Data security and compliance is a never-ending task. The dynamic nature of the cloud environment combined with growing cloud footprints that organizations maintain today makes this task even harder. As things change within a cloud infrastructure, it becomes difficult to keep track whether you are still compliant with current standards and policies using traditional tools and doing compliance assessments once or twice a year is no longer enough. 

It is also critical that the security team is aware of such changes. Sometimes an immediate notification is needed, and appropriately routed to organizational IT or security team. With other types of issues, a daily report arriving in the team mailbox in the morning is sufficient.

A few months ago, we had published a blog post that discussed a new capability in the Dome9 platform a few months ago: Continuous Compliance. Continuous Compliance allows Dome9’s customers to automate the compliance assessment process and run any selected compliance or security bundle on an ongoing basis. Once enabled, Dome9 Continuous Compliance mechanism will notify selected contacts within your organization, of any existing cloud assets or any changes that are not compliant with rules within your selected bundle.

Continuous Compliance is now released as a final preview feature, including several powerful enhancements.

Automatic generation of report findings

Continuous Compliance is a major enhancement to the Dome9 Compliance Engine. Once a bundle of compliance rules is associated with a cloud account, the Dome9 Compliance Engine will continuously run assessments of the cloud account- and generate automatic report findings on elements that do not comply with any of the rules in the bundle.

It is possible to select several different output methods for continuous compliance reports listed below- (in addition to the default report generated in the Dome9 console):

– An online assessment report.

– A scheduled email report, sent at a configurable time, to a group of email recipients. The report can include all the findings (full report), or only the findings that were generated since the previous report (changes report).

– A changes email report, sent to a group of email recipients whenever new findings are generated.

– AWS SNS notification message, sent for each newly generated finding. The SNS message (formatted as JSON or Plain text) can be consumed by any type of system, providing endless possibilities for additional integrations.

Additional integrations with other platforms will be announced soon.

Flexible reporting for different use cases

Continuous Compliance allows you to define different targets for the generated notifications and reports. Defining different targets allows each team (or individual) to consume notifications that are relevant to them, and at different intervals. Here are some examples:

– The security director could receive a weekly high-level report.

– The compliance team could consume the daily findings from the HIPAA bundle, while the security team could be notified of findings generated by the Azure Best Practices bundle.

– Another strategy could be to direct the findings to the SNS queue of the relevant DevOps team, that could then immediately work on fixing the scripts and resolve any issues.

As access to the Dome9 console is no longer mandatory, the Dome9 administrator is no longer required to serve as a dispatcher for manually generated report PDFs.

Achieve “always-on” compliance

With continuous compliance, you will gain an increase in reliability, and decrease in human error through compliance and governance automation. Dome9 ensures that your cloud environments will always be compliant with any relevant standard. By using Dome9 Continuous Compliance, you will experience significant improvements in your ‘security situational awareness’ and the ability to make fast changes without compromising security.

For more information on Dome9 Continuous Compliance and the preview program contact us.