Using Forseti to Secure GCP Environments

Liam Somerville
Published in Adarma Tech Blog
4 min read, Dec 18, 2019
Header image source: https://cloud.google.com/

Forseti is an open-source project designed specifically to improve the security of your Google Cloud Platform (GCP) environment. A quick Google search for “Forseti” also hints at where the name comes from: Forseti is said to be a Norse god, the equivalent of the Scandinavian “law speaker”, who often acted as a judge and decided the outcome of disputes in accordance with the law. As we are about to discover, this is rather fitting for the purpose of the Forseti tool.

As organisations move from the traditional data centre to cloud-based offerings, their security strategy, processes and tooling have struggled to keep pace with the adoption of the public cloud.

Each of the main cloud providers, Azure, AWS and GCP, offers a multitude of services to cater to your requirements. The security challenges that come with them haven’t changed from the on-prem days:

  • Keeping and maintaining an inventory
  • Lack of monitoring of your policies, or of whether something in your estate violates a policy
  • Lack of tooling to enforce settings when bad configuration is pushed, e.g. someone makes a storage bucket public, either intentionally or by accident
  • No real understanding or view of your policies across your estate

These are exactly the issues that Forseti tries to help you with in your GCP environment.

It does so by first building an inventory of your GCP environment and storing snapshots of the estate in Cloud SQL. This gives you a historical view and the ability to compare and contrast its state over time. It is configurable too: you can change how often it takes an inventory, and you can send email notifications when your snapshot has been updated.
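The snapshot history is what makes "compare and contrast" possible. As an added illustration (this is not code from the post or from the Forseti project), the script below diffs two inventory snapshots and renders the result as the one-line-per-change summary you might put in a notification email. Both snapshots are constructed sample data, and the resource names and attribute keys are assumptions rather than Forseti's own schema.

```python
"""Added example, not code from the post or from the Forseti project: compare
two inventory snapshots to see what changed in the estate between runs.

Forseti stores each inventory run in Cloud SQL; this stand-alone script shows
the kind of comparison that history makes possible. Both snapshots are
constructed sample data (assumption), keyed by a made-up resource name.
"""
from typing import Any, Dict, List, Tuple

Snapshot = Dict[str, Dict[str, Any]]

# Constructed snapshot from the earlier run (assumption: not a real project).
SNAPSHOT_T0: Snapshot = {
    "firewall/allow-ssh-corp": {"direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"]},
    "bucket/acme-web-assets": {"public": True},
    "bucket/acme-backups": {"public": False},
}

# Constructed snapshot from the later run (assumption).
SNAPSHOT_T1: Snapshot = {
    "firewall/allow-ssh-corp": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"]},
    "bucket/acme-web-assets": {"public": True},
    "bucket/acme-scratch": {"public": True},
}


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, Any]:
    """Return resources added, removed and changed between two snapshots.

    'changed' maps a resource name to {attribute: (old_value, new_value)} for
    every attribute whose value differs; unchanged resources are omitted.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, Dict[str, Tuple[Any, Any]]] = {}
    for name in sorted(set(old) & set(new)):
        for key in sorted(set(old[name]) | set(new[name])):
            before, after = old[name].get(key), new[name].get(key)
            if before != after:
                changed.setdefault(name, {})[key] = (before, after)
    return {"added": added, "removed": removed, "changed": changed}


def summarise(delta: Dict[str, Any]) -> List[str]:
    """Render the diff as one line per change, e.g. for an email notification."""
    lines = [f"+ {name}" for name in delta["added"]]
    lines += [f"- {name}" for name in delta["removed"]]
    for name, attrs in delta["changed"].items():
        for key, (before, after) in attrs.items():
            lines.append(f"~ {name}: {key} {before!r} -> {after!r}")
    return lines


if __name__ == "__main__":
    for line in summarise(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)):
        print(line)
```

Run stand-alone it reports a new public scratch bucket, a deleted backups bucket, and the SSH firewall rule widening from the corporate range to 0.0.0.0/0: exactly the kind of drift a periodic snapshot lets you catch even if nobody was watching the change at the time.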

Now is where it gets interesting: the enforcer. This is where the policies are used to compare against any changes made in the environment, and anything that violates them is corrected. An example might be that someone has tried to make a storage bucket publicly available; the enforcer finds this in the event log and takes corrective action in close to real time. Another example is within a Compute Engine firewall: someone tries to allow network access from 0.0.0.0 to a compute instance, which typically you wouldn’t do, so the enforcer reverts the rule, again in real time. It’s granular too: you can apply enforcer rules at the organisation level or at the project level in GCP, and apply exclusions as well. For instance, you may have a storage bucket that hosts all the images used on your company website; this obviously needs to be public and is a great use of an exclusion in the policy.

The scanner function in Forseti uses the inventory to scan for violations of role-based access policies in GCP.

Examples of violations the scanner can identify are:

BigQuery:

  • Datasets are publicly available
  • A user who may not be part of the organisation, e.g. one with a @gmail.com address, has access to a dataset

Blacklist:

  • The IP address of any GCP instance should not be listed on the Emerging Threats website

Cloud SQL:

  • Cloud SQL instances should not allow access from anywhere, only from authorised networks
  • Cloud SQL instances should not allow access from anywhere over SSL, only from authorised networks

Cloud storage:

  • Bucket ACLs should not be publicly accessible

Firewall:

  • Allow all ingress should be prevented

KMS:

  • Keys should be rotated every “x” days

Kubernetes:

  • Only the “x” supported versions should be allowed
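To make the scanner and enforcer ideas above concrete, here is an added example (not code from the post or from the Forseti project) that applies three of the listed checks to an inventory: allow-all ingress firewall rules, Cloud SQL instances open to anywhere (with and without SSL), and public bucket ACLs. It also honours a per-rule exclusion list, like the public website bucket described for the enforcer. Resource shapes loosely follow the Compute, Cloud SQL and Storage API JSON; the inventory, the rule ids and the exclusions are constructed sample data and assumptions, not Forseti's own rule format.

```python
"""Added example, not code from the post or from the Forseti project: a small
scanner that applies three of the checks listed above to an inventory while
honouring an exclusion list.

Resource shapes loosely follow the Compute, Cloud SQL and Storage API JSON.
The inventory, rule ids and exclusions are constructed sample data (assumption).
"""
from typing import Any, Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str]  # (rule id, resource name)

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed inventory snapshot (assumption: not from a real project).
INVENTORY: Dict[str, List[Dict[str, Any]]] = {
    "firewalls": [
        {"name": "allow-ssh-corp", "direction": "INGRESS",
         "sourceRanges": ["10.0.0.0/8"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"name": "allow-all-debug", "direction": "INGRESS",
         "sourceRanges": ["0.0.0.0/0"],
         "allowed": [{"IPProtocol": "all"}]},
        {"name": "deny-all-egress", "direction": "EGRESS",
         "destinationRanges": ["0.0.0.0/0"],
         "denied": [{"IPProtocol": "all"}]},
    ],
    "sql_instances": [
        {"name": "orders-db", "settings": {"ipConfiguration": {
            "requireSsl": True,
            "authorizedNetworks": [{"value": "0.0.0.0/0"}]}}},
        {"name": "reports-db", "settings": {"ipConfiguration": {
            "requireSsl": True,
            "authorizedNetworks": [{"value": "10.1.0.0/16"}]}}},
    ],
    "buckets": [
        {"name": "acme-web-assets", "acl": [{"entity": "allUsers", "role": "READER"}]},
        {"name": "acme-backups", "acl": [{"entity": "allAuthenticatedUsers", "role": "READER"}]},
        {"name": "acme-private", "acl": [{"entity": "project-owners-123456", "role": "OWNER"}]},
    ],
}

# Exclusions per rule id; the website bucket is meant to be public (assumption).
EXCLUSIONS: Dict[str, Set[str]] = {"bucket_public_acl": {"acme-web-assets"}}


def check_firewalls(rules: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Flag INGRESS rules that allow every protocol and port from anywhere."""
    findings: List[Finding] = []
    for rule in rules:
        if rule.get("direction") != "INGRESS":
            continue
        from_anywhere = any(cidr in ANYWHERE for cidr in rule.get("sourceRanges", []))
        allows_all = any(a.get("IPProtocol") == "all" and not a.get("ports")
                         for a in rule.get("allowed", []))
        if from_anywhere and allows_all:
            findings.append(("firewall_allow_all_ingress", rule["name"]))
    return findings


def check_sql(instances: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Flag Cloud SQL instances whose authorised networks include the whole internet.

    Requiring SSL does not make 0.0.0.0/0 acceptable, so both cases are reported,
    under separate rule ids so each can be excluded independently.
    """
    findings: List[Finding] = []
    for inst in instances:
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        nets = [n.get("value") for n in ip_cfg.get("authorizedNetworks", [])]
        if any(n in ANYWHERE for n in nets):
            rule_id = "cloudsql_open_to_world_ssl" if ip_cfg.get("requireSsl") else "cloudsql_open_to_world"
            findings.append((rule_id, inst["name"]))
    return findings


def check_buckets(buckets: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Flag buckets whose ACL grants any role to allUsers or allAuthenticatedUsers."""
    findings: List[Finding] = []
    for bucket in buckets:
        if any(entry.get("entity") in PUBLIC_ENTITIES for entry in bucket.get("acl", [])):
            findings.append(("bucket_public_acl", bucket["name"]))
    return findings


def scan(inventory: Dict[str, List[Dict[str, Any]]],
         exclusions: Dict[str, Set[str]]) -> List[Finding]:
    """Run every check and drop findings covered by an exclusion for that rule."""
    raw = (check_firewalls(inventory.get("firewalls", []))
           + check_sql(inventory.get("sql_instances", []))
           + check_buckets(inventory.get("buckets", [])))
    return [(rule_id, name) for rule_id, name in raw
            if name not in exclusions.get(rule_id, set())]


if __name__ == "__main__":
    for rule_id, name in scan(INVENTORY, EXCLUSIONS):
        print(f"VIOLATION {rule_id}: {name}")
```

Run stand-alone it reports the debug firewall rule, the orders database that is reachable from anywhere (SSL or not), and the backups bucket readable by any Google account, while the excluded website bucket is silent. Exclusions are keyed by rule id rather than by resource so that excluding the website bucket from the public-ACL check does not also excuse it from any other rule. An enforcer would use the same matching logic and then revert the offending setting instead of just reporting it.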

OK, this is all sounding great, but it’s starting to get a bit… complicated. This is where the Explain module comes in.

Explain is there to help you understand:

  • Who has access to what resources and how that user can interact with a resource
  • Why a principal has permission on a resource or why they don’t have permission and how to fix it
  • What roles provide specific permission

Scanner and Inventory both have the ability to send email notifications. There is also a new visualiser available which “attempts to enable Google Cloud Platform users to better understand their GCP Organisation Structure, while providing insights into policy adherence through the identification of violations.” In addition, any violation can be sent to Cloud Security Command Center, so that you get all security events in one single pane of glass.

The documentation for setting up Forseti is well written and detailed and can be found here. The Forseti Terraform module is the only supported method of installing Forseti Security. The default infrastructure for Forseti is Google Compute Engine. The module also supports installing Forseti on Google Kubernetes Engine (GKE), which at some point in the future will become the default. For more information on installing Forseti on GKE, please see the detailed guide on setting up Forseti on GKE.

Forseti is continually being developed, as can be seen from their detailed release log.

Support for Forseti is community-driven through their Slack channel. They hold a meeting on Hangouts every Tuesday from 9 AM to 9:30 AM PST, and there is a Google Group where you can post to discuss@forsetisecurity.org.
