Fugue, the company helping organisations innovate faster and more securely in the cloud, announced a 1.0 release for Regula, an open source policy engine for infrastructure as code (IaC) security. The release includes comprehensive support for common IaC tools, such as Terraform and AWS CloudFormation, pre-built libraries with hundreds of policies that validate Amazon Web Services (AWS), Microsoft Azure, and Google Cloud resources, and new developer tooling to support custom rules development and testing with Open Policy Agent. This latest release further advances Fugue’s leadership in innovating on policy as code for IaC and the cloud infrastructure runtime.

Regula, open source engine for IaC security

Regula supports a broad set of IaC inputs, including Terraform HCL, Terraform plan JSON, AWS CloudFormation, and Serverless Application Model templates. Extensive rule libraries check for common security and compliance violations and advanced, multi-resource misconfigurations, and can detect when required resources are missing. Regula supports standardised output formats, such as JUnit, Test Anything Protocol (TAP), and JSON, allowing it to integrate seamlessly with CI/CD tools and testing frameworks, including Jenkins, CircleCI, Travis CI, and Conftest.

Infrastructure as code (IaC)

Cloud and security engineers can use their Regula policies in the Fugue SaaS platform to check their AWS, Microsoft Azure, and Google Cloud environments, giving them a unified policy engine for securing the entire cloud development lifecycle (CDLC) from IaC through deployment and runtime.
“Infrastructure as code presents cloud teams with the opportunity to shift left on cloud security pre-deployment, and they need better tooling to develop and test policies, integrate them into their CI/CD workflows, and apply those same rules to their cloud runtime environments,” said Josh Stella, Co-Founder and CEO of Fugue.

Open policy agent framework

Josh adds, “These new Regula capabilities and policies make it easier than ever for cloud teams to secure their IaC and apply policy consistently across the CDLC and across cloud platforms, and avoid the overhead of maintaining and reconciling different policy frameworks.”

Regula utilises the Cloud Native Computing Foundation’s Open Policy Agent framework, with expressive and powerful rules written in the Rego language. Developers can create their own custom rules to meet organisational requirements, and Regula includes additional tooling for running tests on these rules. Rules can be waived to designate exceptions for specific resources or disabled entirely to fit an organisation's needs.

Out-of-the-box support

Regula provides out-of-the-box support for the CIS Foundations Benchmarks, and additional Regula policies check for cloud vulnerabilities that compliance frameworks can miss, such as dangerously permissive AWS IAM policies, Lambda function policies allowing global access, EBS volumes with encryption disabled, and untagged cloud resources.
Fugue, the company helping organisations innovate faster and more securely in the cloud, announced support for AWS CloudFormation in Regula, the open-source infrastructure as code (IaC) policy engine. Cloud engineering and security teams can now use Regula to secure their AWS CloudFormation and Terraform configurations before deployment and apply those same rules to running cloud environments using the Fugue platform to secure the entire cloud development lifecycle. Expanding Regula capabilities represents Fugue’s continued leadership in innovating on policy as code for IaC and running cloud infrastructure since 2015.

Ideal for multi-cloud environments

Regula is ideal for organisations with DevOps teams that use both AWS CloudFormation and Terraform and those operating multi-cloud environments. Regula is the only AWS CloudFormation security tool that can address vulnerabilities involving multiple resources, and the only one that helps teams meet the CIS AWS Foundations Benchmarks 1.2.0 and 1.3.0. Regula easily integrates into CI/CD pipelines, enables pre-commit IaC checks, and provides pull request feedback. Fugue provides examples of Regula working with GitHub Actions for CI/CD.

Code security requirements

“At Cadwell, we needed an effective way to check our infrastructure as code to ensure our cloud infrastructure deployments are secure so we can move faster in the cloud with confidence,” said Sawyer Ward, Enterprise Support Specialist at Cadwell Industries, Inc.
“Regula is ideal for our infrastructure as code security requirements, and the ability to apply those same rules to our cloud environment with Fugue means we can keep our infrastructure in continuous compliance and avoid the risks and overhead of maintaining multiple policy frameworks.”

Independent working software

While Regula works independently of Fugue, teams can use Fugue to apply the same Regula rules to assess the security posture of their running AWS, Azure, and Google Cloud infrastructure environments, eliminating the investment and cloud risk associated with using and reconciling different policy frameworks for different stages of the cloud development lifecycle and different cloud platforms.

