Announcing The Birth of Software-Defined Governance

Last September, Dome9 announced the availability of the new Dome9 Compliance Engine that radically simplifies tracking, reporting and enforcement of compliance and security best practices in the public cloud. The Compliance Engine automates data gathering and assessment and simplifies reporting for compliance standards such as PCI DSS as well as security best practices such as the CIS AWS Foundations Benchmark.

Figure 1: Dome9 Compliance Engine, now with Software-Defined Governance


Today, we’re excited to announce the availability of new functionality in the Dome9 Compliance Engine that allows our customers to specify and enforce custom governance policies that are tailored to their business needs using the same automation framework.

Here’s a quick summary of what the product offers.

  1. The Dome9 Compliance Engine announced last year allows businesses to assess their compliance posture, identify risks and gaps, fix issues, and report on compliance status in preparation for audits.
  2. The Compliance Engine allows users to run tests against bundles of rules, called test suites. So you’d have a bundle for PCI DSS and another for the CIS AWS Foundations Benchmark. The bundles can be for AWS as well as Microsoft Azure.

Figure 2: Dome9 Compliance Engine Dashboard

  1. With this release, administrators can customize pre-created bundles or create new bundles of rules that reflect their organizational needs.
  2. The rules are specified using a new innovative policy language called the Governance Specification Language (GSL). Unlike other comparable products, rules written in GSL can be easily read and understood by anyone.

For example, here’s a rule in GSL:

RDS should have isStorageEncrypted = true

What do you think that rule specifies? If you guessed that RDS storage should be encrypted, you’d be right.

Here’s another example:

Instance should not have inboundRules with [port = 22 and protocol in (‘TCP’,’All’) and scope numberOfHosts() > 32]

This simply says that an instance with an open SSH port (22) should not be exposed to a wide network scope. These rules would’ve taken a hundred-plus lines of code to capture in other systems. With GSL, it’s less than a hundred characters. This simplicity and expressive power of GSL also means that there are no “lost in translation” errors where business logic and governance is not accurately captured by the underlying policies. GSL speeds up policy creation and minimizes errors.

  1. In multi-cloud environments, the Dome9 Compliance Engine with GSL can be used to specify custom rules for AWS and Azure environments in a single location using a common framework.

Figure 3: Dome9 Compliance Engine with GSL


The Compliance Engine with GSL for custom rules was created to address requests from Dome9 customers who were looking for automated compliance and governance management within the Dome9 platform. Organizations can now bring an unprecedented level of automation and one-click repeatability into the way they manage compliance and governance in their public cloud environments.

These capabilities are available today to all Dome9 customers. If you are a customer, log into your Dome9 account and give the Compliance Engine a try, and let us know what you think. If you’re interested in learning more about the Dome9 Arc platform and pricing, drop us a note or reach out to schedule a demo.

The Compliance Engine is the foundation on which we are building continuous compliance monitoring, governance and remediation capabilities. Stay tuned for exciting updates from Dome9!

Dome9 will be at RSA this year (booth #4429, North Hall), and we have a lot of exciting activities planned. If you’re at the show, swing by and check out new product demos. You can also sign up for a meeting with the exec team.