Our latest release, 20.2, is special for many reasons. It marks our first major release as DivvyCloud by Rapid7. We look forward to delivering innovative solutions to you as part of the Rapid7 team. Rest assured, we will continue to listen to our customers’ needs, aligning our collective priorities into the product roadmap as we grow.
This release is also noteworthy because it includes our new and much anticipated Infrastructure as Code (IaC) Security capability. Other highlights include:
- Expansion of Organizations
- Compliance Scorecard Improvements
- Updated NIST 800-53 Compliance Pack
As with each release, we have improved our overall cloud parity by expanding our support and capabilities for resources within DivvyCloud. These improvements allow our customers additional capabilities around visibility, reporting, and automation.
We developed IaC Security to complement our automated remediation capabilities. Instead of identifying and reacting to issues, IaC Security uses a proactive approach. It enables organizations to implement security controls earlier in their CI/CD pipeline (shifting left) and provides an opportunity to address compliance and security concerns before deployment or modifications are made to your cloud infrastructure.
This new capability allows users to pull in preconfigured infrastructure templates to drive secure and compliant development from the start. Using DivvyCloud’s comprehensive knowledge of a customer’s cloud infrastructure, via Dynamic Analysis, along with DivvyCloud Insights, IaC Security analyzes proposed code changes to determine if the changes would violate security or compliance policies. By understanding the full impact of the changes before runtime, our customers will be more efficient and have better security.
You can find details about this feature in the IaC section of the documentation.
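As an added illustration of the shift-left check described above (example code written for this page, not DivvyCloud's IaC Security engine or its Insights), the following script evaluates a constructed CloudFormation-style template against two hypothetical policy rules before deployment and returns a non-zero exit code for a CI step when a blocking finding exists. The sample template, the rule logic, and the severity thresholds are assumptions made for the example.

```python
"""Minimal pre-deployment policy check for an IaC template.

Added illustration of the shift-left idea: evaluate a proposed
CloudFormation-style template against a few policy rules before anything
is deployed. This is NOT DivvyCloud's IaC Security engine or its
Insights; the rules, resource names and template below are constructed
for the example.
"""
import json
import sys

# Constructed sample template (not from the page). It contains one
# compliant bucket and two resources that violate the example rules.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                }
            },
        },
        "PublicBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"}
                ]
            },
        },
    }
})


def check_s3_public(name, props):
    """Flag buckets with a public canned ACL or without a full public access block."""
    findings = []
    if props.get("AccessControl", "Private").startswith("Public"):
        findings.append((name, "high", "S3 bucket uses a public canned ACL"))
    block = props.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(block.get(k) is True for k in required):
        findings.append((name, "medium", "S3 bucket lacks a full public access block"))
    return findings


def check_sg_open_admin(name, props):
    """Flag security groups exposing SSH or RDP to the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        for port in (22, 3389):
            # lo == -1 means "all traffic", which also covers the admin ports
            if lo <= port <= hi or lo == -1:
                findings.append((name, "high", f"ingress from {cidr} reaches port {port}"))
    return findings


# Policy registry: resource type -> checks to run. New rules are added here.
POLICIES = {
    "AWS::S3::Bucket": [check_s3_public],
    "AWS::EC2::SecurityGroup": [check_sg_open_admin],
}


def evaluate_template(template_json):
    """Return a list of (logical_id, severity, message) findings for a template."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for check in POLICIES.get(resource.get("Type"), []):
            findings.extend(check(logical_id, resource.get("Properties", {})))
    return findings


def ci_exit_code(findings, fail_on=("high",)):
    """Non-zero when any finding is at a blocking severity, so a pipeline step fails."""
    return 1 if any(sev in fail_on for _, sev, _ in findings) else 0


if __name__ == "__main__":
    # Read a template from stdin when piped in; otherwise run the built-in sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TEMPLATE
    results = evaluate_template(source)
    for logical_id, sev, msg in results:
        print(f"[{sev}] {logical_id}: {msg}")
    sys.exit(ci_exit_code(results))
```

Run as `python check_iac.py < template.json` in a pipeline step; the non-zero exit on a high-severity finding is what blocks the merge or deploy, which is the point at which a shift-left control earns its keep. Keeping the rules in a registry keyed by resource type is a deliberate choice: it lets the same evaluator grow from two rules to a full pack without touching the template-walking code.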
Added Support for Organizations
DivvyCloud offers the ability to add multiple projects or accounts to “Organizations.” The Organizations feature allows you to enable the automatic addition of all associated cloud projects or accounts and badging by organization or folder. This means less maintenance and better synchronization. For example, when a project or account is removed, it doesn’t remain in our tool as a stale artifact that could generate false positives for non-compliance; rather, the Organizations feature recognizes that the project or account has been removed and will not generate information on the resource.
Our Organizations feature, previously only available for GCP projects, is now extended to AWS. Don’t worry, we’ll add this feature for Azure in the near future. Read more about DivvyCloud Organizations for GCP and the newly added Organizations for AWS.
Compliance Scorecard Improvements
We have redesigned the Scorecard to improve readability while offering even greater visibility into your overall compliance picture, as well as significantly improving performance. The redesign includes:
- Expanded filtering section
- Heat Map presentation moved to follow filtering section
- Additional displays (also improved for readability), including Noncompliance by Severity and History of Discovered Noncompliant Resources, visible by scrolling down the page
We have also retained previous navigation functionality, including pagination controls for Insights and clouds, as well as the ability to click into each account/cell to view more detail.
The Scorecard's Excel download has also been improved: the exported data is in a more readable format and carries additional information about your compliance picture. Users can more readily parse the downloaded data, which now includes:
- For noncompliant resources—the severity of a problem and the time the problem was first discovered
- For exemptions—the creator and approver of the exemption
- Clarification on values reported—the downloaded report now shows four separate rows of values: total resources in violation, number of resources assessed, percentage of noncompliant resources, and percent compliance versus percent noncompliance. These values are matched with the scorecard’s color legend.
Dynamic links in the Excel download will also take you back into the DivvyCloud tool to the exact location of a particular issue.
Find the updated documentation for the Compliance Scorecard here.
Updated NIST 800-53 Compliance Pack
NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. As laws, regulations, and frameworks like this one evolve and change over time, DivvyCloud can help your organization maintain compliance. In this release, we have updated the NIST 800-53 Compliance Pack to reflect the changes in NIST 800-53 Revision 4. The legacy version of the pack is still available, but because it will eventually be deprecated, we recommend using the updated version. Read more for complete details.