Skip to main content

Compliance Gaps

Compliance gaps are defined as deficiencies in the security framework of your organization between fulfilled compliance requirements and outstanding remediation.

JupiterOne provides a compliance gaps table for a direct view into the gaps across your environment that impact your compliance posture. The gaps table offers immediate insights into all gaps, across all frameworks, accounts, and assets in your environment, removing the need to look at various separate gaps in each individual framework.

When working within a framework, you have compliance gaps when:

  • There is no external evidence (such as notes, links, file uploads) that you have completed a framework requirement.
  • There are J1QL question queries whose results show there is no evidence that a framework requirement is complete.

Accessing the Gaps table

By default, the gaps table is enabled in your environment, and if you have access to JupiterOne Compliance, you can view and interact with the gaps table.

If you do not have access to JupiterOne Compliance, you can have the gaps-only role, which provides access to the gaps table. JupiterOne administrator should add this role to an existing group, instead of creating a new group for gaps-only access. Gaps-only access enables you to perform open searches and queries for gaps without interacting with the rest of JupiterOne Compliance.

Filtering results

The gaps table displays all deficiencies and weaknesses within your environment, as well the total count of affected assets, enabling you to identify and address specific gaps. You can filter the gaps on one or more of the following:

  • Affected frameworks: displays only the frameworks within your environment that have deficiencies.
  • Integration accounts: accounts that are linked to the one with gaps.
  • AWS account ID: the AWS accounts in your environment with gaps.
  • Azure subscription ID: the Azure accounts in your environment with gaps.
  • GCP project ID: Google Cloud Platform accounts in your environment with gaps.

Find affected assets

The gaps view helps you identify affected assets so that you can take corrective action. For each gap, the affected assets are shown in the Gaps Detail tabs. There are two methods to finding all impacted assets:

Click Run query to see all assets that have gaps. The query opens the search page with the query prepopulated. If you apply all filters, such as affected frameworks or account IDs, they are included in the query. After the query loads, you can save the findings file to view all assets.

Export assets for a single gap. When, clicking in to a gap, you can select the affected entities tab to view all assets impacted by that gap. From this tab, click Download CSV to download the list of affected assets for the gap (such as approved software).

Viewing Gaps in the Graph

For a specific gap, you can view the gap and the associated problems in the JupiterOne graph. There are two options to open the graph. Running the gaps query from the main gaps table opens all gaps, from which you can drill down on certain gaps you want to open in the graph. Alternatively, you can open a single gap from the Gaps details by clicking View in Graph.

Gap analysis and queries

Each query in a saved question has a property to indicate whether the results from the query are good, bad, unknown, or informative. You can configure this property in the J1Query Language UI or via the JupiterOne API.

At the API level, this value is set with the resultsAre property. For example:

- id: managed-question-access-password-policy
title: Show me the current password policy and compliance status.
- name: Compliant policies
resultsAre: GOOD
query: |
Find PasswordPolicy with
minLength >= 8 and
requireLowercase = true and
requireUppercase = true and
requireSymbols = true and
maxAgeDays <= 90 and
historyCount >= 12
- name: Non-compliant policies
resultsAre: BAD
query: |
Find PasswordPolicy with
minLength < 8 or
requireLowercase != true or
requireUppercase != true or
requireSymbols != true or
maxAgeDays > 90 or
historyCount < 12

Gap Analysis Queries

Queries with the resultsAre property in a question that is mapped to a compliance requirement trigger automated gap analysis, as follows:

  • GOOD:

    Results from a "good" query indicates expected configuration is present.

    For example, a list of critical data stores that are encrypted.

    Find DataStore with classification='critical' and encrypted=true
  • BAD:

    Results from a "bad" query indicates gaps or misconfigurations.

    For example, a list of critical data stores that are not encrypted.

    Find DataStore with classification='critical' and encrypted!=true

    Results from an "unknown" query indicates resources with an unknown scope or state.

    For example, a list of data stores that do not have classification tags.

    Find DataStore with classification=undefined

INFORMATIVE queries are not used in compliance gap analysis. A question can have one or all of the above named queries.