With Forseti, Spotify and Google release GCP security tools to open source community
Gianluca Brindisi, Carly Schneider, and Anton Sapozhnikov
Spotify Security Platform Engineering Team
Chris Law, Carrie McDaniel
Forseti Product Team
Being able to secure your cloud resources at scale is important for all Google Cloud Platform users. To help ensure the security of GCP resources, you need to have the right tools and processes in place. Spotify and Google Cloud worked together to develop innovative security tools that help organizations protect GCP projects, and have made them available in an open source community called Forseti Security. Forseti is now open to all GCP users!
For this blog post, we talked with Spotify about their experience working with the Google team to develop tools for the GCP security community. The Spotify team will also be presenting about their experience with Forseti today at the SEC-T information security conference in Stockholm.
Q: How did Forseti get started?
When we moved our back-end data infrastructure from in-house data centers to the cloud, we began by evaluating the tools that GCP offers to help us develop securely in the cloud. Once we had a handle on that, we wanted to build some specific tools that would help us automate security processes so that our engineering team could develop freely, but securely.
In parallel to our efforts, Google had developed their own GCP security tools and was interested in bringing them to the open source community. Both of our security teams wanted to contribute our ideas to the bigger picture, and it made sense to collaborate rather than each company writing their own tools. This is how the Forseti open source idea was born.
Q. What is Forseti?
Forseti is an open source toolkit designed to help give security teams the confidence and peace of mind that they have the appropriate security controls in place across GCP. Today, Forseti features a number of useful security tools:
- Inventory: provides visibility into existing GCP resources
- Scanner: validates access control policies across GCP resources
- Enforcer: removes unwanted access to GCP resources
- Explain: analyzes who has what access to GCP resources
Q: How does Forseti help keep your GCP environment more secure?
Forseti gives us visibility into the GCP infrastructure that we didn’t have before, and we use it to help make sure we have the right controls in place and stay ahead of the game. It helps keep us informed about what’s going on in our environment so that we can quickly find out about any risky misconfigurations so they can be fixed right away. These tools allow us to create a workflow that puts the security team in a proactive stance rather than a reactive one. We can inform everyone involved on time rather than waiting for an incident to happen.
With the Inventory tool, we get ongoing snapshots of our GCP resources which provides an audit trail of any changes.This visibility allows us to give our developers a lot of freedom, and enables us to investigate any potential incidents.
Scanner helps us detect misconfigurations and security issues. It greatly reduces risk and saves us a ton of time. As soon as we see a violation from Scanner, we ping the team in charge of the affected resource so they can make the necessary fix. This way, security only needs to get involved if the dev team needs help.
Q: How have you put Forseti into practice so far at Spotify?
We want our security culture to promote operational ownership by the dev team. Our team strives to be a business enabler, rather than a blocker to getting things done. This approach has allowed us to educate engineering and raise their security awareness. We believe it’s been influential in helping the dev teams become more security-conscious.
Using Forseti, we’ve been able to create a notification pipeline that proactively informs us about risky misconfigurations in GCP. This process is a major time saver for us.
Here’s how it works:
- We run scans on our resources, and if a violation is found, it triggers our notification pipeline.
- Once the violation is parsed, we retrieve ownership information about the affected resource. This is like a phonebook that tells us which team is responsible, and then pings them automatically.
- Engineering acknowledges the notification and then books a fix.
- We run inventory the next day to make sure the fix was completed. The security team gets involved only if the dev team is unable to resolve the issue on their own.
Q: Why take an open source approach?
The Forseti community is all about teamwork. It allows us to work with big and small companies who, at the end of the day, need to accomplish the same things. With this combined community expertise, we’ve identified areas where companies can make the most risky mistakes in configuring GCP, and executed on those areas first. We determined what should be in Forseti as a team, rather than as individual companies.
Different organizations often share the same risks, but have unique perspectives. When we collaborate with other organizations, the possibilities are multiplied exponentially and it helps everyone operate more securely. It also allows us to put security processes in place faster than we could do it individually. Forseti is all about about sharing ideas and collaborating, which are the ideals of open source. The benefit is to not reinvent the wheel; with Forseti we can divide and conquer — the more we are, the more we can do.
Interested in joining the Forseti security community? Get started here!
Read more about Foresti on the Spotify Labs blog.