Security at Fugue

Bulletins

2021/12/13, updated 2021/12/17
Fugue is aware of the security issues affecting the Apache Log4j library, CVE-2021-44228 and CVE-2021-45046. The Fugue Platform, including its engine, API, client, and Regula, are not written with Java components and are therefore not affected by this issue. Fugue's reporting components are operated by Google Looker and were patched on December 13th, 2021 for CVE-2021-44228 and on December 16, 2021 for CVE-2021-45046. Fugue customers do not need to perform any remediating actions at this time. We are actively tracking AWS's remediation for the services Fugue is built on. For more information please see the AWS response.

Attestation and Certifications

Fugue is SSAE-18/SOC 2 Type II Compliant
Fugue is CIS Certified

Our Security Philosophy

Security is a first-class citizen at Fugue, and we are committed to ensuring the security of our customers and their data.

Securing Your Data

The following technical and organizational measures are performed on the processes taken by Fugue:

Physical access controls:

• Fugue is built on Amazon Web Services and leverages all the platform's available security, privacy, and redundancy features
• AWS maintains controls regarding physical and environmental security according to the shared responsibility model
• Fugue is serverless by design to reduce attack surface and decrease operational overhead

Logical access controls:

• Access to production data systems is denied by default
• Audits are performed quarterly to ensure appropriate levels of access are authorized and commensurate with employee job function
• Fugue's data stores are private with a number of restrictions to ensure they are not publicly accessible
• Fugue scans itself to continuously monitor for security and compliance issues
• Fugue employs security automations backed by AWS WAF
• Fugue employs AWS services for IDS/IPS functionality across all production accounts

Operational controls:

• All Fugue employees undergo a thorough background check before hire
• All employees sign a proprietary information and inventions assignment (PIIA) at time of hire
• All employees undergo security training at time of hire and annually thereafter
• Fugue's critical vendors are reviewed annually
• Fugue exercises incident response policies and procedures annually
• Fugue undergoes annual risk discovery exercises followed by semiannual check-ins
• Device security is audited quarterly
• Third party packages are checked for vulnerabilities on each commit, including in Javascript, Go, and Python code and audited quarterly
• Fugue follows the latest NIST guidelines regarding password and MFA requirements
• Fugue leverages third parties to conduct penetration and vulnerability testing
• Fugue conducts application vulnerability scans quarterly using industry standard tools

Storage controls:

• All data is encrypted at rest
• All data is stored using highly available and durable services

Transmission controls:

• All data is encrypted in transit using TLS 1.2 and above protocols
• Removable storage is not used

Availability controls:

• Fugue maintains business continuity and disaster recovery plans
• Disaster recovery is tested annually or when significant changes occur to the infrastructure
• Disaster recovery is conducted in a separate AWS account to ensure no production disruptions
• Backups occur continuously and are stored in a separate AWS account with restricted access
• Backups are encrypted at rest and in transit to the backup account

Separation controls:

• Fugue maintains separate accounts for development, staging, and production
• Data is segmented such that no production data can be moved to non-production environments

Report an Issue

Security belongs to everyone, including you. Fugue highly values and encourages participation from our community using our responsible reporting process.

We're very appreciative when members of the security community report vulnerabilities to us.

Report these issues directly to security@fugue.co

Please use these guidelines:

• Use our PGP key (available below) to encrypt your report
• Do not submit vulnerabilities through the Fugue UI via Receptive
• Give us enough detail to reproduce the vulnerability

Responsible Disclosure

Fugue will investigate all reports and act to remediate vulnerabilities as quickly as possible. We will not take legal action against you provided you comply with the following:

• Do not access or modify data that does not belong to you
• Do not attempt to DOS the UI or API
• Allow us a reasonable amount of time to respond to, evaluate, and resolve security incidents before making any information public