Common Fugue terms and concepts are defined below.
A snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security.
- CIS AWS
CIS AWS Foundations Benchmark v. 1.2.0 is a set of configuration guidelines created by the Center for Internet Security (CIS) for various technology groups to safeguard their AWS systems against today’s evolving cyber threats. Abbreviated as
CISin Fugue. See Compliance.
- CIS Azure
CIS Azure Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Azure infrastructure against today’s evolving cyber threats. Abbreviated as
CISAZUREin Fugue. See Compliance.
- compliance control
- compliance standard
A group of compliance controls that Fugue evaluates infrastructure against. For example, Fugue supports the following standards: CIS AWS, CIS Azure, GDPR, HIPAA, ISO 27001, NIST SP 800-53, PCI-DSS, and SOC 2. Also called
- custom rule
Any change made to the configuration of a resource, or the deletion of existing resources or the creation of new resources that deviate from a baseline. Drift is typically an inadvertent change made outside of official change control process and can cause security or operational issues. See Drift Detection.
- drift detection
- baseline enforcement
An action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” See Enabling Enforcement.
A collection of cloud resources within a single cloud account and region that Fugue uses as a “unit” to manage security and compliance assessments as well as baseline configuration drift and enforcement. An environment represents not just cloud infrastructure but the state of its compliance and whether it has changed (drifted) from its ideal configuration. See Environment Configuration.
- Fugue Best Practices
The Fugue Best Practices Framework complements the CIS Benchmarks by providing guidance and recommendations to secure cloud resources against advanced misconfiguration exploits. For a list of rules, see Fugue Best Practices.
GDPR (2016/679) refers to the European General Data Protection Regulation, or standards that were introduced for data protection and privacy for individuals within the EU and EEA. Abbreviated as
GDPRin Fugue. See Compliance.
HIPAA (2013) regulations protect the privacy and security of certain health information. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Abbreviated as
HIPAAin Fugue. See Compliance.
Also referred to as Infrastructure as a Service (IaaS). The set of virtualized computing resources generally divided into compute, networking, and storage functions but can also be applied to new functions such as serverless computing, stream processing, or container orchestration. Cloud infrastructure configurations are typically exposed and configured via APIs.
- ISO 27001
ISO 27001(2013) is a specification for information security management systems. It also includes controls for information risk management processes. Abbreviated as
ISO27001in Fugue. See Compliance.
- NIST SP 800-53
NIST SP 800-53 Rev. 4. provides standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST is short for National Institute of Standards and Technology. Abbreviated as
NISTin Fugue. See Compliance.
PCI-DSS v. 3.2.1. is a set of standards that emphasizes data security for companies that process credit cards. PCI-DSS is short for Payment Card Industry Data Security Standard. Abbreviated as
PCIin Fugue. See Compliance.
A resource is any configuration item that needs to be tracked and analyzed from a policy or drift perspective. Examples of AWS resources include EC2 instances, ELB listeners, customer-managed IAM policies, KMS keys, and S3 bucket policies. Examples of Azure resources include managed disks, SQL servers, storage accounts, and virtual networks. See Service Coverage for a full list of resource types.
Resources Under Management (RUM). For billing purposes, Fugue calculates RUM. RUM excludes all AWS-managed IAM policies (e.g.,
SecurityAudit), and duplicate resources are excluded, so if multiple environments include the same resources, Fugue will only count those resources once. See Service Coverage.
A scan is a comprehensive survey of a Fugue environment to retrieve resource configuration state, assess compliance, and identify potential misconfigurations.
- self-healing infrastructure
Cloud resources that use baseline enforcement to revert drift back to the baseline and “heal” itself of misconfigurations. The baseline provides the necessary context to perform self-healing safely and without code.
A public cloud provider “product,” usually with its own API, such as storage, servers, networking, etc. Examples: AWS EC2, AWS IAM, AWS S3, Azure Virtual Machines, Azure Blob Storage
- SOC 2
SOC 2 (2017) is a compliance report for Statement on Standards for Attestation Engagements (SSAE). SOC 2 reports apply to service organizations that hold, store, or process customer data in the cloud. Abbreviated as
SOC2in Fugue. See Compliance.