Phillip Merrick

Sonatype, the globally renowned provider of innovation-friendly open source security tools, has announced entering into a strategic partnership with Fugue, the company putting engineers in command of cloud security, to deliver the first Infrastructure-as-code (IaC) solution that shifts cloud security left into the developer workflow. Sonatype and Fugue partnership The partnership further advances the missions of Sonatype and Fugue to empower software developers with best-in-class tools so they can accelerate innovation and simultaneously improve application security, cloud infrastructure security, and continuous compliance with defined policy. The combined capabilities of Sonatype and Fugue enable developers to find and fix security vulnerabilities when actively developing cloud applications, while at the same time preventing security vulnerabilities and compliance issues from surfacing in production due to misconfigured cloud infrastructure. Out-of-the-box guidance for developers The joint solution includes out-of-the-box guidance to assist developers when configuring IaC The joint solution includes out-of-the-box guidance to assist developers when configuring IaC and automatically foster compliance with privacy and security standards, including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, SOC 2, and custom rules.   “Sonatype has a long and successful history of providing front-line software developers with friendly feedback pertaining to the health of open source libraries, making it easy for them to identify and remediate security risk, without slowing down innovation,” said Wayne Jackson, the Chief Executive Officer (CEO) of Sonatype. Configuring secure cloud infrastructure Wayne adds, “In the cloud-native world, developers are not just responsible for building secure applications, they’re also responsible for configuring and provisioning secure cloud infrastructure using tools like Terraform.” He further said, “By working with Fugue, we’re equipping developers with the right information at the right time so they can always make healthy decisions when configuring IaC.” Nexus IaC capabilities In Q1 2021, Sonatype will offer new Nexus IaC capabilities as an add-on to its Nexus Lifecycle product that incorporates Fugue's cloud infrastructure security and compliance technology. This will make it possible for developers using Nexus Lifecycle to find and easily fix misconfigurations in Terraform plans before being applied to production infrastructure, and use those same policies with Fugue to ensure continuous compliance in production. Additionally, Sonatype and Fugue will collaborate to bring the Fugue runtime SaaS continuous compliance solution to Sonatype customers. Addressing cloud vulnerabilities The mutable nature of cloud APIs brings serious risk of post-deployment misconfiguration" “Sonatype and Fugue have a strong history of leadership in empowering developers to securely build and operate in order to keep their data safe. We’re proud to partner with them to deliver a single solution to address the full breadth of cloud security and compliance challenges,” said Phillip Merrick, the Chief Executive Officer (CEO) of Fugue. Phillip adds, “The mutable nature of cloud APIs brings serious risk of post-deployment misconfiguration, and Sonatype and Fugue are making it possible for the first time to address all relevant cloud vulnerability surfaces, from initial development to runtime production environments, with a single solution using the same policies.”  Unified cloud security and compliance solution Sonatype and Fugue are delivering a unified cloud security and compliance solution that empowers software developers to address the entire cloud threat landscape with: Open-source governance with Sonatype’s Nexus platform to shift security of software applications left to address open source risk and known vulnerabilities automatically at every phase of the CI/CD pipeline. Infrastructure-as-code governance with Sonatype’s new IaC capabilities, which integrate Fugue’s cloud infrastructure security and compliance technology for Terraform. Continuous cloud compliance with Fugue to ensure cloud environments remain in compliance and free of misconfiguration vulnerabilities post-deployment, and demonstrate it at all times with automated reporting.

