Compliance

Overview

The Compliance feature in OpenGovernance is built around benchmarks, which are groups of policies enforcing security and regulatory standards. Benchmarks can be configured to:

  • Automatically apply to all connections.

  • Target specific connections explicitly.

Benchmarks can also track audit drifts, though this feature is disabled by default. A benchmark is evaluated based on a schedule or when explicitly triggered, and the results, known as "Findings," are recorded for each resource, indicating whether it passed or failed.

Benchmarks

A benchmark in OpenGovernance is a structured collection of controls, each defined in YAML, that sets standards or criteria necessary to ensure that an environment adheres to specific regulations, best practices, or security guidelines. It specifies the required state of security settings and configurations essential for effectively securing cloud resources.

Each control within the benchmark acts as a policy, detailing specific requirements such as encryption protocols, access controls, or configuration settings. This YAML-based approach provides precision and scalability in security management, aligning the environment with established compliance and security standards, thus ensuring thorough and effective security governance.

Here’s how you might conceptualize it:

  • Benchmark as a Collection: Think of a compliance benchmark as a folder or package that contains multiple files (policies). Each file (control) specifies a particular security aspect that must be configured correctly.

  • Policy Details: Each control (policy) is written as a YAML document that defines the correct configuration or setting. For example, a control might specify that all data stored in cloud storage must be encrypted using specific encryption standards.

  • Ensuring Compliance: OpenGovernance uses the policy YAML documents to check for compliance. The compliance result for each control policy is called a finding. If a benchmark is configured to maintain drift history, it creates an event every time a drift is noticed (for example, a resource that previously passed control A has just failed it).

  • Findings and Their Role in Ensuring Compliance: Findings are the compliance results generated by evaluating a resource against specific benchmarks in OpenGovernance. They indicate whether a resource passes or fails the defined controls. Findings ensure compliance by systematically tracking adherence to security and regulatory standards, enabling auditability and continuous improvement.
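The model described above (a benchmark as a collection of controls, a finding per resource and control, drift events when a finding's status changes between evaluations, and benchmarks that apply to all connections or only to targeted ones) can be illustrated with a small evaluator. This is an added example, not OpenGovernance's own code or control schema: the field names (`control_id`, `resource_type`, `connections`, `track_drift`) and the sample inventory are assumptions, and controls are held as Python objects rather than parsed from YAML so the example runs without a YAML library.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical control model. On the page each control is a YAML document;
# here the same information is carried by Python objects (field names assumed).
@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    resource_type: str
    check: Callable[[dict], bool]   # True means the resource passes this control

@dataclass(frozen=True)
class Benchmark:
    benchmark_id: str
    controls: tuple
    connections: Optional[tuple] = None   # None: apply to all connections; else only these
    track_drift: bool = False             # drift tracking is disabled by default

@dataclass(frozen=True)
class Finding:
    benchmark_id: str
    control_id: str
    resource_id: str
    status: str                           # "passed" or "failed"

# Constructed benchmark with two storage controls (encryption at rest, no public access).
STORAGE_BENCHMARK = Benchmark(
    benchmark_id="storage-baseline",
    track_drift=True,
    controls=(
        Control("storage.encryption", "Storage must be encrypted at rest", "storage_bucket",
                lambda r: r.get("encryption") in ("aes256", "kms")),
        Control("storage.public_access", "Storage must not allow public access", "storage_bucket",
                lambda r: r.get("public_access") is False),
    ),
)

def evaluate(benchmark: Benchmark, resources: list) -> list:
    """Evaluate every in-scope resource against every control; one Finding each."""
    findings = []
    for control in benchmark.controls:
        for res in resources:
            if benchmark.connections is not None and res["connection"] not in benchmark.connections:
                continue                      # benchmark targets specific connections only
            if res["type"] != control.resource_type:
                continue                      # control does not apply to this resource type
            status = "passed" if control.check(res) else "failed"
            findings.append(Finding(benchmark.benchmark_id, control.control_id, res["id"], status))
    return findings

def drift_events(benchmark: Benchmark, previous: list, current: list) -> list:
    """Return (resource_id, control_id, old_status, new_status) for every status change.
    Nothing is recorded unless the benchmark tracks drift."""
    if not benchmark.track_drift:
        return []
    prev = {(f.resource_id, f.control_id): f.status for f in previous}
    events = []
    for f in current:
        old = prev.get((f.resource_id, f.control_id))
        if old is not None and old != f.status:
            events.append((f.resource_id, f.control_id, old, f.status))
    return events

def summarize(findings: list) -> dict:
    """Count passed and failed findings."""
    counts = {"passed": 0, "failed": 0}
    for f in findings:
        counts[f.status] += 1
    return counts

# Constructed inventory snapshots from two evaluation runs (not real cloud data).
SNAPSHOT_1 = [
    {"id": "bucket-a", "type": "storage_bucket", "connection": "acct-1", "encryption": "aes256", "public_access": False},
    {"id": "bucket-b", "type": "storage_bucket", "connection": "acct-2", "encryption": None, "public_access": False},
    {"id": "vm-1", "type": "virtual_machine", "connection": "acct-1"},   # not covered by storage controls
]
SNAPSHOT_2 = [
    {"id": "bucket-a", "type": "storage_bucket", "connection": "acct-1", "encryption": "aes256", "public_access": True},
    {"id": "bucket-b", "type": "storage_bucket", "connection": "acct-2", "encryption": "kms", "public_access": False},
    {"id": "vm-1", "type": "virtual_machine", "connection": "acct-1"},
]

if __name__ == "__main__":
    first = evaluate(STORAGE_BENCHMARK, SNAPSHOT_1)
    second = evaluate(STORAGE_BENCHMARK, SNAPSHOT_2)
    print("run 1:", summarize(first))
    print("run 2:", summarize(second))
    for event in drift_events(STORAGE_BENCHMARK, first, second):
        print("drift:", event)
```

Between the two runs, bucket-b gains encryption (failed to passed) and bucket-a becomes public (passed to failed); both transitions surface as drift events, while a benchmark with `track_drift=False` records none, and a benchmark whose `connections` is set to `("acct-1",)` produces findings only for resources in that connection.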
