Everyone has secrets. And it is not really a secret that we store them all in clouds. However, accessing the database, managing and getting secure access to these secrets aren’t always easy. Fortunately for us, Google has an answer to our woes – Secret Manager. This cloud service is a secure way to store passwords, API keys, certificates and other types of sensitive data and access them from a central place.
Berglas and Google Cloud Secret Manager – They Are In Sync
As users, you already know that the Google Cloud Secret Manager is a follow-up to their existing open source project – Berglas which is a command-line tool that can be used to manage secrets. Berglas and the Secret Manager work in sync with each other. Users can create and manage secrets using Berglas and move them to the Cloud Secret Manager. Berglas can also be used to get direct access to secrets stored on the Secret Manager.
Features Of The Google Cloud Secret Manager
It is no secret that the Secret Manager has all the tools needed to manage secrets and audit their access. The noteworthy features of this resource are:
Global Names And Replication
Secrets such as certificates and API keys are usually common across cloud regions. Regionalization is one of the most common pain points. While secret names are considered global resources within a project, the data is considered regional. People can choose between user-managed and automatic replication policies to control where this data is stored.
- User-managed replication – This policy is designed to meet the needs of users wanting to control where their secret data is stored. All secret data is replicated by the Secret Manager into locations supplied by the user without the need for additional services or software.
- Automatic replication – This policy allows Google to choose where secrets are replicated and stored. Thus, users have no control over where the data is stored.
Secret data is considered immutable. Most data operations are conducted on secret versions of this data. Versioning is one of the basic tenets to support auditing, emergency rollbacks and gradual rollouts. The Secret Manager automatically creates versions of secret data to allow it to be accessed, destroyed, enabled and disabled. While updating a secret is treated in the same way as deploying a new version of an application, development and staging uses the latest alias created by the Secret Manager.
Principles Of Least Privilege
Ensuring that only the right people gain access to is one of the core features of the Secret Manager. This program allows only project owners to access the secret data. People in other roles will need to ask for explicit permission through the Cloud IAM.
One of the ways to identify potential or existing security breaches is to audit access patterns of secret data. The Google Cloud Secret Manager is enabled with Cloud Audit Logging. This ensures that an audit entry is created every time a user interacts with the Secret Manager. Using the data from this audit in an anomaly detection system can help alert the authorities to possible security breaches.
Strong Encryption Guarantees
All secret data stored is encrypted by the Secret Manager with AES-256-bit encryption keys and TLS. Users do not need to bother themselves with any type of new setup or modify the way they access the service. There is also no visible impact on performance. Users will soon be able to control and manage the encryption keys used through the Customer-managed encryption keys (CMEK)
VPC Service Controls
VPC service controls help enterprises secure the privacy of their sensitive data while taking advantage of the platform’s storage and data processing capabilities from hybrid environments. It also helps minimize the risk of data exposure resulting from misconfigured access controls, users with malicious intent and internet hackers.
If you are an individual or enterprise who is reaping the benefits of Google Cloud, the beta version of the Secret Manager is already at your disposal. Now is the time to take advantage of Google Cloud Courses to make the best use of this system. Are you ready to secure your environment and data with Google Cloud by advancing in Google Cloud Fundamental Training? We say, go for it now.