Future-Proofing Your Compliance: Strategic Insights with Mondoo and Terraform


Introduction

In today's fast-paced digital landscape, ensuring compliance with various frameworks is crucial for companies to maintain the security and integrity of their infrastructure and applications. Mondoo is a security and compliance platform that helps manage compliance across multiple frameworks, reduces manual effort and human error, and enables real-time monitoring and alerting so corrective action can be taken promptly. It ships with customizable versions of prominent compliance frameworks such as ISO 27001, CIS and NIST, and provides real-time insights and reporting. Find out more in our blog about Mondoo.

This blog post will explore how Mondoo can help companies achieve automated compliance across different frameworks, and provide a step-by-step guide on how to do so. We will also cover how to manage frameworks using Terraform automation.

Why Compliance Matters

Compliance is essential for companies to ensure that their infrastructure and applications adhere to regulatory and internal standards, as failure to comply can result in significant financial losses, reputational damage, or even legal consequences. The NIS-2 Directive mandates that by October 2024, all EU member states must transpose the directive into national law, enforcing stricter security requirements. Digital signatures play a crucial role in this context by providing a reliable method for verifying the authenticity and integrity of digital documents and transactions, thereby enhancing cybersecurity. Incorporating digital signatures into your company's cybersecurity strategy helps ensure compliance with regulatory standards, protects against cyber threats, and supports a verifiable audit trail.

The NIS-2 Directive is scheduled for completion by October 2024.

This blog will therefore provide an overview of the key aspects of NIS-2 in a timely manner.

What is NIS-2?

The NIS-2 Directive (Network and Information Security) is an EU regulation designed to enhance cybersecurity across member states by introducing more rigorous security requirements for companies. It requires the implementation of enhanced measures for the protection of critical infrastructure, thereby enhancing preparedness and response to potential cyber threats. The directive significantly broadens its scope compared to its predecessor, now encompassing new sectors, making compliance a more comprehensive and complex task. Under NIS-2, essential and important entities are also required to implement industry-accepted and state-of-the-art cybersecurity measures across several domains, including incident prevention, detection, and response, as well as business continuity and crisis management.

Significant innovations

The NIS-2 Directive extends its scope to include more sectors such as healthcare, digital infrastructure, public administration, and transport. It mandates comprehensive risk management measures and regular security assessments, along with stricter reporting requirements for security incidents within tight deadlines. Entities must report cyber incidents swiftly and with detailed information, helping standardize incident reporting across the EU. This improved reporting process allows for a more proactive and informed approach to managing and safeguarding digital infrastructure.

Digital Signatures: A Key Component for Security

Digital signatures are crucial for meeting NIS-2 requirements by enhancing security and reducing cybercrime risks. They ensure the authenticity and integrity of documents, offer a legally binding way to authenticate transactions, and aid in compliance by providing traceability and security for data, facilitating audits and regulatory adherence.

Mondoo’s Compliance Frameworks

Mondoo's compliance framework is built on the principles of continuous monitoring and assurance. It provides a structured approach to compliance management, enabling organisations to automate evidence collection and reporting. A framework is based on industry-recognized standards and guidelines, such as CIS Controls, ISO 27001 and now also NIS 2, whose requirements are mapped to specific controls and checks.

  • Controls: Each control represents a requirement or guideline from a compliance framework. For example, "Article 21.2 d - Supply Chain Security" is a control from the NIS 2 Cybersecurity Directive framework.

Mondoo Compliance Framework Control

  • Checks: Checks are individual benchmarks that assess the specific practices and settings assets must follow to meet the requirements of a control. For instance, “Ensure That ‘All users with the following roles’ is set to ‘Owner’” for Microsoft Azure Subscriptions is a check that ensures compliance with the control mentioned before.

Mondoo Compliance Framework Check

  • Policies: Policies contain the single checks that are used to evaluate compliance. Each control is linked to one or more checks, which are located within policies and are enabled to collect evidence for compliance assessment. The following graphic shows how single checks of policies are mapped to controls.

Mondoo Compliance Framework Map

Note that not all checks of a policy have to be included in a control.

How it Works

  1. Enable a Framework: Organisations select the compliance frameworks they want to comply with, such as CIS Controls or NIS-2. This enables Mondoo to collect data for the controls in the selected framework. A compliance framework can be enabled for a whole space within a Mondoo organisation. We can do so by navigating to the Compliance Framework tab within the Mondoo dashboard and selecting the desired framework or by using Mondoo’s Terraform provider. Mondoo also allows us to upload our own custom frameworks.

  2. Enable Policies: Mondoo identifies the policies and checks required to evaluate compliance for the selected framework. These policies must be enabled to collect evidence for compliance assessment and complete compliance.

  3. Continuous Monitoring: Mondoo continuously collects evidence from the enabled checks, providing real-time insights into compliance status. Mapped checks can be reviewed at any time for linked assets.

  4. Reporting and Alerts: Mondoo generates reports and alerts based on the collected evidence, enabling organizations to track their compliance progress and address any issues. These reports can be generated by visiting an enabled framework. Reports can then be downloaded from the Reports tab.

Mondoo Compliance Frameworks

Mondoo and Terraform: A Powerful Combination

Mondoo is a robust security and compliance platform that offers a wide range of features to help companies manage and monitor their infrastructure and applications. Terraform, on the other hand, is a popular infrastructure-as-code tool that allows companies to define and manage their infrastructure using a human-readable configuration file. By integrating Mondoo with Terraform automation, companies can leverage the strengths of both tools to achieve compliance across various frameworks.

Step-by-Step Guide to Achieving Compliance with Mondoo and Terraform

To achieve compliance easily, you can take advantage of several features of the Mondoo Terraform provider:

  • Create a space and add assets to it. To obtain detailed insights into your assets' compliance, you will first need to create a space and populate it with the assets you need. For further information, check out our blog about adding assets to Mondoo using Terraform.

    provider "mondoo" {
      region = "eu"
    }

    variable "mondoo_org" {
      description = "The Mondoo Organization ID"
      type        = string
      default     = "my-org-1234567"
    }

    # Create a new space
    resource "mondoo_space" "my_space" {
      name   = "Framework Space"
      org_id = var.mondoo_org
    }
  • Get a list of available compliance frameworks. Use Mondoo’s mondoo_frameworks data source to retrieve the available frameworks into your Terraform configuration for automated compliance checks.

    # Replace the placeholder with your space ID, or reference mondoo_space.my_space.id
    data "mondoo_frameworks" "frameworks_data" {
      space_id = "your-space-1234567"
    }

    output "framework_mrn" {
      value       = [for framework in data.mondoo_frameworks.frameworks_data.frameworks : framework.mrn]
      description = "The MRN of the frameworks in the space."
    }
  • Enable a compliance framework. You can use Mondoo’s mondoo_compliance_framework Terraform resource to enable or disable any compliance framework. Make sure to add the Mondoo resource name (MRN) which we received through the data source.

    resource "mondoo_compliance_framework" "compliance_framework_example" {
      space_id = mondoo_space.my_space.id
      framework_mrn = [
        # example frameworks
        "//policy.api.mondoo.app/frameworks/cis-controls-8",
        "//policy.api.mondoo.app/frameworks/iso-27001-2022"
      ]
      enabled = true
    }
  • Upload your own custom compliance framework. Mondoo allows you to customize your compliance. You can even download available compliance framework configuration files, customize them to your needs and upload them again, or create your own files from scratch.

    variable "my_custom_framework" {
      description = "Path to the custom framework file. The file must be in MQL format."
      type        = string
      default     = "framework.mql.yaml"
    }

    resource "mondoo_custom_compliance_framework" "compliance_framework_example" {
      space_id = mondoo_space.my_space.id
      data_url = var.my_custom_framework
    }

Compliance Frameworks Upload

Note that compliance framework config files must be of type .mql.yaml. You can refer to the structure by downloading and viewing predefined frameworks.

  • The Mondoo Terraform Provider also allows you to create and manage policies, which can be enabled or disabled for a given Space.

    resource "mondoo_policy_assignment" "policy_assignment" {
      space_id = mondoo_space.my_space.id

      policies = [
        "//policy.api.mondoo.app/policies/mondoo-aws-security",
      ]

      state = "enabled" # default is enabled, we also support preview and disabled
    }
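The steps above hardcode the framework MRNs even though the data source already returns them. As an added example that is not part of the original post or the Mondoo provider documentation, the configuration below wires the steps together so the MRNs are selected from the mondoo_frameworks data source by name; the provider source address, the variable names, the name substrings and the assumption that each returned framework exposes a name attribute are ours.

```hcl
terraform {
  required_providers {
    mondoo = { source = "mondoohq/mondoo" } # assumed registry address
  }
}

provider "mondoo" {
  region = "eu"
}

variable "mondoo_org" {
  type    = string
  default = "my-org-1234567" # placeholder organization ID
}

# Name fragments of the frameworks to enable (assumed values); everything
# else in the space stays untouched instead of being enabled by accident.
variable "wanted_frameworks" {
  type    = list(string)
  default = ["CIS Controls", "NIS 2"]
}

resource "mondoo_space" "my_space" {
  name   = "Framework Space"
  org_id = var.mondoo_org
}

# Read the frameworks of the space we just created instead of a hardcoded ID.
data "mondoo_frameworks" "available" {
  space_id = mondoo_space.my_space.id
}

locals {
  # Keep the MRN of every framework whose name matches one of the fragments.
  selected_mrns = [
    for f in data.mondoo_frameworks.available.frameworks : f.mrn
    if anytrue([for w in var.wanted_frameworks : can(regex(w, f.name))])
  ]
}

resource "mondoo_compliance_framework" "selected" {
  space_id      = mondoo_space.my_space.id
  framework_mrn = local.selected_mrns
  enabled       = true

  lifecycle {
    # Fail the plan loudly rather than silently enabling nothing.
    precondition {
      condition     = length(local.selected_mrns) > 0
      error_message = "No framework in the space matched var.wanted_frameworks."
    }
  }
}
```

Because the data source depends on the new space, Terraform defers reading it until apply, so the first run shows the framework list as known after apply.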

Conclusion

Achieving compliance across various frameworks is crucial for companies to maintain the security and integrity of their infrastructure and applications. Mondoo offers compliance frameworks to assess your assets against. With Terraform, this set-up process can be made more straightforward. By following the steps outlined in this blog post, companies can leverage the strengths of both tools to ensure compliance and maintain the security and integrity of their infrastructure and applications. If you are interested in learning more about Mondoo’s possibilities, we recommend checking out our Infralovers Blog, where we introduce and discuss Mondoo and its far-reaching capabilities and development as well as other interesting topics.

With Mondoo and Infralovers at your side, you're perfectly positioned to meet and surpass compliance requirements across all frameworks. At Infralovers, we are committed to keeping you at the cutting edge of the tech landscape.
