Guardrails for Cloud & Container Compliance

Automate Compliance of Your Cloud and Container Infrastructure

Identify policy violations in real-time and take automatic, user-defined action to remediate them.

See 10 Example Policies

Achieve continuous compliance across clouds and containers

Amazon

Microsoft

Google

Alibaba

Kubernetes

Stay Compliant with Standards and Regulations

PCI DSS

HIPAA

GDPR

SOC 2

ISO 27001

CIS

NIST CSF

NIST 800-53

FedRAMP CCM

CSA CCM

165 out-of-the-box policies mapped to these standards and regulations: See 10 example policies

Don’t let compliance be a periodic, manual effort!

Install DivvyCloud today to achieve continuous compliance and reduce risk

Customers Love and Trust DivvyCloud

“DivvyCloud is a way to deploy policy, minimize blast radius and give developers the freedom to operate within the guide rails of safety.”

Thomas Martin

Head of Application Modernization, GE Digital

Reduce Risk: 10 Examples of Our 165 Out-of-the-Box Policies

Volume Encryption Not Enabled With PHI Tags

Encrypting volume data in transit and at rest can help you meet stricter security and encryption compliance requirements. Maps to Security Standards:

  • HIPAA: Encryption Controls – 164.312(a)(2)(iv)
  • PCI DSS: Requirement 3: Protect stored cardholder data
  • GDPR: Article 32: Security of processing
  • SOC 2: C1.1, C1.2, C1.3, C1.7, CC5.6
  • NIST 800-53: SC-28

Cloud Account Without Global API Accounting Config

Global API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services.
Maps to Security Standards:

  • HIPAA: Audit Controls – 164.312(b)(2)
  • PCI DSS: Requirement 10: Track and monitor all access to network resources and cardholder data
  • GDPR: Article 30: Maintain Records of Processing Activities
  • NIST Cyber Security Framework (CSF): ID.AM-1
  • NIST 800-53: AU-12
  • Center for Internet Security (CIS) – AWS: Logging 2.1
  • ISO 27001: A.10.10.1 – Audit Logging
  • SOC 2: A1.2, CC5.3, CC6.1
  • CSA Cloud Controls Matrix (CCM): AIS-04, BCR-07, BCR-10, BCR-11, IAM-01, IAM-12, IVS-01, IVS-03

Snapshot With PHI Unencrypted

Snapshots are a point-in-time archive of a data volume. Ensuring the data is encrypted at rest allows for additional protection if the snapshot inadvertently becomes accessible to unauthorized parties. On certain cloud platforms, AWS for example, unencrypted snapshots can be made public allowing unintentional access. Maps to Security Standards:

  • HIPAA: Encryption Controls – 164.312(a)(2)(iv)
  • PCI DSS: Requirement 3: Protect stored cardholder data
  • GDPR: Article 32: Security of processing
  • SOC 2: C1.1, CC1.2, C1.7, CC5.6, CC5.7
  • NIST 800-53: SC-28
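The two PHI-tag policies above (volume and snapshot) reduce to the same check: a resource carries a tag that marks it as holding PHI, and its storage is not encrypted. The following is an added example, not DivvyCloud's code, that evaluates both policies over a constructed inventory; which tag keys and values count as "PHI" is an assumption (a deployment would configure them), and the resource ids are made up.

```python
"""Added example: evaluate the two PHI-tag encryption policies over a
constructed inventory of volumes and snapshots (not DivvyCloud code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: which tags mark a resource as holding PHI is a deployment
# choice; these keys/values are illustrative placeholders, matched
# case-insensitively.
PHI_TAG_KEYS = {"phi", "data_classification"}
PHI_TAG_VALUES = {"true", "yes", "phi", "hipaa"}

VOLUME_POLICY = "Volume Encryption Not Enabled With PHI Tags"
SNAPSHOT_POLICY = "Snapshot With PHI Unencrypted"


@dataclass
class StorageResource:
    resource_id: str
    kind: str                       # "volume" or "snapshot"
    encrypted: bool
    public: bool = False            # snapshots only: shared with everyone
    tags: Dict[str, str] = field(default_factory=dict)


def has_phi_tag(tags: Dict[str, str]) -> bool:
    """True when any tag marks the resource as containing PHI."""
    return any(
        key.lower() in PHI_TAG_KEYS and value.strip().lower() in PHI_TAG_VALUES
        for key, value in tags.items()
    )


def evaluate(resources: List[StorageResource]) -> List[Tuple[str, str]]:
    """Return (resource_id, policy_name) for every violation found."""
    findings = []
    for res in resources:
        if not has_phi_tag(res.tags) or res.encrypted:
            continue                # out of scope, or already compliant
        if res.kind == "volume":
            findings.append((res.resource_id, VOLUME_POLICY))
        elif res.kind == "snapshot":
            # A publicly shared unencrypted snapshot is the case the policy
            # text singles out, so mark it distinctly for triage.
            suffix = " (publicly shared)" if res.public else ""
            findings.append((res.resource_id, SNAPSHOT_POLICY + suffix))
    return findings


# Constructed sample inventory; resource ids are made up.
INVENTORY = [
    StorageResource("vol-0a1", "volume", encrypted=False, tags={"PHI": "true"}),
    StorageResource("vol-0b2", "volume", encrypted=True, tags={"PHI": "true"}),
    StorageResource("vol-0c3", "volume", encrypted=False, tags={"Name": "scratch"}),
    StorageResource("snap-0d4", "snapshot", encrypted=False, public=True,
                    tags={"data_classification": "HIPAA"}),
    StorageResource("snap-0e5", "snapshot", encrypted=False, tags={"phi": "no"}),
]

if __name__ == "__main__":
    for resource_id, policy in evaluate(INVENTORY):
        print(f"{resource_id}: {policy}")
```

Note that vol-0c3 is unencrypted but not flagged: these two policies are scoped to PHI-tagged resources, so an untagged volume is a gap in tagging discipline rather than a violation of this particular policy, which is why tag hygiene matters as much as the encryption check itself.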

Cloud Root Account API Access Key Present

The root account is the most privileged user in a cloud account. API Keys provide programmatic access to a given cloud account. It is recommended that all API keys associated with the root account be removed. Maps to Security Standards:

  • HIPAA: Access Control – 164.312(a)(1)
  • PCI-DSS: Requirement 8: Identify and authenticate access to system components
  • SOC 2: CC5.3, CC5.4
  • ISO 27001: A.11.5.1 – Secure log-on procedures
  • FedRAMP CCM 3.0.1: IVS-11
  • Center for Internet Security (CIS): Identity & Access Management 1.12
  • NIST 800-53: AC-6

Cloud Account Without Root Account MFA Protection

The root account is the most privileged user in a cloud account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to the cloud account, (s)he will be prompted for username and password as well as for an authentication code from an AWS MFA device. Note: when virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independently of any individual's personal devices (a “non-personal virtual MFA”). This lessens the risk of losing access to the MFA due to device loss, device trade-in, or the individual owning the device no longer being employed at the company. Maps to Security Standards:

  • HIPAA: Access Control – 164.312(a)(1)
  • PCI DSS: Requirement 8: Identify and authenticate access to system components
  • SOC 2: CC5.3, CC5.7
  • Center for Internet Security (CIS): Identity & Access Management 1.13
  • NIST Cyber Security Framework (CSF): DE.CM-3
  • NIST 800-53: PM-11
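Both root-account policies above (root API access key present, root MFA not enabled) can be answered from one data source. The following is an added example, not DivvyCloud's code: it parses a credential report and evaluates both policies. The column names follow the AWS IAM credential report CSV, but the reports below are constructed and trimmed to the columns the checks need, and the account id is a placeholder.

```python
"""Added example: check the two root-account policies against an IAM
credential report. Not DivvyCloud code; the column names follow the AWS
IAM credential report CSV, but the reports are constructed and trimmed."""
import csv
import io
from typing import Dict, List, Optional

ROOT_KEY_POLICY = "Cloud Root Account API Access Key Present"
ROOT_MFA_POLICY = "Cloud Account Without Root Account MFA Protection"

# Constructed samples; the account id 111111111111 is a placeholder.
REPORT_NONCOMPLIANT = """user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,false,true,false
alice,arn:aws:iam::111111111111:user/alice,true,true,false
"""

REPORT_COMPLIANT = """user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,true,false,false
alice,arn:aws:iam::111111111111:user/alice,true,true,false
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse credential-report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def root_row(rows: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """The report identifies the root user with the literal '<root_account>'."""
    for row in rows:
        if row["user"] == "<root_account>":
            return row
    return None


def evaluate_root(rows: List[Dict[str, str]]) -> List[str]:
    """Return the names of the root-account policies the account violates."""
    root = root_row(rows)
    if root is None:
        # Without a root row the report cannot prove compliance; surface that
        # rather than silently passing the account.
        return ["root account row missing from report"]
    findings = []
    # Either access key slot being active means programmatic root access exists.
    if "true" in (root["access_key_1_active"], root["access_key_2_active"]):
        findings.append(ROOT_KEY_POLICY)
    if root["mfa_active"] != "true":
        findings.append(ROOT_MFA_POLICY)
    return findings


if __name__ == "__main__":
    for name, report in (("noncompliant", REPORT_NONCOMPLIANT),
                         ("compliant", REPORT_COMPLIANT)):
        print(name, evaluate_root(parse_report(report)) or ["no findings"])
```

The "missing root row" branch is deliberate: a compliance check that returns an empty finding list for an empty or malformed report would report the account as compliant, which is the wrong failure mode for a control this sensitive.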

Network Without Traffic Logging

Network Traffic Logs are a feature that enables you to capture information about the IP traffic going to and from network interfaces in your network. Network Traffic Logs provide visibility into the traffic that traverses the network and can be used to detect anomalous traffic or to provide insight during security investigations. Maps to Security Standards:

  • HIPAA: Audit Controls – 164.312(b)(2)
  • PCI DSS: Requirement 10: Track and monitor all access to network resources and cardholder data
  • GDPR: Article 30: Maintain Records of Processing Activities
  • Center for Internet Security (CIS) – AWS: Networking 4.3
  • NIST Cyber Security Framework (CSF): PR.PT-4
  • NIST 800-53: AU-12
  • ISO 27001: A.10.10.1 – Audit Logging
  • SOC 2: A1.2, CC6.1
  • FedRAMP CCM 3.0.1: IVS-01

Instance Exposing SSH To World

Secure Shell (SSH) is a protocol for connecting to a remote system using a cryptographically secure connection over what might be an unsecured network. SSH typically uses port 22 on the host system for connections. If the security group rules governing access to an instance leave this port open, it is possible for anyone to attempt to connect to the host system. Therefore it is recommended that connections using SSH only be allowed from trusted networks. Maps to Security Standards:

  • PCI DSS: Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • GDPR: Article 25: Data protection by Design and by Default
  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: AC-17
  • ISO 27001: A.11.4.4 – Remote diagnostic and configuration port protection
  • SOC 2: C1.1, C1.2, CC5.7
  • FedRAMP CCM 3.0.1: IVS-07
  • Center for Internet Security (CIS) – Microsoft Azure: Networking 6.2

Access List Exposes SSH to World (Security Group)

Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:

  • PCI DSS: Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • GDPR: Article 25: Data protection by Design and by Default
  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: AC-17
  • Center for Internet Security (CIS) – AWS: Networking 4.1
  • ISO 27001: A.11.4.4 – Remote diagnostic and configuration port protection
  • FedRAMP CCM 3.0.1: IVS-07
  • SOC 2: C1.2, C1.3, C1.7, CC5.6
  • CSA Cloud Controls Matrix (CCM): GRM-01
  • Center for Internet Security (CIS) – GCP: Networking 3.6

Access List Exposes Windows RDP to World (Security Group)

Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 3389. Maps to Security Standards:

  • PCI DSS: Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • GDPR: Article 25: Data protection by Design and by Default
  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: AC-17
  • Center for Internet Security (CIS) – AWS: Networking 4.2
  • ISO 27001: A.11.4.4 – Remote diagnostic and configuration port protection
  • SOC 2: C1.1, C1.2
  • FedRAMP CCM 3.0.1: IVS-07
  • CSA Cloud Controls Matrix (CCM): GRM-01
  • Center for Internet Security (CIS) – GCP: Networking 3.7
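The three exposure policies above (instance exposing SSH, security group exposing SSH, security group exposing RDP) all come down to one rule evaluation: does an ingress rule whose source is "everyone" reach port 22 or 3389. The following is an added example, not DivvyCloud's code, that evaluates security-group rules in the shape returned by the AWS DescribeSecurityGroups API (IpPermissions with IpRanges and Ipv6Ranges); it also goes beyond the page's wording by handling the IPv6 wildcard (::/0), the all-traffic protocol (-1) and port ranges that contain the sensitive port. The groups are constructed, with made-up ids and documentation CIDRs.

```python
"""Added example: evaluate the SSH and RDP exposure policies over
security-group rules in the AWS DescribeSecurityGroups shape. Not DivvyCloud
code; the groups below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

SENSITIVE_PORTS = {22: "SSH", 3389: "Windows RDP"}


def is_world_cidr(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 (any /0 prefix) mean 'everyone'."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_covers_port(perm: Dict, port: int) -> bool:
    """A rule reaches the port if it is all-traffic (-1) or a TCP range containing it."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_sources(perm: Dict) -> List[str]:
    """Source CIDRs of a rule that are open to the whole IPv4 or IPv6 space."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if is_world_cidr(s)]


def evaluate_security_groups(groups: List[Dict]) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (group_id, service) pairs exposed to the world."""
    findings = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not world_sources(perm):
                continue
            for port, service in SENSITIVE_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.add((group["GroupId"], service))
    return sorted(findings)


# Constructed sample groups: ids are made up, 203.0.113.0/24 is a documentation range.
GROUPS = [
    {"GroupId": "sg-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-4", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, service in evaluate_security_groups(GROUPS):
        print(f"{group_id}: Access List Exposes {service} to World")
```

sg-3 and sg-4 are the cases a naive "FromPort == 22 and CidrIp == 0.0.0.0/0" check misses: an all-traffic rule from ::/0 exposes both services, and a wide port range from 0.0.0.0/0 exposes SSH without ever mentioning port 22. Azure NSG and GCP firewall rules use different field names, so a multi-cloud check needs a normalisation step in front of this logic.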

Distributed Table Cluster Open to World

Distributed Tables can have access policies attached to define who can access the objects stored within. These policies can be extremely stringent, or permissive enough to allow access to anyone in the world. Opening access to the public is strongly discouraged, as doing so can result in the exposure of PII and other sensitive data. Maps to Security Standards:

  • GDPR: Article 25: Data protection by Design and by Default
  • PCI DSS: Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • ISO 27001: A.11.4.4 – Remote diagnostic and configuration port protection
  • SOC 2: CC5.7
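The policy above is about the access policy attached to the table, not a network rule. The following is an added example, not DivvyCloud's code, that flags statements in an attached access policy which grant access to anyone: an Allow statement with a wildcard principal and no Condition. The document shape is the IAM resource-policy JSON format; the sample policy, its actions, ARNs and account id are constructed placeholders.

```python
"""Added example: flag access-policy statements that grant access to anyone,
for the 'Distributed Table Cluster Open to World' policy. Not DivvyCloud
code; the policy document below is constructed."""
import json
from typing import Dict, List, Union


def principals(statement: Dict) -> List[str]:
    """Normalise the Principal element ('*' or {'AWS': [...]} etc.) to a list."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        found = []
        for value in principal.values():
            found.extend(value if isinstance(value, list) else [value])
        return found
    return []


def statement_open_to_world(statement: Dict) -> bool:
    """Allow + wildcard principal + no Condition means reachable by anyone."""
    if statement.get("Effect") != "Allow":
        return False
    if "*" not in principals(statement):
        return False
    # A Condition (for example restricting to a source VPC endpoint) may
    # narrow a wildcard principal; such statements need review, not auto-flagging.
    return not statement.get("Condition")


def evaluate_policy(document: Union[str, Dict]) -> List[str]:
    """Return the Sid (or positional index) of every statement open to the world."""
    doc = json.loads(document) if isinstance(document, str) else document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):       # single-statement shorthand
        statements = [statements]
    return [
        stmt.get("Sid", f"statement-{i}")
        for i, stmt in enumerate(statements)
        if statement_open_to_world(stmt)
    ]


# Constructed sample policy; actions, ARNs and the account id are placeholders.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111111111111:table/example"
POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenRead", "Effect": "Allow", "Principal": "*",
         "Action": ["dynamodb:Scan", "dynamodb:GetItem"], "Resource": TABLE_ARN},
        {"Sid": "AccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "dynamodb:*", "Resource": TABLE_ARN},
        {"Sid": "WildcardWithCondition", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "dynamodb:GetItem",
         "Resource": TABLE_ARN,
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    ],
})

if __name__ == "__main__":
    print("open to world:", evaluate_policy(POLICY))
```

Only OpenRead is flagged. WildcardWithCondition is left for review rather than auto-remediated because a Condition can legitimately scope a wildcard principal; an automated remediation that stripped it would break a valid design, while one that ignored it would miss a misconfigured condition.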

DivvyCloud’s CSA Cloud Controls Matrix (CCM) Insight Pack

DivvyCloud has taken this framework of cloud-specific controls and implemented it as one of our Insight Packs. This operationalizes the controls, giving DivvyCloud customers immediate and continued visibility into policy violations and automated remediation of those violations.