Compliance Scoring¶
CertifyClouds provides automated compliance assessments against industry frameworks to help you understand and improve your Key Vault security posture.
Overview¶
Compliance scoring evaluates your Key Vault configuration and contents against security best practices:
- Automated assessments: Continuous evaluation against 5+ frameworks
- Pre-built rules: 20+ automated compliance checks
- Score tracking: 0-100% compliance score with trend history
- Evidence collection: Automatic evidence for audit documentation
- Remediation guidance: Clear recommendations for violations
Supported Frameworks¶
CertifyClouds includes pre-built compliance rules for these frameworks:
CIS Azure Key Vault Benchmark¶
7 controls covering Key Vault security best practices:
| Control | Description |
|---|---|
| CIS-KV-1 | Ensure soft delete is enabled |
| CIS-KV-2 | Ensure purge protection is enabled |
| CIS-KV-3 | Ensure RBAC is used for authorization |
| CIS-KV-4 | Ensure diagnostic logging is enabled |
| CIS-KV-5 | Ensure secrets have expiration dates |
| CIS-KV-6 | Ensure keys have expiration dates |
| CIS-KV-7 | Ensure certificates have expiration dates |
SOC 2 Type II¶
5 controls related to security and availability:
| Control | Description |
|---|---|
| SOC2-CC6.1 | Logical access controls |
| SOC2-CC6.6 | Encryption key management |
| SOC2-CC6.7 | Transmission security |
| SOC2-CC7.2 | System monitoring |
| SOC2-CC7.5 | Incident response |
ISO 27001¶
3 controls from Annex A (ISO/IEC 27001:2013 numbering; the 2022 revision renumbers these controls):
| Control | Description |
|---|---|
| ISO-A.10.1.1 | Policy on cryptographic controls |
| ISO-A.10.1.2 | Key management |
| ISO-A.12.4.1 | Event logging |
NIST 800-53 Rev. 5¶
6 controls from SC and AU families:
| Control | Description |
|---|---|
| NIST-SC-12 | Cryptographic key establishment and management |
| NIST-SC-13 | Cryptographic protection |
| NIST-SC-17 | Public key infrastructure certificates |
| NIST-AU-2 | Event logging |
| NIST-AU-6 | Audit record review, analysis, and reporting |
| NIST-AU-12 | Audit record generation |
Azure Security Benchmark v3¶
11 controls from DP (Data Protection) and IM (Identity Management):
| Control | Description |
|---|---|
| ASB-DP-5 | Use customer-managed keys |
| ASB-DP-6 | Use secure key management |
| ASB-DP-7 | Use secure certificate management |
| ASB-IM-1 | Use centralized identity management |
| + 7 more | See full documentation |
Compliance Rules¶
Secret Rules (P001-P014)¶
| Rule ID | Name | Severity | Description |
|---|---|---|---|
| P001 | Expiring soon | High | Secret expires within 30 days |
| P002 | Expired | Critical | Secret has already expired |
| P003 | No expiry set | Medium | Secret has no expiration date |
| P004 | Long-lived | Low | Secret older than 365 days |
| P005 | Disabled | Low | Secret is disabled |
| P006 | No content type | Low | Missing content type metadata |
| P007 | Weak naming | Low | Non-descriptive secret name |
| P008-P014 | Additional rules | Various | Framework-specific checks |
Certificate Rules (C001-C006)¶
| Rule ID | Name | Severity | Description |
|---|---|---|---|
| C001 | Expiring soon | High | Certificate expires within 30 days |
| C002 | Expired | Critical | Certificate has already expired |
| C003 | Weak key | High | RSA key <2048 bits |
| C004 | Self-signed | Medium | Self-signed in production |
| C005 | Long validity | Medium | Validity longer than 398 days, the limit browsers enforce for publicly trusted TLS certificates |
| C006 | No auto-renewal | Low | Auto-renewal disabled |
Key Rules (K001-K006)¶
| Rule ID | Name | Severity | Description |
|---|---|---|---|
| K001 | Expiring soon | High | Key expires within 30 days |
| K002 | Expired | Critical | Key has already expired |
| K003 | No expiry set | Medium | Key has no expiration date |
| K004 | Weak key size | High | RSA key <2048 bits or EC <256 bits |
| K005 | Unused | Low | Key not used in 90+ days |
| K006 | Over-permissioned | Medium | Too many operations enabled |
Compliance Score¶
How Scoring Works¶
The compliance score is the share of applicable rule evaluations that pass:
Score = (rules passed / rules applicable) × 100
Example:
- 50 total rules apply to your environment
- 45 rules pass
- Score = 45/50 × 100 = 90%
Severity Weighting¶
Violations are weighted by severity when the score is computed, so one Critical finding costs as much as six Low findings:
| Severity | Weight | Impact on Score |
|---|---|---|
| Critical | 3× | High impact |
| High | 2× | Moderate impact |
| Medium | 1× | Standard impact |
| Low | 0.5× | Minor impact |
Score Interpretation¶
| Score Range | Rating | Interpretation |
|---|---|---|
| 90-100% | Excellent | Strong security posture |
| 75-89% | Good | Minor improvements needed |
| 50-74% | Fair | Significant issues to address |
| <50% | Poor | Critical remediation required |
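The rule tables and the scoring rules above can be put together in a few dozen lines. The following is an added example, not CertifyClouds' own engine: it evaluates a subset of the tabled rules (P001-P003, C001-C003, C005, K001-K004) against constructed vault contents and derives the score exactly as the worked example does (passed divided by applicable, times 100), plus the rating bands. The asset field names, the fixed clock, and weighted_score() (one way the severity weights could be applied) are assumptions made for illustration.

```python
"""Added example, not CertifyClouds' own engine: evaluates a subset of the
rules tabled above against constructed Key Vault assets, then derives the
compliance score the way the page's worked example does (passed / applicable
x 100). Asset field names, the fixed clock and weighted_score() are
assumptions made for illustration."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
SEVERITY_WEIGHT = {"Critical": 3.0, "High": 2.0, "Medium": 1.0, "Low": 0.5}  # weighting table above

@dataclass
class Asset:
    kind: str                             # "secret", "key" or "certificate"
    name: str
    expires: Optional[datetime] = None    # None means no expiry set
    key_type: Optional[str] = None        # "RSA" or "EC" (keys and certificates)
    key_size: Optional[int] = None        # bits
    validity_days: Optional[int] = None   # certificates: issued lifetime

@dataclass
class Rule:
    rule_id: str
    severity: str
    kind: str                                  # asset kind the rule applies to
    check: Callable[[Asset], Optional[dict]]   # evidence dict on violation, None on pass

def _days_to_expiry(a: Asset) -> Optional[int]:
    return None if a.expires is None else (a.expires - NOW).days

def expiring_soon(a: Asset):   # P001 / C001 / K001: expires within 30 days
    d = _days_to_expiry(a)
    return {"expires": a.expires.isoformat(), "days_left": d} if d is not None and 0 <= d <= 30 else None

def expired(a: Asset):         # P002 / C002 / K002
    d = _days_to_expiry(a)
    return {"expires": a.expires.isoformat()} if d is not None and d < 0 else None

def no_expiry(a: Asset):       # P003 / K003
    return {"expires": None} if a.expires is None else None

def weak_key(a: Asset):        # C003 / K004: RSA < 2048 bits or EC < 256 bits
    minimum = {"RSA": 2048, "EC": 256}.get(a.key_type or "")
    if minimum and a.key_size and a.key_size < minimum:
        return {"key_type": a.key_type, "key_size": a.key_size, "minimum": minimum}
    return None

def long_validity(a: Asset):   # C005: validity beyond the 398-day browser limit
    return {"validity_days": a.validity_days} if a.validity_days and a.validity_days > 398 else None

RULES = [
    Rule("P001", "High", "secret", expiring_soon), Rule("P002", "Critical", "secret", expired),
    Rule("P003", "Medium", "secret", no_expiry),
    Rule("C001", "High", "certificate", expiring_soon), Rule("C002", "Critical", "certificate", expired),
    Rule("C003", "High", "certificate", weak_key), Rule("C005", "Medium", "certificate", long_validity),
    Rule("K001", "High", "key", expiring_soon), Rule("K002", "Critical", "key", expired),
    Rule("K003", "Medium", "key", no_expiry), Rule("K004", "High", "key", weak_key),
]

# Constructed sample vault contents (not real data).
SAMPLE_ASSETS = [
    Asset("secret", "db-password", expires=NOW + timedelta(days=10)),
    Asset("secret", "api-key", expires=NOW - timedelta(days=5)),
    Asset("secret", "legacy-token"),
    Asset("certificate", "www-cert", expires=NOW + timedelta(days=200), key_type="RSA", key_size=2048, validity_days=365),
    Asset("certificate", "old-cert", expires=NOW + timedelta(days=100), key_type="RSA", key_size=1024, validity_days=730),
    Asset("key", "signing-key", expires=NOW + timedelta(days=400), key_type="RSA", key_size=3072),
    Asset("key", "data-key", key_type="EC", key_size=256),
]

def evaluate(assets, rules=RULES):
    """One result per (rule, asset of that kind): (rule_id, severity, asset name, evidence or None)."""
    return [(r.rule_id, r.severity, a.name, r.check(a)) for r in rules for a in assets if a.kind == r.kind]

def score(results):
    """Unweighted score, matching the page's worked example and the API response shape."""
    total = len(results)
    passed = sum(1 for *_, ev in results if ev is None)
    by_sev = {s: 0 for s in ("critical", "high", "medium", "low")}
    for _, sev, _, ev in results:
        if ev is not None:
            by_sev[sev.lower()] += 1
    return {"score": round(100 * passed / total, 1) if total else 100.0,
            "passed": passed, "failed": total - passed, "total": total, "by_severity": by_sev}

def weighted_score(results):
    """Assumed weighted variant: each rule/asset result counts by its severity weight."""
    total = sum(SEVERITY_WEIGHT[s] for _, s, _, _ in results)
    passed = sum(SEVERITY_WEIGHT[s] for _, s, _, ev in results if ev is None)
    return round(100 * passed / total, 1) if total else 100.0

def rating(pct):
    """Score Interpretation bands from the table above."""
    return "Excellent" if pct >= 90 else "Good" if pct >= 75 else "Fair" if pct >= 50 else "Poor"

if __name__ == "__main__":
    res = evaluate(SAMPLE_ASSETS)
    print(json.dumps(score(res), indent=2))
    print("weighted:", weighted_score(res), "rating:", rating(score(res)["score"]))
```

On the sample data the unweighted score is 76.0% (19 of 25 evaluations pass, rated Good) while the weighted variant gives 80.0%, which is why a report should state which formula produced the number it shows. Each violation carries the evidence dict the Violation Details section describes (expiry date, key size), so the same structure feeds the dashboard and the audit export.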
Viewing Compliance¶
Dashboard¶
The Compliance tab shows:
- Overall Score: Current compliance percentage
- Score Trend: Historical score over time
- Framework Breakdown: Score per framework
- Top Violations: Most common issues to fix
Violation Details¶
For each violation, view:
- Rule ID: Unique identifier (e.g., P001)
- Severity: Critical, High, Medium, Low
- Affected Assets: List of secrets/keys/certificates
- Evidence: Specific details (expiry date, key size, etc.)
- Remediation: Steps to resolve the violation
Running Compliance Checks¶
Automatic¶
Compliance is evaluated automatically:
- After each discovery scan
- When new assets are detected
- When asset properties change
Manual¶
Trigger a compliance check manually:
# Via API
curl -X POST http://localhost:8080/compliance/evaluate \
-H "Authorization: Bearer $TOKEN"
Remediation¶
View Recommendations¶
Each violation includes remediation guidance:
- Go to Compliance tab
- Click on a violation
- View Remediation Steps
- Follow instructions to resolve
Common Remediations¶
| Violation | Remediation |
|---|---|
| No expiry set | Set expiration date in Key Vault |
| Expired secret | Rotate to new secret value |
| Weak key | Regenerate with stronger parameters |
| Soft delete disabled | Enable soft delete on the vault (it is on by default and cannot be switched off on current vaults); enable purge protection alongside it |
| No diagnostic logging | Enable diagnostic settings |
Bulk Remediation¶
For large-scale remediation:
- Export violations to CSV
- Use Azure CLI/PowerShell scripts
- Re-run compliance after fixes
- Verify improved score
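The export-then-script step is where bulk remediation usually goes wrong: a script that blindly rewrites every listed asset will also touch the ones that need a human decision. The following is an added example, not CertifyClouds' export tooling: it assumes the CSV export has the columns rule_id, asset_type, vault and name (an assumption about the export format), turns the violations that are safe to fix mechanically (P003 and K003, no expiry set) into `az keyvault ... set-attributes --expires` commands, and routes the rest (expired secrets, weak keys) to a manual list. Commands are only printed unless apply=True is passed.

```python
"""Added example: plan Azure CLI commands from an exported violation CSV.
Illustrative, not CertifyClouds' export tooling. The CSV columns
(rule_id, asset_type, vault, name) are an assumption about the export format;
the sample rows below are constructed."""
import csv
import io
import shlex
import subprocess
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed clock so the output is reproducible
DEFAULT_LIFETIME_DAYS = 180                        # policy choice for assets that had no expiry

# Constructed sample export (column names assumed).
SAMPLE_CSV = """rule_id,asset_type,vault,name
P003,secret,kv-payments-prod,db-password
K003,key,kv-payments-prod,data-key
P002,secret,kv-payments-prod,api-key
C003,certificate,kv-web-prod,old-cert
"""

# Rules whose fix is a pure attribute change; everything else needs a new value,
# key or certificate and therefore an owner decision rather than a bulk edit.
MECHANICAL_RULES = {"P003", "K003"}

def plan(csv_text: str, lifetime_days: int = DEFAULT_LIFETIME_DAYS):
    """Map each violation row to an az command (argv list) or to a manual-action entry."""
    expires = (NOW + timedelta(days=lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    commands, manual = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid, kind, vault, name = row["rule_id"], row["asset_type"], row["vault"], row["name"]
        if rid in MECHANICAL_RULES:
            # az keyvault secret|key set-attributes accepts --expires as a UTC ISO timestamp
            commands.append(["az", "keyvault", kind, "set-attributes",
                             "--vault-name", vault, "--name", name, "--expires", expires])
        else:
            manual.append((rid, kind, vault, name))
    return commands, manual

def run(commands, apply: bool = False) -> int:
    """Print every command for review; execute only when apply=True. Returns the executed count."""
    executed = 0
    for argv in commands:
        print(shlex.join(argv))
        if apply:
            subprocess.run(argv, check=True)   # fail fast so a partial run is visible
            executed += 1
    return executed

if __name__ == "__main__":
    cmds, todo = plan(SAMPLE_CSV)
    run(cmds)                                  # dry run: review before re-running with apply=True
    for rid, kind, vault, name in todo:
        print(f"manual: {rid} {kind} {vault}/{name}")
```

After applying, re-run the compliance check (the manual trigger above) and confirm the score moved; assets on the manual list stay as open findings until their owners rotate or regenerate them.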
Reports¶
Generate Report¶
Create a compliance report for auditors:
- Go to Compliance tab
- Click Generate Report
- Select frameworks to include
- Choose format (PDF, JSON, CSV)
- Download report
Report Contents¶
Reports include:
- Executive summary with overall score
- Framework-by-framework breakdown
- Complete violation list with evidence
- Remediation recommendations
- Historical trend data
- Audit timestamp and scope
Custom Rules (PRO)¶
PRO tier allows creating custom compliance rules:
Create Custom Rule¶
- Go to Settings > Compliance Rules
- Click Add Rule
- Define:
- Rule name and description
- Asset type (secret, key, certificate)
- Condition (expression)
- Severity level
- Save and enable
Example Custom Rules¶
Secret naming convention:
Maximum secret age:
Required tags:
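The three custom rules named above have no condition bodies on this page, and the condition syntax CertifyClouds evaluates is not documented here. The following is an added example, not product code: it assumes a condition is a small Python-expression subset over the asset's fields (name, age_days, tags) plus two helpers, matches() and has_tag(), and evaluates it through an AST whitelist rather than eval(), because rule conditions are tenant-supplied input and must never reach the interpreter directly. The rule IDs X001-X003 and the sample secrets are constructed.

```python
"""Added example: a restricted evaluator for custom-rule conditions.
The grammar (a Python-expression subset over asset fields plus matches() and
has_tag()) is an assumption; this page does not document the product's own
syntax. The sample secrets and the X001-X003 rule IDs are constructed."""
import ast
import operator
import re

# Constructed sample secrets with the fields a condition may reference.
SAMPLE_SECRETS = [
    {"name": "payments-db-password-prod", "age_days": 400, "tags": {"owner": "payments", "env": "prod"}},
    {"name": "tmp", "age_days": 30, "tags": {}},
]

_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}
_FUNCS = {
    "matches": lambda pattern, value: re.fullmatch(pattern, value) is not None,
    "has_tag": lambda tags, key: key in tags,
}

class UnsafeCondition(ValueError):
    """Raised for any syntax outside the whitelist (attributes, imports, arbitrary calls)."""

def _eval(node, env):
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float, bool)):
        return node.value
    if isinstance(node, ast.Name):                       # asset field lookup only
        if node.id not in env:
            raise UnsafeCondition(f"unknown field {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        return _CMP[type(node.ops[0])](_eval(node.left, env), _eval(node.comparators[0], env))
    if isinstance(node, ast.BoolOp):
        values = (_eval(v, env) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, env)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        return _FUNCS[node.func.id](*(_eval(a, env) for a in node.args))
    raise UnsafeCondition(f"disallowed syntax: {type(node).__name__}")

def violates(condition: str, asset: dict) -> bool:
    """True when the asset fails the rule, i.e. the condition evaluates to true for it."""
    return bool(_eval(ast.parse(condition, mode="eval"), asset))

# Hypothetical custom rules for the three examples named above.
CUSTOM_RULES = {
    "X001 naming convention": "not matches('[a-z]+-[a-z-]+-(prod|dev|test)', name)",
    "X002 maximum secret age": "age_days > 365",
    "X003 required tags": "not has_tag(tags, 'owner') or not has_tag(tags, 'env')",
}

def run_custom_rules(assets, rules=CUSTOM_RULES):
    """Return {rule id: [names of violating assets]}."""
    return {rid: [a["name"] for a in assets if violates(cond, a)] for rid, cond in rules.items()}

if __name__ == "__main__":
    for rid, names in run_custom_rules(SAMPLE_SECRETS).items():
        print(rid, "->", names or "pass")
```

A condition such as `__import__('os').system('id')` or `name.__class__` is rejected by the whitelist before anything is executed; the same is true of an unknown field name, which surfaces a typo in a rule as an error rather than as a silently passing check.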
API Reference¶
Get Compliance Score¶
Response:
{
  "score": 87.5,
  "passed": 42,
  "failed": 6,
  "total": 48,
  "by_severity": {
    "critical": 0,
    "high": 2,
    "medium": 3,
    "low": 1
  }
}
Get Violations¶
Get Framework Details¶
Best Practices¶
- Monitor Continuously: Review compliance score after each scan
- Prioritize Critical: Address critical violations immediately
- Set Targets: Aim for 90%+ compliance score
- Document Exceptions: Record accepted risks with justification
- Track Trends: Use historical data to show improvement
- Automate Remediation: Use alerts to trigger fix workflows