Introducing Continuous Compliance

Joseph Spurrier

Last updated on February 4th, 2023 at 3:05pm

Our mission is to make peoples’ lives easier in the cloud. We developed this mission statement when we started because we wanted to align our internal team members and the needs of our customers. The cloud landscape - and our customers' business objectives - continue to evolve. As workloads grow, we want to ensure we can support the increasing requirements of our customers.

In this blog post, I'll introduce the latest functionality in continuous compliance.

Enhancing our Compliance Pillar

We built our platform around the three pillars of cloud governance:

  • Account Management - the management of cloud accounts as well as user/group permissions and abilities inside the software and inside the cloud service providers.
  • Budget Enforcement - the visualization and enforcement of cloud spend boundaries through reports, notifications, and even actions at funding source, organization unit, and project levels.
  • Compliance Automation - the orchestration of applying baselines and configurations across all of your cloud accounts.

We frequently joke that these are the ABCs of Governance, and most organizations in the cloud have challenges across all three pillars. Compliance is becoming increasingly important as the number of cloud services expands. Seemingly every day AWS and Azure release 10 new services and enhancements. With these additions, there are more opportunities for misconfigurations like the highly publicized "public S3 buckets", which leave sensitive data exposed to anyone on the internet.

Misconfigurations account for the majority of cloud security incidents today. We wanted a way to further protect our customers from these accidents. Time is a finite resource; there aren't enough hours in the day for us to do our jobs perfectly all the time. So, we're tweaking our third pillar from "Compliance Automation" to "Continuous Compliance". The platform now provides the detection, reporting, and remediation of misconfigurations to enhance our existing "prevention" capabilities.

Underneath the Hood of Compliance

When we initially looked into expanding our compliance capabilities, we considered building our own engine. It's exciting to brainstorm all the possible implementations of our own engine, built from the ground up with our own sweat and technical ingenuity. After meeting internally, Chris, our head of Design & Engineering, suggested we look at one of the most well-known cloud rules engines: Cloud Custodian. Initially developed at Capital One, it's now an open-source project that has expanded to support AWS, Azure, and Google. After a spike and a proof of concept, we quickly realized it was more beneficial to build an integration platform and then plug in Cloud Custodian to leverage the skills and expertise of the community.

Our new continuous compliance capability is made up of three core components:

  • The dashboard
  • The engine
  • The API

Our compliance dashboard brings the most important information forward to help your security team see the current state of the environment. The dashboard is what your leaders want to see: "how is my cloud doing right now?" We display findings discovered across your cloud resources, providing you with the ability to acknowledge (archive) or add exceptions (suppress) on a resource level. You can build compliance standards (NIST, CIS, Corporate Best Practices) made up of compliance checks (check for a public S3 bucket, check for an unattached EBS volume). You then attach these standards to cloud rules for propagation to your cloud accounts.

As noted above, the engine is powered by Cloud Custodian. We provide many policies out of the box to get you going on day 1. These are standard Cloud Custodian YAML policies which can be customized or added by your security team. Are you already using Cloud Custodian? Great! We can provide an interface for what you've already written. Haven't dipped your toes in yet? Don't worry, policies are approachable and easy to work with so your security team can focus on the business problem instead of the tooling.

The final component is the API. I'm not going to say we've saved the best for last, but our plans for the API have us charged. We want to be the "single pane of glass" for you, and this is the next step on that journey. You can now hook up your COTS or homegrown solutions to the API to send any findings or results. Here are a couple of use cases:

  • One of our customers is using the dashboard as a "health" dashboard. They send in notifications when a network is configured incorrectly, a serverless function is failing, or there is an error communicating with a service.
  • Another customer wants to bring in results from their reporting system, Prisma.
  • One customer wants to record non-technical findings in the compliance dashboard such as when an environment is missing documentation or procedures for a project.

We would love to hear what use cases you come up with once you start using it!

The Lifecycle of Continuous Compliance

This is one of the biggest features we've built at one time, and we had all hands on deck across the team to meet our release date. It really was a huge collaboration between engineering and DevOps, with our delivery, sales, and marketing teams building awareness with our customers. It's exciting to see everything come to fruition. It was also a great learning experience for the teams, since Cloud Custodian was new to many of our engineers.

After a few months of work, we're excited to provide all aspects of continuous compliance:

  • Prevention using Cloud Rules to set the permissions and boundaries for users
  • Detection of misconfigurations by continuously monitoring the environments for changes using Cloud Custodian and other external tools via API integration
  • Reporting of compliance status through our new dashboard
  • Remediation using Cloud Custodian and other cloud native services to ensure that when misconfigurations do occur, they are resolved as quickly as possible to keep your environments safe and secure

[Figure: lifecycle chart showing the prevent, detect, report, and remediate stages]

Compliance Best Practices

During our implementation, we identified best practices that will help our customers as they take advantage of continuous compliance:

  • Start without remediations. When writing compliance policies, it's easy to go back and add in remediation actions. You should first verify you're finding the misconfigurations. Then, the second step is resolving them.
  • Don't forget about the root user. You have to write policies a little differently when targeting a root user so make sure you don't forget about them.
  • Include important metadata. We've provided the field `data_json` to hold any type of text data that you want to send along with the finding. You should provide information to the security team such as when a resource was created and who created it. This gives the security team the context they need to make informed decisions on how to resolve the finding.
  • Test outside of production. This probably seems like a no-brainer, but it's a good idea to keep an environment that you can use for developing and testing outside of production - especially when working with remediations. Although the remediations are designed to be a good thing, they can interfere with production systems that have vetted infrastructures that may not be allowed in other types of environments.
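As an added example (not a policy file from Kion or from the Cloud Custodian project), the following Cloud Custodian policies illustrate the two checks named earlier (public S3 bucket, unattached EBS volume) and the "start without remediations" practice: the first two policies carry no `actions`, so a run only records matching resources, and the third repeats the S3 check with remediation added for use once the detection results have been reviewed outside production. The policy names are my own; the `global-grants` filter, the `State` value filter, and the `delete-global-grants` and `set-public-block` actions are standard Cloud Custodian features, and the two grantee URIs are AWS's canonical group identifiers for AllUsers and AuthenticatedUsers.

```yaml
policies:
  # Step 1: detection only. With no "actions" key, a run only writes the
  # matching buckets to its output directory and never modifies them.
  - name: s3-public-global-grants-detect
    resource: aws.s3
    description: |
      Buckets whose ACL grants a permission to the AllUsers or
      AuthenticatedUsers group, i.e. a "public S3 bucket".
    filters:
      - type: global-grants

  # Detection only: EBS volumes in the "available" state are not attached
  # to any instance.
  - name: ebs-volume-unattached-detect
    resource: aws.ebs
    description: Volumes that are not attached to any instance.
    filters:
      - State: available

  # Step 2: the same S3 check with remediation. Keep this policy out of the
  # production run until the detect-only policy above has been verified.
  - name: s3-public-global-grants-remediate
    resource: aws.s3
    description: Remove public ACL grants and enable the public access block.
    filters:
      - type: global-grants
    actions:
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      - type: set-public-block
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
```

`custodian validate policies.yml` checks the file against the policy schema before anything runs, and `custodian run --dryrun -s out policies.yml` evaluates the filters and writes the matched resources to `out/` without executing any actions, which is a convenient way to review what a remediation policy would touch before enabling it in a non-production account. For continuous rather than scheduled evaluation, a policy can also be given a `mode` (for example `type: cloudtrail` with the relevant API events) so that it runs when a matching change occurs.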

On the Compliance Horizon

You're going to see the number of integrations growing, including within our new continuous compliance pillar. We're already working with a few partners to integrate their products. If you have suggestions for integrations, let us know via our Support Center.

About the Author

Joseph Spurrier

Joe was previously the CTO at Kion.