Unified cloud policy framework

“Companies operating at scale in the cloud need a policy as code framework that’s flexible, works with the leading infrastructure as code tools, and can be used across cloud platforms at every stage of the cloud development lifecycle,” said Josh Stella, co-founder and CEO of Fugue. “By extending Regula support to AWS CloudFormation, cloud engineering and security teams now have a unified cloud policy framework that works with their tools and workflows, giving them the confidence to move faster in the cloud—without breaking the rules needed to keep cloud infrastructure secure and in compliance.”

Rules are user-defined

Regula’s rule library checks for a wide variety of cloud misconfiguration vulnerabilities, such as dangerously permissive AWS IAM policies and security group rules, S3 buckets without “block public access” options enabled, Lambda function policies allowing global access, VPCs with flow logs disabled, EBS volumes with encryption disabled, and untagged cloud resources.
Regula supports user-defined rules using the Rego query language developed by the Open Policy Agent project and includes helper libraries that enable users to easily build their own rules that conform to enterprise policies. Fugue created and open-sourced Fregot, a tool that enables developers to easily evaluate Rego expressions, debug code, and test policies.
Fugue, the company transforming cloud security to help organisations innovate faster, announces it has added support for Google Cloud to its multi-cloud security platform. With Fugue, cloud engineering and security teams can secure their entire cloud development lifecycle (CDLC)—from infrastructure as code to production—across their Amazon Web Services (AWS), Microsoft Azure, and now Google Cloud environments using the same Cloud Security Posture Management (CSPM) solution.

Multiple cloud platforms

Fugue automates immediate and continuous security visibility and compliance reporting for cloud development and operations to prevent misconfiguration vulnerabilities and streamline previously time-consuming and resource-intensive tasks. Fugue support for Google Cloud initially includes 59 resource types and audit and reporting capabilities for the CIS Google Cloud Computing Platform Foundations Benchmark, CIS Controls, CSA CCM, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, SOC 2, and custom enterprise policies.

“Fugue provides us with the ability to conduct comprehensive cloud security audits fast, and now with Google Cloud support, we can apply the same rules consistently across multiple cloud platforms,” said Alfonso Cabrera, Director of Platform Engineering at Red Ventures.

Dynamic cloud environments

“Keeping cloud infrastructure secure and measuring adherence to security standards used to be time-consuming and highly manual. Fugue has automated these processes to provide immediate and continuous visibility into highly dynamic cloud environments, helping ensure that we continue to innovate at a fast pace without compromising on security.”

Fugue covers security and compliance at every stage of the CDLC—from Terraform and AWS CloudFormation infrastructure as code checks to continuous runtime protection and compliance auditing and reporting.
Fugue provides deeper protection against the kinds of advanced multi-resource misconfigurations that are playing a larger role in modern cloud attacks and are often overlooked by other tools and compliance frameworks.

Deploying cloud infrastructure

“More enterprise organisations are using multiple cloud service providers and infrastructure as code tools, and their teams need a way to move faster and more securely, regardless of which clouds they’re using, or how they’re developing and deploying cloud infrastructure,” said Josh Stella, Co-Founder and CEO of Fugue. “With the addition of Google Cloud support, teams can now use Fugue to apply the same compliance rules and custom security policies consistently across their entire cloud footprint and cloud development lifecycle—without slowing down the pace of innovation.”

Inspecting configuration details

With Fugue, every team—from developers to ops to security and compliance—shares a single source of trust in what’s allowed in their cloud environment using the Fugue Rules Engine, built with Open Policy Agent, the open standard for policy as code. Because Fugue takes continuous snapshots of cloud configuration state, all teams operate under a single source of truth in what’s running in their environment at all times. Fugue’s interactive cloud infrastructure maps enable teams to zoom in to inspect configuration details and compliance violations and zoom out to see the big picture of their environment, and export diagrams to include with audits.
Fugue, the company putting engineers in command of cloud security and compliance, announces new capabilities for bringing public cloud container resources into compliance and ensuring the continuous security of container runtime configurations. The new capabilities deliver security and compliance visibility and reporting for managed container services offered by Amazon Web Services and Microsoft Azure and turnkey support for the CIS Docker Benchmark. The new Fugue features provide continuous configuration visibility, security checks, and compliance reporting for AWS Elastic Container Service (ECS) with Fargate, AWS Elastic Kubernetes Service (EKS), Azure Container Instances, and Azure Container Registry.

