Common Fugue terms and concepts are defined below.
- baseline
A snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security.
- CIS AWS
CIS AWS Foundations Benchmark v. 1.2.0 is a set of configuration guidelines created by the Center for Internet Security (CIS) for various technology groups to safeguard their AWS systems against today’s evolving cyber threats. Abbreviated as
- CIS Azure
CIS Azure Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Azure infrastructure against today’s evolving cyber threats. Abbreviated as
- compliance control
An individual recommendation within a compliance standard. For example, CIS AWS 2-9, “Ensure VPC flow logging is enabled in all VPCs,” is a control in the CIS AWS compliance standard.
- compliance standard
A group of compliance controls that Fugue evaluates infrastructure against. For example, Fugue supports the following standards: CIS AWS, CIS Azure, GDPR, HIPAA, ISO 27001, NIST SP 800-53, PCI-DSS, and SOC 2. Also called
- compliant
Describes a resource configuration that adheres to a compliance control from standards such as SOC 2, ISO 27001, PCI, HIPAA, CIS, or NIST 800-53.
- custom rule
- drift
Any change made to the configuration of a resource, the deletion of existing resources, or the creation of new resources that deviates from a baseline. Drift is typically an inadvertent change made outside of the official change control process and can cause security or operational issues.
- drift detection
Fugue detects any configuration changes that deviate from a baseline.
- baseline enforcement
An action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” Also called auto-remediation.
- environment
An environment represents not just cloud infrastructure but the state of its compliance and whether it has changed (drifted) from its ideal configuration. Through this concept of an environment, Fugue is able to provide you with a comprehensive snapshot of your compliance state at any given moment. Once you set a baseline – a known-good configuration – Fugue monitors your resources for drift.
A collection of cloud resources within a single cloud account and region that Fugue uses as a “unit” to manage security and compliance assessments as well as baseline configuration drift/enforcement.
- GDPR
GDPR (2016/679) refers to the European General Data Protection Regulation, a set of standards introduced for data protection and privacy for individuals within the EU and EEA. Abbreviated as
- HIPAA
HIPAA (2013) regulations protect the privacy and security of certain health information. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. Abbreviated as
- infrastructure
Also referred to as Infrastructure as a Service (IaaS). The set of virtualized computing resources, generally divided into compute, networking, and storage functions, but also covering newer functions such as serverless computing, stream processing, or container orchestration. Cloud infrastructure configurations are typically exposed and configured via APIs.
- ISO 27001
ISO 27001 (2013) is a specification for information security management systems. It also includes controls for information risk management processes. Abbreviated as
- NIST SP 800-53
NIST SP 800-53 Rev. 4 provides standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST is short for National Institute of Standards and Technology. Abbreviated as
- noncompliant
Describes a resource configuration that violates a compliance control from standards such as SOC 2, ISO 27001, PCI, HIPAA, CIS, or NIST 800-53.
- PCI-DSS
PCI-DSS v. 3.2.1 is a set of standards that emphasizes data security for companies that process credit cards. PCI-DSS is short for Payment Card Industry Data Security Standard. Abbreviated as
- resource
An entity you can work with in the cloud that has a unique resource ID for a cloud provider (examples: AWS EC2 instance, VPC Flow Log, Security Group).
- self-healing infrastructure
Cloud resources that use baseline enforcement to revert drift back to the baseline and “heal” themselves of misconfigurations. The baseline provides the necessary context to perform self-healing safely and without code.
- service
A public cloud provider “product”, usually with its own API, such as storage, servers, networking, etc. Examples: AWS EC2, AWS IAM, AWS S3, Azure Virtual Machines, Azure Blob Storage.
- SOC 2
SOC 2 (2017) is a compliance report for Statement on Standards for Attestation Engagements (SSAE). SOC 2 reports apply to service organizations that hold, store, or process customer data in the cloud. Abbreviated as