Storing credentials in plaintext weakens your organization's security. It exposes those credentials to any unauthorized user who can read the place they are stored, including threat actors, and improperly secured credentials are easily copied, propagated, and further exposed through other systems, such as logs or inventory systems.

Google recommends that organizations protect their stored credentials with tools such as Secret Manager, which adds a layer of encryption and authorization to the use of secrets like passwords and API keys. However, like finding a needle buried under a ton of dirt, determining exactly which credentials have already been stored and exposed in plaintext can be challenging. To help organizations improve their security, today Google is launching, at no cost, a secret discovery tool in our Sensitive Data Protection offering that can find and monitor for plaintext credentials stored in your environment variables.

Helping discover exposed secrets

When secret discovery is enabled, Sensitive Data Protection continuously monitors environment variables and reports violations directly into Security Command Center, our built-in security and risk management solution for Google Cloud. Keeping secrets out of environment variables is also a CIS Benchmarks control, so these findings feed into security compliance and posture reporting. The secret discovery service can be enabled at the project or organization level to give customers comprehensive and continuous coverage.

Below is an example of plaintext secrets added as key/value pairs to the runtime environment variables of a function deployed on Cloud Functions.

https://storage.googleapis.com/gweb-cloudblog-publish/images/image1_ui9Qpd1.max-1000x1000.png

Any principal with permission to read the definition of this function, or to read any downstream logs or metadata catalogs that capture it, can see these credentials.

When Sensitive Data Protection discovers evidence of exposed credentials like these, the exposure is reported into Security Command Center as a vulnerability finding similar to the one shown below:

https://storage.googleapis.com/gweb-cloudblog-publish/images/image2_SmnWNoH.max-2000x2000.png

A more secure way to access secrets from Functions

Centralizing secrets in Secret Manager gives you a single place to manage access controls, auditing, and access logs. Either way you consume a secret, the function's runtime service account needs the Secret Manager Secret Accessor role on that secret; the plaintext value never appears in the function definition. Securely accessing secrets such as API keys and passwords from Functions can be done in two ways:

  1. Mounting the secret as a volume: This makes the secret available to the function as a file, and the function fetches the value from Secret Manager each time the file is read from disk. Mounting as a volume is a good strategy if you want to reference the latest version of the secret instead of a pinned version.
  2. Passing the secret "securely" as an environment variable: This lets you access the secret like any other environment variable, with the added protection of Secret Manager instead of storing and using plaintext values. Here secret values are resolved at instance startup time, which is good for referencing a pinned version of the secret, but it also means a rotated secret is only picked up by instances started after the rotation.
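To make the two halves of this post concrete, here is an added example (not Sensitive Data Protection's implementation, and not code from Google) that scans a function's configuration for the plaintext credentials the discovery feature looks for, while reporting Secret Manager-backed environment variables and volumes as the properly configured alternative. The sample configuration is constructed and shaped like `gcloud functions describe --format=json` output; the `serviceConfig`, `environmentVariables`, `secretEnvironmentVariables` and `secretVolumes` field names and the `--set-secrets` flag syntax in the comment are assumptions to confirm against the current gcloud reference. The credential values are constructed test strings, not live keys.

```python
"""Scan a function configuration for plaintext credentials in environment
variables and list the secrets that are correctly sourced from Secret Manager.

Illustrative detection logic only; Sensitive Data Protection's own detectors
are not public and are certainly more thorough than this.
"""
import json
import math
import re
from dataclasses import dataclass

# Well-known credential formats (constructed list; extend for your environment).
VALUE_PATTERNS = {
    "GOOGLE_API_KEY": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GITHUB_TOKEN": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "PRIVATE_KEY": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Variable names that suggest the value is a credential even without a known format.
SUSPICIOUS_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|credential)", re.I)
# Values that are obviously templates or placeholders, not real secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|xxx+|redacted|)$", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and numbers score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    variable: str
    kind: str
    evidence: str  # redacted; a finding must never re-expose the secret


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def classify(name: str, value: str):
    """Return a finding kind for a plaintext secret, or None if the value looks benign."""
    for kind, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            return kind
    if value.isdigit():  # TTLs, ports, sizes: never a secret
        return None
    if SUSPICIOUS_NAME.search(name) and not PLACEHOLDER.match(value):
        if len(value) >= 16 and shannon_entropy(value) >= 3.5:
            return "HIGH_ENTROPY_SECRET"
        return "POSSIBLE_SECRET"
    return None


def scan_function(config: dict):
    """Return (plaintext findings, names of secrets correctly backed by Secret Manager)."""
    # Gen1 functions keep these fields at top level; gen2 nests them under serviceConfig.
    svc = config.get("serviceConfig", config)
    findings = []
    for key, value in svc.get("environmentVariables", {}).items():
        kind = classify(key, value)
        if kind:
            findings.append(Finding(key, kind, redact(value)))
    managed = [e["key"] for e in svc.get("secretEnvironmentVariables", [])]
    managed += [v["mountPath"] for v in svc.get("secretVolumes", [])]
    return findings, managed


# Constructed sample, shaped like `gcloud functions describe` JSON. The two managed
# entries are what a deployment like
#   gcloud functions deploy checkout \
#     --set-secrets='STRIPE_KEY=stripe-key:3,/etc/secrets/db-password=db-password:latest'
# would produce (flag syntax assumed; check `gcloud functions deploy --help`).
SAMPLE_FUNCTION = {
    "name": "projects/example-project/locations/us-central1/functions/checkout",
    "serviceConfig": {
        "environmentVariables": {
            "LOG_LEVEL": "debug",
            "TOKEN_TTL_SECONDS": "3600",
            "MAPS_API_KEY": "AIzaSyExampleExampleExampleExample12345",  # constructed
            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented dummy key
            "DB_PASSWORD": "hunter2",
        },
        "secretEnvironmentVariables": [
            {"key": "STRIPE_KEY", "projectId": "example-project",
             "secret": "stripe-key", "version": "3"}
        ],
        "secretVolumes": [
            {"mountPath": "/etc/secrets", "projectId": "example-project",
             "secret": "db-password", "versions": [{"version": "latest", "path": "db-password"}]}
        ],
    },
}

if __name__ == "__main__":
    findings, managed = scan_function(SAMPLE_FUNCTION)
    for f in findings:
        print(f"PLAINTEXT {f.kind:<20} {f.variable} = {f.evidence}")
    print("Secret Manager-backed:", ", ".join(managed))
```

The scan reports the three plaintext values and leaves `TOKEN_TTL_SECONDS` and `LOG_LEVEL` alone; the Secret Manager-backed entries show up separately so the report doubles as a migration checklist. Running it over the JSON for every function in a project is a quick approximation of what the managed discovery service does continuously.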

Next Steps

You can start using secret discovery today by enabling secrets scanning directly in the Google Cloud console.

This feature is free of charge as part of Sensitive Data Protection. Sensitive Data Protection and secret discovery work with Security Command Center in both the Standard and Premium tiers, and the Security Command Center Standard tier is available at no cost.