Securing Your GCP Account Using Forseti Security Controls
Forseti Security, a collection of open source tools for GCP, helps companies maintain a strong security posture by providing guidance on which controls should be enabled. In this guide, we'll show how you can check your GCP environment to identify gaps.
Patrick Londa, Author · Jul 7, 2023 · 4 min read
Forseti Security is a collection of open-source, community-supported tools designed to help teams maintain secure GCP environments. This collection was launched in 2017 through a collaboration between Google and the music service Spotify.
By tracking metrics like memory use, network traffic, and storage capacity in your GCP environment, these tools make it easier to spot issues like risky misconfigurations and address them immediately.
In this guide, we’ll explain a few of the Forseti Security controls and how you can use Blink to validate them in your GCP environment.
Understanding Forseti Security Controls for GCP
The Forseti Security project combines a policy-library bundle of security best practices with open-source tooling that checks compliance and notifies users about gaps.
The policy bundle lists constraints that GCP accounts should enforce through controls. Here are some examples:
Failing to rotate your encryption keys makes it easier for attackers to get hold of them, and a stolen key lets them infiltrate your GCP servers. Regular rotation keeps keys from being compromised, and if an incident does occur, initiating a rotation can shorten your recovery time and limit the attack's impact.
Allowing unfettered access to your GCP resources also makes it hard to track the activity happening within the environment, and it increases your risk of exposing sensitive data.
Open firewall rules that allow SSH or TCP/UDP traffic from the internet increase the attack surface of your GCP environment: anyone on the internet can gain unauthorized access to your instances, launch malware attacks, or commit other security breaches.
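As an added example (not Forseti's or Blink's own code), the two checks below evaluate inventory records shaped like GCP Compute firewall rules and Cloud KMS keys against the constraints just described: ingress from 0.0.0.0/0 that permits SSH or any TCP/UDP traffic, and keys with no automatic rotation or a rotation period longer than an assumed 90-day threshold. The sample records are constructed.

```python
from datetime import timedelta

# Constructed sample records, shaped like GCP firewall and Cloud KMS key resources
FIREWALLS = [
    {"name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "allow-udp-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp"}]},          # no "ports" key means every port
    {"name": "egress-any", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]
KMS_KEYS = [
    {"name": "keys/app-data", "rotationPeriod": "2592000s"},   # 30 days
    {"name": "keys/legacy", "rotationPeriod": "31536000s"},    # 365 days
    {"name": "keys/manual"},                                    # no automatic rotation
]

MAX_ROTATION = timedelta(days=90)  # assumed threshold, not a Forseti default


def port_range_hits(spec, port):
    """True if an 'allowed' entry covers `port` (a missing 'ports' key means all ports)."""
    if "ports" not in spec:
        return True
    for p in spec["ports"]:
        lo, _, hi = p.partition("-")          # "22" or "20-25"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def open_firewall_findings(rules):
    """Flag ingress rules reachable from the whole internet that permit SSH or any TCP/UDP."""
    findings = []
    for r in rules:
        if r.get("direction") != "INGRESS" or "0.0.0.0/0" not in r.get("sourceRanges", []):
            continue
        for spec in r.get("allowed", []):
            proto = spec.get("IPProtocol", "").lower()
            if proto in ("tcp", "udp", "all"):
                ssh = proto in ("tcp", "all") and port_range_hits(spec, 22)
                findings.append((r["name"], "ssh" if ssh else proto))
    return findings


def stale_key_findings(keys, max_period=MAX_ROTATION):
    """Flag keys with no automatic rotation or a rotation period longer than max_period."""
    findings = []
    for k in keys:
        period = k.get("rotationPeriod")      # duration string such as "2592000s"
        if period is None or timedelta(seconds=int(period.rstrip("s"))) > max_period:
            findings.append(k["name"])
    return findings
```

Running `open_firewall_findings(FIREWALLS)` on the sample flags `allow-ssh-any` and `allow-udp-all` while leaving the internal-only and egress rules alone, and `stale_key_findings(KMS_KEYS)` flags `keys/legacy` and `keys/manual`.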
Automating Forseti Security Compliance Checks with Blink
While you could install the Forseti open source modules and navigate the implementation, the project is unfortunately being archived and won’t be supported moving forward. There’s an easier way to check that all of these security controls are enabled.
Blink is a powerful automation platform that enables you to seamlessly connect the dots between open source scripts, commercial tools, and your team members.
For example, with this automation, you can check weekly whether your GCP account adheres to all of the Forseti Security constraints.