Managed container resources

Developers can run policy checks on their infrastructure-as-code to ensure their managed container resources are configured securely according to the CIS Docker Benchmark and their custom rules, and use those same rules to ensure continuous container runtime security in production.

“Fugue has simplified the task of establishing compliance visibility and reporting across our entire cloud footprint and ensuring our environment stays secure,” said Ben Carter, Vice President of Enterprise Architecture at Red Ventures. “As Red Ventures leverages more cloud-native services, Fugue’s new container runtime security capabilities empower our teams to innovate fast while streamlining cloud security and compliance at every stage of development and operations.”

Cloud security coverage

“Our customers are increasingly taking advantage of the managed container services offered by cloud providers such as AWS and Microsoft Azure, and they need an efficient and effective way to ensure those resources are configured securely and stay that way,” said Josh Stella, co-founder and CEO of Fugue.
“We’re excited to extend Fugue’s next-generation cloud security coverage to include public cloud container runtime security so our customers can keep moving fast and know their infrastructure and data remain secure and in compliance.”

Fugue recently introduced next-generation Cloud Security Posture Management (CSPM) capabilities that leverage its cloud state machine and OPA-based policy-as-code engine to provide customers with continuous visibility into the full configuration state and security posture of their entire environment.

Streamlining cloud compliance

With Fugue’s data warehouse, teams can analyse their data using Fugue’s native tools or their third-party business intelligence (BI) and security information and event management (SIEM) tools. Fugue radically streamlines cloud compliance with full historical audit evidence and out-of-the-box support for industry standards, including CIS Foundations Benchmarks, CIS Docker Benchmark, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2. Fugue supports custom enterprise policies using OPA and provides the Fugue Best Practices framework to protect against advanced misconfiguration exploits that compliance frameworks can miss, including complex Identity and Access Management (IAM) vulnerabilities.

Fugue offers Enterprise and Team plans under a 30-day free trial, and the free Fugue Developer plan for individual engineers. Fugue is available in the AWS Marketplace. It takes just 15 minutes to get up and running with Fugue.
Fugue, the company empowering engineers to build and operate secure cloud systems, cites product innovation, growing awareness of cloud misconfiguration risk, and the engineer-led movement to address cloud security with engineering solutions as its primary drivers for growth in 2019. In the past year, the company introduced several innovations to its award-winning cloud security product, gained significant new customers, and contributed two new open source projects for cloud infrastructure policy as code tooling. Engineer empowerment and education will continue to serve as the pillars of the company’s product roadmap and growth strategy in 2020.

Engineering Solutions for Cloud Security

The number one cause of cloud data breaches is infrastructure misconfiguration, whether due to human error or a lack of effective controls. Since engineers build and operate their cloud infrastructure, they own the security of that infrastructure. Fugue empowers cloud engineers to identify and remediate misconfiguration vulnerabilities in their AWS (Amazon Web Services) and Microsoft Azure environments before malicious actors can find and exploit them.

In 2019, the company merged its two products—Fugue Platform and Fugue Risk Manager—into a unified Software as a Service (SaaS) solution that delivers dynamic cloud infrastructure visualisation tools and advanced cloud security and compliance capabilities. Fugue helps developers “shift left” to incorporate security early in the software development life cycle (SDLC), and access robust compliance assurance and reporting capabilities for custom enterprise rules and out-of-the-box compliance standards such as CIS Foundations Benchmark for AWS and Azure, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI-DSS, SOC 2, and Fugue Best Practices.
Fugue Developer

At AWS re:Invent 2019, the company launched Fugue Developer, a free tier that provides individual engineers with the tools they need to build and operate securely in highly dynamic and regulated cloud environments. Unlike most cloud security solutions that can require weeks of implementation time, engineers can get up and running with Fugue rapidly, often in about 15 minutes. Fugue won the 2019 CyberSecurity Breakthrough Award for IaaS Security Solution of the Year for the second year in a row.

Adoption of Open Policy Agent (OPA)

Fugue continued to demonstrate its strong support of the open source community by promoting the adoption of Open Policy Agent (OPA) and the Rego language for validating cloud infrastructure for policy compliance. Fugue announced OPA as the policy as code engine for its SaaS solution and continues to introduce additional open source tools that use OPA, including Regula, which validates Terraform infrastructure as code for policy compliance, and Fregot, which improves the developer experience working with Rego. Policies developed for Regula are portable with Fugue’s custom policy capabilities.

