Sunday, May 26, 2024

Google Cloud Unveils Free Tool Detecting Plaintext Credentials


Google Cloud unveils a free tool to stop plaintext password leaks. Secret discovery finds & monitors plain passwords in your cloud, securing your data & boosting compliance.

Google Cloud seeks to improve security for organizations by launching a secret discovery tool set to find and monitor plaintext credentials stored in an organization’s environment variables. This new security initiative will be free and part of Google’s Sensitive Data Protection offering. The idea is to strengthen the security backbone of any organization that uses Google Cloud by helping to eliminate the vulnerability associated with covert plaintext credentials that might have been stored without proper encryption.

Google Cloud is a suite of cloud computing services offered by Google. These services include infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) products, covering areas such as computing, storage, databases, machine learning, data analytics, and more. Google Cloud provides a scalable and flexible cloud infrastructure that businesses and developers can use to build, deploy, and scale applications.

Scott Ellis and Tim Wingerter, Senior and Product Managers at Google Cloud, respectively, emphasized the risks of storing credentials in plaintext. These risks include exposing credentials to unauthorized users, including potential threat actors. Furthermore, improperly secured credentials can be collected, propagated, and exposed across various systems, such as logs or inventory systems, increasing the number of avenues through which they can be attacked.

For more secure management of stored credentials, Google Cloud recommends tools like Secret Manager. Secret Manager adds encryption and authorization to the use of secrets such as passwords and API keys. However, identifying which credentials have been stored and exposed in plaintext can be difficult. The newly launched secret discovery tool in Google Cloud’s Sensitive Data Protection offering aims to solve this challenge by finding and monitoring plaintext credentials stored in environment variables.

Once secret discovery is enabled, Sensitive Data Protection will continually monitor and report violations directly to the Security Command Center, Google Cloud’s built-in security and risk management solution.

The secret discovery service can be activated at the project or organization level to provide comprehensive and continuous coverage. Any environment variables found to contain secrets will be identified as part of the CIS Benchmarks security compliance and posture reporting process. Any exposed credentials that are discovered are reported to the Security Command Center as a vulnerability.

This approach to more secure access to secrets underlines the importance of centralizing secret management, which makes access controls, auditing, and access logs easier to manage. Google Cloud also gives users two choices for securely accessing secrets such as API keys and passwords in functions: mounting the secret as a volume, or passing the secret securely as an environment variable.
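A local pre-check in the same spirit, as an added example that is not Google's detection logic or code from the article: it audits a function description and separates plaintext environment variables that look like credentials from values bound through Secret Manager. The field names follow the Cloud Functions v2 API `serviceConfig`; the sample document, the heuristics, and their thresholds are assumptions made for illustration.

```python
import json
import math
import re

# Constructed sample shaped like `gcloud functions describe --format=json`
# output for a 2nd gen function. All values are made up for this example.
SAMPLE = json.loads("""
{"serviceConfig": {
  "environmentVariables": {
    "LOG_LEVEL": "info",
    "DB_PASSWORD": "constructed-Passw0rd-not-real",
    "UPSTREAM": "https://user:constructed-pw@db.example.internal/app",
    "SIGNING_MATERIAL": "q7Zk29XbLm41TnVw8RsYc3HdPf60AeGu"},
  "secretEnvironmentVariables": [
    {"key": "API_KEY", "projectId": "example-project", "secret": "billing-api-key", "version": "latest"}],
  "secretVolumes": [
    {"mountPath": "/etc/secrets", "projectId": "example-project", "secret": "tls-key"}]
}}
""")

# Heuristics are assumptions for this example, not the service's detectors.
NAME_HINT = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
URL_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

def entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def audit(fn):
    """Return (findings, managed): plaintext suspects and Secret Manager bindings."""
    cfg = fn.get("serviceConfig", {})
    findings = []
    for key, value in sorted(cfg.get("environmentVariables", {}).items()):
        if NAME_HINT.search(key):
            findings.append((key, "credential-like name"))
        elif URL_CREDS.match(value):
            findings.append((key, "credentials embedded in URL"))
        elif len(value) >= 24 and " " not in value and entropy(value) >= 4.0:
            findings.append((key, "high-entropy value"))
    managed = [e["key"] for e in cfg.get("secretEnvironmentVariables", [])]
    managed += [v["mountPath"] for v in cfg.get("secretVolumes", [])]
    return findings, managed

if __name__ == "__main__":
    findings, managed = audit(SAMPLE)
    for key, reason in findings:
        print(f"PLAINTEXT? {key}: {reason}")  # report the name only, never the value
    print("Secret Manager bindings:", ", ".join(managed))
```

The report lists variable names and reasons only, so the audit output does not become another place where the credential is copied.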

Google Cloud users can use secret discovery today by directly enabling secret scanning in the Console UI. This feature is free as part of Sensitive Data Protection and works with the Security Command Center in both Standard and Premium Tiers. 
