Introducing Datadog Compliance Monitoring | Datadog

Introducing Datadog Compliance Monitoring

Author Michael Yamnitsky
Author Jonathan Epstein

Published: August 11, 2020

Governance, risk, and compliance (GRC) are major inhibitors for organizations moving to the cloud—and for good reason. Cloud environments are complex, and even a single misconfigured security group can result in a serious data breach. In fact, asset misconfigurations were the leading cause of cloud security breaches in 2019. This puts a lot of pressure on developer and operations teams to properly secure their services and maintain regulatory compliance. And to add fuel to the fire, these tasks are becoming increasingly arduous, as safe and compliant configurations must be enforced across multiple cloud platforms, consoles, and cloud security tools. It’s not unusual for site reliability engineers to lose hundreds of hours cataloguing asset inventory data and collecting relevant logs for third-party audits.

We’re excited to announce the beta release of Compliance Monitoring, a new offering within the Datadog security platform that makes it easy to track the compliance posture of your production environment, automate audit evidence collection, and catch misconfigurations that leave your organization vulnerable to attacks. With support for industry-standard compliance frameworks like PCI DSS, SOC 2, and CIS, Compliance Monitoring lets developers and security engineers detect misconfigurations in the context of other threats and application performance, and prevent security issues—all from within the same Datadog platform they use every day.

Compliance Monitoring collects data from across your cloud environment to give you deep visibility into the posturing of your cloud assets.

Continuously check the configurations of cloud resources and workloads

When it comes to production cloud environments, evidence for audits and compliance findings is often spread across endless streams of system and application logs, network traffic, live process telemetry, configurations, and vulnerability assessments.

As a centralized observability platform with comprehensive access to telemetry across every level of your environment, Datadog is uniquely positioned to meet this challenge. In addition to Datadog’s more than 400 technology integrations, Compliance Monitoring enhances security visibility in two crucial ways:

  1. We’re continuously assessing the state of your cloud environment, such as security groups, storage buckets, load balancers, databases, and several other popular cloud services.
  2. We’ve enhanced our Datadog Agent to review local configuration information from servers, containers, and Kubernetes clusters, as well as to monitor the integrity of their files and folders.
Compliance Monitoring analyzes the posturing of all of your AWS assets.
Compliance Monitoring analyzes the posturing of all of your AWS assets.

Monitoring the configuration of cloud resources

Misconfigurations in your cloud environment, such as an asset with unrestricted access from the public internet, can lead to major security breaches if left unaddressed. It’s critical that the teams responsible for securing cloud services can identify and address them right as they occur. Datadog Compliance Monitoring continuously assesses the configuration of cloud services, giving your team immediate visibility into compliance failures across your cloud accounts.

Monitoring container and Kubernetes configurations

With the move towards containerized environments, compliance teams are expected to demonstrate that the configuration baselines for their container runtime (e.g., Docker) and orchestrator (e.g., Kubernetes) are managed securely. A popular solution is to enforce configuration checks in continuous build and integration pipelines. While this approach provides a valuable point-in-time guardrail, it also assumes that your production environment will never change. To provide a holistic solution, we’ve expanded the Datadog Agent to continuously check the configuration of your Docker containers and Kubernetes control plane against Center for Internet Security (CIS) leading practices.

You can track your container and Kubernetes misconfigurations in the Security Explorer.

Production-ready file integrity monitoring

File integrity monitoring (FIM) is an invaluable tool for meeting regulatory frameworks that require routine file access auditing, like SOC 2 and PCI, and it’s a key capability for compliance teams. While traditional runtime security solutions are known to be too resource-intensive and lack support for containerized environments, our FIM solution—based on a modern eBPF implementation—works in production and at scale across your cloud-native infrastructure.

Compliance Monitoring creates real-time compliance violation alerts when a sensitive file is accessed or modified.
Compliance Monitoring creates real-time compliance violation alerts when a sensitive file is accessed or modified.

Detect drift from critical compliance controls

Compliance Monitoring comes with over 200 out-of-the-box rules to check for PCI and CIS compliance against your servers, containers, Kubernetes clusters, and AWS assets, with support for GCP and Azure on the way. These rulesets are customizable, and you can extend each rule to your specific needs with just a few clicks.

You can write your own compliance rules without learning a proprietary query language.

We’ve added a new customizable Cloud Configuration rule type that allows you to specify noncompliant or discouraged configurations for your cloud resources (security group rule settings, storage bucket permissions, etc.) against in-house and standardized CIS rules.

Beyond Datadog’s turn-key rules, Compliance Monitoring’s rule editor lets anyone in your organization write their own configuration policies without learning a new query language. For instance, in order to ensure tagging compliance, CloudOps teams might create a rule that prevents tag values from being left empty. Now, whenever someone spins up an improperly tagged resource, the custom rule triggers a warning and a notification is sent to all relevant parties (compliance teams, engineers, etc.).

Prioritize and remediate potential misconfigurations

Whether from within your cloud resources or your hosts and containers, when Datadog detects a compliance violation it records:

  • the state of the misconfigured asset
  • the configuration rule that was broken
  • the relative severity of the failure

This allows you to quickly assess the scope of potential compliance violations in terms of teams, services, and environments that might be affected. In turn, this means you can assess the potential risk of each violation to accurately prioritize their remediation.

Correlate compliance findings with security issues

You can view all of your compliance violations in the Security Explorer, alongside any other security issue that might have resulted from a misconfiguration. For example, a security signal might tell you that Datadog detected traffic from an external IP address to an internal service, while a compliance violation alerts you to a recently misconfigured AWS security group that allowed public internet access. From there, you can check your AWS CloudTrail logs to determine how the offending changes occurred and, using Datadog’s collaboration integrations with services like Slack and PagerDuty, notify the right people to get the problem fixed.

Expert-built compliance dashboards

Out-of-the-box compliance dashboards let all of your teams track issues from the same pane of glass.

Datadog Compliance Monitoring includes out-of-the-box dashboards based on industry-standard compliance frameworks so that anyone in your company, including GRC and information security teams, can review your compliance posture at a glance. These dashboards display the number of tracked resources in your cloud environment, the types of compliance violations detected (grouped by severity, control, and resource type), variations in detected compliance findings over time, and the relevant logs related to configuration changes that contextualize each finding.

Compliance frameworks that Datadog tracks out of the box include PCI and CIS, and more will be provided in the coming months.

Get started with Compliance Monitoring today

Datadog Compliance Monitoring expands the scope of your security operations and makes it easy to keep up with a rapidly evolving compliance landscape. If you already use Datadog, you can request to join the Compliance Monitoring beta now. Otherwise, get started with a .