SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Google Cloud launches tool to detect plaintext credentials for free
Fri, 5th Jan 2024

Google Cloud seeks to improve security for organisations by launching a secret discovery tool designed to find and monitor plaintext credentials stored in an organisation's environment variables. This new security capability is part of Google's Sensitive Data Protection offering and is provided at no cost. The aim is to strengthen the security posture of any organisation using Google Cloud by helping to eliminate the vulnerability created by plaintext credentials that may have been stored without proper encryption.

Google Cloud is a suite of cloud computing services offered by Google. These services include infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) products, covering areas such as computing, storage, databases, machine learning, data analytics, and more. Google Cloud provides a scalable and flexible cloud infrastructure that businesses and developers can use to build, deploy, and scale applications.

Scott Ellis and Tim Wingerter, Senior Product Manager and Product Manager at Google Cloud respectively, emphasised the risks that come with storing credentials in plaintext. These risks include exposing credentials to unauthorised users, including potential threat actors. Furthermore, improperly secured credentials can be collected and propagated, and may end up exposed across other systems such as logs or inventory systems, increasing the number of avenues through which they can be attacked.

For more secure management of stored credentials, Google Cloud has recommended the use of tools like Secret Manager. Secret Manager adds encryption and authorisation to the use of secrets such as passwords and API keys. However, identifying which credentials have already been stored and exposed in plaintext can be difficult. The newly launched secret discovery tool in Google Cloud's Sensitive Data Protection offering aims to solve this problem by finding and monitoring plaintext credentials stored in environment variables.

Once secret discovery is enabled, Sensitive Data Protection will continually monitor and report violations directly to the Security Command Center, Google Cloud's built-in security and risk management solution.

The secret discovery service can be activated at the project or organisation level to provide comprehensive and continuous coverage. Any environment variables found to contain secrets are identified as part of the CIS Benchmarks security compliance and posture reporting process. Any exposed credentials discovered are reported to the Security Command Center as a vulnerability.
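To make the kind of finding described above concrete, here is an added Python illustration (not Google's code, and not how Sensitive Data Protection's detectors are implemented): a small scan over a constructed set of environment variables that flags values which look like plaintext credentials while leaving Secret Manager references alone. The patterns and the sample values are simplified assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Illustrative value patterns only (assumption): a production scanner uses
# far richer detectors than these few regexes.
VALUE_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}
# Variable names that suggest the value itself is a credential.
NAME_HINT = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# A Secret Manager resource name: a reference to a secret, not the secret.
SECRET_REF = re.compile(r"^projects/[^/]+/secrets/[^/]+(/versions/[^/]+)?$")


def scan_env(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable, finding) pairs for variables that appear to hold plaintext secrets."""
    findings: List[Tuple[str, str]] = []
    for name, value in env.items():
        if SECRET_REF.match(value):
            continue  # referencing a managed secret is the intended pattern
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append((name, label))
                break
        else:
            # No known value shape, but the name suggests a credential with a non-trivial value.
            if NAME_HINT.search(name) and len(value) >= 8:
                findings.append((name, "credential_named_variable"))
    return findings


# Constructed sample environment; every value here is made up for the example.
SAMPLE_ENV = {
    "DB_HOST": "db.internal.example",
    "DB_PASSWORD": "hunter2hunter2",
    "GOOGLE_API_KEY": "AIza0123456789abcdefghijklmnopqrstuvwxy",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "DATABASE_URL": "postgres://app:s3cr3t@db.internal.example:5432/app",
    "SA_KEY_PEM": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg(constructed)",
    "API_TOKEN_SECRET_REF": "projects/demo-project/secrets/api-token/versions/latest",
    "LOG_LEVEL": "info",
}

if __name__ == "__main__":
    for variable, finding in scan_env(SAMPLE_ENV):
        print(f"plaintext credential suspected in {variable}: {finding}")
```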

This new approach to more secure access to secrets underlines the importance of centralising secret management, which makes access controls, auditing, and access logs easier to manage. Google Cloud also offers users two methods for securely accessing secrets such as API keys and passwords in functions: mounting the secret as a volume, or passing the secret securely as an environment variable.

Google Cloud users can start using secret discovery today by enabling secret scanning directly in the Console UI. This feature is free as part of Sensitive Data Protection and works with the Security Command Center in both Standard and Premium Tiers. Google Cloud confirmed that the Security Command Center Standard Tier is available at no cost.