Feature Release 19.1: GCP Billing Visibility and More

DivvyCloud is a way to deploy policy, minimize blast radius and give developers the freedom to operate within the guide rails of safety.

Thomas Martin

AppSec/API Security 2022

Head of Application Modernization, GE Digital

Feature Release: 19.1 – Event Driven Harvesting & Billing Visibility for GCP, Compliance Data Exporter, & More


We are excited to announce our first release of 2019! Collaboration with our customers and the broader community help shape our releases with improvements to core capabilities around discovery, analysis, and automated remediation of cloud and container infrastructure. Each release also includes several new features and support for the ever-expanding portfolio of services from the major cloud providers.

This release focuses on data and visibility, and we’ve introduced some fantastic capabilities including event-driven harvesting for Google Cloud, to deliver an additional layer of monitoring and improve our real-time automated remediation capabilities. Also in GCP, customers can retrieve the billing information for their Google Cloud footprint by interconnecting DivvyCloud with their billing bucket where that monthly data is stored. Our support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform has increased with more than 100 new filters, actions, and general enhancements, and finally, customers now can export compliance information from insight packs.



1. GCP Billing Visibility
DivvyCloud has added the ability to ingest billing information from Google Cloud. This makes it easy to analyze historical spend, but more importantly you can use this data to drive action inside the DivvyCloud platform. Each of the line items in your bill is a resource, which means you can use any line item to build an insight. For example, you might configure an alert if any member of your developer account(s) spends more than $500 in a given period, enabling proactive visibility when developers start experimenting with new and novel cloud services that might unintentionally run up your bill.

DivvyCloud GCP Billing Visibility

Cloud costs are operational expenditures as opposed to capital expenditures, so they should be treated like a utility bill. If you went on vacation for two weeks, you wouldn’t leave your lights or your television on the whole time because there would be huge, unwanted costs at the end of the month. The problem with cloud expenditure is, without visibility into your total cost you’re going to receive a bill at the end of the month without any sense of whether the expenditure is better or worse. More often than not, your bill is going to get worse.

Resource Filters: Cloud Service Cost

Many customers are concerned about developers experimenting with a new Google Cloud service that may be extremely expensive. All too often, a well-intentioned person starts up a service to experiment, gets distracted, forgets about the service, and a month later a massive bill comes due. These types of cost overruns are a nightmare scenario that we can now prevent in Google Cloud.


2. Data Exporter – Compliance Exporting
Our product effectively works with a lot of scanning of resources in the cloud, pervasively harvesting them down. We have a collection of approximately 250 native checks/policies and users are free to add their own. While the native checks refresh every hour to provide a snapshot of potential problems, several of our customers requested the ability to consume the data outside of the platform. For example, an organization may have a group of data scientists who want to digest the data, apply heuristics to it, and generate a specific type of report. DivvyCloud provides a big piece of that puzzle.

Insights Library

Customers can configure any of DivvyCloud’s compliance packs which focus on specific insights, instead of dealing with all 250. For example, by selecting the “(CIS) – Microsoft Azure” pack you can narrow the focus to 51 specific insights.

Customers can then export that to a designated AWS or GCP storage bucket using the credentials of an organization service account. The contents of the report provide low-level data mapping of resources to compliance issues. The content is intended for teams wanting to use the data for custom reports and integrations with external business intelligence and analytics tools. For more information, see Compliance Exporting.


3. Event-Driven Harvesting for GCP
In this release, we introduce event driven harvesting for GCP resources. Before this release we exclusively used an API-driven polling based approach to discover resources and monitor their configuration relative to policies. With the addition of event driven harvesting, we now offer a best in class dual layer approach for discovering and monitoring resources. Harvesting can now be triggered based upon events in your cloud, as opposed to solely relying on a polling based approach. This dual layer approach provides the best of both worlds – the full immutable discoverability of API harvesting with the speed and richness of event driven harvesting.

Imagine in every account you have, you have to make 30,000 API calls and even if an API call is less than a second (which it’s not), it would take about half a day to scan the data. That’s a daunting task. Most of our customers have 500+ clouds. Event-driven harvesting allows us to get the data much more intelligently in real-time.

Three Main Benefits of Event Driven Harvesting:

  • Fast Identification & Remediation of Issues with Key Resources – Faster identification, and reaction/remediation to change. In GCP you can identify changes within 2 seconds for key resources, allowing DivvyCloud to collect the information from this event stream. This approach speeds up our ability to identify a change, evaluate it against policy, and then take action to remediate policy violations.
  • Specific Data About Any Changes – Event driven harvesting provides rich contextual information and full visibility into who did what, where, and when. DivvyCloud can take the user name and make it a property in the system, which results in a fix in that system in perpetuity. Customers can now auto-tag resources, and if anything is wrong, the data will point to a specific, impacted individual. This helps enrich the data we have with the user.
  • Audit Global Changes Via Event Stream – Imagine you have 300+ projects. Using DivvyCloud badges you could ask the system to: “show me all production changes,” and then across all of your projects that are badge production, get a full, uniform feed of all production changes.


4. Additional Cloud Support/Enhancements

  • Amazon Web Services
    • Support for DocumentDB
    • Support for Neptune
    • Support for Secrets Manager
    • Support for FSx
  • Google Cloud Platform
    • Support for BigQuery
    • Support for Billing
    • Support for Load Balancing
  • Microsoft Azure
    • Capture Azure Key Vault information for Storage Accounts
    • Add visibility to the encryption configuration for Blob Storage

Interested in learning more? View the full release notes associated with our 19.1 release, or get your free trial and see our features in action.

DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

The post Feature Release 19.1: GCP Billing Visibility and More appeared first on DivvyCloud.

*** This is a Security Bloggers Network syndicated blog from DivvyCloud authored by David Mundy. Read the original post at: