ZCSPM

Release Upgrade Summary (2021)

This article provides a summary of all new features and enhancements for Zscaler Cloud Security Posture Management (ZCSPM), formerly known as Cloudneeti.


The following service updates were deployed to app.cloudneeti.com on the dates listed below.

December 20, 2021
  • Release Available
    • ZCSPM Security Policy Additions

      Security Policies & Benchmark Updates

      Added 10 new security policies for Amazon Web Services (AWS).

      Security Policy Category | Security Policy Title
      --- | ---
      AWS - Data Protection | Ensure that Amazon Backup vaults are using AWS CMKs for encryption of backup data
      AWS - Data Protection | Ensure data at rest encryption is enabled for AWS EFS file systems
      AWS - Data Protection | Ensure that encryption is done with KMS CMKs for each AWS Windows FSx
      AWS - Data Protection | Ensure that node-to-node encryption is enabled for AWS Elasticsearch Domain
      AWS - Data Protection | Ensure that data-at-rest encryption is enabled for AWS Elasticsearch Domain
      AWS - Data Protection | Ensure Amazon Kinesis Firehose delivery streams have Server-Side Encryption (SSE) enabled
      AWS - Data Protection | Ensure that in-transit encryption is enabled for AWS ElastiCache clusters
      AWS - Data Protection | Ensure that at-rest encryption is enabled for AWS ElastiCache clusters
      AWS - Data Protection | Ensure that Amazon Glue Data Catalogs enforce data-at-rest encryption using KMS CMKs
      AWS - Data Protection | Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted

November 22, 2021
  • Release Available
    • ZCSPM Viewer Roles and Enhancements

      New Features & Enhancements

      ZCSPM now offers two new user roles:

      • License Viewer: License Viewers can view all ZCSPM features and configurations for a license but cannot make any changes.
      • Account Viewer: Account Viewers can view all ZCSPM features and settings for a single cloud account but cannot make any changes.

      Security Policies & Benchmark Updates

      Added one new security policy for Amazon Web Services (AWS).

      Security Policy Category | Security Policy Title
      --- | ---
      AWS - Identity and Access Management | Ensure that there are no IAM users in the AWS account

November 01, 2021
  • Release Available
    • ZCSPM Release 3.16.0 Enhancements and Fixes

      Security Policies & Benchmark Updates

      Added 49 security policies for Google Cloud Platform across the following services:

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Compute (PaaS and Serverless) | Ensure that maximum instances in autoscaling is set for Cloud Functions
      GCP - Networking | Ensure that 'Route all traffic through the VPC connector' is enabled for the Cloud Functions

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Key Management | Ensure that Asymmetric Key is signed with RSA_SIGN_PSS_3072_SHA256 or EC_SIGN_P256_SHA256 algorithm
      GCP - Key Management | Ensure that Asymmetric Key is encrypted with RSA_DECRYPT_OAEP_3072_SHA256 algorithm

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Storage and Database | Ensure that maintenance window is set for Cloud SQL MySQL instance

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Data Analytics | Ensure that Cloud TPU Node is not created within default VPC
      GCP - Data Analytics | Ensure that Cloud TPU Node is not configured to use the default service account

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4505 (SaltStack Master)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4506 (SaltStack Master)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9090

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4505 (SaltStack Master)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4506 (SaltStack Master)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9090
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 636 (LDAP SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 27018 (Mongo Web Portal)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 139 (NetBios Session Service)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8140 (Puppet Master)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2383 (SQL Server Analysis Services)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9042 (Cassandra Client)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 7000 (Cassandra Internode Communication)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 1434 (MSSQL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 7199 (Cassandra Monitoring)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 61620 (Cassandra OpsCenter Monitoring)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8888 (Cassandra OpsCenter Website)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9160 (Cassandra Thrift)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2483 (Oracle DB)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 2483 (Oracle DB)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 1434 (MSSQL)

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Networking | Ensure that Internal UDP load balancers are not created within default VPC Network
      GCP - Networking | Ensure that Packet Mirroring is enabled for TCP load balancer
      GCP - Networking | Ensure that Internal HTTP(S) load balancer is not created within default VPC
      GCP - Networking | Ensure Packet Mirroring is enabled for Internal UDP load balancer Forwarding Rule
      GCP - Networking | Ensure that Internal TCP load balancers are not launched within default VPC
      GCP - Networking | Ensure that the regional HTTP(S) load balancer forwarding rule accepts only HTTPS traffic

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Networking | Ensure that the global HTTP(S) load balancer forwarding rule accepts only HTTPS traffic

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Data Analytics | Ensure that autoscaling enabled for Sole-tenant Node Group

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Networking | Ensure that global HTTP(S) load balancer target proxy is using QUIC protocol

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Data in Transit | Ensure that VPN tunnel is configured with IKEv2

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Data Analytics | Ensure that 'Delete on a fixed time schedule' is enabled for Dataproc Cluster
      GCP - Data Analytics | Ensure that 'Delete after a cluster idle time period without submitted jobs' is selected for Dataproc Cluster
      GCP - Data Analytics | Ensure that Secure Multi Tenancy is enabled for Dataproc Cluster

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Kubernetes and Container | Ensure that Alpha clusters are not used for production workloads
      GCP - Kubernetes and Container | Ensure that Workload Identity is enabled on Kubernetes Engine Clusters
      GCP - Kubernetes and Container | Ensure to automate GKE version management using Release Channels on Kubernetes Engine Clusters
      GCP - Kubernetes and Container | Ensure that Binary Authorization is enabled on the Kubernetes Engine Clusters
      GCP - Kubernetes and Container | Consider GKE Sandbox for running untrusted workloads
      GCP - Kubernetes and Container | Ensure the GKE Metadata Server is Enabled

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Networking | Ensure that Redis instance uses private services access using a dedicated VPC network

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Business Continuity | Ensure that replication policy for Secrets is set to Automatic

      Added the Cloud Security Alliance's Cloud Controls Matrix (CCM) benchmark for all cloud service providers.

October 04, 2021
  • Release Available
    • ZCSPM Release 3.15.0 Enhancements and Fixes

      New Features & Enhancements

      • Custom Security Policies Enhancement: You can now map a custom security policy to any compliance benchmark, including private benchmarks. To learn more, see Creating Custom Policies.
      • Cloud Accounts Enhancement: You can now delete a cloud account from your ZCSPM License. To learn more, see About Cloud Accounts.
      • ZCSPM now supports version 2.2 of the Kubernetes agents for all cloud service providers. To learn how to upgrade your agent, see Configuring the ZCSPM Agent for Google Kubernetes Engine.

      Security Policies & Benchmark Updates

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Compute | Ensure that static contents are cached for Backend Bucket
      GCP - Compute | Ensure that 'stale content' serving is set to 1 day period for Backend Bucket
      GCP - Compute | Ensure that security patches for Red Hat Enterprise Linux (RHEL) and CentOS are configured in Patch Deployment
      GCP - Compute | Ensure that security patches for Windows are configured in Patch Deployment
      GCP - Compute | Ensure that reboot is enabled for OS Patch Deployment
      GCP - Compute | Ensure that security patches for SUSE Linux Enterprise Server (SLES) are configured in Patch Deployment
      GCP - Compute | Ensure that HTTPS Target Proxy is configured with Google-managed SSL certificate
      GCP - Compute | Ensure that SSL Target Proxy is configured with Google-managed SSL certificate
      GCP - Compute | Ensure that Health Checks for autohealing in managed instance groups have unhealthy-threshold value more than 1
      GCP - Compute | Ensure that regional forwarding rule is created with reserved IP address
      GCP - Compute | Ensure that global forwarding rule is created with reserved IP address
      GCP - Compute | Ensure no HTTPS proxy load balancers permit SSL policies with weak cipher suites
      GCP - Compute | Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
      GCP - Compute (PaaS and Serverless) | Ensure that Secret is used for Cloud Run Revisions
      GCP - Compute (PaaS and Serverless) | Ensure that Boot disk for Instance Templates are encrypted with Customer-Managed Encryption Keys
      GCP - Compute (PaaS and Serverless) | Ensure that Instance Templates are not configured to use the default service account
      GCP - Data Analytics | Ensure that Component Gateway is enabled for Dataproc Clusters
      GCP - Data Analytics | Ensure that Dataproc Clusters have minimum 1TB storage capacity for PD-Standard without local SSDs
      GCP - Data in Transit | Ensure that Instance Templates have Confidential Computing enabled
      GCP - Governance | Ensure that Cloud PubSub Topics are allowed to store messages in any region
      GCP - Identity and Access Management | Ensure that Forest trust type is used when creating a relationship trust with Active Directory
      GCP - Identity and Access Management | Ensure that Selective authentication is enabled on outbound trusts in the resource forest of Active Directory
      GCP - Identity and Access Management | Ensure that Managed Service for Microsoft Active Directory Domain is not launched within default VPC Network
      GCP - Kubernetes and Container | Ensure legacy Compute Engine instance metadata APIs are Disabled
      GCP - Kubernetes and Container | Enable VPC Flow Logs and Intranode Visibility
      GCP - Kubernetes and Container | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
      GCP - Kubernetes and Container | Ensure authentication using Client Certificates is Disabled
      GCP - Kubernetes and Container | Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS
      GCP - Kubernetes and Container | Ensure Secure Boot for Shielded GKE Nodes is Enabled
      GCP - Kubernetes and Container | Ensure Shielded GKE Nodes are Enabled
      GCP - Logging and Monitoring | Ensure that Query Insights are enabled for Cloud SQL PostgreSQL instance
      GCP - Logging and Monitoring | Ensure that 'pgaudit.log_catalog' database flag for Cloud SQL PostgreSQL instance is set to 'off'
      GCP - Logging and Monitoring | Ensure that 'Store client IP addresses' is enabled for Cloud SQL PostgreSQL instance
      GCP - Logging and Monitoring | Ensure that 'Store application tags' is enabled for Cloud SQL PostgreSQL instance
      GCP - Networking | Ensure that 'Allow internal traffic and traffic from Cloud Load Balancing' is selected for Cloud Function
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to port 9300 (Elasticsearch)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 389 (LDAP)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 11211 (Memcached)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 11211 (Memcached)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 6379 (Redis)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 11214 (Memcached SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 11214 (Memcached SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 11215 (Memcached SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 11215 (Memcached SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 137 (NetBIOS)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 138 (NetBIOS Datagram Service)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 139 (NetBios Session Service)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2484 (Oracle DB SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 2484 (Oracle DB SSL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 5432 (PostgreSQL)
      GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2382 (SQL Server Analysis Service browser)

      Security Policy Title
      ---
      Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

      Security Policy Category | Security Policy Title
      --- | ---
      M365 - Identity | Ensure Security Defaults is disabled on Azure Active Directory
      M365 - Identity | Ensure that collaboration invitations are sent to allowed domains only
      M365 - Identity | Ensure that 'Expiration' settings are configured for temporary groups
      M365 - Identity | Ensure that LinkedIn contact synchronization is disabled
      M365 - Application Permissions | Ensure user consent to apps accessing company data on their behalf is not allowed
      M365 - Application Permissions | Ensure the admin consent workflow is enabled
      M365 - Application Permissions | Ensure users installing Outlook add-ins is not allowed
      M365 - Application Permissions | Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed
      M365 - Application Permissions | Ensure internal phishing protection for Forms is enabled
      M365 - Application Permissions | Ensure that Sways cannot be shared with people outside of your organization
      M365 - Email Security / Exchange Online | Ensure automatic forwarding options are disabled

September 06, 2021
  • Release Available
    • ZCSPM Release 3.14.0 Enhancements and Fixes

      New Features and Enhancements

      • ServiceNow Incident Management Enhancement: ZCSPM now sends the cloud account name and ID when creating ServiceNow tickets.
      • SAML based Single-Sign-On (SSO) Enhancement: ZCSPM now supports updating roles for existing ZCSPM users via Just in Time (JIT) provisioning.
      • Custom Security Policies Enhancement: You can now delete custom security policies for all cloud service providers.
      • End User Subscription Agreement (EUSA): ZCSPM now requires you to accept the EUSA before activating a ZCSPM license. 
      • SIEM Integration with Splunk: You can now configure ZCSPM to send asset metadata for all failed assets or high risk failed assets to Splunk.

      Security Policy & Benchmark Updates

      Security Policy Category | Security Policy Title
      --- | ---
      Azure - Compute (IaaS) | Ensure that VHD's are encrypted
      Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for Web app
      Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for Function app
      Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for API app
      Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for Mobile app
      Azure - Compute (PaaS and Serverless) | Ensure that '.Net Framework' version is the latest, if used as a part of the web app
      Azure - Compute (PaaS and Serverless) | Ensure that 'PHP version' is the latest, if used to run the web app
      Azure - Compute (PaaS and Serverless) | Ensure that 'Python version' is the latest, if used to run the web app
      Azure - Compute (PaaS and Serverless) | Ensure that 'Java version' is the latest, if used to run the web app
      Azure - Compute (PaaS and Serverless) | Ensure Azure Keyvaults are used to store secrets
      Azure - Identity and Access | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'
      Azure - Identity and Access | Ensure Security Defaults is enabled on Azure Active Directory
      Azure - Identity and Access | Ensure Custom Role is assigned for Administering Resource Locks
      Azure - Identity and Access | Ensure that multi-factor authentication is enabled for all non-privileged users
      Azure - Identity and Access | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'
      Azure - Logging and Auditing | Ensure Diagnostic Setting captures appropriate categories
      Azure - Logging and Auditing | Ensure that Activity Log Alert exists for Delete Policy Assignment
      Azure - Networking | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
      Azure - Networking | Ensure that UDP Services are restricted from the Internet
      Azure - Security Center | Ensure that Azure Defender is set to On for Servers
      Azure - Security Center | Ensure that Azure Defender is set to On for App Service
      Azure - Security Center | Ensure that Azure Defender is set to On for Azure SQL database servers
      Azure - Security Center | Ensure that Azure Defender is set to On for Storage
      Azure - Security Center | Ensure that Azure Defender is set to On for Kubernetes
      Azure - Security Center | Ensure that Azure Defender is set to On for Key Vault
      Azure - Security Center | Ensure that Azure Defender is set to On for SQL servers on machines
      Azure - Security Center | Ensure that Azure Defender is set to On for Container Registries
      Azure - Security Center | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
      Azure - Security Center | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
      Azure - Security Center | Ensure any of the ASC Default policy setting is not set to "Disabled"
      Azure - Storage and Databases | Ensure that ADS - Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
      Azure - Storage and Databases | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
      Azure - Storage and Databases | Ensure soft delete is enabled for Azure Storage
      Azure - Storage and Databases | Ensure storage for critical data are encrypted with Customer Managed Key
      Azure - Storage and Databases | Ensure Storage logging is enabled for Table service for read, write, and delete requests
      Azure - Storage and Databases | Ensure Storage logging is enabled for Blob service for read, write, and delete requests

      Security Policy Category | Security Policy Title
      --- | ---
      GCP - Compute | Ensure that Restricted profile is selected for SSL Policy
      GCP - Compute | Ensure that the latest TLS version is in use for SSL Policy
      GCP - Compute | Ensure that Health Check is configured for Target Pool
      GCP - Compute | Ensure that 'session affinity' is configured for Target Pool
      GCP - Compute | Ensure that Compute Disks are attached with 'Snapshot Schedule' for automated backups
      GCP - Compute (PaaS and Serverless) | Ensure that 'Require HTTPS' is selected for HTTP Cloud Functions
      GCP - Compute (PaaS and Serverless) | Ensure that Cloud Run Service uses Customer-managed encryption key (CMEK) for encryption
      GCP - Compute (PaaS and Serverless) | Ensure that HTTP/2 connections for cloud run revision is enabled
      GCP - Compute (PaaS and Serverless) | Ensure that 'Verify container deployment with Binary Authorization' configuration is enabled for Cloud Run Service
      GCP - Compute (PaaS and Serverless) | Ensure that ingress setting is not set to 'Allow all traffic' for Cloud Run Service
      GCP - Data Analytics | Ensure that Dataproc Cluster Nodes have Shielded VM enabled
      GCP - Data Analytics | Ensure that OS Login is enabled while creating a Dataproc cluster
      GCP - Data Analytics | Ensure that Kerberos and Hadoop Secure Mode for a cluster are enabled
      GCP - Data Analytics | Ensure that "Personal Cluster Authentication" for Dataproc cluster should be enabled
      GCP - Data Analytics | Ensure that Dataproc Clusters are not configured to use the default service account with full access to all Cloud APIs
      GCP - Data in Transit | Ensure that in-transit encryption is enabled for Redis instance
      GCP - Governance | Ensure that 'Disable Source Code Download' constraint is set to enforce
      GCP - Governance | Ensure that 'Require VPC Connector (Cloud Functions)' constraint is set to enforce
      GCP - Governance | Ensure that 'Disable Guest Attributes of Compute Engine metadata' constraint is set to enforce
      GCP - Governance | Ensure that 'Disable Internet Network Endpoint Groups' constraint is set to enforce
      GCP - Governance | Ensure that 'Disable VM nested virtualization' constraint is set to enforce
      GCP - Governance | Ensure that 'Skip default network creation' constraint is set to enforce
      GCP - Governance | Ensure that 'Disable Cloud Logging' constraint is set to enforce
      GCP - Governance | Ensure that 'Disable Workload Identity Cluster Creation' constraint is set to enforce
      GCP - Governance | Ensure that 'Restrict shared VPC project lien removal' constraint is set to enforce
      GCP - Governance | Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' constraint is set to enforce
      GCP - Governance | Ensure that 'Google Cloud Platform - Detailed Audit Logging Mode' constraint is set to enforce
      GCP - Governance | Ensure that 'Enforce uniform bucket-level access' constraint is set to enforce
      GCP - Identity and Access Management | Ensure that editor role is not assigned to Compute Engine Default Service Account
      GCP - Identity and Access Management | Ensure that editor role is not assigned to App Engine Default Service Account
      GCP - Identity and Access Management | Ensure that Cloud Functions Invoker role is not assigned to 'allUsers' for Cloud Function
      GCP - Identity and Access Management | Ensure that Cloud Functions Viewer role is not assigned to 'allUsers' for Cloud Function
      GCP - Identity and Access Management | Ensure that Cloud Functions Developer role is not assigned to 'allUsers' for Cloud Function
      GCP - Identity and Access Management | Ensure that Cloud Functions Admin role is not assigned to 'allUsers' for Cloud Function
      GCP - Networking | Ensure that default VPC Network is not in use for Memorystore Memcached Instance
      GCP - Networking | Ensure that 'Allow internal traffic and traffic from Cloud Load Balancing' configuration is enabled for Cloud Run Service
      GCP - Storage and Database | Ensure that 'Automatically distribute' or multiple zones are selected for Memorystore Memcached Instance
      GCP - Storage and Database | Ensure that 'track_sizes' configuration for Memorystore Memcached Instance is set to 'false'
      GCP - Storage and Database | Ensure that 'maxconns_fast' configuration for Memorystore Memcached Instance is set to 'false'
      GCP - Storage and Database | Ensure that Standard Tier is selected for Redis instance
      GCP - Storage and Database | Ensure that Enable AUTH is check marked for Redis instance

      Security Policy Category | Security Policy Title
      --- | ---
      M365 - Account / Authentication | Ensure enable sign out inactive users
      M365 - Application Permissions | Ensure control access to SharePoint Online and OneDrive data based on network location
      M365 - Application Permissions | Set default link permission to view-only when users get links for sharing at the site level
      M365 - Application Permissions | Set default link permission to view-only when users get links for sharing
      M365 - Application Permissions | Ensure set default link type to Internal when users get links for sharing at Organization level
      M365 - Application Permissions | Ensure default link permission to view-only when users get links for sharing
      M365 - Application Permissions | Ensure set default link type to Internal when users get links for sharing at Site level
      M365 - Application Permissions | Permission to add and customize pages should be denied to all sites
      M365 - Data | Sharing in SharePoint and OneDrive should be restricted at the tenant level to specific domains
      M365 - Data | Ensure sharing in SharePoint and OneDrive should be restricted at the site level to specific domains
      M365 - Data | Option to edit, copy, and paste files outside the browser for documents should be disabled at the tenant level
      M365 - Data | Option to edit, copy, and paste files outside the browser for documents should be disabled at the site level

      Added the following benchmarks for Microsoft Azure:

      • Center for Internet Security Microsoft Azure Foundations Benchmark v1.2.0
      • Center for Internet Security Microsoft Azure Foundations Benchmark v1.3.1

August 02, 2021
  • Release Available
    • ZCSPM Release 3.13.0 Enhancements and Fixes

      New Features and Enhancements

      • Cloud Identity Dashboard: You can now view all identities which are entitled to access to your cloud assets and services.
      • Asset Details enhancement: You can now view an access graph for an asset. The access graph displays all identities which have access to a specific asset and the path taken by the identity to access the asset. To learn more, see About Asset Details.
      • SAML based Single-Sign-On (SSO) enhancements:
        • IdP initiated SAML based SSO: ZCSPM now supports Identity Provider (IdP) initiated SAML based SSO. A guest user in your organization can now access ZCSPM once they are provisioned. To learn more, see About SAML.
        • Just in Time (JIT) user provisioning: ZCSPM now supports JIT user provisioning to automatically retrieve user information such as first name or role name from the SAML response. To learn more, see Configuring SAML.
        • IdP certificate expiry email notification: ZCSPM will now send out an email notification 15 days before your IdP certificate expires on ZCSPM.
      • GCP organization auto-sync: ZCSPM will now automatically onboard new projects added to your GCP organization.
      • Determine GCP resources in your organization: You can now estimate the number of resources in your GCP organization which are protected by ZCSPM. To learn more, see Estimating Assets Count.
      • ZCSPM will now scan for the most recent 40,000 EBS snapshots for configuration metadata collection.

      Security Policy & Benchmark Updates

      • Security Policy Category Security Policy Title
        AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 5500 (VNC Listener)
        AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 5900 (VNC Server)
        AWS - Identity and Access Management Ensure there are no IAM users with full administrator permissions within your AWS account
        AWS - Identity and Access Management Ensure that the AWS Account does not have a single IAM Admin
        AWS - Identity and Access Management Ensure that custom IAM policies grant least privileges on the AWS Account
        AWS - Identity and Access Management Ensure credentials unused for 45 days or greater are disabled
        AWS - Networking Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (SSH Port: 22)
        AWS - Networking Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (RDP Port: 3389)
        AWS - Monitoring Ensure a log metric filter and alarm exists for AWS Organizations changes
        Close
      • Old Security Policy Title New Security Policy Title
        Ensure that data-tier security group(s) are configured for RDS Aurora Clusters Ensure that default security group(s) are not configured for RDS Aurora Clusters
        Ensure that data-tier security group(s) are configured for RDS Aurora SQL Instances Ensure that default security group(s) are not configured for RDS Aurora SQL Instances
        Ensure that data-tier security group(s) are configured for RDS Aurora MySQL Serverless Clusters Ensure that default security group(s) are not configured for RDS Aurora MySQL Serverless Clusters
        Ensure that data-tier security group(s) are configured for RDS Aurora PostgreSQL Serverless Clusters Ensure that default security group(s) are not configured for RDS Aurora PostgreSQL Serverless Clusters
        Ensure that data-tier security group(s) are configured for RDS MariaDB Instances Ensure that default security group(s) are not configured for RDS MariaDB Instances
        Ensure that data-tier security group(s) are configured for RDS MySQL Instances Ensure that default security group(s) are not configured for RDS MySQL Instances
        Ensure that data-tier security group(s) are configured for RDS Oracle Instances Ensure that default security group(s) are not configured for RDS Oracle Instances
        Ensure that data-tier security group(s) are configured for RDS PostgreSQL Instances Ensure that default security group(s) are not configured for RDS PostgreSQL Instances
        Ensure that data-tier security group(s) are configured for RDS SQL Server Instances Ensure that default security group(s) are not configured for RDS SQL Server Instances
        Ensure there are no running AWS EC2 instances older than 180 days available within your AWS account Ensure there are no running AWS EC2 instances older than 30 days available within your AWS account
      • Security Policy Category Security Policy Service Security Policy Title
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to HTTPS (TCP:443) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to HTTP (TCP:80) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to CIFS (TCP:445) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to DNS (TCP:53) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to FTP (TCP:21) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to RPC (TCP:135) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to VNCListener (TCP:5500) is restricted from the public internet on NSG's
        Azure - Networking Virtual Network (VNET) Ensure that ingress traffic to VNCServer (TCP:5900) is restricted from the public internet on NSG's
        Azure - Security Center Azure Security Center (ASC) Ensure that Java version is the latest if used as a part of API App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that Java version is the latest if used as a part of Function App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that Java version is the latest if used as a part of Web App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that PHP version is the latest if used as a part of API App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that PHP version is the latest if used as a part of Web App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that Python version is the latest if used as a part of API App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that Python version is the latest if used as a part of Function App is enabled in ASC
        Azure - Security Center Azure Security Center (ASC) Ensure that Python version is the latest if used as a part of Web App is enabled in ASC
      • Security Policy Category Security Policy Service Security Policy Title
        GCP - Compute Cloud OS Config Ensure that OS Patch Deployment configured with a recurring schedule
        GCP - Compute Cloud OS Config Ensure that OS Patch Deployment not targeted to all VMs
        GCP - Business Continuity CloudSQL Ensure that Cloud SQL Mysql instances have 'point-in-time recovery' enabled
        GCP - Business Continuity CloudSQL Ensure that Cloud SQL PostgreSQL instances have 'point-in-time recovery' enabled
        GCP - Logging and Monitoring CloudSQL Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
        GCP - Business Continuity Compute Engine - Disk Ensure that "Enable regional disk replication" feature is enabled for Compute Disk
        GCP - Networking Compute Engine - Firewall Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses
        GCP - Logging and Monitoring Compute Engine - Health Check Ensure that Cloud Logging is enabled for Compute Health Check
        GCP - Data in Transit Compute Engine - Instance Ensure that Compute instances have Confidential Computing enabled
        GCP - Compute Compute Engine - Instance Group Ensure that Instance Groups have 'Scale In Controls' enabled
        GCP - Data Analytics Compute Engine - TargetVpn Gateway Ensure that Classic VPN Gateway is not created within a default VPC Network
        GCP - Data Analytics Compute Engine - Vpn Gateway Ensure that High-availability VPN Gateway is not created within default VPC Network
        GCP - Networking DataFusion Ensure that Data Fusion Instances are not using default Dataproc service account
        GCP - Data Analytics DataFusion Ensure that Data Fusion Instances are not launched within default VPC Network
        GCP - Storage and Database DataFusion Ensure that Data Fusion Instances do not have public IP addresses.
        GCP - Logging and Monitoring DNS Ensure that Cloud DNS logging is enabled for all VPC networks
      • Security Policy Category Security Policy Title
        M365 - Application Permissions Ensure BCC of external sharing invitations is enabled
        M365 - Application Permissions Ensure company-wide link sharing are disabled
        M365 - Application Permissions Ensure external services in SharePoint Online is disabled
        M365 - Application Permissions Ensure ShowAllUsersClaim to restrict users from broadly sharing within the organisation and to users with previously accepted sharing invitations is disabled
        M365 - Application Permissions Ensure disable ShowEveryoneClaim to restrict users from broadly sharing within the organisation and to external users
        M365 - Application Permissions Ensure disable ShowEveryoneExceptExternalUsersClaim to restrict users from broadly sharing within the organization
        M365 - Application Permissions Ensure users from downloading files that are detected as malicious is disabled
        M365 - Application Permissions Enable notifications in SharePoint Online.
        M365 - Application Permissions Enforce only OneDrive for Business owner for sharing.
        M365 - Application Permissions Ensure Limit access to SharePoint and OneDrive content at Organization level.
        M365 - Application Permissions Notify OneDrive for Business owner about anonymous access link creation or change
        M365 - Application Permissions Ensure anonymous links to expire after some days is enabled
      • Cloud Service Provider Benchmark Title
        AWS Center for Internet Security AWS Foundations Benchmark v1.4.0, Center for Internet Security Kubernetes Benchmark [for EKS and EC2 Instance Hosted clusters] v1.6.1
        Microsoft Azure Center for Internet Security Kubernetes Benchmark [for AKS, VM Hosted and AKS-Engine clusters] v1.6.1
        GCP Center for Internet Security Google Cloud Platform Foundation Benchmark v1.2.0, Center for Internet Security Kubernetes Benchmark [for GKE] v1.6.1
June 28, 2021
  • Release Available
    • ZCSPM Release 3.12.0 Enhancements and Fixes

      New Features & Enhancements

      ZCSPM Access Enhancements

      • Zscaler Login: You can now log in to the ZCSPM Admin Portal using your Zscaler login credentials. To learn more, see Accessing ZCSPM.
      • SAML based Single Sign-On (SSO): ZCSPM now supports Service Provider (SP) initiated SAML based SSO. To learn how to configure SAML for your organization, see Configuring SAML.

      Security Policy & Benchmark Updates

        • Security Policy Category Security Policy Title
          AWS - Identity and Access Management Ensure that conditions for IAM role are in place to define how and when trusted entities can assume the role
          AWS - Identity and Access Management Ensure that there are no IAM roles in the account with Admin privileges
        • Security Policy Category Security Policy Title
          AWS - Identity and Access Management Ensure that IAM Access Analyzer is enabled and active
        • Security Policy Category Security Policy Title
          AWS - Compute Ensure that all EC2 instances in the AWS account are using Instance Metadata Service Version 2
        • Security Policy Category Security Policy Title
          Azure - Identity and Access Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
        • Security Policy Category Security Policy Title
          Azure - Compute (IaaS) Ensure there are no running Azure Virtual Machine older than 30 days available within your Azure Subscription
        • Security Policy Category Security Policy Title
          GCP - Storage and Database Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
        • Security Policy Category Security Policy Title
          GCP - Azure - Key Management Ensure that primary key version should be enabled for Symmetric Key
        • Security Policy Category Security Policy Title
          GCP - Identity and Access Management Ensure that Cloud Spanner Database is encrypted using Customer Managed Encryption Key
          GCP - Networking Ensure that Cloud Spanner Database Backup is encrypted using Customer Managed Encryption Key
        • Security Policy Category Security Policy Title
          GCP - Networking Ensure that no Cloud Armor Policy allows unrestricted access to internet
          GCP - Networking Ensure that Adaptive protection is enabled for Cloud Armor Policy
        • Security Policy Category Security Policy Title
          GCP - Storage and Database Ensure that Bigtable Instance Cluster is encrypted using Customer Managed Encryption Key
        • Security Policy Category Security Policy Title
          GCP - Identity and Access Management Ensure that Cloud Router is created within non-default VPC Network
        • Security Policy Category Security Policy Title
          GCP - Compute Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
          GCP - Storage and Database Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
          GCP - Storage and Database Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
          GCP - Storage and Database Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
          GCP - Storage and Database Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
          GCP - Storage and Database Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
          GCP - Storage and Database Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
          GCP - Storage and Database Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
          GCP - Storage and Database Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
          GCP - Storage and Database Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate
          GCP - Storage and Database Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
          GCP - Storage and Database Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
          GCP - Storage and Database Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
          GCP - Storage and Database Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
        • Security Policy Category Security Policy Title
          GCP - Compute Ensure that Instance Templates are not configured to use the default service account with full access to all Cloud APIs
          GCP - Compute Ensure that Instance Templates are configured with Shielded VM
          GCP - Compute Ensure that “Block Project-wide SSH keys” is enabled for Instance Templates
          GCP - Compute Ensure that IP forwarding is not enabled on Instance Templates
          GCP - Compute Ensure "Enable connecting to serial ports" is not enabled for Instance Templates
          GCP - Compute Ensure that Instance Templates are not launched within default VPC
          GCP - Compute Ensure that Instance Templates do not have Public IP Addresses
        • Security Policy Category Security Policy Title
          GCP - Storage and Database Ensure there are no running VM instances older than 180 days available within your GCP project
        • Security Policy Category Security Policy Title
          GCP - Storage and Database Ensure that vulnerability scanning is enabled for Container Registry
        • Security Policy Category Security Policy Title
          GCP - Data Analytics Ensure that Dataproc jobs will restart on failure
        • Security Policy Category Security Policy Title
          GCP - Identity and Access Management Ensure that IAM users are restricted to use the KMS Admin permissions on a project
          GCP - Identity and Access Management Ensure that IAM users are restricted to use the Owner/ Writer/ Reader roles at project level
      • Cloud Service Provider Benchmark Title
        AWS, GCP Government of Canada Cloud Guardrails
      • Security Policy Category Security Policy Title
        Windows 2019 Windows 2019 - Ensure 'Specify the interval to check for definition updates' is set to 'Enabled:1'
        Ubuntu 18.04 Ubuntu 18.04 - Ensure rsyslog Service is enabled
        CentOS 7 CentOS 7 - Ensure rsyslog Service is enabled
May 26, 2021
  • Release Available
    • ZCSPM Release 3.11.0 Enhancements and Fixes

      New Features and Enhancements

      • ServiceNow Integration Enhancements: You can now configure custom fields on ZCSPM to add additional parameters which ZCSPM sends to ServiceNow when creating tickets. To learn more, see Integrating with ServiceNow.
      • The Risk Dashboard and Cloud Security Best Practices page now display widgets and information aggregated across all cloud accounts in your cloud deployment.
      • ZCSPM now supports version 2.3 of the auto remediation framework. ZCSPM will no longer remediate AWS assets when you exclude assets from security policy evaluation. To learn more, see Auto Remediation of AWS Resources.
      • ZCSPM now supports gathering Azure OS Baseline configuration metadata from multiple subscriptions on a shared log analytics workspace. To learn more, see Configuring OS Baselines for Azure.
      • ZCSPM now supports version 1.8 of the IAM data collector agent which sends configuration metadata from multiple accounts in your tenant to ZCSPM. To learn how to upgrade your agent, see Advanced Security Configurations for Azure.

      Security Policy & Benchmark Updates

        • Security Policy Category Security Policy Title
          Compute Ensure that Compute Snapshot is created within multi-region
          Compute Ensure that Compute Disk is encrypted with Customer-managed key
          Compute Ensure that Compute Image is encrypted with Customer-managed key
          Compute Ensure that Compute Image is not publicly accessible
          Networking Ensure logging and monitoring is enabled for each global HTTPS load balancer Backend Service
          Networking Ensure that signed URLs are in use for global HTTP(S) load balancer Backend Service
          Networking Ensure cloud CDN is enabled for global HTTP(S) load balancer Backend Service
          Networking Ensure that Cloud Armor security policy is configured for each Backend Service of global HTTP(S) load balancer
        • Security Policy Category Security Policy Title
          Data Analytics Ensure that Pub/Sub Topic is encrypted using Customer-Managed Encryption Key (CMEK)
          Identity and Access Management Ensure that 'allUsers' is not allowed to publish to Pub/Sub Topic
          Identity and Access Management Ensure that Pub/Sub Topic is not exposed to everyone
          Identity and Access Management Ensure that 'allUsers' is not allowed to subscribe to Pub/Sub Topic
          Identity and Access Management Ensure that 'allUsers' is not allowed to edit Pub/Sub Topic
          Identity and Access Management Ensure that Admin/Owner role is not assigned to 'allUsers' for Pub/Sub Topic
      • Security Policy Category Security Policy Title
        Data in Transit Ensure that TLS version 1.2 should be enabled for SQL managed instance service
        Networking Ensure that public endpoint should be disabled for SQL managed instance service
        Networking Ensure that diagnostics setting should be enabled for SQL managed instance service
        Logging and Auditing Ensure that 'Also send email notification to admin and subscription owners' is enabled in Advanced Threat Protection Settings for SQL managed instance service
        Logging and Auditing Ensure that periodic recurring vulnerability scans is enabled for SQL managed instance service
        Logging and Auditing Ensure that 'Send scan reports to' is set for SQL managed instance service
        Storage and Databases Ensure SQL managed instance's TDE protector is encrypted with customer-managed key (BYOK)
      • Cloud Service Provider Benchmark Title
        Microsoft Azure Government of Canada Cloud Guardrails
        Microsoft Azure, AWS, GCP, Microsoft 365 NIST - National Institute of Standards and Technology SP 800-53 Rev. 5
      • Security Policy Service Security Policy Title
        Windows 2016 Windows 2016 - Specify the interval to check for definition updates
        Ubuntu 18.04 Ubuntu 18.04 - Ensure cron daemon is enabled
        Ubuntu 18.04 Ubuntu 18.04 - Ensure logrotate is configured
        Ubuntu 18.04 Ubuntu 18.04 - Ensure IP forwarding is disabled
        CentOS 7 CentOS 7 - Ensure cron daemon is enabled
        CentOS 7 CentOS 7 - Ensure logrotate is configured
        CentOS 7 CentOS 7 - Ensure IP forwarding is disabled
        SQL Server Ensure no SQL Server allow ingress 0.0.0.0/0 (ANY IP)
      • Security Policy Service Security Policy Title
        Identity and Access Management Ensure IAM instance roles are used for AWS resource access from instances
May 03, 2021
  • Release Available
    • ZCSPM Release 3.10.0 Enhancements and Fixes

