A comprehensive security framework for multi-tenant SaaS infrastructure — covering encryption, identity, network isolation, GDPR compliance, and incident response across Google Cloud Platform.
Every component is protected by multiple independent security controls — no single point of failure.
Web Application Firewall with pre-configured rulesets blocking OWASP Top 10 threats including SQLi, XSS, RFI, and LFI. Rate limiting enforced per IP with adaptive protection enabled.
Google's global anycast network absorbs volumetric attacks at the edge. Cloud Armor adaptive protection uses ML to detect and block application-layer DDoS in real time.
All traffic terminated at Google's edge with TLS 1.3. Certificates auto-provisioned and rotated via Google-managed SSL. HSTS enforced with 1-year max-age.
Admin APIs restricted to allowlisted CIDR ranges. Cloud Armor security policies enforce geographic restrictions and block known malicious IP ranges.
Every service account granted minimum required permissions only. Cloud Run services, Cloud Build, and Cloud SQL use dedicated service accounts with scoped IAM roles — no wildcard permissions.
Each Cloud Run service runs under a dedicated service account. Cross-service communication requires explicit IAM bindings — no shared credentials, no ambient authority.
Kubernetes Workload Identity Federation used for GKE workloads, eliminating the need for service account key files. Short-lived tokens only — no long-lived credentials.
Console access requires 2FA/MFA. Organisation-level IAM policies enforced via Resource Manager. All privilege escalations logged in Cloud Audit Logs with alerts.
Dedicated VPC with custom subnet design — application tier, data tier, and management tier separated into distinct subnets with strict firewall rules controlling east-west traffic.
Cloud SQL accessed exclusively via Private Service Connect — no public IP. Cloud Run connects to Cloud SQL via Cloud SQL Auth Proxy over private networking, never over public internet.
Security perimeters defined around GCP projects — preventing data exfiltration via API abuse. Cloud Storage, BigQuery, and Cloud SQL enclosed in service perimeters.
Cloud Run services connected to VPC via Serverless VPC Access connector — all outbound traffic routed through private network. No direct internet egress from application services.
All Cloud SQL data encrypted using AES-256 with Google-managed encryption keys. Customer-Managed Encryption Keys (CMEK) available via Cloud KMS for sensitive workloads.
All secrets — database credentials, API keys, JWT secrets, third-party tokens — stored exclusively in GCP Secret Manager. Secrets accessed at runtime only; never hardcoded or stored as plaintext environment variables.
Multi-tenant data separated via per-client PostgreSQL schemas with Row-Level Security policies. Application-level tenant context enforced at connection — cross-tenant queries structurally impossible.
Automated Cloud SQL backups encrypted with the same AES-256 standard. Point-in-time recovery enabled with 7-day retention. Backups stored in a geographically separate region.
Artifact Registry with automated vulnerability scanning on every push. Critical and High CVEs block deployment via Cloud Build approval gates. Base images pinned to specific SHA digests.
Cloud Run enforces Binary Authorization policies — only images signed by trusted Cloud Build attestors can be deployed. Unsigned or unverified images are rejected at deploy time.
All containers built on minimal Alpine Linux base images — reducing attack surface. No shell access, no package managers, no unnecessary tooling in production images.
Cloud Run revisions are immutable — deployed containers never patched in place. Rollbacks achieved by routing traffic to a previous revision, not by modifying running containers.
Admin Activity, Data Access, and System Event logs enabled across all GCP services. Logs immutable — exported to Cloud Storage for 90-day retention with tamper-evident signatures.
GCP Security Command Center continuously scans for misconfigurations, IAM anomalies, exposed services, and compliance violations. Findings surfaced with remediation guidance.
Real-time alerting on failed authentication attempts, unusual API activity, database connection spikes, and Secret Manager access from unexpected identities.
Custom log-based metrics track security events — privilege escalations, denied requests, unusual data volumes. Dashboards in Cloud Monitoring with PagerDuty integration.
Server-side validation on all API inputs — type checking, length limits, format validation, and sanitisation. SQLAlchemy ORM used throughout — parameterised queries prevent SQL injection structurally.
Stateless JWT tokens with RS256 signing, short expiry windows (15 min access, 7 day refresh), and token rotation on refresh. Tokens validated on every request — no session state server-side.
Strict CORS configuration — only approved origins accepted. Preflight requests validated. No wildcard origins in production. Headers include Content-Security-Policy, X-Frame-Options, and Referrer-Policy.
API rate limiting enforced at both Cloud Armor (edge) and application (middleware) layers. Per-tenant rate limits prevent noisy-neighbour abuse. Exponential backoff enforced on failed auth.
Key technical controls implemented across the infrastructure stack.
All credentials, API keys, database passwords, and third-party tokens stored in GCP Secret Manager. Secrets versioned, audited, and accessed via IAM-controlled service accounts at runtime only.
Cloud SQL has no public IP. All database connections route via Cloud SQL Auth Proxy over private VPC. Zero database exposure to public internet — connection strings never leave GCP infrastructure.
PostgreSQL RLS policies enforce tenant isolation at the database level. Even if application-layer tenant routing fails, the database engine itself rejects cross-tenant data access.
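The database-level tenant isolation described here and in the earlier multi-tenant data item, as an added PostgreSQL example (not code from this page or its project). The `invoices` table, the `app_rw` role, the `app.tenant_id` setting and the tenant UUIDs are constructed assumptions; the example uses one shared table rather than per-client schemas and sets the tenant context per transaction.

```sql
-- Added example. Table, role, setting name and UUIDs are constructed assumptions.
CREATE ROLE app_rw;  -- runtime role: not the table owner, no SUPERUSER/BYPASSRLS

CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id uuid    NOT NULL,
    amount    numeric NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_rw;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_rw;

-- Seed one row per tenant before policies are switched on.
INSERT INTO invoices (tenant_id, amount) VALUES
    ('11111111-1111-1111-1111-111111111111', 100),
    ('22222222-2222-2222-2222-222222222222', 250);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner silently bypasses every policy.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- An unset or empty tenant context becomes NULL, the comparison is never
-- true, and the query matches no rows: the policy fails closed.
CREATE POLICY tenant_isolation ON invoices
    FOR ALL TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- One request, as the application role.
SET ROLE app_rw;
BEGIN;
-- Transaction-scoped, so a pooled connection cannot carry one tenant's
-- context into the next request. From application code, bind the value:
--   SELECT set_config('app.tenant_id', $1, true);
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

SELECT tenant_id, amount FROM invoices;  -- USING filters to this tenant's rows

-- The other tenant's row is invisible to USING, so nothing is updated.
UPDATE invoices SET amount = 0
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';

-- WITH CHECK rejects writing a row that belongs to another tenant.
INSERT INTO invoices (tenant_id, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 1);
ROLLBACK;
RESET ROLE;
```

The isolation depends on the application connecting as a role that is neither a superuser nor granted `BYPASSRLS`, and on every tenant-scoped table having both `ENABLE` and `FORCE ROW LEVEL SECURITY` set.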
Immutable audit trail across all GCP services — Admin Activity, Data Access, and System Events. 90-day retention exported to Cloud Storage. Tampering structurally prevented by Google's logging infrastructure.
Web Application Firewall protecting against OWASP Top 10 — SQL injection, XSS, CSRF, RFI, and LFI. Adaptive ML-based DDoS protection with rate limiting and geo-restriction capabilities.
Minimal Alpine base images, no root execution, read-only filesystems, Binary Authorization enforcement. Container images scanned on every build — CVE blocking gates prevent vulnerable images reaching production.
End-to-end encryption across every stage — from client browser to database storage.
Every request authenticated and authorised through multiple independent checkpoints.
| Role / Service Account | Permissions Granted | Scope | Status |
|---|---|---|---|
| cloud-run-sa@ | cloudsql.client, secretmanager.accessor | Project | Active |
| cloud-build-sa@ | run.developer, artifactregistry.writer | Project | Active |
| monitoring-sa@ | monitoring.viewer, logging.viewer | Project | Active |
| Developer Access | viewer + limited editor, no secret access | Restricted | MFA Required |
| Public / Unauthenticated | Cloud Run invoke (frontend only) | Service | Frontend Only |
Compliance controls for data handling, retention, and subject rights.
Multiple isolation layers ensure complete data separation between tenants — from network to database.
Documented 5-phase incident response procedure aligned with GDPR 72-hour notification requirements.