
Project Title: Forseti Security

Description About Forseti Security:

Forseti Security is a collection of community-driven, open-source tools to help you improve the security of your
Google Cloud Platform (GCP) environments. Forseti consists of core modules that you can enable, configure, and
execute independently of each other.
Overview About Forseti Security
Forseti gives you tools to understand all the resources you have in Google Cloud Platform (GCP).
The core Forseti modules work together to provide complete information so you can take action
to secure resources and minimize security risks.
• Inventory regularly collects data from your GCP resources and makes it available to other modules.
• Scanner periodically compares your rules about GCP resource policies against the policies collected by Inventory,
and saves the output for your review.
• Explain helps you understand, test, and develop Cloud Identity and Access Management (Cloud IAM) policies.
• Enforcer uses Google Cloud APIs to change resource policy state to match the state you define.
• Notifier keeps you up to date about Forseti findings and actions.
1. Inventory collects information about your GCP resources and G Suite.
2. Inventory stores information in Cloud SQL for your review and use by other Forseti modules.
3. Scanner compares the data collected by Inventory to the policy rules you set.
4. Notifier sends Scanner and Inventory results to one or more of the following channels you configure: Cloud Storage,
SendGrid, Slack and Cloud Security Command Center.
5. You use Explain to query and understand your Cloud IAM policies.
6. Enforcer uses Google Cloud APIs to make sure policies match your desired state.
7. You use the command-line interface to query Forseti data using gRPC.
8. You use Data Studio or MySQL Workbench to visualize the Forseti data stored in Cloud SQL.
Deployment Architecture

In a traditional Forseti installation, the compute resources are deployed as GCE virtual machines (VM). The Forseti server VM
executes the forseti_server process, listening for requests to take action. On the Forseti server is also a Linux cronjob that
periodically invokes the server to build inventory and a model, scan, and notify on any violations. The Forseti client VM provides a
CLI where a user can invoke these same functions as well as execute the IAM explain function.
In Forseti on-GKE, the core compute resources are deployed in containers: the server and orchestrator. These containers are each
wrapped in Kubernetes Pods; the forseti-server and forseti-orchestrator pods respectively.
The forseti-server pod is deployed in a Kubernetes Deployment controller. Like the forseti_server process on the VM, this is a long
running process that listens for requests made to it by a client.
The forseti-orchestrator pod is deployed in a Kubernetes CronJob. This reflects the behavior of the Linux cronjob on the server
VM, periodically invoking the inventory build, scan, and notification actions on the forseti-server deployment.
The config-validator pod is also deployed in a Kubernetes Deployment controller. The service provided by the config-validator pod
is exposed internally to Forseti on-GKE. The Config Validator Scanner uses this service when auditing resources against a
policy-library. The config-validator uses git-sync in a container to periodically pull a policy-library in from a Git repository. If a
change in the policies is detected, git-sync will make a call to the kube-proxy container to restart the pod with the updated
policies.
The client CLI is still provided through the GCE VM. The endpoint configuration for the VM is set to send requests to the GCP
load balancer in front of the Forseti server deployment.
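As an added illustration (not a manifest from the Forseti project or this deck), this is what the forseti-orchestrator CronJob described above can look like, with the settings that matter for a periodic scanner: no overlapping runs, no Kubernetes API token it does not need, and a non-root, read-only container. The namespace, image, schedule, service account name, command line and server address are assumptions.

```yaml
# Added example, not Forseti's own deployment files. Every name below is assumed.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: forseti-orchestrator
  namespace: forseti                 # assumed namespace
spec:
  schedule: "0 */2 * * *"            # assumed cadence; the deck states no interval
  concurrencyPolicy: Forbid          # a slow inventory build must not overlap the next run
  successfulJobsHistoryLimit: 3      # keep recent runs around for forensics
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1                # retry once, then surface the failure
      template:
        spec:
          restartPolicy: Never
          serviceAccountName: forseti-orchestrator   # assumed, scoped to this job only
          automountServiceAccountToken: false        # it talks to forseti-server, not the K8s API
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
          - name: orchestrator
            image: example.invalid/forseti-orchestrator:TAG   # placeholder image
            # Assumed entrypoint: run inventory -> model -> scan -> notify by calling
            # the long-running forseti-server Deployment over gRPC inside the cluster.
            args:
            - --server
            - forseti-server.forseti.svc.cluster.local:50051   # assumed service name/port
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities:
                drop: ["ALL"]
            resources:
              limits:
                memory: "1Gi"
```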
Flow Chart
Models

The data model is an additional pool of relational data that is created from the flat JSON data in Inventory. With the relational
data, Forseti can more easily understand the entire relationship, including inheritance between resources. Models allow for
easier querying against the entire computed policy.
Scanner and Explain depend on a data model, so you must create a valid data model before you use Scanner or Explain. Note that
data models aren’t meant to be persistent, so when you’re finished using a model, you should delete it.
Thank you