A standalone SaaS product drawn from their Fugue Platform, Risk Manager is a cloud-native monitoring and compliance enforcement solution that establishes good baseline configurations in regulatory environments, monitors drift from them, and can use automated remediation to correct drift if the customer wants that.
Today, cloud security vendor Fugue is publicly launching their new Fugue Risk Manager SaaS offering at the AWS Re:Invent show in Las Vegas. Risk Manager provides the automated monitoring and compliance enforcement capabilities of the Fugue Platform in a SaaS format. While the Frederick, Maryland-based company pre-announced Risk Manager last week, they will be doing the formal launch at Re:Invent, where they are also demoing the new solution.
“Fugue is an on-prem software platform that you run in the cloud,” said Phillip Merrick, Fugue’s CEO. “We’ve taken the compliance and automated security monitoring capabilities from the Fugue Platform, and put them into an easy-to-access SaaS application called Risk Manager, which we are formally unveiling at AWS Re:Invent.” The Fugue Platform itself was just updated a month ago, with the release of the Fugue Compliance Suite in the platform’s 1.8 release.
Merrick, who joined Fugue as CEO in July, was recruited away from his previous CEO position at email delivery vendor SparkPost because he was impressed with Fugue’s technology and value proposition.
“The number one thing Fugue sells is assurance – not that you won’t have a breach, but that the policies put in place to guard against it are there, all day every day,” he said. “When the recruiters explained it to me, I understood the proposition instantly, and that’s why I joined Fugue.”
Josh Stella, the founding CEO, moved to the Chief Technology Officer role in July when Merrick came in.
“Sometimes this kind of move takes place because the decision is forced on them, but not in this case,” Merrick said. “The CEO went to the board and said he wanted to bring in a world class CEO, and move to the technology role.”
There are multiple offerings in this space, but Merrick said that Fugue has some differentiated advantages, in being cloud-native, in their core methodology, and in their capability to remediate as well as scan and alert.
“Suites have been brought to market where they really weren’t focused on the cloud,” he stated. “That’s why they are making acquisitions to secure their cloud footprint by bringing in point solutions who can do that natively. Other competing products are simple-minded scanning products, which scan against a list of rules of things that might be bad. We do it differently. Our tool establishes a known good baseline. We then look for drifts from this known good configuration, which happens all day, every day. We scan constantly and report on the drift events, and then, optionally, we put it back to the way we should be. So what’s different about us is our ability to establish that known good baseline, to monitor against that baseline, and to provide automated remediation. Nobody else has that combination of capabilities. We also don’t bug people with a lot of false positives, because we work off what’s good, and get truly actionable alerts.”
The baseline establishes resource configuration for common compliance regimes, including AWS CIS Benchmarks, NIST 800-53 Rev. 4, GDPR, HIPAA, and custom controls specified by the customer.
Merrick said some customers are still leery about automated remediation out of the gate.
“They like the idea of an automated capability, but past experience with automation creates some inherent distrust, especially around a new vendor,” he said. “It’s a rare individual who brings in a brand new vendor and will trust them to make changes without assessing what changes they will want to make. They take a Trust But Verify position – they are inclined to trust us, but want to see what we will do. We find that as customers get confident, they inevitably move to automated remediation, which reduces time to remediation to as little as minutes, and a few hours at most.”
As a SaaS product, Risk Manager is well-suited for MSPs, and Fugue has been seeing interest from some large ones as they build their channel ecosystem out.
“We have channel partnerships already in place, particularly with Unisys in the federal and commercial space,” Merrick said. “We have others in the process of being developed, which are not yet at the stage where they can be announced. With Unisys we have our Platform product in their managed service offering, although we also work with them in their systems integrator business. We are also seeing a lot of interest from major MSPs. It’s a very good value proposition for the MSP, because in addition to keeping workloads safe, we increase their margin and bring down the cost. It’s an attractive proposition for them.”
The goal is to build out a select value channel.
“We offer a differentiated value proposition where partners can pitch as part of their offering, and we are getting pulled into bids with partners where we can provide the subject matter expertise around cloud providers,” Merrick said. “That has us playing a more strategic role. For the foreseeable future, we want to work with a small number of significant partners.”
Fugue and their Risk Manager offering will be at AWS Re:Invent at Booth #2305.