Compliance Scorecard

The InsightCloudSec Compliance Scorecard helps you audit compliance and identify risks in your cloud environment in a simple, transparent way. It can assist teams of all types (auditors, operations, security teams, and managers) in identifying areas with possible compliance issues and provide guidance for acting appropriately on the right resources to mitigate those issues.

Using a heatmap-style visual, as well as summaries and a history of noncompliant resources, you can readily see where resources are failing these compliance checks.

Compliance Scorecard Heatmap

Prerequisites

Before you get started with the Compliance Scorecard, you will need the following:

  • A functional InsightCloudSec platform install
  • At least one cloud account connected to InsightCloudSec (see steps below)
  • While not required, having some custom badges or custom Insight packs already created can also be helpful.

It's also helpful to have a basic understanding of Insights and Compliance Packs in InsightCloudSec. Reach out to support through the Customer Support Portal if you have any questions.

Connecting Your Cloud

The first time you open the Compliance Scorecard (under Security on the left-hand navigation menu), you will be prompted to add a cloud account to provide the scorecard with the data it needs to analyze. To review the steps for connecting a cloud to your InsightCloudSec platform, check out the Cloud Account Setup instructions.

After connecting your cloud account, it may take up to an hour to complete the initial data harvesting for display on the Compliance Scorecard landing page. While the system is processing the data, you can click Check Results periodically. The system verifies that there are enough resources to display the scorecard data.

Selecting Filters

Whether you have just connected your cloud account(s) or your cloud accounts were connected previously, the initial page load of the Compliance Scorecard does not display any information until you select filters. Two filter types are available:

Insight Filters
  Insight Filters include:
  • Insight Packs
  • Severities
  • Resource Types
  • Insights

Resource Filters
  Resource Filters include three tabs, and each tab provides filters that are specific to the tab selected.

  • Cloud/Cluster: Filters resources with findings into groups based on the Cloud or Cluster. This filter includes all Clusters.
    Filters on: Cloud Types, Badges, Clouds/Clusters
  • Cluster/Namespace: Filters resources with findings into groups based on Cluster, or by Namespace for one Cluster. This filter only applies to Clusters added via Cloud Workload Protect/Kubernetes Security Guardrails.
    Filters on: Badges, Clusters, Namespaces
  • Resource Group: Filters resources with findings into groups based on Azure Resource Groups or Custom Resource Groups.
    Filters on: Azure Resource Groups, Custom Resource Groups

Select a filter

  1. Go to Cloud > Cloud Accounts and select the cloud you want to filter.
  2. On the cloud account page, click Insight Filters.
  3. Select an Insight Pack.
  4. Click Submit.

Filtering Features

This section explains some of the capabilities and nuances around using the filtering system. It's fairly intuitive but has some smarter capabilities we want to take a minute to explain in greater detail.

Searching in a Filter
  Clicking on a filtering option activates the field and allows you to narrow the search for any of the filters available. Begin typing a filtering option in the Search field to quickly access the filters of interest.

Selecting in a Filter
  Users can select items individually or based on narrowed results (for example, every Insight returned by a search can be selected in one click). This search and select can be done for multiple terms or criteria within a single filtering option. The total number of selected items updates dynamically as selections are made.

Viewing the total of selected items
  • A check mark next to the total number indicates ALL of the items available in a filter are selected.
  • A "-" minus sign next to the total number indicates that only some of the items available (any quantity less than the total) are selected.

Deselecting a field
  Click anywhere in the space around the filters to deselect the area you are working in.

Clearing all filters
  At present, you can only clear all of the filters by manually deselecting the items you have selected, choosing a new organization, or reloading the page.

Other items to note
  • Switching Organizations refreshes the data on the page and clears/resets all selected filters.
  • Each Insight has a severity assigned on an Insight-by-Insight basis.

Review the Compliance Scorecard

  1. Go to Security > Compliance Scorecard.
  2. Select the associated cloud account.
  3. Review the compliance details.

Scorecard displays

After selecting your desired filters, the Compliance Scorecard shows a number of data displays, including a heatmap, a chart showing noncompliance by severity, and a histogram of total pack findings.

The Heatmap

The heatmap displays just below the filtering options and includes the date. It lists your scoped cloud accounts (or cloud filters) on the y-axis (vertical), and your Insights (as determined by the selected Insight Pack and any additional filtering) along the x-axis (horizontal). With each Insight, you can get an overall view of where you stand in multiple cloud accounts.

  • A legend displays at the base with the percentage of the Insight’s resources that are compliant and how that correlates to the colors shown on the heatmap, e.g., red means resources are less than 85% compliant.
  • In addition to basic navigation for the heatmap, you will find separate pagination controls for clouds and Insights, as well as the ability to adjust how many clouds or Insights are displayed per page (up to 50 for each).
  • There are often many pages of data depending on the size of your cloud footprint.

Heatmap Cell details

An additional display option shows details (when data is available) for resources for a single Insight and a specific cloud.

  • Hovering over any colored cell (data available) shows the number of impacted resources out of the total number of resources associated with the specific cloud (listed on the y-axis) and the specific Insight (listed on the x-axis), as well as any applicable exemptions.
  • Clicking on the cell will open a detailed display (Report Card) with data limited to the single cloud account and the single Insight selected. (Details on the Report Card are below.)

Filtering Options

From the Report Card view, you can:

  • Search within the displayed content
  • Filter by Resource Type
  • Toggle the display to include Exempt Resources
  • Click on an individual resource to view additional details

Other Features

  • Download: provides an Excel (.XLSX) export of the details for the impacted resources, either for an individual or multiple cloud accounts (see Downloading (Excel) below)
  • Create Bot: launches Bot creation based on the applicable Insight for the impacted resource(s)
  • Clicking on the identifier of an individual impacted resource (under Name) opens a view with additional details for the noncompliant resource.

Heatmap Viewing Impacted Resources

From the heatmap, users can review impacted resources in one of two ways:

  1. Clicking on the Insight name (on the x-axis) provides a "Report Card" view of all impacted resources across all cloud accounts (refer to the Details by Insight (Report Card) section on this page).
  2. Clicking on an individual cell provides the same "Report Card" view, limited to the impacted resources in that single cloud account.

In both cases, any column with yellow or red cells provides details on the noncompliant resources.

Default Cell Options

  • Cells with no impacted resources (green) display a different "Report Card" with Insight summary details.
  • Cells with no data (grey) do not generate a "Report Card" view.

Detailed List of Insights by Cloud Account

Clicking on a single cloud account name (on the y-axis of the scorecard) displays a detailed list of all Insights within the compliance pack being reviewed for this cloud, the severity of each Insight, and the number of impacted resources out of total resources for the selected cloud.

  • To return to the main Compliance Scorecard display, click the X at the top right of the page, or press Escape.
  • Selecting an individual Insight from this view expands the content and displays additional data about the resources that are impacted for that Insight.
  • For an Insight with no impacted resources (e.g., Impacted: 0/57) there will be no resource data to drill down into.

Details by Insight (Report Card)

Clicking on an Insight name (on the x-axis) of the heatmap displays all cloud accounts that have impacted resources for that individual Insight.

Impacted (Noncompliant) Resources

The Report Card page for the selected Insight lists the impacted (noncompliant) resources. This view defaults to "All Resources" (noncompliant) and can be filtered by applicable Resource Types.

Filtering Options

From the Report Card view, users also have the ability to filter the display further. You can:

  • Search within the displayed content
  • Filter by Resource Type
  • Toggle the display to include Exempt Resources

Other Features

  • Download: provides an Excel (.XLSX) export of the details for the impacted resources, either for an individual or multiple cloud accounts (see Downloading (Excel) below)
  • Create Bot: launches Bot creation based on the applicable Insight for the impacted resource(s)
  • Create Exemption: launches the exemption form and allows you to create a new exemption based on your selected impacted resource. See the instructions for creating an exemption.
  • Clicking on the identifier of an individual impacted resource (under Name) opens a view with additional details for the noncompliant resource.

Note: if you select an Insight that does not include impacted (noncompliant) resources, no list or associated charts (histogram, Resources by Type, Resources by Region, etc.) will display since these are driven by the data surrounding impacted (noncompliant) resources.

Histogram of Impacted (Noncompliant) Resources

The second display on the page shows a histogram of impacted resources found over the past 30 days. The colors of the bars in this histogram have no special meaning; they are for ease in reading the histogram only.

Impacted (Noncompliant) Resources by Type and Region

Scrolling further down this page, you'll see additional displays for impacted resources by resource type and by region.

Insight Information

Scrolling to the very bottom of the page displays information specific to the selected Insight, including a description of the Insight, remediation, and recommended Bot workflow to complete the remediation.

Compliance Scorecard - Noncompliant Resources by Severity

Directly under the heatmap (on the main Compliance Scorecard page), the pie chart displays the percentage of noncompliant resources by severity for the scoped clouds against the filtered insights. Hovering your cursor over any segment of the pie displays the exact number of noncompliant resources at a particular severity.

Compliance Scorecard - Total Pack Findings

At the bottom of the page, a histogram displays the total pack findings for the scoped clouds against the selected compliance pack, one bar per date over a two-week period. Hovering your cursor over any bar shows the exact total number of findings discovered on that date.

What is a Finding?

The term "finding" indicates a single Insight check against a resource. If the resource matches any Filter included in the Insight, it is counted as a "finding". A single resource may be valid for multiple Insights, and as a result, may have multiple "findings".

Export Options

The Compliance Scorecard supports multiple forms of export, including:

  • An .XLSX file download (this option is limited by size, i.e., if your report is too large, this option is greyed out)
  • An email subscription
  • A cloud storage subscription (AWS or GCP storage container)
  • A shareable link (Note: this functionality is currently in Alpha and may change in future InsightCloudSec releases. Only Domain and Organization Admins have access to it.)

These export options are available by clicking "Options" next to the "Submit" button.

The Compliance Scorecard also supports exporting content across multiple organizations to a single S3 bucket. This capability is available by request, as a feature flag. Reach out to us through the Customer Support Portal for assistance with configuring/enabling this feature.

Downloading (Excel)

Download options for Excel are available from the main filtering menu and from the Report Card view for impacted resources. From the main filtering menu, all Insights for the selected pack are downloaded, not limited to the selected severities, badges, or resource types, and the file contains multiple tabs of information.

The Download Excel option has data size limitations. If your report is too large, you are unable to download the file.

Download Excel

  1. Select your desired Filters, and then from the heatmap view click Options next to the "Submit" button.
  2. In the Export Options window, click Download (Excel).
  3. To download an Excel report for an individual Insight in a single cloud account, or for an individual Insight across ALL of your cloud accounts, do the following:
    1. Select the individual cell under the Insight/Cloud Account, or select the Insight name on the x-axis.
    2. Click the "Download" button in the Report Card view. This downloads ONLY the selected Insight for the impacted resources and includes severities, badges, and resource types; it also contains multiple tabs of information.

Percentage of Compliance

Each cell in the Compliance Scorecard uses a color code to represent the percentage of compliance for all resources within the cloud account that are checked against a specific Insight. This percentage is calculated as 1 minus the ratio of noncompliant resources to total resources checked against that Insight, with the result multiplied by 100 to obtain a percentage.

For example, a cell shows 50 impacted (noncompliant) resources out of a total of 1000 assessed resources for an Insight. The compliance for the assessed resources is therefore (1 - [50/1000]) * 100, or 95%, so the cell is color-coded yellow, indicating a compliance level of between 95% and 99%.

In the UI, the scorecard is displayed as Insights (along the X-axis) vs Cloud accounts (along the Y-axis). In the Compliance Export, the reverse is shown: Cloud accounts are on the X-axis and Insights along the Y-Axis. The calculation of percent compliance, though, is the same in both cases.

The downloaded Impacted Resources and Resource Exemptions tabs list metadata about those resources, including Account Name and ID, Resource Type, Provider ID, Resource Name, and Region, as well as the Insight name with a link back to the InsightCloudSec application.
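The percentage calculation, the page's definition of a "finding" (one Insight check matching one resource, so a resource can carry several), and the shape of the Impacted Resources export tab, carried through in code. This is an added example and not InsightCloudSec code or output: the account names and IDs, Insight names, resource identifiers and the CSV stand-in for the .xlsx tab are constructed; the colour thresholds (green for no impacted resources, yellow at 95% and above, red below that, grey when nothing was checked) and the rule that an exempt match is reported separately rather than counted as impacted are assumptions drawn from the page's wording.

```python
from collections import Counter
from typing import NamedTuple
import csv
import io


class Evaluation(NamedTuple):
    """One Insight check against one resource (constructed sample schema)."""
    account_name: str
    account_id: str
    insight: str
    resource_type: str
    provider_id: str
    resource_name: str
    region: str
    matched: bool  # resource matched a Filter in the Insight: a "finding"
    exempt: bool   # an exemption covers this resource for this Insight


def make_evaluations(account_name, account_id, insight, resource_type, region,
                     total, impacted, exempt=0):
    """Constructed sample rows for one (account, Insight) cell: the first `impacted`
    resources match the Insight and the first `exempt` of those are exempted."""
    rows = []
    for i in range(total):
        matched = i < impacted
        rows.append(Evaluation(account_name, account_id, insight, resource_type,
                               f"{resource_type}-{i:03d}", f"{resource_type} {i}",
                               region, matched, matched and i < exempt))
    return rows


# Two sample accounts, three Insights from one pack. The "instance" resources are
# checked by two Insights, so some of them carry more than one finding.
SAMPLE = (
    make_evaluations("prod", "111111111111", "Storage Container Publicly Readable",
                     "storagecontainer", "us-east-1", total=20, impacted=1)
    + make_evaluations("prod", "111111111111", "Instance Without Encryption",
                       "instance", "us-east-1", total=40, impacted=4, exempt=1)
    + make_evaluations("prod", "111111111111", "Instance With Public IP",
                       "instance", "us-east-1", total=40, impacted=2)
    + make_evaluations("dev", "222222222222", "Storage Container Publicly Readable",
                       "storagecontainer", "us-west-2", total=10, impacted=0)
)


def count_findings(evals):
    """Findings per resource: one per Insight the resource matches (an exemption
    does not remove the finding itself, it only changes how it is reported)."""
    return Counter((e.account_id, e.provider_id) for e in evals if e.matched)


def compliance_percent(impacted, total):
    """The page's (1 - impacted/total) * 100, arranged as 100 * (total - impacted)
    / total so integer inputs give exact results; None when nothing was checked."""
    return None if total == 0 else 100 * (total - impacted) / total


def cell_color(impacted, total):
    """Heatmap colour band. Thresholds are assumptions taken from the page: green
    for no impacted resources, yellow for 95%-99%, red below that, grey if no
    resources were checked."""
    pct = compliance_percent(impacted, total)
    if pct is None:
        return "grey"
    if impacted == 0:
        return "green"
    return "yellow" if pct >= 95 else "red"


def build_heatmap(evals):
    """{(account_name, insight): cell}. Every account is paired with every Insight so
    an empty cell still appears (grey). Exempt matches are reported separately
    and, by assumption, not counted as impacted."""
    accounts = sorted({(e.account_name, e.account_id) for e in evals})
    cells = {}
    for name, acct_id in accounts:
        for insight in sorted({e.insight for e in evals}):
            rows = [e for e in evals if e.account_id == acct_id and e.insight == insight]
            exempt = sum(1 for e in rows if e.matched and e.exempt)
            impacted = sum(1 for e in rows if e.matched) - exempt
            cells[(name, insight)] = {
                "impacted": impacted, "total": len(rows), "exempt": exempt,
                "percent": compliance_percent(impacted, len(rows)),
                "color": cell_color(impacted, len(rows)),
            }
    return cells


def export_impacted(evals, include_exempt=False):
    """CSV text shaped like the export's Impacted Resources tab (columns named on
    the page; CSV stands in for the .xlsx tab). Exempt resources are left out
    unless include_exempt is set, mirroring the Report Card toggle."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Account Name", "Account ID", "Resource Type", "Provider ID",
                     "Resource Name", "Region", "Insight"])
    for e in evals:
        if e.matched and (include_exempt or not e.exempt):
            writer.writerow([e.account_name, e.account_id, e.resource_type,
                             e.provider_id, e.resource_name, e.region, e.insight])
    return buf.getvalue()


if __name__ == "__main__":
    for key, cell in sorted(build_heatmap(SAMPLE).items()):
        print(key, cell)
    print({k: n for k, n in count_findings(SAMPLE).items() if n > 1})
    print(export_impacted(SAMPLE))
```

With the sample data, the prod account's storage cell comes out at 1/20 impacted (95%, yellow), the encryption cell at 3/40 plus one exemption (92.5%, red), and the dev account has no instances at all, so its instance cells are grey rather than green; the two instances that match both instance Insights each count as two findings, which is why the Total Pack Findings histogram can exceed the number of noncompliant resources.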

Create Email Subscription

Clicking "Create Email Subscription" from the "Options" menu opens a dialog where you can create and schedule an email subscription. When the email is sent, it has a short message along with an attached Excel file, similar to the download option described above.

Create Cloud Storage Subscription

Clicking "Create Cloud Storage Subscription" from the "Options" menu opens a dialog where you can create a compliance scorecard export configuration for an AWS or GCP storage container. Completing the information here creates the export configuration and shows what time (UTC) this export will be run. Here, you will:

  • Name the current view of the Scorecard
  • Name the actual storage container where this upload will be sent. If you start typing either an AWS or GCP storage container that is already connected to InsightCloudSec, a drop-down will appear with the storage container name, account, and region.
  • Name the Resource tag(s) to include in the export
  • Name the Badge(s) to include in the export

Manage Subscriptions

Clicking Options > Manage Subscriptions opens a new page that allows you to manage existing subscriptions. Existing subscriptions appear in a list format that displays the subscription name and type, whether it's enabled, the number of badges and tags associated with the subscription, and much more. Selecting the ellipsis ... on a subscription opens the actions menu, which offers several options that can vary depending on the subscription type.

Send Now (email) / Run Now (cloud storage)
  Sends the email subscription immediately / schedules a task to create the configured Compliance Scorecard view and export it to the storage container.

Validate Settings (cloud storage only)
  Validates the configuration information for the given cloud storage subscription. The configuration must be validated before it can be enabled.

Enable / Disable (cloud storage only)
  Enables or disables data export to the configured cloud storage container.

Edit Filters
  Opens the Compliance Scorecard view that was configured prior to creating the subscription. From here, you can make edits to the view, preview the new view (with any changes), and save any changes. If this option is inactive, see Convert for more information.

Edit Settings
  Opens the configuration window for the subscription and allows you to make changes to its settings, e.g., badges, tags, name, email recipients, cloud storage container name, etc.

Delete
  Removes the subscription.

Convert (grouped cloud storage subscriptions only)
  Converts the selected subscription that is part of an export group to a singular subscription, which enables Edit Filters. See Using Export Groups below for more information.

Using Export Groups

Starting with InsightCloudSec version 21.6, cloud storage subscriptions (formerly known as export configurations) can no longer be configured to use groups. Users who upgrade to 21.6 will have the option to convert their grouped cloud storage subscriptions to individual cloud storage subscriptions.

What's Next

After reviewing the details here about our Compliance Scorecard, you may want to check out more information around:

  • Learning more about Insights or our Compliance Packs.
  • Our Integrations: we offer many third-party integrations, with detailed instructions on setting up your InsightCloudSec platform with each.