Publish data profiles to Security Command Center

This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.

You can configure Sensitive Data Protection to automatically generate profiles about data across an organization, folder, or project. Data profiles contain metrics and metadata about your data and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.

Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.

Benefits of publishing data profiles to Security Command Center

Sensitive Data Protection can generate observation findings in Security Command Center based on your data profiles. The findings show the calculated sensitivity and data risk levels of your data. This feature offers the following benefits in Security Command Center:

Generated Security Command Center findings

When you configure the discovery service to publish data profiles to Security Command Center, each table data profile or file store data profile generates the following Security Command Center findings.

Vulnerability findings from the discovery service

The Sensitive Data Protection discovery service helps you determine whether you are storing highly sensitive data that is not protected.

Category Summary

Public sensitive data

Category name in the API:

PUBLIC_SENSITIVE_DATA

Finding description: The specified resource has high-sensitivity data that can be accessed by anyone on the internet.

Supported assets:

  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
  • Amazon S3 bucket

Remediation:

For Google Cloud data, remove allUsers and allAuthenticatedUsers from the data asset's IAM policy.

For Amazon S3 data, configure block public access settings or update the object's ACL to deny public read access.

Compliance standards: Not mapped

Secrets in environment variables

Category name in the API:

SECRETS_IN_ENVIRONMENT_VARIABLES

Finding description: There are secrets—such as passwords, authentication tokens, and Google Cloud credentials—in environment variables.

To enable this detector, see Report secrets in environment variables to Security Command Center in the Sensitive Data Protection documentation.

Supported assets:

Remediation:

For Cloud Run functions environment variables, remove the secret from the environment variable and store it in Secret Manager instead.

For Cloud Run service revision environment variables, move all traffic off of the revision, and then delete the revision.

Compliance standards:

  • CIS GCP Foundation 1.3: 1.18
  • CIS GCP Foundation 2.0: 1.18

Secrets in storage

Category name in the API:

SECRETS_IN_STORAGE

Finding description: There are secrets—such as passwords, authentication tokens, and cloud credentials—in the specified resource.

Supported assets:

  • bigquery.googleapis.com/Dataset
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
  • Amazon S3 bucket

Remediation:

  1. For Google Cloud data, use Sensitive Data Protection to run a deep inspection scan of the specified resource to identify all affected resources. For Cloud SQL data, export that data to a CSV or AVRO file in a Cloud Storage bucket and run a deep inspection scan of the bucket.

    For Amazon S3 data, manually inspect the specified bucket.

  2. Remove the detected secrets.
  3. Consider resetting the credentials.
  4. For Google Cloud data, consider storing the detected secrets in Secret Manager instead.

Compliance standards: Not mapped

Observation findings from the discovery service

Data sensitivity
An indication of the sensitivity level of the data in a particular data asset. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
Data risk
The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the data asset and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.

Finding generation latency

From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated findings to appear in Security Command Center.

Send data profiles to Security Command Center

The following is a high-level workflow for publishing data profiles to Security Command Center.

  1. Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level, at any service tier.

    If Security Command Center is activated at the project level only, findings from Sensitive Data Protection won't appear in Security Command Center.

  2. If Security Command Center isn't activated for your organization, you must activate it. For more information, see one of the following, depending on your Security Command Center service tier:

  3. Confirm that Sensitive Data Protection is enabled as an integrated service. For more information, see Add a Google Cloud integrated service.

  4. Enable discovery by creating a discovery scan configuration for each data source that you want to scan. In your scan configuration, make sure that you keep the Publish to Security Command Center option enabled.

    If you have an existing discovery scan configuration that doesn't publish data profiles to Security Command Center, see Enable publishing to Security Command Center in an existing configuration on this page.

Enable discovery with default settings

To enable discovery, you create a discovery configuration for each data source that you want to scan. This procedure lets you create those discovery configurations automatically using default settings. You can customize the settings at any time after you perform this procedure.

