Choosing a compliance-as-code tool for DevSecOps can be almost as complex as getting developers, IT ops and security pros to collaborate. One company that serves security-conscious federal agencies cut through the confusion to pick a tool that covers all the bases with an easy interface.
When New Light Technologies (NLT) in Washington, D.C. sought to establish DevSecOps practices for its cloud computing environments in 2018, it had a plethora of choices for a compliance-as-code tool. Among them were native cloud service provider tools such as CloudFormation and Azure Resource Manager; infrastructure-as-code vendor HashiCorp's Sentinel compliance-as-code tool for Terraform; configuration management tool products, such as Chef, Puppet and Ansible, which can create recipes, modules and runbooks to inspect infrastructure configurations against compliance requirements; code security testing tools including SonarQube, Veracode, Contrast Security and others; and compliance policy enforcement tools such as Alcide and Twistlock that automatically create web application firewall rules. The list goes on, with security-as-code tools such as Alert Logic, CloudPassage and Illumio.
Any of these tools, or a combination thereof, offered the ability to automate the creation and enforcement of security and compliance policies. But Dave Williams, cloud architect at NLT, drew on previous experience as cloud architect at the Federal Reserve, which struggled with complex accreditations, to prioritize simplicity for NLT's DevOps tool selection.
"If we'd had the ability to point a tool at an environment, let's say a region in AWS or Azure, and say, 'Compare what's deployed to a control set' – NIST, CIS [Center for Internet Security], SOC [System and Organization Controls] or GDPR – that would have saved us a lot of time," Williams said. He was hired to beef up NLT's cloud strategy in mid-2018, and brought in Fugue for compliance as code shortly thereafter.
"With the amount of change in our industry and with so much out there, it's important to me that I can quickly understand how software works and that I can quickly see how it brings me value," Williams said. "I may spend half a day standing up a new product, and it's still sort of opaque about what direct value they offer. But five minutes after I signed up for Fugue, I could scan an account and see what was not in compliance and what had drifted."
Fugue differs from compliance and security monitoring tools, such as Alcide Advisor, that alert security or IT ops pros to configuration drift and offer tips on how to fix it. NLT works with complex geospatial mapping apps such as Mapbox and Esri for federal customers, competing on its ability to quickly roll out new application environments. Thus, Fugue's automated remediation of compliance drift was a better fit for NLT, which doesn't want to wait for human staff to correct non-compliant resources and configurations.
"Because everything we do is code, we're able to roll it out in hours or minutes, as opposed to days, in some very complex Esri environments, without having to write all kinds of CloudWatch alarms or custom Lambda functions," Williams said. "Fugue acts as a massive safety net since I can immediately know if something changes, and it can self-enforce the [desired] configuration."
NLT also values Fugue's recently added support for Azure in addition to AWS, as multi-cloud support is increasingly important to both public and private-sector clients.
With great DevSecOps speed comes great responsibility
Fugue allowed NLT to quickly implement compliance as code, but the company still must flesh out an end-to-end DevSecOps practice that covers its CI/CD pipelines as well as production infrastructure. Fugue can integrate with the CI/CD process, but NLT still has to do that integration work itself; done improperly, it could set rapid application development at odds with Fugue's mandate to block configuration drift.
"We're improving our internal customer management, working on a CI process combining Terraform, Ansible and we need to plug Fugue into that," Williams said. "If we make a change to an environment and don't let Fugue know, it's going to see drift and roll it back."
Fugue's APIs are easy to work with to create such integration, Williams said. For example, NLT has also used Fugue to determine "common denominator" compliance configuration practices that span multiple regulatory frameworks from FedRAMP to HIPAA, and create a default baseline template for its managed services platform. It also plans to use Fugue as customers move Kubernetes clusters from development and sandbox environments to production.
"A lot of it's common sense, but we've used Fugue to call out that set of controls, so that customers are protected independent of whether they're beholden to a certain control set or not," Williams said.
Further down the road, Williams doesn't rule out working with more policy enforcement automation tools such as Open Policy Agent (OPA) to augment Fugue's features.
"Maybe Fugue keeps telling me that my developers keep deploying risky security group patterns," Williams said. "This is where I use a tool like OPA to set a policy so that it cannot be done."
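A policy of the kind Williams describes, written here as an added example rather than anything from NLT, Fugue or the OPA project: an OPA Rego policy evaluated against Terraform plan JSON (the output of `terraform show -json`) that denies any AWS security group ingress rule opening an assumed set of risky ports (22 and 3389 here) to the whole internet. The plan-JSON field names follow Terraform's documented format; the port list and the `terraform.security_groups` package name are this example's own choices.

```rego
package terraform.security_groups

import rego.v1

# Ports the policy treats as risky when exposed to 0.0.0.0/0 (assumed
# list for this example; an organisation would set its own baseline).
risky_ports := {22, 3389}

# Resources the plan will create or update, with post-change attributes.
planned contains r if {
    some r in input.resource_changes
    some action in r.change.actions
    action in {"create", "update"}
}

# Ingress blocks declared inline on aws_security_group resources.
ingress_rules contains {"address": r.address, "rule": rule} if {
    some r in planned
    r.type == "aws_security_group"
    some rule in r.change.after.ingress
}

# Stand-alone aws_security_group_rule resources of type "ingress".
ingress_rules contains {"address": r.address, "rule": r.change.after} if {
    some r in planned
    r.type == "aws_security_group_rule"
    r.change.after.type == "ingress"
}

# A rule is world-open if it lists the IPv4 or IPv6 any-address range.
world_open(rule) if "0.0.0.0/0" in rule.cidr_blocks
world_open(rule) if "::/0" in rule.ipv6_cidr_blocks

# A rule covers a risky port if that port lies in [from_port, to_port],
# or if it allows all traffic (protocol "-1").
covers_risky_port(rule) if {
    some p in risky_ports
    rule.from_port <= p
    p <= rule.to_port
}
covers_risky_port(rule) if rule.protocol == "-1"

# Each deny message names the offending resource and its port range;
# a CI step fails the pipeline when this set is non-empty.
deny contains msg if {
    some ir in ingress_rules
    world_open(ir.rule)
    covers_risky_port(ir.rule)
    msg := sprintf("%s: ingress open to the internet on ports %v-%v",
        [ir.address, ir.rule.from_port, ir.rule.to_port])
}
```

In a pipeline this runs as `opa eval -i plan.json -d policy.rego "data.terraform.security_groups.deny"`, with the build failing when the result set is non-empty, so the pattern is blocked before Fugue ever has to report it as drift.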