Compliance report

IMPORTANT:
The previous Clumio Compliance report only checked if an asset was successfully backed up per the protection policy attached to it. An asset was ‘In compliance’ if backups were successful and ‘Out of compliance’ if it experienced one or more backup failures or a backup exceeded the backup window once in the last 7 days.

Backup status information is now available as a separate indicator on the AWS Inventory page and the M365 dashboard.
The old Compliance report status corresponded to the Compliance status column on the inventory page for an asset (EC2, EBS, RDS, S3, etc.). The Compliance status column combined whether an asset was in compliance with its attached policy, whether the asset had a policy attached at all, and whether that policy was activated or deactivated. The old Compliance report will be retired shortly, and customers who want to retain any previously generated reports should download them.


Use Clumio’s new Compliance Report to evaluate whether your asset backup and retention policy implementation meets compliance requirements. You define your compliance requirements using controls. A control is a procedure designed to audit compliance with a backup requirement, for example backup frequency or backup retention period. You can define one or more controls to evaluate compliance.

The report currently provides the following controls:

  • Policy control: Evaluates whether a policy has minimum backup and retention periods.
  • Asset control (Policy coverage): Evaluates whether selected assets are covered by a backup policy.
  • Asset control (Recoverability): Evaluates whether there are available recovery points (backups) with the required duration (backup retention) for the specified compliance window (look back period).

Your backup policies and assets are audited against these controls.

In addition to the controls, you can further filter the items selected for evaluation. You can filter to:

  • select policies and assets from a specific organizational unit (OU)
  • select asset type(s) and evaluate policies for the selected asset type(s)

For example, if a policy is under OU1 and contains multiple asset types, and you select OU1 + S3, the controls evaluate only S3 policies under OU1.

You can also select additional filters to apply the controls to assets in specific accounts and optionally regions, and to assets with specific tags.

To create the new compliance report, you first need to create a report plan in which you define your compliance requirements using controls and specify a schedule. After you have saved your report plan, you can generate an on-demand report based on the plan you just created.

An item is in compliance with a control only if all conditions for the control are met. For example, if you define an Asset control for policy coverage and another Asset control for recoverability, the items you select to be evaluated may show up as fully compliant for the policy coverage control but non-compliant for the recoverability control.

If you have data that needs to be backed up every day and retained for 5 weeks, you can define controls as follows:

  • Policy control: If policies have a minimum backup frequency of 1 day(s) and backup retention is at least 5 weeks.
  • Asset control (policy coverage): If a set of assets is protected by a backup policy (treat deactivated policy as non-compliant)
  • Asset control (recoverability): If a set of assets is backed up every 1 day(s) and retained for 5 weeks evaluated over the course of the last 30 days.

Additionally, you can set the organizational unit filter to a child OU and set the asset type filter to EBS volumes and RDS assets.

In this case, Clumio evaluates:

  • if the selected policies in OU1 are set to back up the selected asset types (EBS and RDS in our example) every day and retain them for 5 weeks to conform to the policy control settings.
  • if the selected assets are covered by an active protection policy.
  • if the selected assets are backed up every day and retained for at least 5 weeks over the last 30 days.

Note:

The backup frequency and look back period always use the same unit of time. For example, if the backup frequency is defined in days, the look back period is also defined in days; if the backup frequency is defined in weeks, the look back period is also defined in weeks.

  • The look back period must be a multiple of the backup frequency.
  • The look back period and retention period must be longer than the backup frequency period.
  • The look back period (30 days in the example) must be shorter than the retention period to ensure that backups are still available. If the look back period is longer than the retention period, you may not find any backups, because they will have expired once the retention period is complete.
  • To view the details about the look back period, hover over the unit of time.
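
The rules in the note above and the recoverability control from the example (backup every 1 day, retain 5 weeks, look back 30 days), as an added Python sketch that is not Clumio code. The per-interval evaluation is an assumed model of the control, and the function names, unit conversion and sample backups are constructed for illustration.

```python
from datetime import datetime, timedelta

UNIT_DAYS = {"days": 1, "weeks": 7}  # unit conversion assumed for this sketch

def validate_settings(freq, freq_unit, lookback, lookback_unit, retention, retention_unit):
    """Return the rules from the note that the settings violate (empty list = valid)."""
    f, l, r = (n * UNIT_DAYS[u] for n, u in
               ((freq, freq_unit), (lookback, lookback_unit), (retention, retention_unit)))
    errors = []
    if freq_unit != lookback_unit:
        errors.append("look back period and backup frequency must use the same unit")
    if l % f:
        errors.append("look back period must be a multiple of the backup frequency")
    if l <= f or r <= f:
        errors.append("look back and retention periods must be longer than the backup frequency")
    if l >= r:
        errors.append("look back period must be shorter than the retention period")
    return errors

def missing_intervals(backups, now, freq_days, lookback_days, retention_days):
    """Assumed model: every frequency-sized interval of the look back window needs a
    recovery point that is still available and is retained for the required duration.
    backups: list of (taken_at, expires_at). Returns start times of failing intervals."""
    start = now - timedelta(days=lookback_days)
    need = timedelta(days=retention_days)
    missing = []
    for i in range(lookback_days // freq_days):
        lo = start + timedelta(days=i * freq_days)
        hi = lo + timedelta(days=freq_days)
        if not any(lo <= taken < hi and exp > now and exp - taken >= need
                   for taken, exp in backups):
            missing.append(lo)
    return missing

def sample_backups(now):
    """Constructed data: daily backups for 30 days; day 10 failed, day 20 kept only 7 days."""
    start = now - timedelta(days=30)
    out = []
    for d in range(30):
        if d == 10:
            continue
        taken = start + timedelta(days=d, hours=2)
        out.append((taken, taken + timedelta(days=7 if d == 20 else 35)))
    return out

if __name__ == "__main__":
    now = datetime(2024, 6, 30)
    print(validate_settings(1, "days", 30, "days", 5, "weeks"))
    for gap in missing_intervals(sample_backups(now), now, 1, 30, 35):
        print("non-compliant interval starting", gap.date())
```

An asset in this model is compliant with the recoverability control only when `missing_intervals` returns an empty list, which mirrors the rule that all conditions of a control must be met.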

Create a Compliance report plan

Report plans are only stored for 30 days.

  1. On the Reports > Compliance page, click Create report plan. The Create Compliance report plan wizard displays.
  2. Type a name for the report and an optional description.
  3. Define a report schedule by selecting the report generation frequency and the time at which the report should be generated.
  4. Select the notification check box if you want to email the report. Type the recipient’s email address. Separate multiple email addresses with a space. Click Next.
  5. On the Compliance controls screen, all three controls are selected by default. You can choose to use all the controls, just one control, or a combination of controls per your requirements.
    When selecting policy control settings, keep in mind the asset types you want this control to evaluate: different assets have different backup and retention frequencies.
    When selecting asset control recoverability settings, the look back period must be shorter than the retention period to ensure that backups are available.
    Click Next.
  6. On the Items to evaluate screen, optionally select the OU and/or asset type filters to further refine asset or policy selection. Click Next.
  7. Review and then confirm or edit your selections on the Review and create screen. Click Create.
  8. A confirmation dialog displays. Click Generate report to create a report immediately, or Done to finish the report plan creation.

A report is generated per the schedule you defined.

Create an on-demand Compliance report plan

You can also generate an on-demand report plan.

  1. On the Reports > Compliance page, click Create report plan. The Create Compliance report plan wizard displays.
  2. Type a name for the report and an optional description.
  3. Select On-demand from the Report schedule options to generate a one-time report.
  4. Select the notification check box if you want to email the report. Type the recipient’s email address. Separate multiple email addresses with a space. Click Next.
  5. On the Compliance controls screen, all three controls are selected by default. You can choose to use all the controls, just one control, or a combination of controls per your requirements.
    When selecting policy control settings, keep in mind the asset types you want this control to evaluate: different assets have different backup and retention frequencies.
    When selecting asset control recoverability settings, the look back period must be shorter than the retention period to ensure that backups are available.
    Click Next.
  6. On the Items to evaluate screen, optionally select the OU and/or asset type filters to further refine asset and policy selection. Click Next.
  7. Review and then confirm or edit your selections on the Review and create screen. Click Create.
  8. A confirmation dialog displays. Click Generate report to create a report immediately, or Done to finish the report plan creation.

Generate an on-demand report from an existing report plan

  1. On the Compliance report page, select the Action column in the row that contains the report plan you want to generate immediately and click the Create on-demand report option.
    Or click the name of the report for which you want to generate an on-demand report and click Create on-demand report.
  2. On the Create on-demand report screen that displays, optionally edit the report name. The default name is the report name with a timestamp appended.
    Click Create.
  3. To view an on-demand report generated from an existing report plan, click the report plan name. This displays the report plan details page where you can find the on-demand report you generated from the plan.

Compliance report actions

You can edit, duplicate, or delete the report plan from the options available in the Actions column of the table on the Compliance report page.
You can also find action options on the individual report plan pages. Click a report plan name from the table on the Compliance report page. A page with a detailed view of the report plan displays. You can download, email, or delete the report plan from the options available in the Actions column of the table.

When you delete a report plan, all reports generated based on that report plan are also deleted.