If you want to customize the settings from the start, see the following pages instead:

To enable discovery with default settings, follow these steps:

  1. In the Google Cloud console, go to the Sensitive Data Protection Enable discovery page.

    Go to Enable discovery

  2. Verify that you are viewing the organization that you activated Security Command Center on.

  3. In the Service agent container field, set the project to be used as a service agent container. Within this project, the system creates a service agent and automatically grants the required discovery permissions to it.

    If you previously used the discovery service for your organization, you might already have a service agent container project that you can reuse.

    • To automatically create a project to use as your service agent container, review the suggested project ID and edit it as needed. Then, click Create. It can take a few minutes for the permissions to be granted to the new project's service agent.
    • To select an existing project, click the Service agent container field and select the project.
  4. To review the default settings, click the expand icon.

  5. In the Enable discovery section, for each discovery type that you want to enable, click Enable. Enabling a discovery type does the following:

    • BigQuery: Creates a discovery configuration for profiling BigQuery tables across the organization. Sensitive Data Protection starts profiling your BigQuery data and sends the profiles to Security Command Center.
    • Cloud SQL: Creates a discovery configuration for profiling Cloud SQL tables across the organization. Sensitive Data Protection starts creating default connections for each of your Cloud SQL instances. This process can take a few hours. When the default connections are ready, you must give Sensitive Data Protection access to your Cloud SQL instances by updating each connection with the proper database user credentials.
    • Secrets/credentials vulnerabilities: Creates a discovery configuration for detecting and reporting unencrypted secrets in Cloud Run environment variables. Sensitive Data Protection starts scanning your environment variables.
    • Cloud Storage: Creates a discovery configuration for profiling Cloud Storage buckets across the organization. Sensitive Data Protection starts profiling your Cloud Storage data and sends the profiles to Security Command Center.
    • Vertex AI datasets: Creates a discovery configuration for profiling Vertex AI datasets across the organization. Sensitive Data Protection starts profiling your Vertex AI datasets and sends the profiles to Security Command Center.
    • Amazon S3: Creates a discovery configuration for profiling Amazon S3 data across the organization, a single S3 account, or a single bucket.

  6. To view the newly created discovery configurations, click Go to discovery configuration.

    If you enabled Cloud SQL discovery, the discovery configuration is created in paused mode with errors indicating the absence of credentials. See Manage connections for use with discovery to grant the required IAM roles to your service agent and to provide database user credentials for each Cloud SQL instance.

  7. Close the pane.

Enable publishing to Security Command Center in an existing configuration

If you have an existing discovery scan configuration that is not set to publish discovery results to Security Command Center, follow these steps:

  1. Open the scan configuration for editing.

  2. In the Actions section, enable Publish to Security Command Center.

  3. Click Save.

Query for Security Command Center findings related to data profiles

The following are example queries that you can use to find relevant Data sensitivity and Data risk findings in Security Command Center. You can enter these queries in the Query editor field. For more information about the query editor, see Edit a findings query in the Security Command Center dashboard.

List all Data sensitivity and Data risk findings for a particular BigQuery table

This query is useful, for example, if Security Command Center detects an event where a BigQuery table was saved to a different project. In this case, an Exfiltration: BigQuery Data Exfiltration finding is generated, and it contains the full display name of the table that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the table. View the calculated sensitivity and data risk levels for the table and plan your response accordingly.

state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"

Replace the following:

  • PROJECT_ID: the ID of the project that contains the BigQuery table
  • DATASET_ID: the dataset ID of the table
  • TABLE_ID: the ID of the table

List all Data sensitivity and Data risk findings for a particular Cloud SQL instance

This query is useful, for example, if Security Command Center detects an event where live Cloud SQL instance data was exported to a Cloud Storage bucket outside of the organization. In this case, an Exfiltration: Cloud SQL Data Exfiltration finding is generated, and it contains the full resource name of the instance that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the instance. View the calculated sensitivity and data risk levels for the instance and plan your response accordingly.

state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND resource.name:"INSTANCE_NAME"

Replace the following:

  • INSTANCE_NAME: a portion of the name of the Cloud SQL instance

List all Data risk and Data sensitivity findings with a High severity level

state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND severity="HIGH"

What's next