This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.
You can configure Sensitive Data Protection to automatically generate profiles about data across an organization, folder, or project. Data profiles contain metrics and metadata about your data and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.
Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.
Benefits of publishing data profiles to Security Command Center
Sensitive Data Protection can generate observation findings in Security Command Center based on your data profiles. The findings show the calculated sensitivity and data risk levels of your data. This feature offers the following benefits in Security Command Center:
- You can use these findings to inform your response when you encounter threats and vulnerabilities related to your data.
- You can configure Security Command Center to prioritize resources for the attack path simulation feature automatically according to the sensitivity of the data that the resources contain. For more information, see Set resource priority values automatically by data sensitivity.
Generated Security Command Center findings
When you configure the discovery service to publish data profiles to Security Command Center, each table data profile or file store data profile generates the following Security Command Center findings.
Vulnerability findings from the discovery service
The Sensitive Data Protection discovery service helps you determine whether you are storing highly sensitive data that is not protected.
Category | Summary
---|---
Category name in the API: | Finding description: The specified resource has high-sensitivity data that can be accessed by anyone on the internet. Remediation: For Google Cloud data, remove the `allUsers` and `allAuthenticatedUsers` principals from the resource's IAM policy. For Amazon S3 data, configure block public access settings or update the object's ACL to deny public read access. Compliance standards: Not mapped
Category name in the API: | Finding description: There are secrets, such as passwords, authentication tokens, and Google Cloud credentials, in environment variables. To enable this detector, see Report secrets in environment variables to Security Command Center in the Sensitive Data Protection documentation. Remediation: For Cloud Run functions environment variables, remove the secret from the environment variable and store it in Secret Manager instead. For Cloud Run service revision environment variables, move all traffic off of the revision, and then delete the revision.
Category name in the API: | Finding description: There are secrets, such as passwords, authentication tokens, and cloud credentials, in the specified resource. Compliance standards: Not mapped
Observation findings from the discovery service
- Data sensitivity: An indication of the sensitivity level of the data in a particular data asset. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
- Data risk: The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the data asset and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.
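If you want to retrieve these observation findings programmatically instead of through the console, the following is a minimal sketch that uses the google-cloud-securitycenter Python client. The organization ID is a placeholder, and the "sources/-" parent queries findings across all sources.

```python
# Minimal sketch: list active Data sensitivity and Data risk findings
# for an organization. ORGANIZATION_ID is a placeholder.
from google.cloud import securitycenter_v1

client = securitycenter_v1.SecurityCenterClient()

# "sources/-" searches findings from all sources in the organization.
all_sources = "organizations/ORGANIZATION_ID/sources/-"

finding_filter = (
    'state="ACTIVE" AND '
    '(category="DATA_SENSITIVITY" OR category="DATA_RISK")'
)

for result in client.list_findings(
    request={"parent": all_sources, "filter": finding_filter}
):
    finding = result.finding
    print(finding.category, finding.severity.name, finding.resource_name)
```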
Finding generation latency
From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated findings to appear in Security Command Center.
Send data profiles to Security Command Center
The following is a high-level workflow for publishing data profiles to Security Command Center.
Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level, at any service tier.
If Security Command Center is activated at the project level only, findings from Sensitive Data Protection won't appear in Security Command Center.
If Security Command Center isn't activated for your organization, you must activate it. For more information, see the activation instructions for your Security Command Center service tier.
Confirm that Sensitive Data Protection is enabled as an integrated service. For more information, see Add a Google Cloud integrated service.
Enable discovery by creating a discovery scan configuration for each data source that you want to scan. In your scan configuration, make sure that you keep the Publish to Security Command Center option enabled.
If you have an existing discovery scan configuration that doesn't publish data profiles to Security Command Center, see Enable publishing to Security Command Center in an existing configuration on this page.
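If you manage discovery configurations through the DLP API instead of the console, the following is a minimal sketch, assuming the google-cloud-dlp Python client, that creates an organization-level BigQuery discovery configuration with the publish-to-Security Command Center action enabled. The project and organization IDs are placeholders, and your targets, scope, and inspection settings will differ.

```python
# Minimal sketch (assumptions: google-cloud-dlp client, org-level discovery,
# placeholder project and organization IDs).
from google.cloud import dlp_v2

AGENT_CONTAINER_PROJECT_ID = "agent-container-project"  # placeholder
ORGANIZATION_ID = 123456789012  # placeholder numeric organization ID

client = dlp_v2.DlpServiceClient()

# The service agent container project that stores the discovery configuration.
parent = f"projects/{AGENT_CONTAINER_PROJECT_ID}/locations/global"

discovery_config = dlp_v2.DiscoveryConfig(
    display_name="Profile BigQuery data and publish to Security Command Center",
    status=dlp_v2.DiscoveryConfig.Status.RUNNING,
    # Scan the organization, using the container project for the service agent.
    org_config=dlp_v2.DiscoveryConfig.OrgConfig(
        project_id=AGENT_CONTAINER_PROJECT_ID,
        location=dlp_v2.DiscoveryStartingLocation(organization_id=ORGANIZATION_ID),
    ),
    # Profile all BigQuery tables in scope.
    targets=[
        dlp_v2.DiscoveryTarget(
            big_query_target=dlp_v2.BigQueryDiscoveryTarget(
                filter=dlp_v2.DiscoveryBigQueryFilter(
                    other_tables=dlp_v2.DiscoveryBigQueryFilter.AllOtherBigQueryTables()
                )
            )
        )
    ],
    # Keep the "Publish to Security Command Center" action enabled.
    actions=[
        dlp_v2.DataProfileAction(
            publish_to_scc=dlp_v2.DataProfileAction.PublishToSecurityCommandCenter()
        )
    ],
)

response = client.create_discovery_config(
    parent=parent, discovery_config=discovery_config
)
print(f"Created discovery configuration: {response.name}")
```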
Enable discovery with default settings
To enable discovery, you create a discovery configuration for each data source that you want to scan. This procedure lets you create those discovery configurations automatically using default settings. You can customize the settings at any time after you perform this procedure.
If you want to customize the settings from the start, see the following pages instead:
- Profile BigQuery data in an organization or folder
- Profile Cloud SQL data in an organization or folder
- Profile Cloud Storage data in an organization or folder
- Profile Vertex AI data in an organization or folder (Preview)
- Sensitive data discovery for Amazon S3
- Report secrets in environment variables to Security Command Center
To enable discovery with default settings, follow these steps:
In the Google Cloud console, go to the Sensitive Data Protection Enable discovery page.
Verify that you are viewing the organization that you activated Security Command Center on.
In the Service agent container field, set the project to be used as a service agent container. Within this project, the system creates a service agent and automatically grants the required discovery permissions to it.
If you previously used the discovery service for your organization, you might already have a service agent container project that you can reuse.
- To automatically create a project to use as your service agent container, review the suggested project ID and edit it as needed. Then, click Create. It can take a few minutes for the permissions to be granted to the new project's service agent.
- To select an existing project, click the Service agent container field and select the project.
To review the default settings, click the expand icon.
In the Enable discovery section, for each discovery type that you want to enable, click Enable. Enabling a discovery type does the following:
- BigQuery: Creates a discovery configuration for profiling BigQuery tables across the organization. Sensitive Data Protection starts profiling your BigQuery data and sends the profiles to Security Command Center.
- Cloud SQL: Creates a discovery configuration for profiling Cloud SQL tables across the organization. Sensitive Data Protection starts creating default connections for each of your Cloud SQL instances. This process can take a few hours. When the default connections are ready, you must give Sensitive Data Protection access to your Cloud SQL instances by updating each connection with the proper database user credentials.
- Secrets/credentials vulnerabilities: Creates a discovery configuration for detecting and reporting unencrypted secrets in Cloud Run environment variables. Sensitive Data Protection starts scanning your environment variables.
- Cloud Storage: Creates a discovery configuration for profiling Cloud Storage buckets across the organization. Sensitive Data Protection starts profiling your Cloud Storage data and sends the profiles to Security Command Center.
- Vertex AI datasets: Creates a discovery configuration for profiling Vertex AI datasets across the organization. Sensitive Data Protection starts profiling your Vertex AI datasets and sends the profiles to Security Command Center.
- Amazon S3: Creates a discovery configuration for profiling Amazon S3 data across the organization, a single AWS account, or a single bucket.
To view the newly created discovery configurations, click Go to discovery configuration.
If you enabled Cloud SQL discovery, the discovery configuration is created in paused mode with errors indicating the absence of credentials. See Manage connections for use with discovery to grant the required IAM roles to your service agent and to provide database user credentials for each Cloud SQL instance.
Close the pane.
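If you want to confirm the newly created configurations outside the console, here is a minimal sketch, assuming the google-cloud-dlp Python client and that the configurations live in your service agent container project. The project ID is a placeholder.

```python
# Minimal sketch: list discovery configurations in the service agent
# container project. AGENT_CONTAINER_PROJECT_ID is a placeholder.
from google.cloud import dlp_v2

client = dlp_v2.DlpServiceClient()
parent = "projects/AGENT_CONTAINER_PROJECT_ID/locations/global"

for config in client.list_discovery_configs(parent=parent):
    # A Cloud SQL configuration can show PAUSED until credentials are provided.
    print(config.name, config.display_name, config.status.name)
```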
Enable publishing to Security Command Center in an existing configuration
If you have an existing discovery scan configuration that is not set to publish discovery results to Security Command Center, follow these steps:
Open the discovery scan configuration for editing.
In the Actions section, enable Publish to Security Command Center.
Click Save.
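If the existing configuration is managed through the DLP API rather than the console, the following sketch, assuming the google-cloud-dlp Python client and a placeholder configuration name, adds the equivalent publish-to-Security Command Center action.

```python
# Minimal sketch: add the publish-to-SCC action to an existing discovery
# configuration. The configuration name below is a placeholder.
from google.cloud import dlp_v2
from google.protobuf import field_mask_pb2

client = dlp_v2.DlpServiceClient()

name = (
    "projects/AGENT_CONTAINER_PROJECT_ID/locations/global/"
    "discoveryConfigs/CONFIG_ID"
)

# Read the current configuration so that existing actions are preserved.
config = client.get_discovery_config(name=name)

# Append the action only if it is not already present.
if not any("publish_to_scc" in action for action in config.actions):
    config.actions.append(
        dlp_v2.DataProfileAction(
            publish_to_scc=dlp_v2.DataProfileAction.PublishToSecurityCommandCenter()
        )
    )
    client.update_discovery_config(
        name=name,
        discovery_config=config,
        update_mask=field_mask_pb2.FieldMask(paths=["actions"]),
    )
```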
Query for Security Command Center findings related to data profiles
The following are example queries that you can use to find relevant Data sensitivity and Data risk findings in Security Command Center. You can enter these queries in the Query editor field. For more information about the query editor, see Edit a findings query in the Security Command Center dashboard.
List all Data sensitivity and Data risk findings for a particular BigQuery table
This query is useful, for example, if Security Command Center detects an event where a BigQuery table was saved to a different project. In this case, an Exfiltration: BigQuery Data Exfiltration finding is generated, and it contains the full display name of the table that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the table, view the calculated sensitivity and data risk levels for the table, and plan your response accordingly.
state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"
Replace the following:
- PROJECT_ID: the ID of the project that contains the BigQuery table
- DATASET_ID: the dataset ID of the table
- TABLE_ID: the ID of the table
List all Data sensitivity and Data risk findings for a particular Cloud SQL instance
This query is useful, for example, if Security Command Center detects an event where live Cloud SQL instance data was exported to a Cloud Storage bucket outside of the organization. In this case, an Exfiltration: Cloud SQL Data Exfiltration finding is generated, and it contains the full resource name of the instance that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the instance, view the calculated sensitivity and data risk levels for the instance, and plan your response accordingly.
state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND resource.name:"INSTANCE_NAME"
Replace the following:
- INSTANCE_NAME: a portion of the name of the Cloud SQL instance
List all Data risk and Data sensitivity findings with a High severity level
state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND severity="HIGH"
What's next
- Learn about how to Set resource priority values automatically by data sensitivity in Security Command Center.
- Learn how to report the presence of secrets in environment variables to Security Command Center.