JB5K GCP project
Modernizing Mandiant’s Threat Intel Bot

In threat intelligence, speed is the only metric that truly matters. To stay ahead, analysts need immediate access to indicators like IPs and file hashes without the friction of context-switching between chat tools and heavy dashboards. For years, our "JB5k" bot provided this bridge, but its legacy architecture, reliant on Errbot and the Microsoft Bot Framework, had become a bottleneck.

In 2024, at Google, I led the migration of JB5k to Google Chat, transforming it from a legacy tool into a modern, identity-first service.

Architecture: Security by Design

The replatforming wasn't just a change of scenery; it was a total overhaul of our security posture. We moved away from the risks of long-lived service account keys, opting instead for Workload Identity.


By leveraging the GCP Metadata Server, the bot now fetches short-lived ID tokens for every request. This ensures that our backend Threat Intel APIs and data stores are only accessible via verified, ephemeral identities, significantly hardening our security perimeter.


The "Partner Domain" Challenge

The most difficult hurdle wasn't the code—it was the boundaries. We needed to allow analysts from a specific Google Partner Domain to query the bot. Standard cross-domain patterns often fail to validate these external users against internal backend services, creating significant authentication friction.


The Solution: Collaborative Impersonation

To solve this, we moved beyond standard documentation and collaborated directly with Google’s Core teams, including EIP, ALE, CHP, and the Google Chat product team.

The result was a custom Service Account Impersonation flow. This allows the bot to:

  1. Validate incoming requests from the partner domain.

  2. "Impersonate" a trusted internal identity to fetch the required data.

  3. Deliver results securely without exposing internal services to the public internet.
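As an added illustration (not the JB5k code itself), here are the three steps above, together with the metadata-server token fetch described under "Architecture", for a Google Chat HTTP bot running on GCP: step 1 checks the Chat-signed request and the sender's domain, step 2 uses the bot's Workload Identity to mint a short-lived ID token as an internal service account through the IAM Credentials API, and step 3 calls the private backend with it. The partner domain, internal service account, project number and backend URL are assumed placeholders, and signature verification of the incoming Bearer token is assumed to have been done (for example with google-auth) before `check_request` receives its claims.

```python
import json
import urllib.request
from urllib.parse import quote

METADATA_SA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
IAM_CREDS = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts"
CHAT_SA = "chat@system.gserviceaccount.com"  # Google Chat signs requests to HTTP bots as this account
# Assumed placeholder values (not from the page): partner domains allowed to query the bot,
# and the internal service account the bot impersonates when it calls the Threat Intel backend.
ALLOWED_DOMAINS = {"partner.example.com"}
INTERNAL_SA = "ti-reader@my-project.iam.gserviceaccount.com"


def check_request(claims: dict, event: dict, project_number: str) -> str:
    """Step 1: accept only requests Google Chat signed for this bot and that were sent by a
    user in an allowed partner domain. `claims` is the signature-verified payload of the
    Bearer ID token on the HTTP request; `event` is the Chat event body. Returns the sender."""
    if claims.get("email") != CHAT_SA or claims.get("email_verified") is not True:
        raise PermissionError("request was not signed by the Google Chat service account")
    if claims.get("aud") != project_number:
        raise PermissionError("token audience is not this bot's project number")
    email = event.get("user", {}).get("email", "")
    domain = email.rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS:
        raise PermissionError(f"{domain or '<none>'} is not an allowed partner domain")
    return email


def impersonated_id_token(audience: str, opener=urllib.request.urlopen) -> str:
    """Step 2: use the bot's own Workload Identity (metadata server, no key file) to mint a
    short-lived ID token *as* INTERNAL_SA, bound to the backend's audience. The bot's
    identity needs roles/iam.serviceAccountOpenIdTokenCreator on INTERNAL_SA."""
    req = urllib.request.Request(f"{METADATA_SA}/token", headers={"Metadata-Flavor": "Google"})
    with opener(req) as resp:
        bot_access_token = json.load(resp)["access_token"]  # short-lived, never stored on disk
    req = urllib.request.Request(
        f"{IAM_CREDS}/{INTERNAL_SA}:generateIdToken", method="POST",
        data=json.dumps({"audience": audience, "includeEmail": True}).encode(),
        headers={"Authorization": f"Bearer {bot_access_token}", "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)["token"]


def lookup_indicator(backend_url: str, indicator: str, opener=urllib.request.urlopen) -> dict:
    """Step 3: query the private backend as INTERNAL_SA. The backend verifies the token's
    signature, audience (its own URL) and email, so anonymous callers get nothing."""
    token = impersonated_id_token(backend_url, opener)
    req = urllib.request.Request(f"{backend_url}/lookup?q={quote(indicator, safe='')}",
                                 headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return json.load(resp)
```

The `opener` parameter exists so the token chain can be exercised against constructed responses; in production it defaults to `urllib.request.urlopen`.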


Final Takeaways


  • Modernize Auth Early: Transitioning to Workload Identity simplifies secret management and builds a foundation of trust.

  • Plan for Boundaries: Identity friction between partner domains is often the steepest hurdle in any corporate integration.

  • Push the Platform: When you hit a wall, brainstorm with platform experts (like the EIP and Chat teams) to find undocumented paths to success.


JB5k is now live, serving Mandiant analysts faster and more securely than ever before.


© 2026 by Ramesh Krishnamurthy
