Violation routing
Compliance Engine routes and escalates violations to specific teams and individuals. Using tags and other data from the CMDB, it identifies the security and compliance contacts for every configuration item involved in a violation. Assigning the remediation task to the right team from the start is the first step toward an expedited resolution. With the violation routing feature, SecDevOps teams reduce their own workload by forwarding remediation requests directly to the account and application owners.
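The owner-resolution step described above, as an added example written for this page in Python (it is not Cloudaware's implementation, which is not shown here). The record shapes, the tag names `SecurityContact` and `Owner`, the fallback order (CI tag, then account owner, then a shared default queue) and the queue address are assumptions; the sample CMDB rows are constructed. It also handles two cases the paragraph does not mention: a blank tag value is treated as missing rather than as a contact, and one owner with several affected CIs receives a single task.

```python
"""Illustrative model of tag-based violation routing over CMDB data.

Added example, not Cloudaware code: record shapes, tag names, fallback
order and the default queue are assumptions chosen to show the logic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tag keys consulted on a configuration item, in order of precedence (assumption).
CI_OWNER_TAGS = ("SecurityContact", "Owner")
# Queue that receives anything no tag or account data can route (assumption).
DEFAULT_QUEUE = "cloud-security-ops@example.com"


@dataclass
class ConfigurationItem:
    ci_id: str
    account_id: str
    tags: Dict[str, str]


@dataclass
class Account:
    account_id: str
    owner: Optional[str] = None


@dataclass
class Violation:
    policy: str
    ci_ids: List[str]


@dataclass
class RoutingDecision:
    assignees: List[str]      # distinct contacts, in the order resolved
    unrouted_cis: List[str]   # CIs that fell through to the default queue


def resolve_contact(ci: ConfigurationItem, accounts: Dict[str, Account]) -> Tuple[str, bool]:
    """Return (contact, routed) for one CI.

    Precedence: owner tag on the CI, then the account owner held in the
    CMDB, then the shared default queue. Empty or whitespace-only tag
    values count as missing so a stray blank tag cannot swallow a task.
    """
    for key in CI_OWNER_TAGS:
        value = (ci.tags.get(key) or "").strip()
        if value:
            return value, True
    acct = accounts.get(ci.account_id)
    if acct is not None and acct.owner:
        return acct.owner, True
    return DEFAULT_QUEUE, False


def route_violation(violation: Violation, cis: Dict[str, ConfigurationItem],
                    accounts: Dict[str, Account]) -> RoutingDecision:
    """Resolve every CI in the violation to a contact, de-duplicating
    recipients so an owner with many affected CIs gets one task."""
    assignees: List[str] = []
    unrouted: List[str] = []
    for ci_id in violation.ci_ids:
        contact, routed = resolve_contact(cis[ci_id], accounts)
        if contact not in assignees:
            assignees.append(contact)
        if not routed:
            unrouted.append(ci_id)
    return RoutingDecision(assignees, unrouted)


# Constructed sample CMDB data for demonstration.
SAMPLE_CIS = {
    "i-0aaa": ConfigurationItem("i-0aaa", "111", {"Owner": "payments-team@example.com"}),
    "i-0bbb": ConfigurationItem("i-0bbb", "111", {"Owner": "  "}),  # blank tag value
    "i-0ccc": ConfigurationItem("i-0ccc", "222", {"SecurityContact": "sec-data@example.com",
                                                   "Owner": "data-team@example.com"}),
    "i-0ddd": ConfigurationItem("i-0ddd", "333", {}),  # no tag, account has no owner
}
SAMPLE_ACCOUNTS = {
    "111": Account("111", owner="acct-111-owner@example.com"),
    "222": Account("222", owner="acct-222-owner@example.com"),
    "333": Account("333"),
}


def demo() -> RoutingDecision:
    violation = Violation("sample-policy", ["i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd"])
    return route_violation(violation, SAMPLE_CIS, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    decision = demo()
    print("assignees:", decision.assignees)
    print("fell through to default queue:", decision.unrouted_cis)
```

Anything listed in `unrouted_cis` is the signal a SecDevOps team wants to watch: it means ownership metadata is missing in the CMDB, and the violation has landed back on the central queue instead of with the application or account owner.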
Enforcement handling
Compliance Engine lets those responsible for remediation request an appeal from cloud security and compliance operations. Using Cloudaware CMDB workflows, an appeal request can be escalated to multiple stakeholders. Silently ignoring violations, even for legitimate reasons, creates a poor security governance culture in which genuine violations eventually get ignored as well. By handling justified exceptions through a process-driven approach in which no violation is simply left unaddressed, security teams not only protect the cloud infrastructure but also foster a culture of responsibility.
Approval workflow
Approval workflows allow Compliance Engine administrators to build automated processes for handling appeal requests raised in response to compliance violations. Compliance Engine supports advanced approval workflows in which several stakeholders must sign off in parallel, as well as staggered processes in which representatives of different departments sign off sequentially. The Cloudaware approval workflow feature is designed to avoid situations in which a violation reaches a dead end and is forgotten.
Compliance performance
Compliance Engine provides indicators of how well individual teams are handling compliance violations. Besides standard metrics such as violation volume over time and mean time to repair, its dashboards show which teams are overloaded with violations and are unlikely to resolve them within the configured timeline. Customers can compare their own statistics, such as mean time to repair and exception rate, against the average across other Cloudaware customers.
Multi-cloud - AWS, GCP, Azure
Out of the box, Compliance Engine supports the three leading cloud providers, including the CIS Benchmarks for Amazon Web Services, Google Cloud and Microsoft Azure. Unlike competing products, Compliance Engine does not call the cloud providers' APIs directly; it evaluates policies against data already held in the Cloudaware CMDB. This design avoids API throttling and also allows custom policies to combine cloud data with data that does not come from the cloud provider at all. The trade-off is that findings reflect the CMDB's most recent collection rather than live cloud state.
Supports JIRA and ServiceNow
Compliance Engine creates violations in external ticketing systems such as JIRA and ServiceNow. Using the violation routing logic, tickets are assigned to specific teams or individuals, and Cloudaware updates the external ticket when a violation is remediated or needs to be escalated. SecDevOps teams can customize the templates for external tickets to include additional remediation instructions and escalation procedures.
Plan Remediation Activities
Using CMDB Workflows, Cloudaware can execute a wide range of automated actions when Compliance Engine finds or updates a violation. Common actions include REST or SOAP API requests, email notifications, Slack messages, AWS Lambda invocations and custom webhooks.
Write Your Own Policies
Compliance Engine lets you customize any built-in policy or write your own from scratch in Apex and SOQL. For example, many users customize policies to define violation and escalation thresholds for specific accounts and subscriptions. Using the CMDB Sandbox environment, policy developers can estimate the effect of a policy change on the number of violations before deploying it to production.
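The per-account thresholds and the sandbox impact estimate described in this section, and the point made under Multi-cloud that a policy runs over CMDB rows rather than cloud API calls, as one added example. It is illustrative Python written for this page, not Cloudaware's Apex/SOQL policy API. The record fields (including the CMDB-only `cmdb_status`), the policy settings and the sample records are assumptions and constructed data; the sample policy itself (flag IAM access keys older than a per-account maximum age, escalate past a second threshold) is a generic check chosen for illustration.

```python
"""Illustrative model of a custom Compliance Engine policy evaluated over a
CMDB snapshot, with per-account thresholds and a sandbox-style impact estimate.

Added example, not Cloudaware's Apex/SOQL: field names, policy settings and
sample records are assumptions / constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AccessKeyRecord:
    """One CMDB row for an IAM access key (fields assumed)."""
    key_id: str
    account_id: str
    age_days: int
    cmdb_status: str = "active"   # CMDB-only classification, not from the cloud API


@dataclass
class KeyAgePolicy:
    """Maximum key age with per-account overrides (shape assumed)."""
    default_max_age: int = 90
    escalate_after: int = 180                      # days past which a finding is escalated
    per_account_max_age: Dict[str, int] = field(default_factory=dict)
    skip_statuses: Tuple[str, ...] = ("decommissioned",)

    def max_age_for(self, account_id: str) -> int:
        return self.per_account_max_age.get(account_id, self.default_max_age)


@dataclass
class Finding:
    key_id: str
    account_id: str
    age_days: int
    threshold: int
    escalate: bool


def evaluate(records: List[AccessKeyRecord], policy: KeyAgePolicy) -> List[Finding]:
    """Run the policy against a CMDB snapshot.

    The check reads only CMDB rows, so it never calls a cloud API, and it can
    use CMDB-only data (cmdb_status) to suppress resources the organisation
    has already retired, which the provider's API alone would not reveal.
    """
    findings: List[Finding] = []
    for r in records:
        if r.cmdb_status in policy.skip_statuses:
            continue
        limit = policy.max_age_for(r.account_id)
        if r.age_days > limit:
            findings.append(Finding(r.key_id, r.account_id, r.age_days, limit,
                                    escalate=r.age_days > policy.escalate_after))
    return findings


def impact_of_change(records: List[AccessKeyRecord], current: KeyAgePolicy,
                     proposed: KeyAgePolicy) -> dict:
    """Sandbox-style estimate: which violations a policy change adds or removes,
    computed before the change is promoted to production."""
    before = {f.key_id for f in evaluate(records, current)}
    after = {f.key_id for f in evaluate(records, proposed)}
    return {"before": len(before), "after": len(after),
            "added": sorted(after - before), "removed": sorted(before - after)}


# Constructed sample CMDB rows.
SAMPLE_RECORDS = [
    AccessKeyRecord("key-1", "111", age_days=120),                           # over default 90
    AccessKeyRecord("key-2", "111", age_days=200),                           # over 90 and past escalation
    AccessKeyRecord("key-3", "222", age_days=300),                           # within account 222's override
    AccessKeyRecord("key-4", "333", age_days=100, cmdb_status="decommissioned"),  # retired in CMDB
    AccessKeyRecord("key-5", "333", age_days=60),                            # compliant
]

# Production policy: 90-day default, account 222 (assumed to be a sandbox account) allowed 365.
CURRENT_POLICY = KeyAgePolicy(default_max_age=90, escalate_after=180,
                              per_account_max_age={"222": 365})
# Proposed tightening: 60-day default and no per-account exceptions.
PROPOSED_POLICY = KeyAgePolicy(default_max_age=60, escalate_after=180)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS, CURRENT_POLICY):
        print(f"{f.key_id} in {f.account_id}: {f.age_days}d > {f.threshold}d"
              f"{' (escalate)' if f.escalate else ''}")
    print("impact of proposed change:", impact_of_change(SAMPLE_RECORDS, CURRENT_POLICY, PROPOSED_POLICY))
```

Under the current policy only `key-1` and `key-2` are findings, with `key-2` escalated; the impact estimate shows that removing the account override would add `key-3` as a third violation, which is the kind of number a policy developer would want before promoting the change out of the sandbox.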