Snapchat shares security best practices for running on GCP

Snapchat security engineer Subhash Sankuratripati took the stage at GCP NEXT in San Francisco this week to share his company’s best practices for running securely at scale on Google Cloud Platform. And when we say at scale, we mean at scale!

Snapchat has over 100 million daily users and supports 8 billion videos viewed daily. The company runs about 100 separate GCP projects, each requiring different permissions for who at the company can do what on which GCP resources.

Until recently, Snapchat engineers used viewer/editor roles and built their own stopgaps to manage resources on the platform, but not anymore. With the launch of IAM Roles in beta, Snapchat now uses this service to set the fine-grained permissions it needs to help secure its users’ data.

Essentially, Snapchat takes the principle of least privilege to the extreme. The principle of least privilege promotes minimal user profile privileges on machines, based on what your job requires: you get the least access and authority necessary to perform it. It sounds a bit restrictive, but it reduces the attack surface considerably.

In Snapchat’s case, the company is working on using our new iam.SetPolicy feature to create what it calls Access Control List leases or “ACL leases.” These leases temporarily grant access to resources only when someone needs them, then the policy tears them down when the lease is over. For example:
  • AccessControlService can iam.SetPolicy
  • When bob@ needs access, AccessControlService adds bob@ to policy
  • AccessControlService removes bob@ after 1 hour

Like the nature of Snapchat itself, the company treats its cloud resources as ephemeral for maximum security. In a steady state in Snapchat’s GCP environment, nobody would have access to anything.
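
A minimal sketch of the ACL-lease flow described above, as an added example that is not Snapchat's or Google's code. The `LeaseManager` class, its method names and the sample identities are hypothetical, and the policy is an in-memory dict shaped like an IAM policy rather than a live API call.

```python
import time

class LeaseManager:
    """Hypothetical AccessControlService: the one identity allowed to set policy."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy   # IAM-style dict: {"bindings": [{"role", "members"}]}
        self.leases = []       # (expiry_epoch, role, member)
        self.clock = clock     # injectable so expiry can be exercised offline

    def grant(self, member, role, ttl_seconds=3600):
        """Add member to the role binding and record when the lease ends."""
        binding = next((b for b in self.policy["bindings"] if b["role"] == role), None)
        if binding is None:
            binding = {"role": role, "members": []}
            self.policy["bindings"].append(binding)
        if member not in binding["members"]:
            binding["members"].append(member)
        self.leases.append((self.clock() + ttl_seconds, role, member))

    def sweep(self):
        """Revoke every expired lease; return the (role, member) pairs removed."""
        now = self.clock()
        expired = {(r, m) for exp, r, m in self.leases if exp <= now}
        self.leases = [l for l in self.leases if l[0] > now]
        live = {(r, m) for _, r, m in self.leases}
        revoked = sorted(expired - live)   # a renewed lease keeps its access
        for role, member in revoked:
            for b in self.policy["bindings"]:
                if b["role"] == role and member in b["members"]:
                    b["members"].remove(member)
        # Drop bindings left with no members so the policy stays minimal.
        self.policy["bindings"] = [b for b in self.policy["bindings"] if b["members"]]
        return revoked

    def unleased(self):
        """Standing access: members in the policy with no unexpired lease."""
        now = self.clock()
        live = {(r, m) for exp, r, m in self.leases if exp > now}
        return [(b["role"], m) for b in self.policy["bindings"]
                for m in b["members"] if (b["role"], m) not in live]

if __name__ == "__main__":
    # Constructed sample policy and identities.
    policy = {"bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}]}
    mgr = LeaseManager(policy)
    mgr.grant("user:bob@example.com", "roles/storage.objectViewer", ttl_seconds=3600)
    print("standing access to review:", mgr.unleased())
    print("revoked now:", mgr.sweep())
```

`unleased()` is the audit side of the same idea: in the steady state described above it should return an empty list, so anything it reports is standing access to review.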

Snapchat is using the new Organizational Node, which sits above projects and manages GCP resources. This prevents shadow projects from being created, giving the company more control over all projects and the permissions of members associated with those projects. Subhash said he’s also doing data siloing based on role using IAM Roles and is testing the IAM Service Account API, which can be used by programs to authenticate to Google and make API calls.

The possibilities this opens up are endless, according to Subhash. He said microservice to microservice authentication would mean an even larger reduction in what his engineers can manage directly, locking down access to resources even further. Snapchat's strategy is essentially to ensure its developers have enough freedom to get their job done, but not enough to get themselves into trouble.

Stay tuned for more resources coming soon on using IAM on Cloud Platform, and as you check out these services, please share your feedback with us at [email protected].

- Posted by Jo Maitland, Managing Editor, Google Cloud Platform