Enable sensitive data discovery

This page describes how to set up Sensitive Data Protection to generate findings that show the sensitivity and data risk levels of the data assets across your organization. This procedure describes how to enable sensitive data discovery if you're subscribed to the Enterprise tier of Security Command Center. For information about how to enable sensitive data discovery regardless of your Security Command Center service tier, see the following pages in the Sensitive Data Protection documentation:

How it works

The Sensitive Data Protection discovery service helps you protect data across your organization by identifying where sensitive and high-risk data reside. In Sensitive Data Protection, the service generates data profiles, which provide metrics and insights about your data at various levels of detail. In Security Command Center, the service does the following:

  • Generates observation findings in Security Command Center that show the calculated sensitivity and data risk levels of your BigQuery and Cloud SQL data. You can use these findings to inform your response when you encounter threats and vulnerabilities related to your data assets. For a list of finding types generated, see Observation findings from the discovery service.

    These findings can inform the automatic designation of high-value resources based on data sensitivity. For more information, see Use discovery insights to identify high-value resources on this page.

  • Generates vulnerability findings in Security Command Center when Sensitive Data Protection detects secrets in your Cloud Functions environment variables. Storing secrets, such as passwords, in environment variables isn't a secure practice because environment variables aren't encrypted. For a full list of secret types that Sensitive Data Protection detects, see Credentials and secrets. For a list of finding types generated, see Vulnerability findings from the Sensitive Data Protection discovery service.

To enable sensitive data discovery for your organization, you create one discovery scan configuration for each supported resource that you want to scan.

Pricing

Sensitive data discovery is charged separately from Security Command Center regardless of your service tier. If you don't purchase a subscription for discovery, you are charged based on your consumption (bytes scanned). For more information, see Discovery pricing in the Sensitive Data Protection documentation.

Before you begin

Complete the following tasks before you proceed with the rest of this page.

Activate the Security Command Center Enterprise tier

Complete step 1 and step 2 of the setup guide to activate the Security Command Center Enterprise tier. For more information, see Activate the Security Command Center Enterprise tier.

Enable Sensitive Data Protection as an integrated service

If Sensitive Data Protection isn't already enabled as an integrated service, enable it. For more information, see Add a Google Cloud integrated service.

Set up permissions

To get the permissions that you need to configure sensitive data discovery, ask your administrator to grant you the following IAM roles on the organization:

Purpose: Create a discovery scan configuration and view data profiles
Predefined role: DLP Administrator (roles/dlp.admin)
Relevant permissions:
  • dlp.inspectTemplates.create
  • dlp.jobs.create
  • dlp.jobTriggers.create
  • dlp.columnDataProfiles.list
  • dlp.jobs.list
  • dlp.jobTriggers.list
  • dlp.projectDataProfiles.list
  • dlp.tableDataProfiles.list

Purpose: Create a project to be used as the service agent container¹
Predefined role: Project Creator (roles/resourcemanager.projectCreator)
Relevant permissions:
  • resourcemanager.organizations.get
  • resourcemanager.projects.create

Purpose: Grant discovery access²
Predefined role: One of the following:
  • Organization Administrator (roles/resourcemanager.organizationAdmin)
  • Security Admin (roles/iam.securityAdmin)
Relevant permissions:
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.organizations.setIamPolicy

¹ If you don't have the Project Creator (roles/resourcemanager.projectCreator) role, you can still create a scan configuration, but the service agent container that you use must be an existing project.

² If you don't have the Organization Administrator (roles/resourcemanager.organizationAdmin) or Security Admin (roles/iam.securityAdmin) role, you can still create a scan configuration. After you create the scan configuration, someone in your organization who has one of these roles must grant discovery access to the service agent.

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable discovery

To enable discovery, you create a scan configuration for each discovery type that you want to enable.

  1. In the Google Cloud console, go to the setup page.

  2. Verify that you are viewing the organization on which you activated the Security Command Center Enterprise tier.

  3. Click Set up sensitive data protection. The discovery dashboard in Sensitive Data Protection appears. The Product coverage section of the dashboard shows the status of each discovery type.

  4. For a discovery type that you want to enable, click Enable. For example, if you want to scan BigQuery tables in your organization, in the BigQuery card, click Enable.

    The Create scan configuration page opens.

  5. Configure discovery at the organization level. For more information, see one of the following pages, depending on the type of discovery that you want to enable:

  6. Repeat these steps to create scan configurations for the remaining discovery types.

From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated Data sensitivity and Data risk findings to appear in Security Command Center.

From the time you turn on secrets discovery in Sensitive Data Protection, it can take up to 12 hours for the initial scan of environment variables to complete and for any Secrets in environment variables findings to appear in Security Command Center. Subsequently, Sensitive Data Protection scans environment variables every 24 hours. In practice, scans can run more frequently than that.

To view the findings generated by Sensitive Data Protection, see Review Sensitive Data Protection findings in the Google Cloud console.

Use discovery insights to identify high-value resources

You can have Security Command Center automatically designate any BigQuery dataset that contains high-sensitivity or medium-sensitivity data as a high-value resource. To do so, enable the Sensitive Data Protection discovery insights option when you create a resource value configuration for the attack path simulation feature.

For high-value resources, Security Command Center provides attack exposure scores and attack path visualizations, which you can use to prioritize the security of your resources that contain sensitive data.

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection only for the bigquery.googleapis.com/Dataset resource type.
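To make the designation rule concrete, the following added example (not code from the page or from Google Cloud) models which findings would and would not feed the automatic high-value designation. The finding fields, the sample records and the Cloud SQL resource type string are constructed assumptions, not the real Security Command Center finding schema.

```python
from dataclasses import dataclass

# Constructed, simplified finding record (assumption: not the real SCC schema).
@dataclass(frozen=True)
class Finding:
    category: str       # e.g. "Data sensitivity" or "Data risk"
    resource_type: str  # e.g. "bigquery.googleapis.com/Dataset"
    resource_name: str
    level: str          # "HIGH", "MEDIUM" or "LOW"

# Only this resource type is eligible for automatic designation.
DATASET_TYPE = "bigquery.googleapis.com/Dataset"
# High- and medium-sensitivity data qualify; low does not.
HIGH_VALUE_LEVELS = {"HIGH", "MEDIUM"}


def high_value_datasets(findings):
    """Datasets the discovery insights option would mark as high-value resources."""
    return sorted({
        f.resource_name for f in findings
        if f.category == "Data sensitivity"      # Data risk findings do not drive designation
        and f.resource_type == DATASET_TYPE
        and f.level in HIGH_VALUE_LEVELS
    })


def sensitive_but_not_designated(findings):
    """Sensitive resources skipped because they are not BigQuery datasets (e.g. Cloud SQL)."""
    return sorted({
        f.resource_name for f in findings
        if f.category == "Data sensitivity"
        and f.resource_type != DATASET_TYPE
        and f.level in HIGH_VALUE_LEVELS
    })


# Constructed sample findings; "sqladmin.googleapis.com/Instance" is an assumed type string.
SAMPLE_FINDINGS = [
    Finding("Data sensitivity", DATASET_TYPE, "//bigquery.googleapis.com/projects/demo-proj/datasets/payroll", "HIGH"),
    Finding("Data sensitivity", DATASET_TYPE, "//bigquery.googleapis.com/projects/demo-proj/datasets/marketing", "LOW"),
    Finding("Data sensitivity", DATASET_TYPE, "//bigquery.googleapis.com/projects/demo-proj/datasets/support", "MEDIUM"),
    Finding("Data risk", DATASET_TYPE, "//bigquery.googleapis.com/projects/demo-proj/datasets/marketing", "HIGH"),
    Finding("Data sensitivity", "sqladmin.googleapis.com/Instance", "//sqladmin.googleapis.com/projects/demo-proj/instances/crm-db", "HIGH"),
]

if __name__ == "__main__":
    print("High-value datasets:", high_value_datasets(SAMPLE_FINDINGS))
    print("Sensitive but not designated:", sensitive_but_not_designated(SAMPLE_FINDINGS))
```

The second function is the check worth keeping around: a high-sensitivity Cloud SQL instance gets no automatic priority, so it needs a manual resource value configuration.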

What's next