      New Features and Enhancements

      • Asset Exclusion: ZCSPM now allows you to exclude assets from being evaluated by a specific set of security policies. To learn more, see Managing Assets.
      • Alerts: ZCSPM now allows you to configure email alerts whenever ZCSPM notices a drift in your cloud deployment's risk posture. To learn more, see About Alerts.
      • GCP Asset Metadata Collection: ZCSPM now collects and displays the metadata for the following GCP Services:
        • bigquery.googleapis.com/Dataset
        • compute.googleapis.com/Network
        • iam.googleapis.com/ServiceAccountKey
        • sqladmin.googleapis.com/Instance
        • storage.googleapis.com/Bucket
        • compute.googleapis.com/Firewall
        • compute.googleapis.com/Instance
      • AWS Auto Remediation Framework Update:
        • ZCSPM now supports version 2.2 of the auto remediation framework.
        • ZCSPM remediation framework now allows you to easily deploy and configure AWS auto remediation for multiple accounts present in an AWS organization.
        • ZCSPM remediation framework now allows you to opt-in or opt-out IAM policies from the auto remediation framework depending on your organization's compliance requirements.
        To learn more, see Auto Remediation of AWS Resources.

      Security Policy & Benchmark Updates

      • Added 2 new security policies for Microsoft Office 365:
      Security Policy Category Security Policy Title
      M365 - Device Create a Microsoft Endpoint Manager Compliance Policy for Windows 8.1
      M365 - Device Create a Microsoft Endpoint Manager Configuration Profile for Windows 8.1
      • Added a new Microsoft Office 365 Benchmark - Government of Canada Cloud Guardrails.
March 31, 2021
  • Release Available
    • ZCSPM Release 3.09.0 Enhancements and Fixes

      New Features and Enhancements

      • Asset Exclusion: ZCSPM now allows you to exclude an asset from all current and future security policies.
      • Reporting Enhancements:
        • You can now schedule reports as PDF, Word, or CSV files.
        • ZCSPM now sends scheduled report emails with deep links.
      • AWS Asset Metadata Collection: ZCSPM will now collect and display the metadata for the following AWS services:
        • AWS::EC2::Instance
        • AWS::EC2::VPC
        • AWS::ElasticLoadBalancing::LoadBalancer- Classic
        • AWS::ElasticLoadBalancingV2::LoadBalancer App
        • AWS::ElasticLoadBalancingV2::LoadBalancer Network
        • AWS::KMS::Key
        • AWS::IAM::User

      Security Policy & Benchmark Updates

      Added 72 new security policies for Google Cloud Platform across the following cloud services:

      • Security Policy Category Security Policy Title
        GCP - Compute Ensure that Cloud Function is not using default service account
        GCP - Compute Ensure that ingress setting is not set to 'Allow all traffic' for Cloud Function
        GCP - Compute Ensure that access to VPC- PRIVATE RANGES ONLY is used for your Cloud Function
        GCP - Compute Ensure that all the deployed Cloud Functions are in 'active' mode
      • Security Policy Category Security Policy Title
        GCP - Compute Ensure that Cloud Run revision is not configured to use the default service account
      • Security Policy Category Security Policy Title
        GCP - Storage and Database Ensure that the 'password history' database flag is configured for Cloud SQL MySQL instance
        GCP - Storage and Database Ensure that the 'password reuse interval' database flag is configured for Cloud SQL MySQL instance
        GCP - Storage and Database Ensure that IAM database authentication flag is configured for Cloud SQL PostgreSQL Instance
        GCP - Storage and Database Ensure that 'cloudsql.enable_pgaudit' database flag for Cloud SQL PostgreSQL instance is set to 'on'
        GCP - Storage and Database Ensure that 'ssl_min_protocol_version' flag for Cloud SQL PostgreSQL instance is configured to utilize latest version
        GCP - Storage and Database Ensure that 'remote login timeout (s)' database flag for CloudSQL SQL Server Instance is configured
        GCP - Storage and Database Ensure that Cloud SQL database instance is not using expired SSL/TLS server certificate(s)
        GCP - Storage and Database Ensure that Cloud SQL database instances are encrypted with Customer-Managed key
        GCP - Storage and Database Ensure that High Availability feature is enabled for CloudSQL Database Instance
      • Security Policy Category Security Policy Title
        GCP - Storage and Database Ensure that Storage Buckets are deployed in multi-region
        GCP - Storage and Database Ensure that Storage Bucket is encrypted with Customer-Managed Encryption Key
        GCP - Storage and Database Ensures that object versioning is enabled on Storage Buckets
      • Security Policy Category Security Policy Title
        GCP - Compute Ensure that deletion protection is enabled for VM Instances
        GCP - Compute Ensure that Virtual Trusted Platform Module is enabled for VM Instance
        GCP - Compute Ensure that VM Instances are not launched within default VPC
        GCP - Networking Ensure that logging should be enabled on Firewall Rule
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 23 (Telnet)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 25 (SMTP)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP and UDP port 53 (DNS)
        GCP - Networking  
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 139 and UDP ports 137 and 138 (NetBIOS)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4333 or 3306 (MySQL)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 1521 (Oracle)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 5432 (PostgreSQL)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 445 (CIFS)
        GCP - Networking Ensure that no firewall Rule allows unrestricted ingress access to TCP port 5601 (Kibana)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 135 (RPC)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to port 443 (HTTPS)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 110 (Pop3 Database)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP ports 8332 and 8333 (Bitcoin)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8545 (Ethereum)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to all UDP traffic
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to all TCP traffic
        GCP - Networking Ensure that no Firewall Rules allows unrestricted egress access
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP ports 20 and 21 (FTP)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 1433 (MSSQL)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to Internet Control Message Protocol (ICMP)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 27017 (MongoDB)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to port 80 (HTTP)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 445 (SMB)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to port 9200 (Elasticsearch)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 389 (LDAP)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 5500 (VNC Client)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 5900 (VNC Server)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 3020 (CIFS/SMB)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 61621 (Cassandra OpsCenter agent)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 7001 (Cassandra)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9000 (Hadoop Name Node)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8000 (Internal web port)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 3000 (Prevalent known internal port)
        GCP - Networking Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 161 (SNMP)
      • Security Policy Category Security Policy Title
        GCP - Data Analytics Ensure that Admin role is not assigned to Default Service Account for Dataproc Cluster
        GCP - Data Analytics Ensure that Editor role is not assigned to Default Service Account for Dataproc Cluster
      • Security Policy Category Security Policy Title
        GCP - Kubernetes Service Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
        GCP - Kubernetes Service Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
        GCP - Kubernetes Service Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
        GCP - Kubernetes Service Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
        GCP - Kubernetes Service Ensure Kubernetes Clusters are configured with Labels
        GCP - Kubernetes Service Ensure Kubernetes web UI / Dashboard is disabled
        GCP - Kubernetes Service Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
        GCP - Kubernetes Service Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
        GCP - Kubernetes Service Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
        GCP - Kubernetes Service Ensure Network policy is enabled on Kubernetes Engine Clusters
        GCP - Kubernetes Service Ensure Kubernetes Cluster is created with Alias IP ranges enabled
        GCP - Kubernetes Service Ensure Kubernetes Cluster is created with Private cluster enabled
        GCP - Kubernetes Service Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
        GCP - Kubernetes Service Ensure default Service account is not used for Project access in Kubernetes Clusters
        GCP - Kubernetes Service Ensure GKE Clusters use specific purpose-designed networks instead of the default network

