
Spotify and Google Release Forseti GCP Security Tools

by Andrew Morgan on Sep 18, 2017. Estimated reading time: 2 minutes

Google has opened up Forseti Security, a set of open source tools for Google Cloud Platform (GCP) security, to all GCP users. The project is the result of a collaborative effort between Spotify and Google, merging what was originally separate work into a single toolkit. It aims to automate security processes for developers so that they can develop more freely.

The core set of tools is:

  1. Inventory: Intermittent resource snapshotting for security auditing purposes.
  2. Scanner: Monitoring of role-based access controls on resources, with a notification system which will fire when policies are wrong.
  3. Enforcer: Forces resource security policies to be in a desired state, preventing any unwanted changes.
  4. IAM Explain: Helps reason about and create Cloud Identity and Access Management Policies.

At Spotify, Forseti is used to create a notifications pipeline which informs developers about risky security configurations. Their aim is for development teams to have operational ownership of security, raising awareness and removing blockers. They explain:

Forseti gives us visibility into the GCP infrastructure that we didn’t have before, and we use it to help make sure we have the right controls in place and stay ahead of the game. It helps keep us informed about what’s going on in our environment so that we can quickly find out about any risky misconfigurations so they can be fixed right away. These tools allow us to create a workflow that puts the security team in a proactive stance rather than a reactive one. We can inform everyone involved in time rather than waiting for an incident to happen.

At its core, the inventory tool is used to store information about GCP resources, and the scanner and enforcer tools then operate on that data. A list of which GCP resources are covered by which tools is published in a coverage table.

The main use case for the inventory is auditing, making it easy to determine at what point in time resource security might have been changed, and by whom.

The scanner tool makes use of a JSON or YAML rules definition file to define the expected security policies for resources. A rules engine then diffs the expected policies against the actual ones, and any violations are output and stored in Cloud SQL.
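To make the scanner's expected-versus-actual diff concrete, here is an added example (not Forseti's own code) of a minimal rules engine in the same spirit: it loads a JSON rules file, walks an inventory snapshot of IAM bindings, and reports violations. The rule schema (whitelist/blacklist modes with glob patterns) and all resources, members and roles are constructed assumptions, not Forseti's real format.

```python
import fnmatch
import json

# Constructed rules file. Schema is an assumption made for this example:
# a "blacklist" rule flags any matching member; a "whitelist" rule flags
# any member that matches none of the allowed patterns.
RULES_JSON = """
{
  "rules": [
    {"name": "no public members", "resource": "*", "role": "*",
     "mode": "blacklist", "members": ["allUsers", "allAuthenticatedUsers"]},
    {"name": "owners must be in the org domain",
     "resource": "projects/prod-app", "role": "roles/owner",
     "mode": "whitelist",
     "members": ["user:*@example.com", "group:*@example.com"]}
  ]
}
"""

# Constructed inventory snapshot: resource name -> list of IAM bindings,
# standing in for what the inventory tool would have stored.
INVENTORY = {
    "projects/prod-app": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:mallory@gmail.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
    ],
    "projects/dev-sandbox": [
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
    ],
}

def load_rules(text):
    return json.loads(text)["rules"]

def scan(rules, inventory):
    """Diff expected policy (rules) against actual bindings; return violations."""
    violations = []
    for rule in rules:
        for resource, bindings in inventory.items():
            if not fnmatch.fnmatchcase(resource, rule["resource"]):
                continue
            for binding in bindings:
                if not fnmatch.fnmatchcase(binding["role"], rule["role"]):
                    continue
                for member in binding["members"]:
                    listed = any(fnmatch.fnmatchcase(member, p) for p in rule["members"])
                    # blacklist: listed is bad; whitelist: not listed is bad
                    if listed if rule["mode"] == "blacklist" else not listed:
                        violations.append({"rule": rule["name"], "resource": resource,
                                           "role": binding["role"], "member": member})
    return violations

if __name__ == "__main__":
    for v in scan(load_rules(RULES_JSON), INVENTORY):
        print(v)
```

Running it reports the public `allUsers` viewer binding and the non-domain owner on `projects/prod-app`; the sandbox project passes both rules.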

Rather than just monitoring and reporting, the enforcer tool acts on any detected policy or rule violations. It does this by using the various Google Cloud APIs to bring resources back into their desired security states.

The explain tool is used to analyse and develop Cloud IAM policies, which typically become difficult to reason about in more complex projects. For example, it can explain why a principal has access to a certain resource, or suggest a way to grant a principal access to a certain resource.

Both the Forseti security documentation and source code can be found online, and are available for installation and use with GCP immediately.
