In today's fast-paced digital landscape, ensuring compliance with various frameworks is crucial for companies to maintain the security and integrity of their infrastructure and applications. Mondoo is a powerful security and compliance platform that offers numerous benefits for managing compliance across various frameworks: it reduces manual effort and human error, enables real-time monitoring, and provides alert options for prompt corrective action. It offers prominent, customizable compliance frameworks such as ISO 27001, CIS and NIST and provides real-time insights and reporting. Find out more in our blog about Mondoo.
This blog post will explore how Mondoo can help companies achieve automated compliance across different frameworks, and provide a step-by-step guide on how to do so. We will also cover how to manage frameworks using Terraform automation.
Compliance is essential for companies to ensure that their infrastructure and applications adhere to regulatory and internal standards, as failure to comply can result in significant financial losses, reputational damage, or even legal consequences. The NIS-2 Directive mandates that by October 2024, all EU member states must transpose the directive into national law, enforcing stricter security requirements. Digital signatures play a crucial role in this context by providing a reliable method for verifying the authenticity and integrity of digital documents and transactions, thereby enhancing cybersecurity. Incorporating digital signatures into your company's cybersecurity strategy helps ensure compliance with regulatory standards, protects against cyber threats, and supports a verifiable audit trail.
The NIS-2 Directive is scheduled for completion by October 2024.
This blog will therefore provide an overview of the key aspects of NIS-2 in a timely manner.
The NIS-2 Directive (Network and Information Security) is an EU regulation designed to enhance cybersecurity across member states by introducing more rigorous security requirements for companies. It requires the implementation of enhanced measures for the protection of critical infrastructure, thereby enhancing preparedness and response to potential cyber threats. The directive significantly broadens its scope compared to its predecessor, now encompassing new sectors, making compliance a more comprehensive and complex task. Under NIS-2, essential and important entities are also required to implement industry-accepted and state-of-the-art cybersecurity measures across several domains, including incident prevention, detection, and response, as well as business continuity and crisis management.
The NIS-2 Directive extends its scope to include more sectors such as healthcare, digital infrastructure, public administration, and transport. It mandates comprehensive risk management measures and regular security assessments, along with stricter reporting requirements for security incidents within tight deadlines. Entities must report cyber incidents swiftly and with detailed information, helping standardize incident reporting across the EU. This improved reporting process allows for a more proactive and informed approach to managing and safeguarding digital infrastructure.
Digital signatures are crucial for meeting NIS-2 requirements by enhancing security and reducing cybercrime risks. They ensure the authenticity and integrity of documents, offer a legally binding way to authenticate transactions, and aid in compliance by providing traceability and security for data, facilitating audits and regulatory adherence.
Mondoo's compliance framework is built on the principles of continuous monitoring and assurance. It provides a structured approach to compliance management, enabling organisations to automate evidence collection and reporting. A framework is based on industry-recognized standards and guidelines, such as CIS Controls, ISO 27001 and already NIS-2, whose requirements are mapped to specific controls and checks.
Note that not all checks of a policy have to be included in a control.
Enable a Framework: Organisations select the compliance frameworks they want to comply with, such as CIS Controls or NIS-2. This enables Mondoo to collect data for the controls in the selected framework. A compliance framework can be enabled for a whole space within a Mondoo organisation. We can do so by navigating to the Compliance Framework tab within the Mondoo dashboard and selecting the desired framework or by using Mondoo’s Terraform provider. Mondoo also allows us to upload our own custom frameworks.
Enable Policies: Mondoo identifies the policies and checks required to evaluate compliance for the selected framework. These policies must be enabled so that evidence can be collected for the compliance assessment.
Continuous Monitoring: Mondoo continuously collects evidence from the enabled checks, providing real-time insights into compliance status. Mapped checks can be reviewed at any time for linked assets.
Reporting and Alerts: Mondoo generates reports and alerts based on the collected evidence, enabling organizations to track their compliance progress and address any issues. These reports can be generated by visiting an enabled framework. Reports can then be downloaded from the Reports tab.
Mondoo is a robust security and compliance platform that offers a wide range of features to help companies manage and monitor their infrastructure and applications. Terraform, on the other hand, is a popular infrastructure-as-code tool that allows companies to define and manage their infrastructure using a human-readable configuration file. By integrating Mondoo with Terraform automation, companies can leverage the strengths of both tools to achieve compliance across various frameworks.
To achieve compliance easily, you can take advantage of several Terraform Mondoo features:
# Configure the provider and create a space that the frameworks will be enabled in
provider "mondoo" {
  region = "eu"
}

variable "mondoo_org" {
  description = "The Mondoo Organization ID"
  type        = string
  default     = "my-org-1234567"
}

# Create a new space
resource "mondoo_space" "my_space" {
  name   = "Framework Space"
  org_id = var.mondoo_org
}

# Look up the frameworks of an existing space and output their MRNs
data "mondoo_frameworks" "frameworks_data" {
  space_id = "your-space-1234567"
}

output "framework_mrn" {
  value       = [for framework in data.mondoo_frameworks.frameworks_data.frameworks : framework.mrn]
  description = "The MRN of the frameworks in the space."
}

# Enable predefined frameworks in the space by their MRNs
resource "mondoo_compliance_framework" "compliance_framework_example" {
  space_id = mondoo_space.my_space.id
  framework_mrn = [
    # example frameworks
    "//policy.api.mondoo.app/frameworks/cis-controls-8",
    "//policy.api.mondoo.app/frameworks/iso-27001-2022"
  ]
  enabled = true
}

# Upload a custom framework from a local .mql.yaml file
variable "my_custom_framework" {
  description = "Path to the custom policy file. The file must be in MQL format."
  type        = string
  default     = "framework.mql.yaml"
}

resource "mondoo_custom_compliance_framework" "compliance_framework_example" {
  space_id = mondoo_space.my_space.id
  data_url = var.my_custom_framework
}
Note that compliance framework config files must use the .mql.yaml extension. You can refer to the expected structure by downloading and viewing the predefined frameworks.
# Enable the policies whose checks provide the evidence for the framework controls
resource "mondoo_policy_assignment" "policy_assignment" {
  space_id = mondoo_space.my_space.id

  policies = [
    "//policy.api.mondoo.app/policies/mondoo-aws-security",
  ]

  state = "enabled" # default is enabled, we also support preview and disabled
}
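The individual snippets above, combined into one complete configuration that walks through the steps from this post (create a space, enable frameworks, enable policies, read the result back). This is an added example and not code from the Infralovers post or from Mondoo. It reuses only the resource types, framework MRNs and policy MRN shown on this page; the provider source address, the choice to read credentials from the provider's environment rather than from code, the variable validation for the .mql.yaml extension, and the assumption that the mondoo_frameworks data source reports the frameworks enabled in the space are assumptions of this example, as is the Terraform >= 1.5 check block.

```hcl
terraform {
  required_providers {
    mondoo = {
      source = "mondoohq/mondoo" # assumption: registry address of the Mondoo provider
    }
  }
}

provider "mondoo" {
  region = "eu"
  # Credentials are supplied through the provider's environment, not in this file.
}

# No default: the organisation ID is passed via tfvars or TF_VAR_mondoo_org,
# so no identifier is committed to version control.
variable "mondoo_org" {
  description = "The Mondoo Organization ID"
  type        = string
}

variable "custom_framework_path" {
  description = "Path to a custom compliance framework (must exist and end in .mql.yaml)"
  type        = string
  default     = "framework.mql.yaml"

  # Fail at plan time instead of at apply time if the file is wrong.
  validation {
    condition     = can(regex("\\.mql\\.yaml$", var.custom_framework_path)) && fileexists(var.custom_framework_path)
    error_message = "Custom frameworks must be an existing file with the .mql.yaml extension."
  }
}

resource "mondoo_space" "compliance" {
  name   = "Framework Space"
  org_id = var.mondoo_org
}

# Step 1: enable predefined frameworks (MRNs as used in the post).
resource "mondoo_compliance_framework" "builtin" {
  space_id = mondoo_space.compliance.id
  framework_mrn = [
    "//policy.api.mondoo.app/frameworks/cis-controls-8",
    "//policy.api.mondoo.app/frameworks/iso-27001-2022",
  ]
  enabled = true
}

# Step 1 (continued): upload the validated custom framework into the same space.
resource "mondoo_custom_compliance_framework" "custom" {
  space_id = mondoo_space.compliance.id
  data_url = var.custom_framework_path
}

# Step 2: enable the policies whose checks produce the evidence for the controls.
resource "mondoo_policy_assignment" "baseline" {
  space_id = mondoo_space.compliance.id
  policies = ["//policy.api.mondoo.app/policies/mondoo-aws-security"]
  state    = "enabled"
}

# Read back what the space reports once the frameworks have been enabled.
# Assumption: the data source lists the frameworks enabled in the space.
data "mondoo_frameworks" "enabled" {
  space_id   = mondoo_space.compliance.id
  depends_on = [mondoo_compliance_framework.builtin, mondoo_custom_compliance_framework.custom]
}

locals {
  reported_mrns = [for f in data.mondoo_frameworks.enabled.frameworks : f.mrn]
}

# Verify that every MRN we enabled is actually reported by the space (Terraform >= 1.5).
check "frameworks_enabled" {
  assert {
    condition     = alltrue([for m in mondoo_compliance_framework.builtin.framework_mrn : contains(local.reported_mrns, m)])
    error_message = "A framework enabled in this configuration is not reported by the space."
  }
}

output "framework_mrns" {
  value       = local.reported_mrns
  description = "Framework MRNs the space reports after apply"
}
```

Run `terraform plan` first: the variable validation rejects a wrong file path before any API call, and the check block after `terraform apply` warns (without failing the apply) if the space does not report a framework the configuration expects, which is the kind of drift the "Continuous Monitoring" step is meant to catch.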
Achieving compliance across various frameworks is crucial for companies to maintain the security and integrity of their infrastructure and applications. Mondoo offers compliance frameworks to assess your assets against. With Terraform, this set-up process can be made more straightforward. By following the steps outlined in this blog post, companies can leverage the strengths of both tools to ensure compliance and maintain the security and integrity of their infrastructure and applications. If you are interested in learning more about Mondoo’s possibilities, we recommend checking out our Infralovers Blog, where we introduce and discuss Mondoo and its far-reaching capabilities and development as well as other interesting topics.
With Mondoo and Infralovers at your side, you're perfectly positioned to meet and surpass compliance requirements across all frameworks. At Infralovers, we are committed to keeping you at the cutting edge of the tech landscape.
Are you interested in our courses, or do you simply have a question that needs answering? You can contact us at any time! We will do our best to answer all your questions.