A Review of Forseti Security for GCP
This is a write-up of the findings from the Forseti Security POC which was conducted with Forseti Security v1.1.8.
The results of this phase are clear: Forseti Security is too immature to add any value to my organization at this time. This conclusion has been reached after reviewing all the existing documentation for Forseti and after using it for 2 weeks in GCP.
While some of the planned functionality will be of some value to my organization once implemented, the 2 primary needs(Configuration Diffs and IAM Policy Enumeration) are not currently supported in Forseti Security.
This document details the findings from the Forseti Security POC.
This technical proof of concept was conducted to evaluate whether Forseti Security at its current level of implementation could be suitable for use in my organization’s GCP environment. The primary objective of this POC is to evaluate if Forseti can determine changes in the GCP environment and whether Forseti could enumerate IAM Policies and Roles.
1.2 Factors Considered in Evaluation of Forseti Security
The following factors were considered in the evaluation of Forseti Security as a suitable security tool for GCP:
- Current development state of Forseti Security
- Level of implemented functionality
- Can Forseti Security identify changes in GCP inventory
- Does Forseti support all GCP components in use by my organization
- Permissions needed by Forseti to operate as needed
- State of IAM Explainer plugin
- State of the Scanner functionality implemented
- State of the enforcer functionality implemented
- Installation process
1.3 Document Structure
This document is organized in the following sections:
Section 2: Current State of Forseti Security Review
Section 3: IAM Explainer Review
Section 4: Alternative Options
Section 5: Summary
2 Current State of Forseti Security
Forseti Security comes with an auto-installer. The auto-installer will create 2 service accounts, 1 GCE instance, 1 GCS bucket and 1 CloudSQL database.
Forseti Security requires that the user performing the installation have both the Organization Admin and Project Owner primitive roles, described in section 2.2.
The installer’s permission checking feature kept failing, and needed to pas the —no-iam-check flag to bypass the error. Also, the GCE instance created by the installer is provided a public IP address.
2.2 Service Accounts
2 Service Accounts are created as part of the installation:
- Organization Level Roles
- Organization Browser
- App Engine Viewer
- BigQuery Data Viewer
- Cloud SQL Viewer
- Compute Network Viewer
- Compute Security Admin
- Quota Viewer
- Security Reviewer
- Project Level Roles
- Cloud SQL Client
- Storage Object Viewer
- Storage Object Creator
- Logs Writer
- Organization Level Roles
- Uses downloaded json api key
- Needs GSuite Domain-wide Group Delegation must be enabled and configured for this service account
- GSuite API Groups and Users read access required for this user
2.3 Forseti Security Inventory
Forseti Security has the functionality to gather an inventory of your GCP deployment, either within a project or across the organization. While there is some value in this capability, the limitation of which GCP components in which inventory is currently supported falls short of the list of components that my organization currently uses. Forseti does allow you to configure which of the supported GCP components you want to enable inventory for, though all are enabled by default.
Forseti compiles the inventory and stores it in a CloudSQL database. Each time Forseti compiles the inventory it stores the inventory in a table that has the naming scheme of: _. The inventory is only used for the scanning and enforcement features of Forseti. Forseti Security provides no facilities for displaying or comparing inventory versions and/or differences.
2.4 Forseti Security Scanner
The Forseti Security Scanner uses the compiled inventory to determine which GCP resources needs to be scanned. The scanner uses either the default rules that come with Forseti Security or any custom defined rules. The rules and the violation reports are stored in the GCS bucket created at the time of installation. The scanner is limited to the same set of supported components as the inventory functionality. The scanner can be enables/disabled for any supported GCP component through the Forseti configuration file.
2.5 Forseti Security Enforcer
The enforcer functionality of Forseti Security is the least mature functionality of the 3 major functions. Currently, as of Forseti Security v1.1.8, only enforcement of firewall rules is implemented, though the implementation of the scanner for firewall rules has yet to be implemented.
