Forseti Engagement Guide - 8 Apr 2019

Version 1

    Forseti Engagement Guide



    Prepared for:

    Document type:

    About this document


    Document details


    A reference for guiding Customer Engineers, Consultants, TAMs, SCEs or SAs into helping customers understand the Forseti Security Tool and helping them to guide customers into installing and leveraging Forseti within their own GCP environments.

    Intended audience

    The primary audience is any customer-facing GCP individuals, especially those who may be engaged with a customer early in the customer’s cloud migration journey.



    Familiarity with the Google Cloud Platform.



    This document can support Pre-Sales, PSO and Partners when delivering a Security Driven Cloud Plan or Cloud Deploy - in relation to discussing Forseti Security.



    1. Introduction  3

    1.1 Forseti Security  3

    2. Prerequisites  3

    2.1 Prerequisites: Technology  3

    2.2 Prerequisites: Security  3

    2.3 Prerequisites: Logistics  4

    3. Engagement Agenda  4

    4. Conclusion  7

    1. Introduction

    The Forseti Engagement Checklist is meant to guide customer-facing engineers into understanding Forseti and being able to deliver a Cloud Plan and Cloud Deploy. 


    1.1 Forseti security

    Forseti Security is a GCP sponsored, open-source security tool that improves customer security posture for GCP environments. Forseti consists of multiple underlying modules to address GCP inventorying and resource management, policy monitoring, notification, enforcement and security insights.


    2. Prerequisites

    Prior to a successful Forseti Security Cloud Deploy, we should account for the following prerequisites around technology, security and logistics.


    2.1 Prerequisites: Technology

    Ensure that the customer has an accessible GCP environment.

    1. Environments and access
      1. Verify that the customer has a GCP environment configured.
      2. Verify that the customer can access GCP.


    1. Forseti Security installation requirements
      1. A dedicated GCP Project or set of GCP Projects (by environment) that Forseti will be installed into
      2. A GCP Organization Administrator
      3. Customer’s Networking Model and approval/access to deploy to a given subnet
        1. Default VPC
        2. Shared VPC


    2.2 Prerequisites: Security

    Ensure that the customer has security guidelines and goals.

    1. Understand Forseti Security’s default list of policies.
    2. Sync with the customer ahead of time on their security policies and use cases around leveraging Forseti.
    3. Ensure proper approvals are in place prior to the engagement.
    4. Customer support model around Forseti Security
      1. Will a dedicated team / individual be managing Forseti?
      2. Who is responsible for updating the policies / tool?
      3. Who will receive notifications?
      4. Cloud SCC Integration?


    2.3 Prerequisites: Logistics

    The following steps will help us to consider any logistics that go into working with the customer and deploying Forseti.

    1. Location
      1. Where will the meeting occur?
      2. Has an all-day meeting room been reserved?
      3. Are the proper people invited? (At least 1 GCP Organization Admin and any key security stakeholders)
    2. Longevity
      1. How many days will the initial engagement last?
        1. Recommend an engagement length of 3-4 days (if customer is new to Forseti) - can also be spread out over multiple weeks


    3. Engagement agenda

    A recommended schedule around a Forseti engagement. Many of these activities can be planned ahead of time and also scheduled over multiple weeks.

    30 minutesIntro
    • Meet & greet
    1 hourInstallation and configuration of Forseti
    • Assuming all approvals and prerequisites were accounted for...
    • Work with an organization administrator to install Forseti Security
    • Installation and Connectivity to G Suite (via Service Account and G Suite Scopes) and SendGrid (via API Key)
    2 hoursUnderstanding the customer’s security model
    • Discussion around Customer’s Current Security Posture
      • Existing Tools
      • Security Goals
      • Vulnerabilities and Concerns
      • Future Direction of Security
    • Discussion around Customer’s Security Organization
      • How are escalations handled?
      • How is security implemented today?
      • What is the separation between responsibilities between a developer, SRE, Security Operations, etc.?
    • Overview of the Customer’s Organization Resource Diagrams and Environment
      • How are Org, Folders and Projects structured?
      • How are responsibilities divided?
      • Who are the G Suite Super Administrator & GCP Organization Administrators?
    2 hoursForseti introduction
    • Forseti 101
      • What is Forseti
      • Intro to Forseti Modules
      • Goals of Forseti
    • Forseti 102
    • Forseti Default Policies (ref)
    • Patching and Upgrade Strategies (ref)
    • Forseti Future Roadmap
    1 hourForseti analysis - Identification of how Forseti will fit into the customer’s ecosystem
    • Ask questions around Forseti Default Policy Violations
    • Determination of Short-Term and Long-Term Support Model for Forseti
    • Security Recommendations
    2-4 hoursImplementation of Custom Policies
    • Identification of Forseti Default Policies and Implementation of Custom Policies to be used for Forseti
    • Assist customer in getting this into Source Control and help with a reusable deployment pipeline
    • Creation of a README or Centralized Document detailing the All Policies that Forseti
    1 - 2 days
    • Allocate enough time to verify a few CRON runs
    Verification of Forseti Security
    • Confirm Inventory is Created and is marked as ‘SUCCESS’
    • Confirm Forseti Cron is running
    • Confirm Proper User Access to the Forseti Project
    • Resizing of VMs / Cloud SQL database
    • Verification that Violations are found
    • Testing and Re-testing of Custom Policies
    • Setup Integration with Cloud Security Command Center
    1 hourForseti Support Model
    • Discussion around Short-Term and Long-Term Support Model
    • Discussion around Go-To Contacts who will be supporting Forseti
    • Introduction to Forseti Community and Forseti Slack Channel
    Additional TopicsRoadmaps and Collaboration (if customer is under NDA)
    • Short-Term and Long-Term Forseti Roadmap
    • Cloud SCC Roadmap
    • RedLock Roadmap and other GCP Security Tools
    • Github Issue (Feature / Bug) Collaboration and Sharing of Forseti Security OSS Github
      • Discussion around Contributing

    4. Conclusion

    At the end of the multi-day engagement, we expect the customer to be setup with Forseti Security in their GCP Environment.
    The customer should:

    • Understand what Forseti is
    • Have Forseti installed and running
    • How to add, update and remove policies
    • Know where to view and analyze violations
    • Be notified of violations
    • Understand remediative actions
    • Be able to communicate with the broader Forseti Community