Enable sensitive data discovery in the Enterprise tier

This page describes how to enable sensitive data discovery with default settings. It applies if you're subscribed to the Enterprise tier and want to enable the Sensitive Data Protection discovery service. You can customize the settings at any time after you enable discovery.

The Sensitive Data Protection discovery service is included in your Security Command Center Enterprise subscription. Your discovery capacity is dynamically allocated based on your processing needs.

Benefits

This feature offers the following benefits:

  • You can use Sensitive Data Protection findings to identify and remediate vulnerabilities in your resources that can expose sensitive data to the public or to malicious actors.

  • You can use these findings to add context to the triage process and prioritize threats that target resources containing sensitive data.

  • You can configure Security Command Center to automatically prioritize resources for the attack path simulation feature according to the sensitivity of the data that the resources contain. For more information, see Set resource priority values automatically by data sensitivity.

How it works

The Sensitive Data Protection discovery service helps you protect data across your organization by identifying where sensitive and high-risk data reside. In Sensitive Data Protection, the service generates data profiles, which provide metrics and insights about your data at various levels of detail. In Security Command Center, the service does the following:

To enable sensitive data discovery for your organization, you create one discovery scan configuration for each supported resource that you want to scan.

Finding generation latency

From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated findings to appear in Security Command Center.

From the time you turn on secrets discovery in Sensitive Data Protection, it can take up to 12 hours for the initial scan of environment variables to complete and for any Secrets in environment variables findings to appear in Security Command Center. After the initial scan, Sensitive Data Protection scans environment variables every 24 hours, although in practice scans can run more frequently.
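The latency bounds above reduce to simple date arithmetic. The following is a minimal sketch, not part of any Google Cloud library: the function and constant names are hypothetical, and the durations are the upper bounds stated on this page, so actual findings may appear sooner.

```python
from datetime import datetime, timedelta, timezone

# Upper bounds taken from this page; real latency may be shorter.
PROFILE_FINDING_MAX_LATENCY = timedelta(hours=6)
SECRETS_INITIAL_SCAN_MAX_LATENCY = timedelta(hours=12)


def latest_profile_finding_time(profile_generated_at: datetime) -> datetime:
    """Latest expected time for a profile-based finding to appear."""
    return profile_generated_at + PROFILE_FINDING_MAX_LATENCY


def latest_initial_secrets_finding_time(secrets_enabled_at: datetime) -> datetime:
    """Latest expected time for findings from the initial secrets scan."""
    return secrets_enabled_at + SECRETS_INITIAL_SCAN_MAX_LATENCY


if __name__ == "__main__":
    generated = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # prints 2024-01-01T15:00:00+00:00
    print(latest_profile_finding_time(generated).isoformat())
```

A check like this can help you decide when a missing finding is worth investigating rather than simply still in transit.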

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Activate the Security Command Center Enterprise tier

Complete step 1 and step 2 of the setup guide to activate the Security Command Center Enterprise tier. For more information, see Activate the Security Command Center Enterprise tier.

Enable Sensitive Data Protection as an integrated service

If Sensitive Data Protection isn't already enabled as an integrated service, enable it. For more information, see Add a Google Cloud integrated service.

Set up permissions

To get the permissions that you need to configure sensitive data discovery, ask your administrator to grant you the following IAM roles on the organization:

Purpose: Create a discovery scan configuration and view data profiles
Predefined role: DLP Administrator (roles/dlp.admin)
Relevant permissions:
  • dlp.columnDataProfiles.list
  • dlp.fileStoreProfiles.list
  • dlp.inspectTemplates.create
  • dlp.jobs.create
  • dlp.jobs.list
  • dlp.jobTriggers.create
  • dlp.jobTriggers.list
  • dlp.projectDataProfiles.list
  • dlp.tableDataProfiles.list

Purpose: Create a project to be used as the service agent container [1]
Predefined role: Project Creator (roles/resourcemanager.projectCreator)
Relevant permissions:
  • resourcemanager.organizations.get
  • resourcemanager.projects.create

Purpose: Grant discovery access [2]
Predefined role: One of the following:
  • Organization Administrator (roles/resourcemanager.organizationAdmin)
  • Security Admin (roles/iam.securityAdmin)
Relevant permissions:
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.organizations.setIamPolicy

[1] If you don't have the Project Creator (roles/resourcemanager.projectCreator) role, you can still create a scan configuration, but the service agent container that you use must be an existing project.

[2] If you don't have the Organization Administrator (roles/resourcemanager.organizationAdmin) or Security Admin (roles/iam.securityAdmin) role, you can still create a scan configuration. After you create the scan configuration, someone in your organization who has one of these roles must grant discovery access to the service agent.

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.
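As a planning aid, the role requirements above can be expressed as a small lookup. This is a minimal sketch: the role IDs are the ones listed on this page, but the task labels and the `tasks_covered` function are hypothetical, and the check ignores custom roles or other predefined roles that might carry the same permissions.

```python
# Role IDs come from the roles listed above; the task keys are hypothetical labels.
ROLES_BY_TASK = {
    "create_scan_config_and_view_profiles": {"roles/dlp.admin"},
    "create_service_agent_container": {"roles/resourcemanager.projectCreator"},
    # Either of these two roles is enough to grant discovery access.
    "grant_discovery_access": {
        "roles/resourcemanager.organizationAdmin",
        "roles/iam.securityAdmin",
    },
}


def tasks_covered(granted_roles):
    """Map each task to True if at least one of its listed roles is granted."""
    granted = set(granted_roles)
    return {task: bool(granted & roles) for task, roles in ROLES_BY_TASK.items()}


if __name__ == "__main__":
    for task, ok in tasks_covered(["roles/dlp.admin"]).items():
        print(f"{task}: {'ok' if ok else 'missing role'}")
```

With only `roles/dlp.admin`, the sketch reports the other two tasks as missing a role, which matches the notes above: you can still create a scan configuration, but you need an existing project and someone else to grant discovery access.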

Enable discovery with default settings

To enable discovery, you create a discovery configuration for each data source that you want to scan. This procedure lets you create those discovery configurations automatically using default settings. You can customize the settings at any time after you perform this procedure.

If you want to customize the settings from the start, see the following pages instead:

To enable discovery with default settings, follow these steps:

  1. In the Google Cloud console, go to the Sensitive Data Protection Enable discovery page.

    Go to Enable discovery

  2. Verify that you are viewing the organization on which you activated Security Command Center.

  3. In the Service agent container field, set the project to be used as a service agent container. Within this project, the system creates a service agent and automatically grants the required discovery permissions to it.

    If you previously used the discovery service for your organization, you might already have a service agent container project that you can reuse.

    • To automatically create a project to use as your service agent container, review the suggested project ID and edit it as needed. Then, click Create. It can take a few minutes for the permissions to be granted to the new project's service agent.
    • To select an existing project, click the Service agent container field and select the project.
  4. To review the default settings, click the expand icon.

  5. In the Enable discovery section, for each discovery type that you want to enable, click Enable. Enabling a discovery type does the following:

    • BigQuery: Creates a discovery configuration for profiling BigQuery tables across the organization. Sensitive Data Protection starts profiling your BigQuery data and sends the profiles to Security Command Center.
    • Cloud SQL: Creates a discovery configuration for profiling Cloud SQL tables across the organization. Sensitive Data Protection starts creating default connections for each of your Cloud SQL instances. This process can take a few hours. When the default connections are ready, you must give Sensitive Data Protection access to your Cloud SQL instances by updating each connection with the proper database user credentials.
    • Secrets/credentials vulnerabilities: Creates a discovery configuration for detecting and reporting unencrypted secrets in Cloud Run environment variables. Sensitive Data Protection starts scanning your environment variables.
    • Cloud Storage: Creates a discovery configuration for profiling Cloud Storage buckets across the organization. Sensitive Data Protection starts profiling your Cloud Storage data and sends the profiles to Security Command Center.
    • Vertex AI datasets: Creates a discovery configuration for profiling Vertex AI datasets across the organization. Sensitive Data Protection starts profiling your Vertex AI datasets and sends the profiles to Security Command Center.
    • Amazon S3: Creates a discovery configuration for profiling Amazon S3 data across the organization, a single S3 account, or a single bucket.

  6. To view the newly created discovery configurations, click Go to discovery configuration.

    If you enabled Cloud SQL discovery, the discovery configuration is created in paused mode with errors indicating the absence of credentials. See Manage connections for use with discovery to grant the required IAM roles to your service agent and to provide database user credentials for each Cloud SQL instance.

  7. Close the pane.
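Not every discovery type is ready to run as soon as you click Enable. The following minimal sketch records the follow-up actions that the steps above mention, so that you can list what remains after enabling a set of discovery types. The dictionary and function names are hypothetical, and `None` only means that this page names no extra action for that type.

```python
# Follow-up actions paraphrased from the steps above.
# None means this page names no extra action for that discovery type.
FOLLOW_UP_BY_DISCOVERY_TYPE = {
    "BigQuery": None,
    "Cloud SQL": (
        "Grant the required IAM roles to the service agent and update each "
        "default connection with database user credentials"
    ),
    "Secrets/credentials vulnerabilities": None,
    "Cloud Storage": None,
    "Vertex AI datasets": None,
    "Amazon S3": None,
}


def pending_follow_ups(enabled_types):
    """Return the follow-up action for each enabled type that has one."""
    unknown = [t for t in enabled_types if t not in FOLLOW_UP_BY_DISCOVERY_TYPE]
    if unknown:
        raise ValueError(f"Unknown discovery types: {unknown}")
    return {
        t: FOLLOW_UP_BY_DISCOVERY_TYPE[t]
        for t in enabled_types
        if FOLLOW_UP_BY_DISCOVERY_TYPE[t] is not None
    }


if __name__ == "__main__":
    for name, action in pending_follow_ups(["BigQuery", "Cloud SQL"]).items():
        print(f"{name}: {action}")
```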

To view the findings generated by Sensitive Data Protection, see Review Sensitive Data Protection findings in the Google Cloud console.

Use discovery insights to identify high-value resources

To have Security Command Center automatically designate a resource that contains high-sensitivity or medium-sensitivity data as a high-value resource, enable the Sensitive Data Protection discovery insights option when you create a resource value configuration for the attack path simulation feature.

For high-value resources, Security Command Center provides attack exposure scores and attack path visualizations, which you can use to prioritize the security of your resources that contain sensitive data.

Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery, but only for the following data resource types:

  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
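The two conditions in this section (a supported resource type, and high-sensitivity or medium-sensitivity data) can be combined into one check. This is a minimal sketch: the resource type strings are the ones listed above, while the function name and the `"HIGH"` and `"MEDIUM"` labels are assumptions made for illustration, not values taken from an API.

```python
# Resource types listed above as supported for automatic priority values.
SUPPORTED_RESOURCE_TYPES = frozenset({
    "bigquery.googleapis.com/Dataset",
    "sqladmin.googleapis.com/Instance",
    "storage.googleapis.com/Bucket",
})

# Hypothetical labels for the sensitivity levels named in this section.
HIGH_VALUE_SENSITIVITIES = frozenset({"HIGH", "MEDIUM"})


def can_auto_designate_high_value(resource_type: str, sensitivity: str) -> bool:
    """True if the resource type is supported and the data sensitivity qualifies."""
    return (
        resource_type in SUPPORTED_RESOURCE_TYPES
        and sensitivity.upper() in HIGH_VALUE_SENSITIVITIES
    )


if __name__ == "__main__":
    print(can_auto_designate_high_value("storage.googleapis.com/Bucket", "high"))
    print(can_auto_designate_high_value("storage.googleapis.com/Bucket", "low"))
```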

Customize the scan configurations

After you create the scan configurations, you can customize them. For example, you can do the following:

  • Adjust the scan frequencies.
  • Specify filters for data assets that you don't want to reprofile.
  • Change the inspection template, which defines the information types that Sensitive Data Protection scans for.
  • Publish the generated data profiles to other Google Cloud services.
  • Change the service agent container.

What's next