2.6 Forseti Security Communications
Forseti Security has the ability to send notifications for scanner reports and enforcer notifications. At this time, email notifications are only supported going through the SendGrid service. You can also setup an incoming web hook for slack and configure Forseti to push notifications to the incoming web hook.
3 Forseti Security IAM Explain
The installation requirements for the IAM Explain plugin for Forseti Security if very poorly documented. There are additional IAM roles needed for the forseti-gcp-reader service account over what is required for normal Forseti Security operation. None of the additional IAM roles are documented on the Forseti Security site.
The additional roles needed for the forseti-gcp-reader service account to allow Forseti Security IAM Explainer to function:
- Organization Level Roles
- Container Analysis Notes Attacher
- DLP Jobs Reader
- Organization Creator
- StackDriver Maintenance Window Editor
- StackDriver Maintenance Window Viewer
Forseti Security IAM Explainer also uses Deployment Manager as a method of deploying itself.
The Forseti IAM Explainer requires an inventory be compiled, this will need to be a separate inventory from the normal Forseti Inventory since the broader permissions for IAM Explainer allows more resources to be cataloged. Once the inventory is compiled, it will have to be converted into a model. You can create several different models, beyond conducting an IAM permission enumeration against a model, models can be loaded into the Forseti IAM explainer playground for simulation.
3.3 IAM Explain Playground
The IAM Forseti Security Playground is a simulated environment based off of a loaded IAM model. The playground provides a space that allows you to simulate IAM permission changes on a model and compare the changes to a different model or enumerate the permissions in the simulated environment to understand permission changes before applying them in the real environment.
The IAM Explainer functionality is still classified as experimental. The output of the explain command includes 3 lines of out put for each resource, the user/service account, the fine-grained permission and the resource the permission applies to. This level of output is not useful as is, this should ideally be grouped at a higher level, with the options to display the finer grained permissions if desired and constrained to a resource.
4 Forseti Alternatives
4.1 Spotify GCP Audit
GCP Audit is a tool created by Spotify for auditing the security properties of GCP projects. This tool scans the specified GCP projects for violations of the default/custom set of security rules, very similar to Forseti’s Scanner utility. Currently rules for checking bucket_objects, buckets, firewalls and cloudsql exists.
In September of 2017, Spotify deprecated GCP Audit and asked Google to collaborate on a cloud security solution, giving birth to Forseti as a result of the joint effort.
4.2 Netflix Security Monkey/Cloud Aux
In March of 2017 Netflix announced that there was a beta of Security Monkey released with support for tracking GCP services. As of the Security Monkey 0.9.0 release, support for Firewall Rules, Networking, GCS and Service Accounts will be included.
Most if not all of the GCP specific Security Monkey documentation has yet to be created and like to those documents on the Security Monkey site all lead not non-existent pages.
4.3 NCC G-Scout – GCP variant of Scout2 for AWS
NCC Group has undertaken the project of converting their Scout2 application that audits AWS infrastructure to be GCP compatible. There needs to be a service account with a downloaded key that has the Project Viewer and IAM Security Reviewer roles.
5 Summary and Recommendations
As of the current release, v1.1.8 of Forseti Security, there are no features that are currently implemented that will create any level of benefit for my organization at this time. The 2 primary needs are IAM role enumeration and checking for changes in our GCP environment can not be fulfilled by Forseti Security, even with the IAM Explainer plugin. With the functionality of GCP audit being implemented in Forseti, GCP Audit is not an option, nor is Security Monkey given the complete lack of GCP related documentation.
The IAM role requirements also seem to allow Forseti to make changes to the GCP environment, which is a bit of a concern, especially given the current state of development.
- GCP has a feature in Alpha that allows the exporting of the organization GCP configuration. This can be used to determine changes to the GCP environment over a given period of time.
- If your need is more ensuring no misconfiguration exist for components where Forseti already has Scanner support, than the current version may suffice.
- If your needs are beyond that of which Forseti can currently deliver, you may need to consider looking at some commercial solutions until Forseti can get to a point where it meet your needs.