Configuring Forseti into a Serverless Architecture
by Will Carlson
Product Manager, GCP
All of our customers within the healthcare and life sciences space manage large sets of sensitive health data that must adhere to rigorous compliance regulations, all put in place to protect the patient. This is our bread and butter. As an organization, security is top of mind. We speak compliance across many different standards, and we know how to translate it into cloud technology: we interpret the regulations, map them to IT controls, and then program those controls into the cloud. Then we show that the environment is in fact compliant via the Compliance Dashboard. That feature requires us to inventory every one of our customers' projects to prove whether or not they are compliant, so it is imperative that the inventory itself is conducted with a secure solution.
For our approach on Google Cloud, our lead engineer identified Forseti to help deliver security at scale, because it lets you write intelligible rules that codify your security posture. For those who aren't familiar, Forseti Security is a collection of community-driven, open-source tools to help you improve the security of your Google Cloud Platform (GCP) environment. The one challenge is that Forseti is built as a traditional server application that runs on a dedicated virtual machine. That server's single service account would have to be granted access to every customer's environment at once, which is something we could never allow. Our policy is that no single credential may have simultaneous access to multiple customer projects, which is why many of our services are built on serverless design patterns: each function runs with a credential scoped to one customer. This is really a breach prevention strategy. No bug, no matter how bad, should ever hold the access needed to copy data from one customer's project into another.
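The policy above is an invariant you can check mechanically: take the IAM policy of every customer project and confirm that no service account appears in bindings in more than one of them. The following is an added example written for this post; it is not Forseti's own rule code and not the author's implementation. The project IDs, service account names and IAM policy documents are constructed samples in the shape that `gcloud projects get-iam-policy --format=json` returns, so the script runs offline.

```python
"""Audit IAM policies for a credential that spans multiple customer projects.

Added example (not Forseti code, not the post's code). Checks the invariant
"no single principal is bound in more than one customer project". The policy
documents below are constructed samples in the shape of
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
from collections import defaultdict

# Constructed sample input: project id -> IAM policy document.
# Project ids and account names are hypothetical.
SAMPLE_POLICIES = {
    "customer-a-prod": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:inventory-a@scanner.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:alice@customer-a.example"]},
    ]},
    "customer-b-prod": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:inventory-b@scanner.iam.gserviceaccount.com"]},
    ]},
    # A single VM-style scanner account bound into two customer projects:
    # exactly the configuration the policy forbids.
    "customer-c-prod": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:forseti-server@scanner.iam.gserviceaccount.com"]},
    ]},
    "customer-d-prod": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:forseti-server@scanner.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["group:admins@customer-d.example"]},
    ]},
}


def principals_by_project(policies, prefixes=("serviceAccount:",)):
    """Map each member whose IAM prefix is in `prefixes` to the set of
    projects in which it holds at least one binding, regardless of role."""
    seen = defaultdict(set)
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                if member.startswith(prefixes):
                    seen[member].add(project)
    return seen


def find_cross_project_principals(policies, prefixes=("serviceAccount:",)):
    """Return {member: sorted project ids} for every member bound in more
    than one project. An empty dict means the invariant holds."""
    return {
        member: sorted(projects)
        for member, projects in principals_by_project(policies, prefixes).items()
        if len(projects) > 1
    }


if __name__ == "__main__":
    violations = find_cross_project_principals(SAMPLE_POLICIES)
    for member, projects in violations.items():
        print(f"VIOLATION {member} is bound in {len(projects)} projects: {', '.join(projects)}")
    if not violations:
        print("OK: no principal spans multiple customer projects")
```

The check deliberately ignores the role: a viewer binding is enough to read data out of a project, so any cross-project presence is a finding. Widen `prefixes` to include `user:` and `group:` to apply the same rule to human principals; the sample's per-customer accounts (`inventory-a`, `inventory-b`) pass, while the shared `forseti-server` account is reported for `customer-c-prod` and `customer-d-prod`.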
Our lead engineer, Ross Vandegrift, discovered how to configure Forseti in a serverless way to ensure our dashboard is secure, while being able to scale as we innovate. I'm excited to share this blog post, knowing this could be a good tip for other customers interested in Forseti. Check it out here.