CSPMCSPM

Multi cloud security posture management (CSPM)

Framework-centered automated conformance assessment

benefits icon UCF-enabled dashboards
benefits icon Exemption handling
benefits icon Compliance boundaries
benefits icon Violation routing

Architecture

Compliance Engine has a rich library of compliance policies and industry benchmarks to select from for checking security, reliability, performance, efficiency and optimizing spendings. Compliance Engine leverages CMDB to evaluate all infrastructure resources across all clouds, meaning that evaluation is ran against CMDB data not against the cloud inventory. With minimal API calls to the cloud provider, API throttling issues and cost overhead are eliminated.

image-block-architecture

Specifications

  • AWS, Azure, GCP, Heroku
  • 550+ pre-built policies and benchmarks
  • CIS, ISO, HIPAA, PCI, GDPR, SOC2, NIST, FedRamp, CCM
  • extensive CMDB data to enrich policies
  • non-cloud provider data to evaluate
  • REST/SOAP API requests, email notifications, Slack messages, AWS Lambda and custom webhook invocations

Performance

Quick policy deployment helps to assess the security posture just in few hours in Compliance Engine. Results of policy runs are available right in CMDB.

image-block-violation-lifecycle

Violation lifecycle methodology

Our compliance methodology states that every violation must either be resolved or exempted. Violations cannot be ignored. Define rules to trigger incidents for new violations in your ticketing system. Use workflows to route and escalate tickets to responsible teams or users. Compliance Engine provides remediation tips to resolve issues quicker. Request and approve exemptions to get rid of unnecessary violations noise. Automate the whole process: once a vulnerability is fixed, the related ticket is closed.

UCF-enabled dashboards

Compliance is based upon complying with certain authority documents, that is statutes, regulations, directives, principles, standards, guidelines, best practices, policies, and procedures. Cloudaware relies on the Unified Compliance Framework (UCF) to assist enterprises in alignment with commonly accepted compliance controls. Customers address Cloudaware Compliance Status Dashboard that cross-references more than 900 UCF authority documents to define what particular standards and articles specific to their industry they need to comply with.

image-block-ucf

Exemption handling

Security teams are overloaded by violations due to rapid cloud adoption and increasing security misconfigurations. Some violations are actually legitimate deviations from the accepted usage. For example, there may be storage buckets that should be publicly accessible since they host websites available from outside the organization. Mixing acceptable deviations and actual compliance violations creates an operational pattern where some violations may be ignored for an extended period of time. Therefore, SecOps teams require a workflow process to exempt acceptable deviations so that true violations are never ignored. Using Cloudaware CMDB workflows, SecOps and business stakeholders can create a new security governance culture when all violations are either remediated or exempted.

image-block-exemption-handling

Compliance boundaries

Using compliance boundaries, Cloudaware can assess controls specific to the risk profile and regulatory requirements of each business application. This allows risk management and TVM teams to create remediation plans aligned with business service level agreements and priorities. DevOps teams can leverage IaC templates and compliance boundaries by deploying applications into environments that meet the required security controls from inception.

image-block-compliance-boundaries

POLICY DEVELOPMENT
AS A SERVICE

Users can request Cloudaware support to deliver any custom Compliance Engine policy in 48 hours or less. Additionally, users can develop their own policies using open programming language based on Java.

image-block-policy-development

Violation routing

Compliance Engine routes and escalates violations to specific teams and individuals. Using tags and other data from CMDB, Compliance Engine will identify security and compliance contacts for every configuration item involved in a violation. Assigning remediation tasks to the most appropriate team is the first step in pursuing an expedited resolution. Using violation routing feature, SecDevOps teams can reduce their workloads by automatically forwarding remediation requests directly to the account and application owners.

image-block-violation-routing

Auto-remediation

Compliance Engine supports advanced remediation automation processes to handle repetitive violations. Cloudaware provides a CloudFormation template with permissions required to run a workflow invoking a Lambda function once a violation is triggered. Auto-remediation workflows allow customers to improve violation trends and optimize overall compliance significantly.

image-block-auto-remediation

Ticketing integrations

Compliance Engine creates violations in external ticketing systems, such as Jira, ServiceNow CMDB, Rally, etc. Customers can use violation routing logic to assign tickets to specific teams or individuals. Cloudaware will also update external tickets when violations are remediated or need to be escalated. SecDevOps teams will customize templates for external tickets to include additional remediation instructions and escalation procedures.

image-block-ticketing-integrations

Ready to
get started?