Fugue, the company putting engineers in command of cloud security, announced next-generation cloud security posture management (CSPM) capabilities to help customers bring their cloud infrastructure into compliance and demonstrate that cloud environments adhere to enterprise security policies. The new features leverage Fugue’s cloud state machine, which captures every resource configuration over time in a cloud environment, and Fugue’s policy engine based on Open Policy Agent (OPA), the open source standard for policy-as-code. Fugue’s cloud state machine and OPA-based policy engine provide customers with continuous visibility into the full configuration state and security posture of their entire cloud footprint. Third party business intelligence With Fugue’s new data warehouse, teams can leverage this data to use with their third party business intelligence (BI) and security information and event management (SIEM) tools to gain better insights into their cloud environments. New integrations with Google Cloud’s Looker Business Intelligence Platform access data from the data warehouse to deliver advanced out-of-the-box reporting and data analytics capabilities that help teams understand their cloud security posture in full context while radically streamlining compliance audits. Enterprise cloud environments With Fugue, we now have access to the full configuration and compliance history of our cloud" “Fugue has simplified the process of maintaining and demonstrating compliance for our cloud environment, a task that now requires fewer resources and a fraction of the time,” said Dale Courtney, IT Manager at Emsi. “With Fugue, we now have access to the full configuration and compliance history of our cloud and can analyze that data and create our own custom reports in ways we haven’t been able to before.” “Today’s dynamic and complex enterprise cloud environments - and the modern attacks that put them at risk  - have far outpaced the ability of repurposed datacenter tools to keep data secure,” said Phillip Merrick, CEO of Fugue. Demonstrated cloud compliance “Cloud is 100% software-defined, making cloud security a software engineering problem, not a traditional security analysis one. Fugue’s next-generation CSPM takes a software engineering approach to cloud security so our customers can get their cloud configurations into compliance quickly and ensure they stay that way - without ever slowing them down.” Fugue’s next-generation CSPM capabilities empower teams to continuously demonstrate compliance using: The data warehouse that provides access to the complete configuration and compliance history of their cloud infrastructure environments for use with third party BI and SIEM tools. Advanced reporting with Google Looker that makes it easy to demonstrate cloud compliance to management and auditors - including historical audits. Configuration state modeling of every resource, relationship, and configuration attribute to understand cloud security in full context and over time. Policy-as-code analysis using OPA that automatically assesses the security posture of cloud infrastructure environments and delivers a detailed and prioritized path to bring them into compliance. Interactive, exportable visual maps that create a shared understanding across teams of what’s running in a cloud environment, including all resource relationships and security vulnerabilities. Eliminate cloud misconfiguration Fugue identifies cloud misconfiguration and compliance violations and helps teams eliminate it with: Cloud configuration baselining and drift detection to understand every change made to a cloud environment and whether those changes violate policy or introduce misconfiguration vulnerabilities. Configuration drift reporting that includes detailed remediation feedback and API-based integrations so teams can get the notifications they need, when they need them. Baseline enforcement that makes security-critical configurations self-healing by automatically remediating unauthorized change - without the need for automation scripts or the risk of unintended destructive events. Software development lifecycle Fugue empowers engineers to find and fix cloud security and compliance issues early in the software development lifecycle with: On-demand policy checks for dev environments to identify security issues and get the feedback needed to remediate them and move forward. An API to integrate cloud security in CI/CD pipelines that automatically run policy checks on cloud infrastructure configurations prior to deploying to production. Infrastructure-as-code validation with Regula, Fugue’s open source tool that applies the same OPA policy-as-code rules used to assess running cloud environments. Industry compliance standards Fugue provides turnkey support for industry compliance standards including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2. Fugue supports custom enterprise policies using OPA and provides the Fugue Best Practices framework to protect against advanced misconfiguration exploits that compliance standards miss. Fugue offers Enterprise and Team plans under a 30-day free trial, and the free Fugue Developer plan for individual engineers. It takes 15 minutes to get up and running with Fugue.

As a vast majority of companies make the rapid shift to work-from-home to stem the spread of COVID-19, a significant percentage of IT and cloud professionals are concerned about maintaining the security of their cloud environments during the transition. The findings are a part of the State of Cloud Security survey conducted by Fugue, the company putting engineers in command of cloud security. The survey found that 96% of cloud engineering teams are now 100% distributed and working from home in response to the crisis, with 83% having completed the transition or in the process of doing so. Managing cloud infrastructure remotely Of those that are making the shift, 84% are concerned about new security vulnerabilities created during the swift adoption of new access policies, networks, and devices used for managing cloud infrastructure remotely. Knowing your cloud infrastructure is secure at all times is already a major challenge" “What our survey reveals is that cloud misconfiguration not only remains the number one cause of data breaches in the cloud, the rapid global shift to 100% distributed teams is creating new risks for organizations and opportunities for malicious actors,” said Phillip Merrick, CEO of Fugue. “Knowing your cloud infrastructure is secure at all times is already a major challenge for even the most sophisticated cloud customers, and the current crisis is compounding the problem.” Traditional security analysis tools Because cloud misconfiguration exploits can be so difficult to detect using traditional security analysis tools, even after the fact, 84% of IT professionals are concerned that their organization has already suffered a major cloud breach that they have yet to discover (39.7% highly concerned; 44.3% somewhat concerned). 