Zalando is a publicly traded e-commerce company that does business in 15 European markets and has more than 15 million active customers of very diverse origin. These customers speak various languages, have different tastes for products and styles, use different methods of payment, prefer different ways of having goods shipped, and require nonstop innovation. Until very recently, Zalando focused on building a unified, comprehensive retail system, a system built on mutual trust with the sole purpose to solve just our problems. However, during the early years of Zalando’s existence, identity and access management has been neglected allowing for inconsistencies that cannot keep up with company growth. Zalando strives to focus on what its customers truly need. We not only had to rethink the way we are building our systems, we also had to change how Identity and Access Management is perceived. Following the motto “”You build it, you run it”” autonomous teams are end-to-end responsible for their own applications – which means they are also entrusted with securing them. In this talk, Christian Kunert (Engineer) and Jan Löffler (Head of Platform Engineering) will take the audience on a journey. A journey of treacherous approaches, ill considered solutions and dangerous routes. Zalando has embarked on a voyage of epic proportions out of their classical datacenter and they will share the experience of how microservices enable Zalando’s engineers to move faster, build systems at scale, and keeping Zalando’s digital trade routes, as well as everybody on them, secure. They will show how microservices, in conjunction with a cloud infrastructure, support autonomous teams where security is of highest importance. Finally, they will draw upon their experiences to show how this all works in practice, and discuss what is necessary to really make identity matter for each and every Zalando customer, partner, service, and employee.

1. The Big Switch
Rewiring Zalando’s Infrastructure outside Datacenters
ForgeRock Identity Summit 2015 - Half Moon Bay - CA

2. ABOUT US
Jan Löffler
● Head of Platform Engineering
● twitter: @jlsoft2
● email: jan.loeffler@zalando.de

3. ABOUT US
Christian Kunert
● Security Engineer
● twitter:@noahk3lly
● email: christian.kunert@zalando.de

4. ONE of EUROPE’S LARGEST ONLINE FASHION RETAILERS
15 countries
3 fulfillment centers
15+ million active customers
2.2+ billion € revenue 2014
130+ million visits per month
8.000+ employees
Visit us: tech.zalando.com

8. ENVIRONMENT

9. THE GOOD OLD DAYS
Or, how to build a wall in 27 easy steps

10. file:///Users/kwalckermaye/Downloads/Mobil
e-Developers-look-ov-008.jpg
file:///Users/kwalckermaye/Downloads/deskt
op_death-600x369.jpg
file:///Users/kwalckermaye/Downloads/07235
8-wired.gif.jpeg
file:///Users/kwalckermaye/Downloads/the-
death-of-the-desktop.jpg
TOPIC 1
WHERE
TO GO
Building walls is an
obsession of mankind, for a
good reason.
However, someone will
always build a bigger ladder.
THE PAST

11. DATACENTER ENVIRONMENT
DataCenter I
Gütersloh, Germany
DataCenter II
Berlin, Germany
DataCenter III
Berlin, Germany
Global Traffic Management

12. DATACENTER ENVIRONMENT
DataCenter I
Gütersloh, Germany
DataCenter II
Berlin, Germany
DataCenter III
Berlin, Germany
APP 1
APP 2
APP 3
APP 4
APP 5
APP 6
APP 1
APP 2
APP 3
APP 4
APP 5
APP 6
APP 1
APP 2
APP 3
APP 4
FW FW

13. THE LOST HIGHWAY

14. CLOUD PROJECTS
2013/14 2014
Pequod
2013
Noah’s ARKzCloud

15. TOPIC 1
WHERE
TO GO
THIS NEEDS TO STOP
Doing it yourself is not the
most sensible thing.
Amazon invested already
thousands of engineering
hours… we must utilize this.
(Eric Bowman)

16. RADICAL
AGILITY

17. GOAL
DELIVER AMAZING
PRODUCTS
EFFICIENTLY AT
SCALE, AND
FEELING GREAT
ABOUT IT.

18. LEADERSHIP
FROM
CONTROL &
COMMAND
TO PURPOSE
AND TRUST

19. ARCHITECTURE
AN
ARCHITECTURE
FOR
INNOVATION

20. API FIRST

21. REST

22. SAAS

23. MICRO
SERVICES

24. CLOUD

25. BACK TO THE DRAWING BOARD

26. Securing REST APIs - The Candidates
Basic Auth
● Very simple, supported by all tools.
● More or less no transport overhead.
● Stateless.
SAML
● OASIS standard
● Used by AWS to authenticate users
● Assertions can express sophisticated
use cases
Kerberos
● There are no passwords on the network
● Flexible lifetime and must be revalidate
after it expired
● Works with Postgres Databases
OAuth 2.0
● Open standard for Authorization
● Provides client applications a delegated
access on behalf of a resource owner
● Specifies a process for resource owners
to authorize access to third party
resources
Notariat
● Claim-based approach similar to SAML
using a PKI.
● Authentication can be implemented for
different sources (SAML, Kerberos, ... )
● Rotating the signing keys

