A Review of Forseti Security for GCP

This is a write-up of the findings from the Forseti Security POC which was conducted with Forseti Security v1.1.8.

The results of this phase are clear: Forseti Security is too immature to add any value to my organization at this time.  This conclusion has been reached after reviewing all the existing documentation for Forseti and after using it for 2 weeks in GCP.

While some of the planned functionality will be of some value to my organization once implemented, the 2 primary needs (Configuration Diffs and IAM Policy Enumeration) are not currently supported in Forseti Security.

1     Purpose

1.1    Introduction

This document details the findings from the Forseti Security POC.

This technical proof of concept was conducted to evaluate whether Forseti Security at its current level of implementation could be suitable for use in my organization’s GCP environment.  The primary objective of this POC is to evaluate if Forseti can determine changes in the GCP environment and whether Forseti could enumerate IAM Policies and Roles.

1.2    Factors Considered in Evaluation of Forseti Security

The following factors were considered in the evaluation of Forseti Security as a suitable security tool for GCP:

  • Current development state of Forseti Security
  • Level of implemented functionality
  • Can Forseti Security identify changes in GCP inventory
  • Does Forseti support all GCP components in use by my organization
  • Permissions needed by Forseti to operate as needed
  • State of IAM Explainer plugin
  • State of the Scanner functionality implemented
  • State of the enforcer functionality implemented
  • Installation process

1.3   Document Structure

This document is organized in the following sections:

Section 2: Current State of Forseti Security Review

This section covers the installation and the implementation of the inventory, scanner and enforcer functionality.

Section 3: IAM Explainer Review

This section covers the installation and usage of the IAM Explainer plugin for Forseti Security

Section 4: Alternative Options

This section discusses other alternatives to Forseti Security and how they compare to the current version of Forseti Security

Section 5: Summary

This section contains an overall summary for the POC along with recommendations.

2    Current State of Forseti Security

2.1    Installation

Forseti Security comes with an auto-installer.  The auto-installer will create 2 service accounts, 1 GCE instance, 1 GCS bucket and 1 CloudSQL database[1].

Forseti Security requires that the user performing the installation have both the Organization Admin and Project Owner primitive roles, described in section 2.2.

The installer’s permission checking feature kept failing, and the --no-iam-check flag had to be passed to bypass the error.  Also, the GCE instance created by the installer is provided a public IP address[2].

2.2     Service Accounts

2 Service Accounts are created as part of the installation:

  • Forseti-gcp-reader
    • Organization Level Roles
      • Organization Browser
      • App Engine Viewer
      • BigQuery Data Viewer
      • Cloud SQL Viewer
      • Compute Network Viewer
      • Compute Security Admin
      • Quota Viewer
      • Security Reviewer
    • Project Level Roles
      • Cloud SQL Client
      • Storage Object Viewer
      • Storage Object Creator
      • Logs Writer
  • Forseti-gsuite-reader
    • Uses downloaded json api key
    • GSuite Domain-wide Delegation must be enabled and configured for this service account
    • GSuite API Groups and Users read access required for this user[3]

2.3    Forseti Security Inventory

Forseti Security has the functionality to gather an inventory of your GCP deployment, either within a project or across the organization.  While there is some value in this capability, the set of GCP components for which inventory is currently supported[4] falls short of the list of components that my organization currently uses.  Forseti does allow you to configure which of the supported GCP components you want to enable inventory for, though all are enabled by default.

Forseti compiles the inventory and stores it in a CloudSQL database.  Each time Forseti compiles the inventory it stores the inventory in a table that has the naming scheme of: _.  The inventory is only used for the scanning and enforcement features of Forseti.  Forseti Security provides no facilities for displaying or comparing inventory versions and/or differences.

2.4    Forseti Security Scanner

The Forseti Security Scanner uses the compiled inventory to determine which GCP resources need to be scanned.  The scanner uses either the default rules that come with Forseti Security[7] or any custom defined rules.  The rules and the violation reports are stored in the GCS bucket created at the time of installation.  The scanner is limited to the same set of supported components as the inventory functionality.  The scanner can be enabled/disabled for any supported GCP component through the Forseti configuration file.

2.5    Forseti Security Enforcer

The enforcer functionality of Forseti Security is the least mature of the 3 major functions.  Currently, as of Forseti Security v1.1.8, only enforcement of firewall rules is implemented, though the scanner for firewall rules has yet to be implemented.

2.6     Forseti Security Communications

Forseti Security has the ability to send notifications for scanner reports and enforcer activity.  At this time, email notifications are only supported going through the SendGrid service.  You can also set up an incoming web hook for Slack and configure Forseti to push notifications to the incoming web hook.

3    Forseti Security IAM Explain

3.1    Installation

The installation requirements for the IAM Explain plugin for Forseti Security are very poorly documented.  There are additional IAM roles needed for the forseti-gcp-reader service account over what is required for normal Forseti Security operation.  None of the additional IAM roles are documented on the Forseti Security site.

The additional roles needed by the forseti-gcp-reader service account for Forseti Security IAM Explainer to function are:

  • Organization Level Roles
    • Container Analysis Notes Attacher
    • DLP Jobs Reader
    • Organization Creator
    • StackDriver Maintenance Window Editor
    • StackDriver Maintenance Window Viewer

Forseti Security IAM Explainer also uses Deployment Manager as a method of deploying itself.

3.2     Usage

The Forseti IAM Explainer requires that an inventory be compiled; this will need to be a separate inventory from the normal Forseti Inventory, since the broader permissions for IAM Explainer allow more resources to be cataloged.  Once the inventory is compiled, it will have to be converted into a model[5].  You can create several different models; beyond conducting an IAM permission enumeration against a model, models can be loaded into the Forseti IAM Explainer playground for simulation.

3.3    IAM Explain Playground

The Forseti Security IAM Explain Playground is a simulated environment based on a loaded IAM model.  The playground provides a space that allows you to simulate IAM permission changes on a model and compare the changes to a different model, or enumerate the permissions in the simulated environment to understand permission changes before applying them in the real environment.

The IAM Explainer functionality is still classified as experimental.  The output of the explain command includes 3 lines of output for each entry: the user/service account, the fine-grained permission, and the resource the permission applies to.  This level of output is not useful as is; it should ideally be grouped at a higher level, with the option to display the finer grained permissions if desired and to constrain the output to a resource.
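As an added example of the grouping suggested above (this is not Forseti code; the three-line sample output is constructed in the shape the review describes, and the list of verbs treated as write access is an assumption made here), the script below parses (member, permission, resource) entries, groups them by member and resource, folds permissions into their `service.type` family, optionally restricts the view to one resource, and separately lists the entries that grant write access:

```python
"""Group IAM Explain style output into a per-member, per-resource summary.

Added example, not Forseti code: the sample output is constructed in the
three-lines-per-entry shape (member, permission, resource) described in the
review, and the verb classification below is a heuristic assumed here.
"""
from collections import defaultdict

# Constructed sample in the three-lines-per-entry shape described above.
SAMPLE_EXPLAIN_OUTPUT = """\
user:alice@example.com
compute.instances.get
project/example-project
user:alice@example.com
compute.instances.list
project/example-project
user:alice@example.com
storage.objects.get
bucket/example-logs
serviceAccount:forseti-gcp-reader@example-project.iam.gserviceaccount.com
compute.firewalls.get
project/example-project
serviceAccount:forseti-gcp-reader@example-project.iam.gserviceaccount.com
compute.firewalls.update
project/example-project
"""

# Permission verbs treated as write access (assumption for this example).
WRITE_VERBS = {"create", "delete", "update", "patch", "insert", "setIamPolicy"}


def parse_explain_output(text):
    """Turn the three-line entries into (member, permission, resource) triples."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 3:
        raise ValueError("output does not consist of complete three-line entries")
    return [tuple(lines[i:i + 3]) for i in range(0, len(lines), 3)]


def _collapse(permissions):
    """Fold 'service.type.verb' permissions into {'service.type': [verbs]}."""
    families = defaultdict(list)
    for perm in sorted(permissions):
        family, _, verb = perm.rpartition(".")
        families[family].append(verb)
    return dict(families)


def summarize(text, resource=None):
    """Group by member, then resource, optionally restricted to one resource."""
    grouped = defaultdict(lambda: defaultdict(set))
    for member, permission, res in parse_explain_output(text):
        if resource is not None and res != resource:
            continue
        grouped[member][res].add(permission)
    return {m: {r: _collapse(p) for r, p in res.items()} for m, res in grouped.items()}


def write_permissions(text):
    """List (member, resource, permission) entries whose verb implies write access."""
    return sorted(
        (member, res, perm)
        for member, perm, res in parse_explain_output(text)
        if perm.rpartition(".")[2] in WRITE_VERBS
    )


if __name__ == "__main__":
    for member, resources in summarize(SAMPLE_EXPLAIN_OUTPUT).items():
        print(member)
        for res, families in resources.items():
            for family, verbs in families.items():
                print(f"  {res}: {family}: {', '.join(verbs)}")
    print("write access:", write_permissions(SAMPLE_EXPLAIN_OUTPUT))
```

The write-access listing is the view a reviewer wants when checking whether a service account such as forseti-gcp-reader holds more than read permissions; on the constructed sample it surfaces only the `compute.firewalls.update` entry.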

4    Forseti Alternatives

4.1    Spotify GCP Audit

GCP Audit is a tool created by Spotify for auditing the security properties of GCP projects.  This tool scans the specified GCP projects for violations of the default/custom set of security rules, very similar to Forseti’s Scanner utility.  Currently rules for checking bucket_objects, buckets, firewalls and cloudsql exist.

In September of 2017, Spotify deprecated GCP Audit and asked Google to collaborate on a cloud security solution, giving birth to Forseti as a result of the joint effort[6].

4.2    Netflix Security Monkey/Cloud Aux

In March of 2017 Netflix announced that there was a beta of Security Monkey released with support for tracking GCP services.  As of the Security Monkey 0.9.0 release, support for Firewall Rules, Networking, GCS and Service Accounts will be included.

Most if not all of the GCP specific Security Monkey documentation has yet to be created, and links to those documents on the Security Monkey site all lead to non-existent pages.

4.3     NCC G-Scout – GCP variant of Scout2 for AWS

NCC Group has undertaken the project of converting their Scout2 application that audits AWS infrastructure to be GCP compatible.  There needs to be a service account with a downloaded key that has the Project Viewer and IAM Security Reviewer roles.

5     Summary and Recommendations

5.1    Summary

As of the current release, v1.1.8 of Forseti Security, there are no features that are currently implemented that will create any level of benefit for my organization at this time.  The 2 primary needs, IAM role enumeration and checking for changes in our GCP environment, cannot be fulfilled by Forseti Security, even with the IAM Explainer plugin.  With the functionality of GCP Audit being implemented in Forseti, GCP Audit is not an option, nor is Security Monkey given the complete lack of GCP related documentation.

The IAM role requirements also seem to allow Forseti to make changes to the GCP environment, which is a bit of a concern, especially given the current state of development.

5.2 Recommendations

  • GCP has a feature in Alpha that allows the exporting of the organization GCP configuration.  This can be used to determine changes to the GCP environment over a given period of time.
  • If your need is more to ensure no misconfigurations exist for components where Forseti already has Scanner support, then the current version may suffice.
  • If your needs are beyond what Forseti can currently deliver, you may need to consider looking at some commercial solutions until Forseti can get to a point where it meets your needs.

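Both section 2.3 (Forseti stores each inventory run in its own table but cannot compare runs) and the first recommendation above (diffing exported organization configuration over time) come down to the same missing capability: comparing two snapshots. The following script is an added example, not Forseti code or the GCP export tool; the two snapshots are constructed sample data in a per-resource JSON shape keyed by resource type and name, and the "risky change" triggers (a rule opened to 0.0.0.0/0, a grant of roles/owner or roles/editor) are assumptions made for the example rather than Forseti rules:

```python
"""Diff two inventory snapshots and flag risky changes.

Added example, not part of Forseti Security. The snapshots are constructed
sample data shaped like per-resource JSON, keyed by resource type and name.
"""
import json

# Constructed sample: the same partial inventory on two different days.
SNAPSHOT_DAY1 = {
    "firewall": {
        "allow-ssh-internal": {
            "network": "default",
            "direction": "INGRESS",
            "sourceRanges": ["10.0.0.0/8"],
            "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
        },
    },
    "project_iam_policy": {
        "example-project": {
            "bindings": [
                {"role": "roles/viewer", "members": ["user:alice@example.com"]},
            ],
        },
    },
}

SNAPSHOT_DAY2 = {
    "firewall": {
        "allow-ssh-internal": {
            "network": "default",
            "direction": "INGRESS",
            "sourceRanges": ["0.0.0.0/0"],  # widened from the internal range
            "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
        },
        "allow-rdp": {  # rule that did not exist on day 1
            "network": "default",
            "direction": "INGRESS",
            "sourceRanges": ["0.0.0.0/0"],
            "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}],
        },
    },
    "project_iam_policy": {
        "example-project": {
            "bindings": [
                {"role": "roles/viewer", "members": ["user:alice@example.com"]},
                {"role": "roles/owner", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
            ],
        },
    },
}


def _item_key(item):
    """Stable identity for a list element so lists of dicts can be set-compared."""
    return json.dumps(item, sort_keys=True)


def _changed_fields(old, new, prefix=""):
    """Recursively list (path, old_value, new_value) for fields that differ.

    Lists are compared as sets, so reordering is not a change and each added
    or removed element is reported on its own with a '[]' suffix on the path.
    """
    diffs = []
    for key in sorted(set(old) | set(new)):
        path = f"{prefix}.{key}" if prefix else key
        if key not in old:
            diffs.append((path, None, new[key]))
        elif key not in new:
            diffs.append((path, old[key], None))
        elif isinstance(old[key], dict) and isinstance(new[key], dict):
            diffs.extend(_changed_fields(old[key], new[key], path))
        elif isinstance(old[key], list) and isinstance(new[key], list):
            old_items = {_item_key(i) for i in old[key]}
            new_items = {_item_key(i) for i in new[key]}
            for item in sorted(new_items - old_items):
                diffs.append((path + "[]", None, json.loads(item)))
            for item in sorted(old_items - new_items):
                diffs.append((path + "[]", json.loads(item), None))
        elif old[key] != new[key]:
            diffs.append((path, old[key], new[key]))
    return diffs


def diff_snapshots(old, new):
    """Report resources added, removed or changed between two snapshots."""
    report = {"added": [], "removed": [], "changed": {}}
    for rtype in sorted(set(old) | set(new)):
        old_res, new_res = old.get(rtype, {}), new.get(rtype, {})
        for name in sorted(set(old_res) | set(new_res)):
            key = f"{rtype}/{name}"
            if name not in old_res:
                report["added"].append(key)
            elif name not in new_res:
                report["removed"].append(key)
            elif fields := _changed_fields(old_res[name], new_res[name]):
                report["changed"][key] = fields
    return report


# Triggers for changes worth a human look (assumption for this example).
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}


def risky_changes(report, new):
    """Pick out changes that open a resource to the internet or grant a primitive role."""
    findings = []
    for key in report["added"]:
        rtype, name = key.split("/", 1)
        if "0.0.0.0/0" in new[rtype][name].get("sourceRanges", []):
            findings.append(f"{key}: new rule open to 0.0.0.0/0")
    for key, fields in report["changed"].items():
        for path, _old, new_value in fields:
            if new_value == "0.0.0.0/0":
                findings.append(f"{key}: {path} now includes 0.0.0.0/0")
            if isinstance(new_value, dict) and new_value.get("role") in PRIVILEGED_ROLES:
                findings.append(f"{key}: {new_value['role']} granted to {new_value['members']}")
    return findings


if __name__ == "__main__":
    report = diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2)
    print(json.dumps(report, indent=2))
    for finding in risky_changes(report, SNAPSHOT_DAY2):
        print("RISK:", finding)
```

Comparing lists as sets means a reordered binding list is not reported as a change, while a widened source range shows up as one removed and one added element, which keeps the diff readable when an export reorders entries between runs.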
[1]: The Forseti Security installer creates a Deployment Manager manifest to handle the installation.
[2]: The Deployment Manager manifest would need to be modified and redeployed to have no public IP assigned to the Forseti Security VM
[6]: Spotify blog on the evolution of GCP Audit to Forseti: https://labs.spotify.com/2017/09/15/stepping-up-the-cloud-security-game/
[7]: The default rules are those that Spotify added to the project.  They typically check for resources open to the public