28% state that they’ve already suffered a critical cloud data breach that they are aware of. In addition, 92% are worried that their organization is vulnerable to a major cloud misconfiguration-related data breach (47.3% highly concerned; 44.3% somewhat concerned). Over the next year, 33% believe cloud misconfigurations will increase and 43% believe the rate of misconfiguration will stay the same. Only 24% believe cloud misconfigurations will decrease at their organization. Preventing cloud misconfiguration Preventing cloud misconfiguration remains a significant challenge for cloud engineering and security teams. Every team operating on cloud has a misconfiguration problem, with 73% citing more than 10 incidents per day, 36% experiencing more than 100 per day, and 10% suffering more than 500 per day. 3% had no idea what their misconfiguration rate is. The top causes of cloud misconfiguration cited are a lack of awareness of cloud security and policies The top causes of cloud misconfiguration cited are a lack of awareness of cloud security and policies (52%), a lack of adequate controls and oversight (49%), too many cloud APIs and interfaces to adequately govern (43%), and negligent insider behavior (32%). Only 31% of teams are using open source policy-as-code tooling to prevent misconfiguration from happening, while 39% still rely on manual reviews before deployment. Identity and access management permissions Respondents cited a number of critical misconfiguration events they’ve suffered, including object storage breaches (32%), unauthorized traffic to a virtual server instance (28%), unauthorized access to database services (24%), overly-broad Identity and Access Management permissions (24%), unauthorized user logins (24%), and unauthorized API calls (25%). Cloud misconfiguration was also cited as the cause of system downtime events (39%) and compliance violation events (34%). While malicious actors use automation tools to scan the internet to find cloud misconfigurations within minutes of their inception, most cloud teams still rely on slow, manual processes to address the problem. 73% use manual remediation once alerting or log analysis tools identify potential issues, and only 39% have put some automated remediation in place. 40% of cloud teams conduct manual audits of cloud environments to identify misconfiguration. A reliance on manual approaches to managing cloud misconfiguration creates new problems, including human error in missing or miscategorizing critical misconfigurations (46%) and when remediating them (45%). 43% cite difficulties in training team members to correctly identify and remediate misconfiguration, and 39% face challenges in hiring enough cloud security experts. Issues such as false positives (31%) and alert fatigue (27%) were also listed as problems teams have encountered. Effectiveness of cloud misconfiguration The metric for measuring the effectiveness of cloud misconfiguration management is MTTR The metric for measuring the effectiveness of cloud misconfiguration management is Mean Time to Remediation (MTTR), and 55% think their ideal MTTR should be under one hour, with 20% saying it should be under 15 minutes. However, 33% cited an actual MTTR of up to one day, and 15% said their MTTR is between one day and one week. 3% said their MTTR is longer than one week. With cloud misconfiguration rates at such high levels and a widespread reliance on manual processes to manage it, the costs are predictably high for cloud customers. 49% of cloud engineering and security teams are devoting more than 50 man hours per week managing cloud misconfiguration, with 20% investing more than 100 hours on the problem. Helping prioritize remediation efforts When asked what they need to more effectively and efficiently manage cloud misconfiguration, 95% said tooling to automatically detect and remediate misconfiguration events would be valuable (72% very valuable; 23% somewhat valuable). Others cited the need for better visibility into cloud infrastructure (30%), timely notifications on dangerous changes (i.e., “drift”) and misconfiguration (28%), and improved reporting to help prioritize remediation efforts (8%). Cloud security is about preventing the misconfiguration of cloud resources such as virtual servers, networks, and Identity and Access Management (IAM) services. Malicious actors exploit cloud misconfiguration to gain access to cloud environments, discover resources, and extract data. The National Security Agency states that “misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.” Potentially risky misconfigurations Fugue partnered with Propeller Insights to survey 300 IT, cloud, and security professionals With the cloud, there’s no perimeter that can be defended, exploits typically don’t traverse traditional networks, and legacy security tools generally aren’t effective. Because developers continuously build and modify their cloud infrastructure, the attack surface is highly fluid and expanding rapidly. Organizations widely recognized as cloud security pioneers can fall victim to their own cloud misconfiguration mistakes. With the Shared Responsibility Model, cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform are responsible for the ‘security of the cloud,’ and the customer is responsible for the ‘security in the cloud.’ While cloud providers can educate and alert their customers about potentially risky misconfigurations and good security practices, they can’t prevent their customers from making misconfiguration mistakes. Fugue partnered with Propeller Insights to survey 300 IT, cloud, and security professionals, including DevOps engineers, cloud architects, security engineers, site reliability engineers (SREs), DevSecOps engineers, and application developers. Professionals from companies representing a variety of industries that use Amazon Web Services, Microsoft Azure, and Google Cloud Platform for cloud computing were surveyed.

