Compliance UI
In Yandex Security Deck, the CSPM and KSPM modules check your controlled infrastructure for compliance with security-related industry standards and regulations. For each standard and regulation, there is an individual set of requirements.
Note
The total of industry standards and regulations your infrastructure is checked against is configured separately for each workspace.
The compliance UI shows what industry standards and regulations to the workspace infrastructure is checked against, and how well its resources comply with these standards and regulations.
With the compliance UI, you can also view the lists of control rules that belong to the sets of requirements corresponding to particular industry standards and regulations. On the UI dashboard, there is a summary for each industry standard (set of requirements), which highlights the most common violations, and a diagram for severity of identified violations.
In the compliance UI, you can view the key info about each individual rule within the set of requirements and your cloud resources violating that rule. Also, you can set up exceptions for individual control rules and view recommendations on how to fix the detected violations.
Sets of security requirements
Security Deck comes with sets of security requirements aligned with the following industry standards and regulations in the field of information security:
-
Yandex Cloud basic security rules: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform. -
Yandex Cloud cloud infrastructure protection standard: Standard providing comprehensive security requirements and best practices for protection of the cloud infrastructure and applications deployed on the Yandex Cloud platform. These elements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.
-
Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Restricted profile. A restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. A restricted profile is recommended for security-critical applications and environments where maximum security is required. -
Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Baseline profile. A baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security. -
Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the Microsoft Threat Matrix for Kubernetes, which is a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.
Tip
In the compliance UI, you can turn compliance checks for particular requirements on or off for your current workspace. First, make sure you are in the right workspace. Click next to the set of requirements and select Enable verification or Disable verification.
Control rules
You can view the list of control rules included in any given set of requirements. Do it by clicking the row corresponding to the set in the compliance UI. This will open a list containing the following info on each control rule in the set:
-
: Rule criticality level; this icon indicates how security-critical the rule is:
- : Remark
- : Low severity.
- : Medium severity.
- : High severity.
- Control rule: Control rule name.
- Module of control: Security Deck module to check your infrastructure for compliance with that rule:
Configuration Monitoring (CSPM)orKubernetes Security Posture Management® (KSPM). - Violations: Number of rule violations detected in the selected workspace.
Click the row with the rule for additional info, including violation details and fixing recommendations.