Validates the configuration of this storage container to receive the export from DivvyCloud, and enables the daily export.
- Disable/Enable - Disables or enables the export of data from DivvyCloud to the storage container.
- Run Now - Sends an export to the storage container.
- Edit - Allows customers to change the name of the export, the storage container it's being sent to, and the list of associated export configurations (a group can contain multiple export configurations).
- Delete - Removes the selected export.