Significant New Customers and Growth

“It’s only January, but we know that 2020 will bring more of the same cloud misconfiguration threats and security challenges to organisations across all industries,” said Josh Stella, co-founder and CTO of Fugue.
“They must contend with an ever-growing number of increasingly sophisticated misconfiguration attacks, but as we’ve been seeing, when cloud engineers understand misconfiguration risk and are empowered with innovative tools to address them, these challenges can be overcome.”

In 2019, Fugue attracted a significant number of industry-leading new customers to its unified SaaS solution, including AT&T, SAP, Manitoba Blue Cross, A+E Networks, TravelBank, Red Ventures, SparkPost, GlobalGiving, A|L Media, TurningTechnologies, EMSI, GoGuardian, New Light Technologies, PublicRelay, and a large financial services institution.

“Fugue dramatically shortened the amount of time the customer needed to enable developers to provision AWS infrastructure as well as to ensure compliance to policy.” - SAP

"Fugue is helping us achieve better integration and collaboration between our development, security, and compliance teams to ensure compliance and shift left on enforcing additional compliance standards." - Manuel Solis, Senior Security Infrastructure Engineer, TrueCar

"I may spend half a day standing up a new product, and it's still sort of opaque about what direct value they offer. But five minutes after I signed up for Fugue, I could scan an account and see what was not in compliance and what had drifted." - Dave Williams, Cloud Architect, New Light Technologies

Building awareness of cloud misconfiguration attacks

2019 was the year that cloud exploits graduated from simple misconfiguration attacks to significantly more advanced methods, resulting in high profile breaches against organisations widely recognised as cloud security leaders. The Fugue team invested in creating educational resources and programs to help engineers and organisations understand cloud misconfiguration risk and address their cloud security and compliance challenges.
For example, the Fugue Best Practices Framework helps cloud engineering and security teams identify and remediate dangerous cloud resource misconfigurations that aren’t addressed by common compliance frameworks.
Fugue, the company delivering autonomous cloud infrastructure security and compliance, has announced its support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure. Fugue is leveraging OPA and Rego, OPA’s declarative policy language, for cloud infrastructure policy-as-code to provide customers with maximum flexibility when implementing their custom enterprise policies. The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level hosted project in April 2019.

Open Policy Agent on access policies

While much of the focus of OPA has been on developing access policies for Kubernetes, Fugue is driving the adoption of OPA to address a wider variety of use cases for securing cloud environments on Amazon Web Services (AWS) and Microsoft Azure, including the application of common compliance frameworks to full cloud infrastructure stacks. The Fugue team has developed tools and enhancements to improve OPA’s developer experience. Fugue has provided many of these enhancements to the OPA open source project, and will continue to do so.

Enhancing enterprise security

Fugue has also added support to its product for customer-defined rules written using OPA and Rego. This sets Fugue apart from all other cloud infrastructure policy management solutions that rely on proprietary and inflexible rule languages that lock in customers and are incompatible with other policy languages used elsewhere in the enterprise. Fugue also uses OPA to provide out-of-the-box support for commonly used compliance frameworks including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2.
Cloud infrastructure policies

“It’s very simple to build custom policies for our cloud infrastructure environments and validate those configurations pre-deployment using OPA and Fugue,” said Dave Williams, cloud architect and senior consultant at New Light Technologies. “Fugue simplifies the implementation and enforcement of custom cloud infrastructure policies we’ve written using OPA and helps us prove compliance at all times.”

“Fugue has been developing policy-as-code solutions for some time, and now we’re offering an easy-to-use, open source solution for writing policies for cloud infrastructure,” said Phillip Merrick, CEO of Fugue.

Cloud security

He adds, “Our customers can use the same open language for defining their cloud infrastructure policies in Fugue that they are using for other enterprise policy needs. This eliminates the need to learn other vendors’ proprietary, inflexible policy languages.”

Fugue’s custom rules capabilities that leverage OPA enable users to:

- Build and manage custom, user-defined cloud infrastructure rules in OPA Rego via the Fugue API, CLI, and web interface
- Validate and test custom rules while they are being written with helpful errors that save time
- Continuously validate and report on compliance for custom rules and out-of-the-box policy frameworks

Security rule evaluations

“Fugue is running millions of security rule evaluations every day using OPA, so we've put a lot of work into improving performance and developer tooling and will be contributing all of that back to the open source community,” said Josh Stella, co-founder and CTO of Fugue. Josh said, “OPA is a significant development for policy-as-code, and Fugue is fully committed to supporting and contributing to it.”