Forseti Security for Google Cloud Platform (GCP)

By albert
7 May 2019

Metallica sang in “…And Justice for All”: “Hammer of justice crushes you overpower”, so who’s better to judge us than Forseti, Norse God of Justice! (epic thunderbolt).

What? Is it not the topic? Damn! Well, let’s talk about Forseti Security then.

Forseti Security is an open source toolkit designed to:

  • Take snapshots of resources on a recurring cadence, so you always have a history of what was in your cloud.
  • Scan your GCP resources to ensure that access controls are set as you intended and protect against unsafe changes.
  • For the most important policies, provide enforced correction to ensure the safest settings on GCP resources.
  • Gain visibility into your IAM policies and answer key questions about who has what access to which resources.

To provide these features, Forseti Security is composed of the following modules:

Inventory: Regularly collects data from your GCP resources and makes it available to the other modules, providing visibility into existing GCP resources.

Scanner: Periodically compares your rules about GCP resource policies against the policies collected by Inventory and saves the output for your review, helping you to detect misconfigurations and security issues.

Explain: Helps you understand and develop Cloud IAM, providing information about who has what access to which GCP resources.

Enforcer: Changes resource policy state to match the state you define, removing unwanted configurations or granted permissions from GCP resources.

Notifier: Keeps you up to date about Forseti findings and actions through different channels (SendGrid, Cloud Storage, Cloud Security Command Center…).
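To make the Inventory-to-Scanner relationship concrete, here is an added illustration (not Forseti's own code): a constructed IAM snapshot, as Inventory might collect it, is checked against whitelist and blacklist rules in a simplified, hypothetical rule format, and every mismatch becomes a finding for review. The resource name, principals and rule format are all assumptions made for the example.

```python
# Added illustration (not Forseti's own code): a minimal Scanner-style check.
# An Inventory snapshot of IAM policies (constructed sample data) is compared
# against whitelist/blacklist rules, the way the Scanner compares rules to
# collected policies, and each mismatch becomes a violation for review.
from fnmatch import fnmatch

# Constructed sample: what Inventory might have collected for one project.
INVENTORY = {
    "projects/demo-project": {
        "roles/owner": ["user:alice@example.com", "user:contractor@gmail.com"],
        "roles/viewer": ["group:auditors@example.com"],
        "roles/editor": ["allUsers"],
    }
}

# Constructed rules in the spirit of Forseti IAM rules (hypothetical format).
RULES = [
    {"name": "owners must be corporate accounts", "mode": "whitelist",
     "role": "roles/owner", "members": ["user:*@example.com"]},
    {"name": "no public principals on any role", "mode": "blacklist",
     "role": "*", "members": ["allUsers", "allAuthenticatedUsers"]},
]


def member_matches(member, patterns):
    """True if a principal matches any glob pattern (e.g. user:*@example.com)."""
    return any(fnmatch(member, p) for p in patterns)


def scan(inventory, rules):
    """Return one violation dict per (resource, role, member) that breaks a rule."""
    violations = []
    for resource, bindings in inventory.items():
        for role, members in bindings.items():
            for rule in rules:
                if rule["role"] not in ("*", role):
                    continue
                for member in members:
                    matched = member_matches(member, rule["members"])
                    # whitelist: members must match; blacklist: members must not.
                    if (rule["mode"] == "whitelist") != matched:
                        violations.append({"rule": rule["name"], "resource": resource,
                                           "role": role, "member": member})
    return violations


if __name__ == "__main__":
    for v in scan(INVENTORY, RULES):
        print(f"[{v['rule']}] {v['resource']} {v['role']} -> {v['member']}")
```

Run as-is it reports the non-corporate owner and the public editor binding; in Forseti the equivalent findings would be persisted by the Scanner and surfaced by the Notifier.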

Combining all these functionalities, we are able to define some interesting procedures for a few security dimensions:

Security Compliance

  • To define and to monitor our security framework.
  • To enforce our security framework to ensure the compliance (Optional).

Security Monitoring

  • To monitor the platform changes regarding the policies about:
    • Resources
    • IAM
    • Firewalling
  • To monitor the defined security events.

Security Governance

  • To inventory all the resources, users and roles of the platform.
  • To define and to show security indicators (e.g. using BigQuery and Data Studio).

Author: Germán Arranz
