Fugue Extends IaC Security Reach to Cloud-Native Runtimes

Fugue today announced it has extended the reach of its platform for securing infrastructure-as-code (IaC) used to deploy cloud-native applications to now include runtime environments.

Company CEO Josh Stella says DevOps teams can now use the unified policy engine at the core of the namesake Fugue IaC tool, based on the open source Open Policy Agent (OPA) and on Regula, Fugue's open source OPA-based tool, to enforce the same policies on platforms both when they are initially configured and after applications are deployed and continuously updated in production. OPA gives IT teams a general-purpose tool for declaratively applying policies to cloud-native applications and is being advanced under the auspices of the Cloud Native Computing Foundation (CNCF).

Fugue IaC supports pre-deployment security checks for Terraform, AWS CloudFormation, Kubernetes manifests and Dockerfiles. Fugue also enables IT teams to create and test custom policies using Rego, the policy language created for OPA. Finally, Fugue provides interactive visual maps of IaC templates and the ability to export IaC diagrams that IT teams can use for planning and approval processes.
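To illustrate what a custom Rego policy of the kind described above looks like, here is an added example (not code from Fugue, Regula or the article) written as a plain OPA policy over a Kubernetes Pod manifest supplied as JSON input; the package name, rule names and the constructed sample pod in the test are assumptions, and the policy is evaluated with `opa eval` or `opa test` rather than through Regula's rule wrapper:

```rego
package iac.k8s.pod_hardening  # hypothetical package name

import rego.v1

# Each deny rule contributes one human-readable finding; an empty set means the manifest passes.

# Finding 1: a container that requests privileged mode gets full host capabilities.
deny contains msg if {
    input.kind == "Pod"
    some container in input.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %q in pod %q must not run privileged", [container.name, input.metadata.name])
}

# Finding 2: hostNetwork lets the pod bind host interfaces and bypass network policy.
deny contains msg if {
    input.kind == "Pod"
    input.spec.hostNetwork == true
    msg := sprintf("pod %q must not use hostNetwork", [input.metadata.name])
}

# Finding 3: a container without an explicit runAsNonRoot setting may start as uid 0.
deny contains msg if {
    input.kind == "Pod"
    some container in input.spec.containers
    not container.securityContext.runAsNonRoot == true
    msg := sprintf("container %q in pod %q must set securityContext.runAsNonRoot: true", [container.name, input.metadata.name])
}

# Constructed sample manifest used only by the tests below (run with `opa test .`).
sample_pod := {
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": true,
        "containers": [
            {"name": "app", "image": "nginx:1.25", "securityContext": {"privileged": true}},
            {"name": "sidecar", "image": "busybox:1.36", "securityContext": {"runAsNonRoot": true}},
        ],
    },
}

# Expect three findings: privileged "app", hostNetwork on the pod, and "app" lacking runAsNonRoot.
test_sample_pod_has_three_findings if {
    count(deny) == 3 with input as sample_pod
}

# The same pod with hostNetwork removed and a hardened "app" container should pass cleanly.
test_hardened_pod_passes if {
    hardened := {"kind": "Pod", "metadata": {"name": "web"}, "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25", "securityContext": {"runAsNonRoot": true}},
    ]}}
    count(deny) == 0 with input as hardened
}
```

Against a real manifest, `opa eval -i pod.json -d policy.rego "data.iac.k8s.pod_hardening.deny"` prints the findings, which is the same shape of check a pre-deployment gate would run before the manifest is applied.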

Fugue provides hundreds of out-of-the-box rules for IaC and cloud runtime security that are mapped to SOC 2, NIST 800-53, GDPR, PCI, HIPAA, ISO 27001, CSA CCM, CIS Controls, CIS Docker, CIS Benchmarks for AWS, Microsoft Azure, Google Cloud, Docker and Kubernetes. There is also a Fugue best practices framework that provides additional guidance for discovering vulnerabilities that compliance standards can miss.

Fugue’s goal with the latest extension is to reduce the number of tools a DevOps team might otherwise need to secure an infrastructure platform that is continuously updated as new applications and upgrades to existing applications are deployed, says Stella.

This extension to the Fugue platform can reduce the engineering resources required to secure an IT environment by as much as 50%, Stella claims.

Interest in tools such as Fugue is on the rise because IT organizations are discovering that the cloud platforms they deploy applications on today are often rife with misconfigurations. Developers today often use tools like Terraform to provision infrastructure themselves with no guidance from IT operations or security teams. The issue is that most of those developers have little to no security expertise, so the odds that cloud infrastructure will be misconfigured are high.

Many IT teams and cybersecurity specialists are now being asked to find ways to reduce those misconfigurations without slowing down the rate at which applications can be deployed. Achieving that goal requires increased reliance on tools such as Fugue that not only surface issues but also provide the guidance needed to remediate them, says Stella.

Most IT teams are not going to want a platform to automatically remediate those issues on their behalf without first understanding these issues, adds Stella. Instead, they are looking for self-healing capabilities that can be easily approved and implemented, he notes.

It may be a while before DevSecOps best practices make IaC security a routine process. In the meantime, however, IT teams looking to secure their software supply chains should focus now on configuration issues, which today are clearly the weakest link in that chain.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
