Some applications have compliance requirements such as workload isolation, ensuring developers cannot access the production environment, and implementing security zones (e.g., microservices in the DMZ can communicate with the public Internet, but not directly with your backend databases). More advanced controls are sometimes required, like building a moat around PCI-DSS workloads, or logging all HIPAA data transactions.
Auditors need proof that you are enforcing these controls, and generating the necessary documentation as proof can be challenging. Auditors will want to know:
- What security controls are currently implemented?
- How do you detect when your security controls change?
- Can you prove to me that you were compliant at any given date and time?
Calico Enterprise and Calico Cloud continuously monitor security compliance and retain a daily history of your compliance status. This information can be exported and shared for auditing purposes.
Calico Enterprise and Calico Cloud install a GlobalReport resource that can be used to define custom compliance reports. Predefined compliance report formats are also included:
- Inventory Report: identifies which in-scope workloads are protected by your security controls and which are not
- Network Access Report: shows what each microservice has access to
- Policy Audit: shows the change history of your security policies
- Configuration Auditing: reports on configuration compliance using CIS Level 1 and 2 benchmarks
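As an added example (not taken from the page or from the Calico documentation), the following GlobalReport manifest defines a custom inventory report scoped to workloads labelled as in-scope for PCI-DSS, so the resulting report covers only the "moat" rather than the whole cluster. The `reportType`, `schedule` and `endpoints` fields are assumed to follow the GlobalReport schema in the `projectcalico.org/v3` API; the namespace and label values are constructed placeholders.

```yaml
# Added example: a scoped inventory GlobalReport (assumed schema, constructed values).
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
  name: pci-daily-inventory
spec:
  # Predefined report type listed on the page; the assumed values for the
  # other types are network-access, policy-audit and cis-benchmark.
  reportType: inventory
  # Cron schedule: run once a day at 01:00 so there is a record for every date
  # an auditor might ask about.
  schedule: "0 1 * * *"
  # Restrict the report to endpoints in the PCI namespaces that carry the
  # in-scope label; workloads outside this selector are not part of the moat.
  endpoints:
    namespaces:
      names:
        - pci-cardholder-data   # constructed placeholder namespace
        - pci-payment-gateway   # constructed placeholder namespace
    selector: pci-scope == "in-scope"
```

Applying this manifest with `kubectl apply -f` (or `calicoctl apply -f`) registers the report; the scheduled runs then accumulate the daily history that the page describes, and the endpoint selector is what ties the report back to the specific control (PCI isolation) an auditor is asking about.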
Reports are run periodically, and default to daily runs. A history of all reports is maintained that you can query to get the compliance status of your cluster for any historical point in time.
All compliance data can be exported as spreadsheets that are ready for auditor review.