Google Cloud Platform

Snapchat shares security best practices for running on GCP

Snapchat security engineer Subhash Sankuratripati took the stage at GCP NEXT in San Francisco this week to share his company’s best practices for running securely at scale on Google Cloud Platform. And when we say at scale, we mean at scale!

Snapchat has over 100 million daily users and supports 8 billion videos viewed daily. The company runs about 100 separate GCP projects, each requiring different permissions for who at the company can do what on which GCP resources.

Until recently, Snapchat engineers exclusively used viewer/editor roles and built their own stopgaps to manage resources on the platform. With the launch of IAM Roles in beta, Snapchat now uses this service to set the fine-grained permissions it needs to help secure its users’ data. Essentially, Snapchat operates on the principle of least privilege.

The company is working on using our new iam.setpolicy feature to create what it calls Access Control List leases or “ACL leases.” These leases grant access to resources temporarily, only when someone needs it, and the grant is torn down when the lease is over. For example:

  • AccessControlService can iam.SetPolicy
  • When bob@ needs access, AccessControlService adds bob@ to policy
  • AccessControlService removes bob@ after 1 hour

Like the nature of Snapchat itself, the company wants to treat access to its cloud resources as ephemeral for maximum security. Snapchat has implemented this leasing model for certain resources and privileges and is striving towards a goal where developers are granted access to the resources when they need it and for however long they need it.
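The lease flow in the list above, sketched as an added example (not Snapchat's or Google's code). `PolicyStore` and `AccessControlService` are hypothetical in-memory stand-ins; the policy dict mirrors the bindings/etag shape of an IAM policy, and the integer etag and member addresses are constructed.

```python
import copy

LEASE_SECONDS = 3600  # the one-hour lease from the list above

class PolicyStore:
    """Constructed stand-in for one project's IAM policy, with an etag check on write."""
    def __init__(self, policy):
        self._policy = policy

    def get(self):
        return copy.deepcopy(self._policy)

    def set(self, policy):
        # Read-modify-write guard: reject a write built on a stale read.
        if policy["etag"] != self._policy["etag"]:
            raise RuntimeError("policy changed concurrently; re-read and retry")
        policy["etag"] += 1
        self._policy = copy.deepcopy(policy)

class AccessControlService:
    """Hypothetical service: the only identity allowed to set the policy."""
    def __init__(self, store):
        self.store = store
        self.leases = []  # (expires_at, role, member)

    def grant(self, member, role, now):
        policy = self.store.get()
        binding = next((b for b in policy["bindings"] if b["role"] == role), None)
        if binding is None:
            binding = {"role": role, "members": []}
            policy["bindings"].append(binding)
        if member in binding["members"]:
            return False  # already has access: no lease, so sweep never revokes it
        binding["members"].append(member)
        self.store.set(policy)
        self.leases.append((now + LEASE_SECONDS, role, member))
        return True

    def sweep(self, now):
        """Remove every member whose lease has expired; return what was revoked."""
        expired = [l for l in self.leases if l[0] <= now]
        if not expired:
            return []
        policy = self.store.get()
        for _, role, member in expired:
            for b in policy["bindings"]:
                if b["role"] == role and member in b["members"]:
                    b["members"].remove(member)
        policy["bindings"] = [b for b in policy["bindings"] if b["members"]]
        self.store.set(policy)
        self.leases = [l for l in self.leases if l[0] > now]
        return [(role, member) for _, role, member in expired]
```

Standing members are deliberately never leased, so an expiry sweep cannot strip access that was granted outside the lease process.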

Snapchat is using the new Organizational Node, which sits above projects and manages GCP resources. This prevents shadow projects from being created, giving the company more control over all projects and the permissions of members associated with those projects. Sankuratripati said he’s also doing data siloing based on role using IAM Roles and is testing the IAM Service Account API, which can be used by programs to authenticate to Google and make API calls.

The possibilities this opens up are endless, according to Sankuratripati. He said microservice-to-microservice authentication would mean an even larger reduction in what his engineers can manage directly, locking down access to resources even further. Snapchat's strategy is essentially to ensure its developers have enough freedom to get their job done, but not enough to get themselves into trouble.

Stay tuned for more resources coming soon on using IAM on Cloud Platform, and as you check out these services, please share your feedback with us at GCP-iam-feedback@google.com.