| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2024-10-09 |
secure-enterprise |
{{site.data.keyword.attribute-definition-list}}
{: #security-compliance-scanning}
For highly regulated industries, such as financial services, achieving continuous compliance within a cloud environment is an important first step toward protecting customer and application data. Historically, that process was difficult and manual, which placed your organization at risk. But, with {{site.data.keyword.compliance_full}}, you can integrate daily, automatic compliance checks into your development lifecycle to help minimize that risk. {: shortdesc}
A new and improved experience of {{site.data.keyword.compliance_short}} is here! Be sure that you're working with the latest architecture to avoid migration issues later. To learn more, see How it works. {: tip}
{: #scc-before-begin}
Before you get started, be sure that you have the following prerequistes:
- Resources in your account to evaluate.
- An {{site.data.keyword.cos_full_notm}} bucket for results storage.
- The proper access to perform scans.
Scanning your resources does not ensure regulatory compliance. An evaluation provides a point in time statement of your current posture for a specific resource. It is your responsibility to review and interpret the results to ensure that your organization is adhering to the controls that are required for your industry. {: important}
{: #scc-storage}
Before you can start evaluating your resources for compliance, you must configure an {{site.data.keyword.cos_short}} bucket where {{site.data.keyword.compliance_short}} can forward your results data for long-term storage. For more information about bucket requirements, see Storing and processing data in {{site.data.keyword.compliance_short}}.
To connect your {{site.data.keyword.cos_short}} bucket, you can use the {{site.data.keyword.compliance_short}} UI.
- Go to the {{site.data.keyword.compliance_short}} by clicking the Menu icon in the {{site.data.keyword.cloud_notm}} console and selecting Security and Compliance.
- In the navigation, click Settings.
- On the Storage tile, click Connect.
- Ensure that the service-to-service policy between {{site.data.keyword.cos_short}} and {{site.data.keyword.compliance_short}} is configured. If a policy is already in place, this screen is not shown and you can skip to the next step.
- Select an instance of {{site.data.keyword.cos_short}}.
- From the table, select the bucket that you want to use.
- Click Connect.
{: #scc-attachment}
An attachment is how you target a specific grouping of your resources to evaluate against a specific profile.
-
In the {{site.data.keyword.compliance_short}} navigation, click Dashboard Then, click Get started.
-
Select the Profile that you want to use to evaluate compliance.
If you don't see a profile that meets your specific needs, you can always create a custom profile.
-
Target your attachment by selecting a Scope and identifying any resources that you want to Exclude. Then, click Next.
-
Optional: Customize the evaluations in your scan by editing the default parameters to match your specific use case.
-
Click Next.
-
Select the frequency at which you want to evaluate your attachment.
-
Optional: Configure notifications.
-
If you want to receive notifications, toggle Notify me to On.
-
By default, when notifications are enabled, you are alerted when 15% or more of your controls fail in a single scan. You can change this by adjusting the Threshold percentage.
For example, if you have a profile with 100 controls and you want to be notified if 5 of them fail, you would select 5% as your threshold.
-
Optional: Select specific controls that you want to be notified about. If there are high priority controls that pertain specifically to your job role, you might want to be notified every time that they fail. You can identify up to 15 controls per scan that you can receive individual notifications for. These notifications are sent regardless of whether the threshold identified in the previous step has been met.
- Click Select control.
- Select the controls that you want to be notified about by checking the box next to the control.
- Click Ok.
-
-
Review your choices and click Create.
When you create your attachment, a scan is scheduled and results are available within 24 hours. When the scan completes your results are available on the Dashboard in the {{site.data.keyword.compliance_short}} UI.
{: #scc-results}
When your scan completes, the results are available on the Dashboard tab in the {{site.data.keyword.compliance_short}} UI. The results are provided in both a graphical and detailed format.
When you visit the dashboard, you can see three graphical representations of data that has been aggregated from your scans.
{: caption="Example dashboard" caption-side="bottom"}
The three graphs that you can see are:
Success rate : The rate at which your configurations pass the evaluation that is conducted. Note: The number of evaluations conducted does not always match the number of billable evaluations, as there is no charge for assessments evaluated as unable to perform. Be sure to look for the billable evaluations in each scan result if you need to estimate your cost.
Total controls : The total number of controls that have been evaluated in the past 30 days.
Total evaluations : The total number of evaluations that have been run in the past 30 days. An evaluation is the check of one resource against one assessment.
From the dashboard, you can drill into your results to see more detailed information about each evaluation that was conducted.
{: #scc-next}
While you wait for your scan to complete, learn more about adding {{site.data.keyword.compliance_short}} into your pipelines through DevSecOps.