MGraph Auth Migration

In the threat intelligence landscape, security and agility are foundational. Mandiant previously relied on a combination of PingFederate and Azure AD for authentication and authorization. While functional, this legacy setup presented several challenges as MGraph (the Mandiant Threat-Intel Graph System) became central to internal analytics:

  • Operational Friction: Routine workflows often required complex Mesa SSH proxies for human access.

  • Integration Gaps: Coupling with non-Google systems hindered the use of native Google services.

  • Scaling Constraints: Supporting modern access patterns, such as service-to-service calls or notebook exploration, was increasingly cumbersome.

In 2024, at Google, I led the migration of MGraph (Mandiant Threat-Intel Graph System) to start using Google's native authentication and authorization system.

Introducing ControlTower

ControlTower is a custom authorization service purpose-built for Mandiant’s first-party applications on Google Cloud Platform (GCP). It replaces scattered authorization logic with a single, well-defined control plane. This service is hosted on Google Prod systems.

Key Architectural Pillars

  • Identity Source of Truth: The system standardizes on Ganpati Groups to validate both users and services.

  • Token-Based Access: ControlTower issues JSON Web Tokens (JWTs) containing narrowly scoped, application-specific claims to enable precise authorization.

  • Secure Connectivity: Bifrost is utilized to securely connect Google Cloud workloads with internal production systems without exposing services directly.

Dual Authentication Flows

ControlTower is designed to optimize both security and usability by supporting two distinct access patterns.

1. Human User Access (User Token Flow)

To ensure strong security with minimal complexity, human users authenticate via corporate identity systems handled by UberProxy.

  • Exchange: UberProxy (Google proxy connectivity service) provides an X-Uptick-Signed-Token.

  • Validation: ControlTower exchanges this for a signed JWT based on Ganpati group (Google internal AD equivalent) membership.

  • Outcome: Users authenticate seamlessly via Google LDAP, eliminating the need for SSH proxies.

2. Machine-to-Machine Access (Service Token Flow)

For services, the architecture moves away from static secrets in favor of Workload Identity (WKID).

  • Identity: Services run in GKE pods or VMs bound to a WKID service account.

  • Validation: Requests traverse Bifrost (a connectivity mechanism for connecting from Cloud to Prod) to ControlTower, which verifies the service account and group membership.

  • Outcome: This eliminates long-lived secrets and aligns with zero-trust principles.
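Both flows converge on the same step: ControlTower maps an already-authenticated principal to a short-lived JWT whose claims cover only what the target application needs, and the application verifies that token on every request. The Python below is an added illustration of that exchange and verification, not ControlTower's own code; the HS256 signing key, the group table, the scope mapping and the `user:`/`sa:` principal prefixes are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed stand-ins for this example (not the real service's values): signing key,
# Ganpati-style group membership, and the narrowly scoped claim each group unlocks per app.
SIGNING_KEY = b"example-controltower-signing-key"
GROUP_MEMBERS = {"mgraph-analysts": {"user:alice"},
                 "mgraph-ingest-services": {"sa:mgraph-ingest@example-project.iam"}}
APP_SCOPES = {"mgraph": {"mgraph-analysts": "graph.read", "mgraph-ingest-services": "graph.write"}}
TOKEN_TTL_SECONDS = 900  # short-lived by design: no long-lived secret to leak


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def exchange_token(principal: str, app: str, now: Optional[int] = None) -> Optional[str]:
    """Mint a JWT for a principal authenticated upstream ("user:..." via UberProxy,
    "sa:..." via Workload Identity). Claims hold only the scopes its groups grant for app."""
    now = int(time.time()) if now is None else now
    scopes = sorted(scope for group, scope in APP_SCOPES.get(app, {}).items()
                    if principal in GROUP_MEMBERS.get(group, set()))
    if not scopes:
        return None  # deny by default: no qualifying group, no token
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": principal, "aud": app, "scope": " ".join(scopes),
                                 "iat": now, "exp": now + TOKEN_TTL_SECONDS}).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def verify_token(token: str, expected_app: str, now: Optional[int] = None) -> Optional[dict]:
    """Relying-party check: pinned alg, valid signature, matching audience, unexpired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not (isinstance(header, dict) and header.get("alg") == "HS256"
            and hmac.compare_digest(expected, signature)):
        return None
    if (not isinstance(claims, dict) or claims.get("aud") != expected_app
            or not isinstance(claims.get("exp"), int) or claims["exp"] <= now):
        return None
    return claims
```

A token minted for one application fails verification at any other, and a principal in no qualifying group gets no token at all, which is the "narrowly scoped" property the pillars above describe.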

     

 
Access Flows at a Glance

[Image: Auth-Migration-table]

Strategic Outcomes

The migration to a Google-native framework has resulted in three concrete improvements:

  1. Stronger Security: Alignment with Google standards, including GIN logging and Access-on-Demand, provides default defense-in-depth.

  2. Enhanced Productivity: Users now experience a frictionless login process.

  3. Expanded Capabilities: The new model unlocks secure access from Colab notebooks and direct data consumption by Nirvana services.

The deprecation of legacy IDAM and PingFederate represents more than a technical cleanup—it is a strategic upgrade that allows Mandiant to move faster and scale with the complexity of modern threat intelligence.


© 2026 by Ramesh Krishnamurthy