      Added 1 new security policy for Amazon Web Services for the AWS IAM service:

      Security Policy Category Security Policy Title
      Identity and Access Management (IAM) Eliminate use of the root user for administrative and daily tasks [last 90 days]
February 25, 2021
  • Release Available
    • ZCSPM Release 3.08.0 Enhancements and Fixes

      New Features and Enhancements

      • Scheduling Reports: ZCSPM now allows you to schedule and manage summary reports for all benchmarks. To learn more, see Scheduling Reports.
      • Asset Security Dashboard Enhancements:
        • ZCSPM now offers tighter integration with Asset Inventory, making it easier to secure your cloud deployment.
        • You can now view the top regions where you have protected cloud assets and the regions with the highest risk.
        • You can now view and manage the top 10 assets with the highest number of failed security policies.
        To learn more, see About Asset Security Dashboard.
      • Drift Notifications: ZCSPM now offers you the ability to configure email notifications for high or moderate drift in your cloud security posture. To learn more, see Drift Notifications.
      • You can now provide AWS Config details when creating custom security policies for AWS. To learn more, see Creating Custom Security Policies for AWS.
      • Azure Advanced Security Configurations agent's Active Directory (AD) scanning is now refined. Use the new version 1.5 when upgrading or creating the Azure Advanced Security Configurations agent. To learn more, see Advanced Security Configurations for Azure.
      • M365 Advanced Security Configurations agent no longer scans the Active Directory (AD) for user information. Use the new version 1.9 when upgrading or creating the M365 Advanced Security Configurations agent. To learn more, see Upgrading the Microsoft 365 Advanced Security Configuration Agent.

      Security Policy & Benchmark Updates

      Added 14 new security policies for Google Cloud Platform across the following cloud services:

      Security Policy Category Security Policy Title
      GCP - Data Analytics Ensure that Customer-Managed Encryption Key (CMEK) is used for BigQuery Dataset Tables encryption
      GCP - Data Analytics Ensure that retention period is set on BigQuery tables
      GCP - Data Analytics Ensure that Cluster replication feature is enabled for Bigtable Instance
      GCP - Data Analytics Ensure that Backup is configured with expiration date for Bigtable Table
      GCP - Data Analytics Ensure that Stackdriver Logging is enabled for Data Fusion instances
      GCP - Data Analytics Ensure that Stackdriver monitoring is enabled for Data Fusion instances
      GCP - Storage and Database Ensure that Cloud Spanner Instance is deployed with multi-region configuration
      GCP - Storage and Database Ensure that Backup is configured with expiration date for cloud Spanner Database
      GCP - Compute Ensure that instance groups have autoscale enabled for high availability
      GCP - Compute Ensure that instance groups have Health checks defined
      GCP - Data Analytics Ensure that Dataproc Cluster is not launched within default VPC Network
      GCP - Data Analytics Ensure that autoscaling policy is configured for Dataproc Clusters
      GCP - Data Analytics Ensure that Dataproc Cluster is encrypted using Customer-Supplied Encryption Keys
      GCP - Data Analytics Ensure that Dataproc Cluster is launched in High Availability mode
February 01, 2021
  • Release Available
    • ZCSPM Release 3.07.0 Enhancements and Fixes

      New Features and Enhancements

      Security Policy & Benchmark Updates

      Added 2 new security policies for Microsoft Azure:

      Security Policy Category Security Policy Title
      Azure - Business continuity and DR Ensure that Virtual network links should be configured in Private DNS Zone
      Azure - Business continuity and DR Ensure that Private Endpoint connection status should be in Approved state

      Automated 17 manual security policies for GCP:

      Security Policy Category Security Policy Title
      Logging and Monitoring Ensure log metric filter and alerts exist for project ownership assignments/changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for Audit Configuration changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for Custom Role changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for VPC network route changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for VPC network changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
      Logging and Monitoring Ensure that the log metric filter and alerts exist for SQL instance configuration changes
      Logging and Monitoring Ensure that sinks are configured for all log entries
      IAM Ensure that corporate login credentials are used
      IAM(KMS) Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
      IAM(KMS) Ensure KMS encryption keys are rotated within a period of 90 days
      Networking(LoadBalancer) Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
      Storage IAM Ensure that Cloud Storage bucket is not anonymously or publicly accessible
      IAMAuditConfig(IAM) Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
      Log sink Ensure that retention policies on log buckets are configured using Bucket Lock
      Storage Ensure that Cloud Storage buckets have uniform bucket-level access enabled

      Added 2 security policies for M365:

      Security Policy Category Security Policy Title
      M365 - Device Ensure that users cannot connect from Android devices that are jailbroken
      M365 - Device Ensure that users cannot connect from iOS devices that are jailbroken

      Deprecated 2 security policies for M365:

      Security Policy Category Security Policy Title
      M365 - Device Enable Microsoft Intune Mobile Device Management
      M365 - Device Ensure that users cannot connect from devices that are jailbroken or rooted