Google has added a new managed service called Secret Manager to its cloud platform amid a climate increasingly marked by high-profile data breaches and exposures.
Secret Manager, now in beta, builds on existing Google Cloud security services by providing a central place to store and manage sensitive data such as API keys or passwords.
The service applies the principle of least privilege: only a project's owners can read secrets without being explicitly granted permission, Google said in a blog post. Secret Manager also integrates with Cloud Audit Logging to record who accessed which secret, and those logs can be fed into anomaly detection systems to spot unexpected access.
All data is encrypted in transit and at rest with AES-256 keys. Google plans to add support for customer-managed encryption keys later, according to the blog.
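The audit-to-detection pipeline described above, as an added example that is not Google's code or part of the blog post: it parses constructed Cloud Audit Log entries (a simplified protoPayload layout whose field names are assumed here) and flags two things a practitioner would want to see from a secrets store, reads of a secret by a principal outside an expected-reader map and read bursts from a single principal. The project, secret and principal names are hypothetical.

```python
"""Flag suspicious Secret Manager reads from Cloud Audit Log entries.

Added example, not from Google. The log lines are constructed and use a
simplified subset of the Cloud Audit Log (protoPayload) layout; the field
names are assumed and may differ in a real log export.
"""
import json
from collections import Counter

# Method name for a payload read in the v1beta1 API covered by the article.
ACCESS_METHOD = "google.cloud.secretmanager.v1beta1.SecretManagerService.AccessSecretVersion"

# Hypothetical principals and secret resource names.
SA = "api-sa@demo-project.iam.gserviceaccount.com"
ALICE = "alice@example.com"
DB = "projects/demo-project/secrets/db-password"
KEY = "projects/demo-project/secrets/api-key"


def _entry(ts, method, principal, resource, ip):
    """Build one constructed audit entry in the simplified layout used here."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
            "requestMetadata": {"callerIp": ip},
        },
    })


# Constructed sample log, one JSON object per line.
SAMPLE_LOG = "\n".join([
    _entry("2020-01-23T10:00:00Z", ACCESS_METHOD, SA, DB + "/versions/3", "10.0.0.5"),
    # Metadata read, not a payload read: must be ignored by the detector.
    _entry("2020-01-23T10:00:02Z", ACCESS_METHOD.replace("AccessSecretVersion", "GetSecret"), SA, DB, "10.0.0.5"),
    _entry("2020-01-23T10:05:00Z", ACCESS_METHOD, ALICE, DB + "/versions/3", "203.0.113.7"),
    _entry("2020-01-23T10:05:01Z", ACCESS_METHOD, ALICE, KEY + "/versions/1", "203.0.113.7"),
    _entry("2020-01-23T10:05:01Z", ACCESS_METHOD, ALICE, KEY + "/versions/1", "203.0.113.7"),
    _entry("2020-01-23T10:05:02Z", ACCESS_METHOD, ALICE, KEY + "/versions/1", "203.0.113.7"),
    _entry("2020-01-23T10:05:02Z", ACCESS_METHOD, ALICE, KEY + "/versions/1", "203.0.113.7"),
])

# Constructed expectation (e.g. derived from the IAM bindings you intended):
# which principals are supposed to read which secret.
EXPECTED_READERS = {
    DB: {SA},
    KEY: {SA, ALICE},
}


def parse_access_events(log_text):
    """Return one dict per AccessSecretVersion entry; other methods are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line)["protoPayload"]
        if payload.get("methodName") != ACCESS_METHOD:
            continue  # GetSecret, ListSecrets etc. never return the payload
        secret, _, version = payload["resourceName"].rpartition("/versions/")
        events.append({
            "principal": payload["authenticationInfo"]["principalEmail"],
            "secret": secret,
            "version": version,
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        })
    return events


def find_anomalies(events, expected_readers, max_reads_per_principal=4):
    """Flag reads by unexpected principals and read bursts per principal."""
    findings = []
    for ev in events:
        # A secret missing from the map has no expected readers at all.
        if ev["principal"] not in expected_readers.get(ev["secret"], set()):
            findings.append(("unexpected_principal", ev["principal"], ev["secret"]))
    reads = Counter(ev["principal"] for ev in events)
    for principal, n in reads.items():
        if n > max_reads_per_principal:
            findings.append(("read_burst", principal, n))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_access_events(SAMPLE_LOG), EXPECTED_READERS):
        print(finding)
```

On the sample log the detector reports alice's read of db-password (she is only expected to read api-key) and a read burst of five payload accesses by alice; the service account's single read and the GetSecret metadata call produce nothing. In practice the expected-reader map would be generated from the IAM policy you intended to set, so drift between intent and the recorded accesses is what surfaces.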
Until now, Google Cloud customers could manage secrets with Berglas, an open source command-line tool, whereas Secret Manager exposes a managed service through a set of APIs.
Berglas can still be used on its own, and beginning with the recently released 0.5.0 version it can also store and read secrets in Secret Manager, Google said. Google also offers a migration tool for moving secrets out of Berglas and into Secret Manager.
Secret Manager builds on the existing Google Cloud security lineup, which also includes Key Management Service, Cloud Security Command Center and VPC Service Controls.
With Secret Manager, Google has introduced its own take on products such as HashiCorp Vault and AWS Secrets Manager, said Scott Piper, an AWS security consultant at Summit Route in Salt Lake City.
A key management service is used to keep an encryption key and perform encryption operations, Piper said. "So, you send them data, and they encrypt them. A secrets manager, on the other hand, is really no different than a database, but just with more audit logs and access checking. You request a piece of data from it -- such as your database password -- and it returns it back to you. The purpose of these solutions is to avoid keeping secrets in code."
Indeed, Google's Key Management Service and Secret Manager target two different audiences within enterprise IT, said Doug Cahill, an analyst at Enterprise Strategy Group in Milford, Mass.
"The former is focused on managing the lifecycle of data encryption keys, while the latter is focused on securing the secrets employed to securely operate API-driven infrastructure-as-code environments," Cahill said.
As such, data security and privacy professionals and compliance officers are the likely consumers of a key management offering, whereas secret management services are targeted toward DevOps, Cahill added.
Meanwhile, it is surprising that the Google Cloud security portfolio didn't already have something like Secret Manager, but AWS only released its own version in mid-2018, Piper said. Microsoft released Azure Key Vault in 2015 and has positioned it as appropriate for managing both encryption keys and other types of sensitive data.
Pricing for Secret Manager during the beta period has two components: Google charges $0.03 per 10,000 access operations, plus $0.06 per active secret version per regional replica per month.