
IDaaS at Scale - From 0 to 2.5B+ logins/month


In recent years we have seen the emergence of a new form of technology scale. Today's emerging technologies, which rapidly grow to millions of users, do not sell a product or service; instead they build a platform on which others can create value. New platforms often fail because the design and growth strategies involved in building them are complex, resource intensive and expensive to scale. Even so, in the IAM/CIAM space many companies still build their own IDaaS platform in-house, take on this massive challenge, and often fail to achieve their goals. This talk discusses the complexities, resources and scalability challenges Auth0 has faced in creating an IDaaS platform that securely manages more than 2.5 billion logins per month. It takes a deep dive into specific scenarios, including scaling password hashing, user search, and designing across multiple cloud regions.

Damian Schenkelman

June 27, 2019


Transcript

  1. IDaaS at Scale: From 0 to 2.5B+ logins/month. Damian Schenkelman, Director of Engineering
  2. Let's build an IDaaS. Sure. How hard can it be??

  3. It was very hard. It was going to be very hard... (Narrator)

  4. Agenda • Surface • Scale & Reliability • Hosting • Security & Compliance • Wrap-up • Questions
  5. Compliance, Trust, Scale, Reliability, Security
  6. Adds Features around that core: Protocols, User Management, Search, AuthZ, Session Management, Identity Providers, Anomaly Detection, Auditing
  7. Adds Dashboard, SDKs, APIs, Docs, Support, Experience
  8. Adds Extensible
  9. SCALE & RELIABILITY

  10. From 2014 to Now

  11. General Techniques • Automated deployments • Rollout, blue/green • Feature flags • Rate limits • Autoscaling
  12. Architecture

  13. SCALING IAM

  14. PASSWORD HASHING

  15. PASSWORD HASHING
    • Hash: one way, no ability to revert
    • Resource intensive
    • bcrypt: configure number of rounds (the cost parameter is log2 of the rounds, so each step doubles the work)
    • 2^10: ~80ms -> 12.5/sec per CPU
    • 2^12: ~320ms -> 3.125/sec per CPU
  16. Expected Response Times

  17. Actual Response Times

  18. PASSWORD HASHING SERVICE: AUTH NODE -> LB -> BaaS, BaaS, BaaS, BaaS (hashing moved off the auth node into a load-balanced pool)
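The slides on expected versus actual response times and the move to a dedicated hashing pool are explained by a simple capacity model, given here as an added example (not code from the talk). It takes the slide's figures as assumptions (cost 2^10 is ~80 ms per hash on one core, doubling per cost step) and uses an M/M/c queue (Erlang C) to estimate latency: once the offered bcrypt load approaches the number of cores on an auth node, response time stops being "one hash time" and climbs steeply, which is why hashing is worth isolating behind a load balancer and sized separately.

```python
"""Capacity model for CPU-bound bcrypt hashing (added example, not Auth0 code).

Assumptions: cost 2^10 takes ~80 ms on one core (the slide's figure) and the
time doubles per cost step. Latency under load is estimated with an M/M/c
queue, the simplest model that shows the 'expected vs actual' gap.
"""
from math import ceil, factorial

BASE_COST = 10
BASE_MS = 80.0  # measured time for cost 2^10 on one core (from the slide)


def bcrypt_ms(cost: int) -> float:
    """bcrypt's cost parameter is log2 of the rounds, so time doubles per step."""
    return BASE_MS * 2 ** (cost - BASE_COST)


def hashes_per_sec_per_core(cost: int) -> float:
    return 1000.0 / bcrypt_ms(cost)


def avg_logins_per_sec(logins_per_month: float, days: int = 30) -> float:
    return logins_per_month / (days * 86400)


def offered_load(rate_per_sec: float, cost: int) -> float:
    """Average number of busy cores (Erlangs) at this login rate and cost."""
    return rate_per_sec * bcrypt_ms(cost) / 1000.0


def is_stable(rate_per_sec: float, cost: int, cores: int) -> bool:
    """False when the queue grows without bound (load >= cores)."""
    return offered_load(rate_per_sec, cost) < cores


def cores_needed(rate_per_sec: float, cost: int, max_utilization: float = 0.7) -> int:
    """Cores to serve `rate_per_sec` hashes without exceeding `max_utilization`."""
    return ceil(offered_load(rate_per_sec, cost) / max_utilization)


def erlang_c(cores: int, load: float) -> float:
    """Probability that a request has to wait for a free core (M/M/c)."""
    if load >= cores:
        raise ValueError("offered load >= cores: queue grows without bound")
    tail = (load ** cores / factorial(cores)) * cores / (cores - load)
    head = sum(load ** k / factorial(k) for k in range(cores))
    return tail / (head + tail)


def mean_response_ms(rate_per_sec: float, cost: int, cores: int) -> float:
    """Mean latency of one hash, including queueing behind other logins."""
    service_ms = bcrypt_ms(cost)
    load = offered_load(rate_per_sec, cost)
    wait_ms = erlang_c(cores, load) * service_ms / (cores - load)
    return service_ms + wait_ms


if __name__ == "__main__":
    rate = avg_logins_per_sec(2.5e9)
    print(f"average rate for 2.5B logins/month: {rate:.0f} logins/s")
    for cost in (10, 12):
        print(f"cost 2^{cost}: {bcrypt_ms(cost):.0f} ms/hash, "
              f"{hashes_per_sec_per_core(cost):.3f} hashes/s/core, "
              f"{cores_needed(rate, cost)} cores at 70% utilization")
    # one 4-core auth node: fine at 12.5 logins/s, melts approaching 50/s
    for r in (12.5, 40, 48):
        print(f"4 cores, cost 2^10, {r} logins/s -> {mean_response_ms(r, 10, 4):.1f} ms")
```

The model is deliberately optimistic (Poisson arrivals, no per-request overhead), so treat its numbers as a lower bound; the useful output is the shape of the curve and the core count, which is what you size the hashing pool from rather than the auth nodes.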

  19. User Search

  21. 2013: Mongo as a database; expose search
  22. 2015: Problems with case insensitive search; no ability to search on metadata fields; move to Elastic Search
  23. 2017: Objects with many fields affected ES; overly permissive query syntax; moved to Postgres; support for customer partitions; remove ability to perform some queries; Search v3
  24. Tap Compare https://saucelabs.com/blog/the-why-and-how-of-tap-compare-testing
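Tap compare is how a migration like the one above gets validated: every sampled production request is sent to both the old and the new implementation and the responses are diffed before any traffic is cut over. The harness below is an added example (not Auth0's tooling); the two search "backends", the user records and the query sample are constructed stand-ins, with the old backend reproducing the 2015 problems (case-sensitive email match, no metadata search) and the new one also carrying a deliberate regression for the harness to catch.

```python
"""Tap-compare harness for a search migration (added example, not Auth0 code).

Both backends are in-memory stand-ins; users and queries are constructed.
Known, accepted behaviour changes are allowlisted so that only unexplained
differences block the cutover.
"""

USERS = [  # constructed sample data
    {"user_id": "u1", "email": "Alice@example.com", "app_metadata": {"plan": "pro"}},
    {"user_id": "u2", "email": "bob@example.com", "app_metadata": {"plan": "free"}},
    {"user_id": "u3", "email": "carol@example.com", "app_metadata": {"plan": "pro"}},
]


def old_search(fld, value):
    """Legacy behaviour: exact, case-sensitive match; metadata not searchable."""
    if fld.startswith("app_metadata."):
        return []
    return [u["user_id"] for u in USERS if u.get(fld) == value]


def new_search(fld, value):
    """New behaviour: metadata searchable, case-insensitive match.

    Bug planted for the example: user_id is also matched case-insensitively,
    which is a behaviour change nobody asked for.
    """
    if fld.startswith("app_metadata."):
        key = fld.split(".", 1)[1]
        return [u["user_id"] for u in USERS if u["app_metadata"].get(key) == value]
    return [u["user_id"] for u in USERS if u.get(fld, "").lower() == value.lower()]


class TapReport:
    def __init__(self):
        self.total = 0
        self.mismatches = []

    def mismatch_rate(self):
        return len(self.mismatches) / self.total if self.total else 0.0


def tap_compare(queries, old, new, normalize=sorted):
    """Send each query to both implementations and record differing responses."""
    report = TapReport()
    for fld, value in queries:
        report.total += 1
        a, b = normalize(old(fld, value)), normalize(new(fld, value))
        if a != b:
            report.mismatches.append({"query": (fld, value), "old": a, "new": b})
    return report


def unexpected_mismatches(report, accepted):
    """Drop mismatches explained by an accepted behaviour change."""
    return [m for m in report.mismatches if not any(rule(m) for rule in accepted)]


# Behaviour changes the migration intends; anything else is a regression.
ACCEPTED_CHANGES = [
    lambda m: m["query"][0].startswith("app_metadata."),                   # metadata now searchable
    lambda m: m["query"][0] == "email" and m["old"] == [] and m["new"],    # case-insensitive email
]

SAMPLED_QUERIES = [  # constructed stand-in for a sample of production queries
    ("email", "bob@example.com"),
    ("email", "alice@example.com"),
    ("app_metadata.plan", "pro"),
    ("user_id", "u3"),
    ("user_id", "U3"),
]

if __name__ == "__main__":
    rep = tap_compare(SAMPLED_QUERIES, old_search, new_search)
    print(f"{rep.total} queries, mismatch rate {rep.mismatch_rate():.0%}")
    for m in unexpected_mismatches(rep, ACCEPTED_CHANGES):
        print("UNEXPECTED:", m)
```

In practice the sample comes from mirrored production traffic and the comparison runs for days, but the decision rule is the same as in this toy run: the raw mismatch rate is expected to be non-zero during a behaviour-changing migration, and it is the count of unexplained mismatches that has to reach zero.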

  25. WHERE TO HOST?

  26. 2014: PROVIDE OPTIONS: On-prem; AWS single tenant; Azure single tenant; AWS + Azure multi-tenant multi-region
  27. 2017: High cost to maintain another cloud provider; low probability of risk. Decision: no longer Azure on the multi-tenant environment
  28. 2017: PUBLIC CLOUD AWS ONLY: On-prem; AWS single tenant (Auth0 or Customer); Azure single tenant (Customer only); AWS multi-tenant multi-region
  29. On-Prem: hard to sync on updates; different hardware (stateful scaling, stateless scaling); different levels of access/permissions
  30. 2019: AWS ONLY: AWS single tenant (Customer account); AWS multi-tenant multi-region; AWS single tenant (Auth0 account)
  31. Security

  32. Brute Force Protection • User level • Environment level • Two-factor
  33. Breached Password Detection • Aggregate sources • Hash & salt passwords • Compare on login • IP reputation database
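The two security slides fit into one login guard, given here as an added example (not Auth0's implementation). It keeps a sliding-window failure counter per (tenant, user, IP) for the user level and one per tenant for the environment level, steps up to two-factor once the user-level threshold is crossed, and after a correct password compares a salted fingerprint of it against a set built from aggregated breach corpora. Thresholds, the window, the salt and the breach corpus are constructed for the example; the IP reputation database from the slide is not modelled.

```python
"""Login guard: brute-force limits plus breached-password check.

Added example, not Auth0 code. Thresholds, window, salt and the breach
corpus are constructed for the example.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

USER_FAILS_BEFORE_MFA = 3      # user level: step up to 2FA after this many failures
USER_FAILS_BEFORE_BLOCK = 10   # user level: block the (user, IP) pair after this many
ENV_FAILS_BEFORE_BLOCK = 100   # environment level: tenant-wide failure budget per window
WINDOW_SECONDS = 600

# Salt for the breached-password set (assumed value). Salting means a leaked
# copy of the set is not a ready-made dictionary for attacking other services.
BREACH_SALT = b"example-salt-rotate-me"


def breach_fingerprint(password: str) -> str:
    return hmac.new(BREACH_SALT, password.encode(), hashlib.sha256).hexdigest()


# Constructed stand-in for the aggregated breach corpora, stored hashed and salted.
BREACHED = {breach_fingerprint(p) for p in ("123456", "password", "qwerty", "hunter2")}


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now                         # injectable clock for tests
        self.user_fails = defaultdict(deque)   # key: (tenant, user, ip) -> failure timestamps
        self.env_fails = defaultdict(deque)    # key: tenant -> failure timestamps

    def _count(self, bucket: deque) -> int:
        """Drop timestamps outside the window and return what is left."""
        cutoff = self.now() - WINDOW_SECONDS
        while bucket and bucket[0] < cutoff:
            bucket.popleft()
        return len(bucket)

    def check(self, tenant: str, user: str, ip: str) -> str:
        """Decide before touching credentials: 'block:env', 'block:user', 'allow+mfa' or 'allow'."""
        if self._count(self.env_fails[tenant]) >= ENV_FAILS_BEFORE_BLOCK:
            return "block:env"
        user_count = self._count(self.user_fails[(tenant, user, ip)])
        if user_count >= USER_FAILS_BEFORE_BLOCK:
            return "block:user"
        return "allow+mfa" if user_count >= USER_FAILS_BEFORE_MFA else "allow"

    def record_failure(self, tenant: str, user: str, ip: str) -> None:
        t = self.now()
        self.user_fails[(tenant, user, ip)].append(t)
        self.env_fails[tenant].append(t)

    def is_breached(self, password: str) -> bool:
        return breach_fingerprint(password) in BREACHED

    def after_success(self, password: str) -> str:
        """Called only with a password that verified against the user's bcrypt hash.

        Returns 'breached' so the caller can force a reset or step up to 2FA;
        the plaintext is never stored, only fingerprinted and compared.
        """
        return "breached" if self.is_breached(password) else "ok"
```

The ordering matters: the environment-level check runs first and costs nothing, the user-level check runs before any bcrypt work, and the breached-password comparison only runs once the password is known to be correct, so the guard never hands an attacker a faster oracle than the hash itself.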
  34. Compliance

  35. Compliance

  36. and Finally...

  37. The Feedback Loop: Build, Measure, Learn (Baseline, Hypothesis, Analyze)

  38. Thanks

  39. Questions