Compliance Framework

Panoptica provides the compliance tools you need to meet your business goals. Panoptica scans, monitors, and remediates your cloud stack to ensure that it aligns with a number of key compliance requirements. We offer full compliance coverage and enforce security best practices for AWS, Azure, GCP, and Kubernetes.

The compliance frameworks Panoptica supports include: CIS, PCI-DSS, HIPAA, GDPR, and SOC2 - with custom compliance capabilities coming soon. We continually monitor changing guidelines and measures to ensure that you remain compliant with a wide range of international standards and regulations.

Panoptica not only assesses the relevant compliance benchmarks, but also correlates them with the security issues and vulnerabilities found across your cloud stack. With our compliance capabilities, you can:

  • Visualize full asset metadata in a dynamic dashboard.
  • Verify all relevant compliance requirements.
  • Export reports for efficient sharing.

Go to the Compliance Frameworks tab under Posture Management to view all of the accounts and frameworks that Panoptica is monitoring.

Use the Top Bar Filter to filter the findings by Scope and Account, using the drop-down lists at the top.

Filters and Groupings

You can further refine the results using predefined filters, custom queries, and aggregation:

  • By default, Panoptica displays compliance frameworks for all of your assets. If you prefer to view an individual provider—AWS, GCP, Azure, OCI or Kubernetes—select that button at the top of the screen.
    The number beside each provider indicates the number of frameworks that apply to that environment.

  • Use the drop-down Filter option to narrow the results by:
    • Percentage
    • Provider
    • Framework
    • Compliance
  • Type into the Search bar to filter by text in the account parameters.

Frameworks Table

The unfiltered view of the Frameworks table lists all of the resources you have onboarded to Panoptica, and the relevant compliance frameworks against which Panoptica is assessing them. For each Framework Name, the table displays the number of Controls and Sub-controls, as well as a bar chart indicating the Compliance Progress.

  • Click Grouped by to aggregate the displayed results by Provider or Framework.
  • Click Sort by to arrange the list by Provider, Framework, Rules, Sections, or Progress.
  • Select which columns are displayed by clicking the Columns button, in the upper right.
  • The list of findings can be downloaded in CSV format, for further review and analysis using Excel or any similar tool.

Click on any row in the table to view additional details about that framework. In addition to summary information about each control, the Controls view also displays bar charts indicating the compliance progress at the control level. This view can be sorted by Number of rules, Control, Progress, or Section.

Expand any row on the Controls table using the chevron (>) at the beginning of the line to drill down to the sub-controls level.

Click on the text in the Sub-Control column to pop up extensive details about that sub-control. In addition to a graphical Compliance Progress indicator, the Sub-Control Details window includes Audit information, Rationale, Description, Remediation, and more, depending on the type of assessment.

For some rules, Panoptica is unable to assess compliance automatically. This is indicated in the Check Type column of the Sub-control table. When the Check Type is Manual, click the three dots (•••) at the end of that line to open the Action drop-down menu. Click Set as Compliant if you know that asset or resource to be compliant with the relevant rule or standard.

Drill down further by expanding any row at the sub-control level, again using the chevron (>) at the beginning of the line.

The expanded Sub-control view reveals the type of rule (Network, User, etc.), when relevant. It also indicates the number of assets affected by this rule, and how they fared in the compliance assessment.

Click on the rule text to pop up additional details about that rule. The Rule Details window includes a list of assets affected by this compliance rule, and the accounts where you'll find them.

Supported Frameworks and Versions

Panoptica supports the following compliance frameworks across AWS, Azure, GCP and Kubernetes:

Framework                  | Provider   | Current Version
CIS Foundations Benchmark  | AWS        | 1.3
GDPR                       | AWS        | n/a
HIPAA                      | AWS        | n/a
PCI-DSS                    | AWS        | 3.2.1
SOC2                       | AWS        | n/a
CIS Foundations Benchmark  | Azure      | 1.3
HIPAA                      | Azure      | n/a
CIS Foundations Benchmark  | GCP        | 2.0.0
CIS Foundations Benchmark  | Kubernetes | See table below

In Kubernetes, Panoptica supports the following benchmarks and versions:

Source | Kubernetes Benchmark             | Kubernetes Versions
CIS    | 1.5.1                            | 1.15
CIS    | 1.6.0                            | 1.16-1.18
CIS    | 1.2                              | 1.19-1.21
CIS    | 1.23                             | 1.22-1.23
CIS    | 1.24                             | 1.24
CIS    | 1.7                              | 1.25
CIS    | GKE 1.0.0                        | GKE
CIS    | GKE 1.2.0                        | GKE
CIS    | EKS 1.0.1                        | EKS
CIS    | EKS 1.1.0                        | EKS
CIS    | EKS 1.2.0                        | EKS
CIS    | ACK 1.0.0                        | ACK
CIS    | AKS 1.0.0                        | AKS
RHEL   | RedHat OpenShift hardening guide | OCP 3.10-3.11
CIS    | OCP4 1.1.0                       | OCP 4.1-
CIS    | 1.6.0-k3s                        | k3s v1.16-v1.24
DISA   | Kubernetes Ver 1, Rel 6          | EKS
CIS    | TKGI 1.2.53                      | vmware

Compliance Calculation

Panoptica calculates compliance as the percentage of rules and standards that have passed assessment. The calculation method differs between a single account and a scope that contains multiple accounts.

Single Account

At the account level, compliance percentage is a simple average of the controls that make up the compliance framework of that account. We take the number of compliant assets or resources, and divide it by the total number of assets or resources.

Delving down to the control level, compliance is a simple average of the sub-controls that have passed compliance assessment.

Automatic

Under a sub-control, the calculation becomes more involved. The sub-control percentage is the simple average of all rules for which we found matching assets or resources. When a rule has no matches, it is left out of the sub-control's calculation entirely.

Manual

Manual sub-controls are rules that Panoptica is not able to assess automatically. To gain a complete picture, you will need to verify yourself whether such a sub-control is compliant. By default, a manual sub-control is scored 0% until you set it as compliant, at which point it is scored 100%.

Special “One response” rules

Some of the rules are so-called “one response” rules, meaning that the rule is compliant if at least one asset or resource is correctly configured according to the rule. If Panoptica finds at least one asset or resource that is correctly configured according to the rule, then all of the assets or resources are considered compliant.

If there are no assets or resources configured according to the rule, that rule receives a score of 0%, and we list all the assets or resources that are not compliant. The compliance percentage for “one response” rules can be either 0% or 100%.

Scope

When calculating compliance for multiple accounts in a defined scope, the percentage at the account level is the same: a simple average of all accounts. This applies to the control level as well.

At the sub-control level, however, Panoptica examines the number of rules that are compliant, which can vary greatly between accounts. If one account has few assets or resources correctly configured, but another account has many assessments that fail compliance, the score will be lower than that at the account level.

For example, if there are two accounts in a scope—one compliant and one not—the average is 50%. However, if the compliant account has 10 rules that have passed, and the non-compliant one has 90 that have failed, the score will be 10% (10/100).
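The following model, added here as an illustration and not Panoptica's own code, carries the arithmetic of this section through in one place: the account, control and sub-control averages, the exclusion of rules with no matches, the 0%/100% behaviour of manual and “one response” rules, and the difference between the account-level and sub-control-level scope scores. The class and function names are assumptions made for the example; the sample accounts are constructed to reproduce the two-account example above.

```python
"""Illustrative model of the compliance percentages described on this page.

Added example, not Panoptica code: the classes and function names here are
assumptions chosen to demonstrate the arithmetic, not the product's API.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def mean(values: List[float]) -> float:
    return sum(values) / len(values)


@dataclass
class Rule:
    name: str
    passed: int = 0              # matched assets/resources that are compliant
    failed: int = 0              # matched assets/resources that are not
    one_response: bool = False   # "one response" rule: a single pass makes it 100%

    def percentage(self) -> Optional[float]:
        """Score for one rule, or None when nothing matched (the rule is then
        left out of the sub-control average, as the page describes)."""
        matched = self.passed + self.failed
        if matched == 0:
            return None
        if self.one_response:
            return 100.0 if self.passed > 0 else 0.0
        return 100.0 * self.passed / matched


@dataclass
class SubControl:
    name: str
    rules: List[Rule] = field(default_factory=list)
    manual: bool = False         # Check Type "Manual": not assessed automatically
    set_compliant: bool = False  # operator used "Set as Compliant"

    def rule_scores(self) -> List[float]:
        """Scores of the rules that had at least one match."""
        return [s for s in (r.percentage() for r in self.rules) if s is not None]

    def percentage(self) -> float:
        if self.manual:
            return 100.0 if self.set_compliant else 0.0
        scores = self.rule_scores()
        # Assumption: an automatic sub-control with no matched rule scores 0%;
        # the page does not state how that case is handled.
        return mean(scores) if scores else 0.0


@dataclass
class Control:
    name: str
    sub_controls: List[SubControl] = field(default_factory=list)

    def percentage(self) -> float:
        # Control level: simple average of its sub-controls.
        return mean([sc.percentage() for sc in self.sub_controls])


@dataclass
class Account:
    name: str
    controls: List[Control] = field(default_factory=list)

    def percentage(self) -> float:
        # Account level: simple average of the framework's controls.
        return mean([c.percentage() for c in self.controls])


def scope_account_level(accounts: List[Account]) -> float:
    """Scope score at account level: a simple average of the account scores."""
    return mean([a.percentage() for a in accounts])


def scope_sub_control_level(accounts: List[Account], control: str, sub_control: str) -> float:
    """Scope score at sub-control level: the matched rules of every account are
    pooled and averaged, so an account with many failing rules pulls the score
    down further than the account-level average would."""
    pooled: List[float] = []
    for account in accounts:
        for ctrl in account.controls:
            if ctrl.name != control:
                continue
            for sc in ctrl.sub_controls:
                if sc.name == sub_control:
                    pooled.extend(sc.rule_scores())
    return mean(pooled) if pooled else 0.0


def build_page_example() -> List[Account]:
    """Constructed data reproducing the page's two-account example: one account
    with 10 passing rules, one with 90 failing rules, under the same sub-control."""
    passing = [Rule(f"rule-{i}", passed=1) for i in range(10)]
    failing = [Rule(f"rule-{i}", failed=1) for i in range(90)]
    compliant = Account("account-a", [Control("1", [SubControl("1.1", passing)])])
    non_compliant = Account("account-b", [Control("1", [SubControl("1.1", failing)])])
    return [compliant, non_compliant]


if __name__ == "__main__":
    accounts = build_page_example()
    print("account level:", scope_account_level(accounts))                    # 50.0
    print("sub-control level:", scope_sub_control_level(accounts, "1", "1.1"))  # 10.0
```

Running the module prints 50.0 for the account-level scope score and 10.0 for the sub-control-level score, matching the worked example. The same `Rule` and `SubControl` classes also show the two edge cases: a “one response” rule with one passing and five failing assets scores 100%, and a manual sub-control stays at 0% until `set_compliant` is flipped.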

What’s Next

For details regarding the frameworks Panoptica supports, see Supported Frameworks.
To learn how Panoptica calculates compliance, see Compliance Calculation.