Fugue, the company delivering autonomous cloud infrastructure security and compliance, has announced the release of the Fugue Best Practices Framework to help cloud engineering and security teams identify and remediate dangerous cloud resource misconfigurations that aren’t addressed by common compliance frameworks. Users can deploy the Fugue Best Practices Framework within minutes to improve the security posture of their Amazon Web Service (AWS) cloud environments. Cloud misconfiguration, primary cause of data breaches Cloud misconfiguration is the number one cause of data breaches involving public cloud services Cloud misconfiguration is the number one cause of data breaches involving public cloud services such as those offered by AWS. The scale, complexity, and dynamic nature of cloud infrastructure environments often leads to significant misconfiguration events that traditional security analysis tools fail to prevent or detect. According to Neil MacDonald at Gartner, “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.” While compliance frameworks such as the CIS Foundations Benchmarks address a number of cloud misconfiguration risks, recent major cloud-based data breaches were possible due to misconfigurations not necessarily covered by these standards. The Fugue Best Practices Framework is designed to complement standards such as the CIS Foundations Benchmark to provide additional protection against today’s advanced misconfiguration attacks. Fugue Best Practices Framework “Enterprise cloud and security teams are recognizing that their current cloud security posture leaves them vulnerable to newer and more sophisticated misconfiguration attacks,” said Phillip Merrick, CEO of Fugue. “The Fugue Best Practices Framework gives cloud teams a simple tool to quickly identify these misconfigurations in their cloud environment and the most comprehensive security against cloud misconfiguration risk when used in combination with a framework like the CIS Foundations Benchmark.” The Fugue Best Practices Framework includes rules covering the following cloud vulnerabilities: Identity and Access Management (IAM) misconfigurations that can provide bad actors, including malicious insiders, with the ability to move laterally and discover resources to exploit S3 bucket policy misconfigurations that can be exploited in order to take data exfiltration actions VPC Security Group rule misconfigurations that can enable malicious access via Elasticsearch, etcd, and MongoDB services Enhancing cloud infrastructure security Fugue will continue to add new rules to the Fugue Best Practices FrameworkFugue will continue to add new rules to the Fugue Best Practices Framework as new misconfiguration attack vectors are identified. The Fugue Best Practices Framework joins a growing number of out-of-the-box cloud compliance frameworks Fugue provides, including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC2. Fugue also supports custom rules using Open Policy Agent, an open source policy as code engine, making it easy for enterprise cloud teams to create cloud infrastructure policies tailored to meet their specific use cases and security requirements. The Fugue Best Practices Framework is available now for all Fugue customers and can be used with a 30-day free trial.

Fugue, the company delivering autonomous cloud infrastructure security and compliance, has announced its support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure. Fugue is leveraging OPA and Rego, OPA’s declarative policy language, for cloud infrastructure policy-as-code to provide customers with maximum flexibility when implementing their custom enterprise policies. The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level hosted project in April 2019. Focus of OPA has been on developing access policies for Kubernetes, while Fugue is driving the adoption of OPA Open Policy Agent on access policies While much of the focus of OPA has been on developing access policies for Kubernetes, Fugue is driving the adoption of OPA to address a wider variety of use cases for securing cloud environments on Amazon Web Services (AWS) and Microsoft Azure, including the application of common compliance frameworks to full cloud infrastructure stacks. The Fugue team has developed tools and enhancements to improve OPA’s developer experience. Fugue has provided many of these enhancements to the OPA open source project, and will continue to do so. Enhancing enterprise security Fugue has also added support to its product for customer-defined rules written using OPA and Rego. This sets Fugue apart from all other cloud infrastructure policy management solutions that rely on proprietary and inflexible rule languages that lock-in customers and are incompatible with other policy languages used elsewhere in the enterprise. Fugue also uses OPA to provide out-of-the-box support for commonly used compliance frameworks including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2.  Cloud infrastructure policies Fugue has been developing policy-as-code solutions for some time, and now we’re offering an open source solution" “It’s very simple to build custom policies for our cloud infrastructure environments and validate those configurations pre-deployment using OPA and Fugue,” said Dave Williams, cloud architect and senior consultant at New Light Technologies. “Fugue simplifies the implementation and enforcement of custom cloud infrastructure policies we’ve written using OPA and helps us prove compliance at all times.” “Fugue has been developing policy-as-code solutions for some time, and now we’re offering an easy-to-use, open source solution for writing policies for cloud infrastructure,” said Phillip Merrick, CEO of Fugue. Cloud security He adds, “Our customers can use the same open language for defining their cloud infrastructure policies in Fugue that they are using for other enterprise policy needs. This eliminates the need to learn other vendors’ proprietary, inflexible policy languages.”  Fugue’s custom rules capabilities that leverage OPA enable users to: Build and manage custom, user-defined cloud infrastructure rules in OPA Rego via the Fugue API, CLI, and web interface Validate and test custom rules while they are being written with helpful errors that save time Continuously validate and report on compliance for custom rules and out-of-the-box policy frameworks Security rule evaluations “Fugue is running millions of security rule evaluations every day using OPA, so we've put a lot of work into improving performance and developer tooling and will be contributing all of that back to the open source community,” said Josh Stella, co-founder and CTO of Fugue. Josh said, “OPA is a significant development for policy-as-code, and Fugue is fully committed to supporting and contributing to it.”