
Spotify and Google Release Forseti GCP Security Tools


Google has opened up Forseti Security, a set of open source tools for Google Cloud Platform (GCP) security, to all GCP users. The project is the result of a collaborative effort between Spotify and Google, combining what was originally separate work into a single toolkit. It aims to automate security processes for developers so that they can develop more freely.

The core set of tools is:

  1. Inventory: Intermittent resource snapshotting for security auditing purposes.
  2. Scanner: Monitoring of role-based access controls on resources, with a notification system which will fire when policies are wrong.
  3. Enforcer: Forces resource security policies to be in a desired state, preventing any unwanted changes.
  4. IAM Explain: Helps reason about and create Cloud Identity and Access Management Policies.

At Spotify, Forseti is used to create a notifications pipeline which informs developers about risky security configurations. Their aim is for development teams to have operational ownership of security, raising awareness and removing blockers. They explain:

Forseti gives us visibility into the GCP infrastructure that we didn’t have before, and we use it to help make sure we have the right controls in place and stay ahead of the game. It helps keep us informed about what’s going on in our environment so that we can quickly find out about any risky misconfigurations so they can be fixed right away. These tools allow us to create a workflow that puts the security team in a proactive stance rather than a reactive one. We can inform everyone involved in time rather than waiting for an incident to happen.

At its core, the inventory tool stores information about GCP resources, and the scanner and enforcer tools operate on that data. A list of which GCP resources are covered by which tools is published in a coverage table.

The main use case for the inventory is auditing, making it easy to determine at what point in time resource security might have been changed, and by whom.

The scanner tool uses a JSON or YAML rules definition file to define the expected security policies for resources. A rules engine then diffs the expected policies against the actual ones, and any violations are output and stored in Cloud SQL.

Rather than just monitoring and reporting, the enforcer tool acts on any detected policy or rule violations, using the various Google Cloud APIs to bring resources back into their desired security states.
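To make the scanner and enforcer steps above concrete, here is a small, added Python example (not Forseti's own code, and not its rule schema) of a rules engine that diffs expected IAM bindings against an inventory snapshot and then computes the desired policy with the violating members removed. The inventory snapshot, the JSON rules document and its `allowed_members` glob-pattern field are all constructed for the example; a real enforcer would go on to apply the desired policy through the Cloud IAM API, which this example deliberately does not do.

```python
import fnmatch
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory snapshot: resource name -> list of IAM bindings.
# In Forseti this data would come from the inventory tool; here it is inline.
INVENTORY: Dict[str, List[dict]] = {
    "projects/demo-project": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:mallory@external.test"]},
        {"role": "roles/viewer",
         "members": ["allUsers", "group:devs@example.com"]},
    ],
}

# Constructed rules file. Hypothetical schema (NOT Forseti's): each rule names
# a resource glob, a role, and glob patterns for the members allowed to hold it.
RULES_JSON = """
{
  "rules": [
    {"name": "owners-internal-only", "resource": "projects/*",
     "role": "roles/owner", "allowed_members": ["user:*@example.com"]},
    {"name": "no-public-viewers", "resource": "projects/demo-project",
     "role": "roles/viewer",
     "allowed_members": ["user:*@example.com", "group:*@example.com"]}
  ]
}
"""


@dataclass(frozen=True)
class Violation:
    rule: str
    resource: str
    role: str
    member: str


def load_rules(text: str) -> List[dict]:
    """Parse the JSON rules document (a YAML loader would slot in here too)."""
    return json.loads(text)["rules"]


def _allowed(member: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(member, p) for p in patterns)


def scan(inventory: Dict[str, List[dict]], rules: List[dict]) -> List[Violation]:
    """Scanner step: report every member of a governed role not on the allow list."""
    violations: List[Violation] = []
    for resource, bindings in inventory.items():
        for binding in bindings:
            for rule in rules:
                if not fnmatch.fnmatchcase(resource, rule["resource"]):
                    continue
                if binding["role"] != rule["role"]:
                    continue
                for member in binding["members"]:
                    if not _allowed(member, rule["allowed_members"]):
                        violations.append(
                            Violation(rule["name"], resource, binding["role"], member))
    return violations


def desired_policy(inventory: Dict[str, List[dict]],
                   violations: List[Violation]) -> Dict[str, List[dict]]:
    """Enforcer step (planning only): bindings with violating members removed.

    Empty bindings are dropped, mirroring how an IAM policy would look once
    the offending members are gone. No API call is made here.
    """
    bad = {(v.resource, v.role, v.member) for v in violations}
    desired: Dict[str, List[dict]] = {}
    for resource, bindings in inventory.items():
        kept = []
        for b in bindings:
            members = [m for m in b["members"]
                       if (resource, b["role"], m) not in bad]
            if members:
                kept.append({"role": b["role"], "members": members})
        desired[resource] = kept
    return desired


if __name__ == "__main__":
    found = scan(INVENTORY, load_rules(RULES_JSON))
    for v in found:
        print(f"[{v.rule}] {v.resource} {v.role} -> {v.member}")
    print(json.dumps(desired_policy(INVENTORY, found), indent=2))
```

Running it reports two violations (the external owner and the public viewer) and prints a desired policy in which only the example.com members remain; the diff between that and the inventory is exactly what an enforcer would push back to the platform.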

The explain tool is used to analyse and develop Cloud IAM policies, which can become difficult to reason about in more complex projects. For example, it can explain why a principal has access to a certain resource, or suggest a way to grant a principal access to a certain resource.

Both the Forseti security documentation and source code can be found online, and are available for installation and use with GCP immediately.
