Cloud infrastructure security and compliance engine provider Fugue has added the Docker benchmark from the Center of Internet Security (CIS) to its list of supported guidelines, as well as support for managed container services by both Amazon Web Services and Microsoft Azure. Much like other compliance solutions, Fugue looks at a company’s infrastructure-as-code and cloud configurations to ensure they are in agreement with best practices and regulations, such as GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2, but Fugue CEO Josh Stella says that his company takes that one step further to put it into a larger context.
“Fugue will look across all of your cloud accounts, and examine your infrastructure as code and your container configurations, to look for dangerous misconfigurations. We do that in part by visualizing your entire environment. It’s somewhat like a Google Maps of your cloud infrastructure, if you will,” said Stella. “In our opinion, if you’re only looking at the container security, you’re not going to catch the misconfigurations and vulnerabilities that are due to a combination of the container and the environment that it’s running in. One thing we do that’s unique versus any of the other players in our space is, Fugue actually captures a complete in-memory model of every aspect of your cloud configuration, and then we can analyze everything in context.”
With the addition of the CIS Docker benchmark, Fugue now checks for things like memory limits and invalid mounts, whether or not root is used, that the root filesystem is read-only, and so on, automating a process that would otherwise be done by manually comparing your settings to those in a long list. After running its checks, Fugue will offer direction on how to fix your configurations to meet compliance regulations. At the same time, Fugue can also continuously monitor your environment, making sure the infrastructure doesn’t mutate away from a baseline.
In addition to the CIS Docker benchmark, Fugue now also includes continuous configuration visibility, security checks, and compliance reporting for AWS Elastic Container Service (ECS) with Fargate, AWS Elastic Kubernetes Service (EKS), Azure Container Instances, and Azure Container Registry. According to Stella, Google Cloud Platform (GCP) is slated to be added sometime in the next month.
When we first looked at Fugue in 2016, the company used a YAML-esque language of its own creation to build its policies, but has since moved to adopt the open source Open Policy Agent (OPA) to serve as the basis for all of its rules, both those offered by the platform and those created by end-users.
“Our customers can write their own OPA and have their policy-as-code expressed in an open source way, rather than a proprietary kind of pseudo-language, which is what a lot of folks do. Everything can consume an API, and the beauty of that is, because we can check all the way back to your infrastructure-as-code templates and run all the way through to in-production, you can use a single policy all the way through the lifecycle,” said Stella. “That’s really important, because otherwise you’ll have different checks in runtime than you do in development, and they’re not going to agree.”
Amazon Web Services is a sponsor of The New Stack.