MGraph Auth Migration

In the threat intelligence landscape, security and agility are foundational. Mandiant previously relied on a combination of PingFederate and Azure AD for authentication and authorization. While functional, this legacy setup presented several challenges as MGraph (Mandiant Threat-Intel Graph System) became central to internal analytics:


  • Operational Friction: Routine workflows often required complex Mesa SSH proxies for human access.

  • Integration Gaps: Coupling with non-Google systems hindered the use of native Google services.

  • Scaling Constraints: Supporting modern access patterns, such as service-to-service calls or notebook exploration, was increasingly cumbersome.

In 2024, at Google, I led the migration of MGraph (Mandiant Threat-Intel Graph System) to Google's native authentication and authorization system.


Introducing ControlTower


ControlTower is a custom authorization service purpose-built for Mandiant’s first-party applications on Google Cloud Platform (GCP). It replaces scattered authorization logic with a single, well-defined control plane. This service is hosted on Google Prod systems.


Key Architectural Pillars
  • Identity Source of Truth: The system standardizes on Ganpati Groups to validate both users and services.


  • Token-Based Access: ControlTower issues JSON Web Tokens (JWTs) containing narrowly scoped, application-specific claims to enable precise authorization.


  • Secure Connectivity: Bifrost is utilized to securely connect Google Cloud workloads with internal production systems without exposing services directly.


Dual Authentication Flows


ControlTower is designed to optimize both security and usability by supporting two distinct access patterns.


1. Human User Access (User Token Flow)

To ensure strong security with minimal complexity, human users authenticate via corporate identity systems handled by UberProxy.


  • Exchange: UberProxy (Google proxy connectivity service) provides an X-Uptick-Signed-Token.


  • Validation: ControlTower exchanges this for a signed JWT based on Ganpati group (Google-internal AD equivalent) membership.


  • Outcome: Users authenticate seamlessly via Google LDAP, eliminating the need for SSH proxies.


2. Machine-to-Machine Access (Service Token Flow)

For services, the architecture moves away from static secrets in favor of Workload Identity (WKID).


  • Identity: Services run in GKE pods or VMs bound to a WKID service account.


  • Validation: Requests traverse Bifrost (a connectivity mechanism for connecting from Cloud to Prod) to ControlTower, which verifies the service account and group membership.


  • Outcome: This eliminates long-lived secrets and aligns with zero-trust principles.
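The following is an added example, not ControlTower code and not a Google API, written to make the token-based access pillar and the two flows above concrete. It assumes a constructed in-memory group directory standing in for Ganpati groups, a placeholder HMAC signing key, and a hypothetical scope-to-group grant table; the upstream proxy and workload-identity assertions are represented simply by an already-authenticated principal name, since those systems are not public.

```python
"""
Added example (not ControlTower's code): a minimal token-exchange service
that mints a short-lived JWT whose claims are limited to the scopes the
caller's groups grant, plus the resource-side check that consumes it.
Group directory, signing key and scope grants are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for group membership (real system: Ganpati groups).
GROUPS = {
    "mgraph-analysts": {"alice"},
    "mgraph-ingest-svc": {"ingest-sa@example-project.iam"},
}

# Hypothetical grant table: which group confers which application scope.
SCOPE_GRANTS = {
    "mgraph.read": "mgraph-analysts",
    "mgraph.ingest": "mgraph-ingest-svc",
}

SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real service uses managed keys
TOKEN_TTL_SECONDS = 900                 # short-lived tokens, no long-lived secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(subject: str, principal_type: str, audience: str, now=None) -> str:
    """Issue an HS256 JWT carrying only the scopes the subject's groups grant."""
    now = int(now if now is not None else time.time())
    scopes = sorted(s for s, g in SCOPE_GRANTS.items() if subject in GROUPS.get(g, ()))
    if not scopes:
        # No group grants anything for this audience: refuse to mint a token at all.
        raise PermissionError(f"{subject} is in no group that grants access to {audience}")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "controltower-demo",
        "sub": subject,
        "principal_type": principal_type,  # "user" or "service"
        "aud": audience,                   # narrowly scoped to one application
        "scope": scopes,
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, expected_audience: str, required_scope: str, now=None) -> dict:
    """Resource-side check: signature, algorithm, audience, expiry and required scope."""
    now = int(now if now is not None else time.time())
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", []):
        raise PermissionError(f"scope {required_scope} not granted")
    return claims


# Flow 1: human user. The proxy-signed assertion is represented only by the
# username it vouches for (assumption: the upstream proxy already verified it).
def user_token_flow(username: str, audience: str = "mgraph-api", now=None) -> str:
    return mint_jwt(username, "user", audience, now)


# Flow 2: workload identity. The caller is identified by its service account,
# verified by the platform, rather than by a stored secret.
def service_token_flow(service_account: str, audience: str = "mgraph-api", now=None) -> str:
    return mint_jwt(service_account, "service", audience, now)


if __name__ == "__main__":
    tok = user_token_flow("alice")
    print(verify_jwt(tok, "mgraph-api", "mgraph.read"))
```

The point the example makes is that authorization is decided once, at exchange time, from group membership, and the resulting token is pinned to one audience, one small scope set and a short lifetime; the resource only has to check those claims, so a token minted for one application cannot be replayed against another.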

Access Flows at a Glance


(Table image: Auth-Migration-table)

Strategic Outcomes

The migration to a Google-native framework has resulted in three concrete improvements:

  1. Stronger Security: Alignment with Google standards, including GIN logging and Access-on-Demand, provides default defense-in-depth.

  2. Enhanced Productivity: Users now experience a frictionless login process.

  3. Expanded Capabilities: The new model unlocks secure access from Colab notebooks and direct data consumption by Nirvana services.


The deprecation of legacy IDAM and PingFederate represents more than a technical cleanup—it is a strategic upgrade that allows Mandiant to move faster and scale with the complexity of modern threat intelligence.



© 2026 by Ramesh Krishnamurthy