27. UNFORTUNATELY

29. STOPPING FOR SOME ELEVENSES

30. file:///Users/kwalckermaye/Downloads/Mobil
e-Developers-look-ov-008.jpg
file:///Users/kwalckermaye/Downloads/deskt
op_death-600x369.jpg
file:///Users/kwalckermaye/Downloads/07235
8-wired.gif.jpeg
file:///Users/kwalckermaye/Downloads/the-
death-of-the-desktop.jpg
TOPIC 1
WHERE
TO GO
[Me]: Want to try OpenAM?
[H]: Sure, why not, When?
[Me]: How about now?
[H]: Now works for me…
DECEMBER 2014

31. IT COULD WORK

32. Project
Start
WE KNOW WHAT - LEAVES THE QUESTION - HOW?
December
2014
March
2015
Hack
Week
Initial
TelCo
PoC
January
2015
February
2015
First
Delivery
April
2015

33. 33
LET’S ADD
A LITTLE
PRESSURE
CATCHING OUR BREATH

34. Delivery OAuth 2.0
✓ 30.04.2015
GoLive for all Zalando
✓ 28.05.2015

35. MOVING TO AWS IN A NUTSHELL
One AWS account per Team
secured via SSL and OAuth 2.0
Deployment based on Docker
Usage of REST+OAuth mandatory

36. ISOLATED AWS ACCOUNTS
Public Internet
*.foo.zalan.do *.bar.zalan.do
Team “Foo” Team “Bar”ELB ELB
EC2
Instance
EC2
InstanceEC2
InstanceEC2
Instance
EC2
InstanceEC2
Instance
Datacenter LB
EC2
InstanceEC2
InstanceLegacy
Instances

37. PLANS ARE USELESS
BUT PLANNING IS EVERYTHING

38. Unified Identity
Being in control of account, data and access regardless of its source
Unified Password
One password only to manage all accounts
Unified Flows
Ability to authenticate and authorize reliably for any identity
Unified cohesive architecture
Know you can trust an identity, without being aware of the protocol
The Vision

39. “Employee”
THE MISSION
ADS
OpenAM
AWS
DC
ITR/GTH
OpenDJ
OpenDJ
OpenDJ
OpenIDM
HR
Cust.
DB
Brand
CMS
Role
Mgmt.
“Customer”
“Others”
OpenIG

40. THE PROJECT PLAN
Phase III
New South Wales
Phase I
Tasmania
Phase II
Victoria
Phase IV
Queensland
End of April End of July ETA October ETA December
Employee
Services
API’s
Roles Partner/Brands
Customer
Portal
Provisioning

41. ■ Team Info
■ Service Management
■ Token Retrieval
All written in GOLang
Follow 12FactorApp Guides
APIs
all can be reached via
a common domain:
https://auth.zalando.com

42. GTM
PHYSICAL INFRASTRUCTURE
F5 Load-Balancer F5 Load-Balancer F5 Load-Balancer Elastic Load-Balancer
Office
Berlin
OpenAM
Service
API
Team
API
config-store
session
store
sae
store
employee
store
AD brands
store
OpenAM
Service
API
Team
API
config-store
session
store
sae
store
employee
store
AD brands
store
OpenAM
Service
API
Team
API
config-store
session
store
sae
store
employee
store
brands
store
OpenAM
Service
API
Team
API
config-store
session
store
sae
store
employee
store
AD brands
store
OpenIDM
DC
Berlin
DC
Gütersloh
AWS

44. • Mai
Get AWS tokens via SAML/OAuth
• Piu
Request SSH access to a server
• Senza
Cloud formation based deploy
TOOL OVERVIEW
Fork us on Github
https://github.com/zalando-stups

45. AWS ACCOUNT SETUP
DMZ DMZ DMZ
internalinternal
eu-west-1a eu-west-1b eu-west-1c
ELB
EC2
internal
• ELB for inbound
traffic
• NAT Instances for
outbound
• HTTPS Only
• Internal VPC with
own subnet
EC2
NAT
VPCVPC

46. Mai
$ mai create stups
Identity provider: https://aws.zalando.net
Available roles:
1) AWS Account 600231584188 (zalando-hackweek): Shibboleth-PowerUser
2) AWS Account 786011980701 (zalando-stups): Shibboleth-PowerUser
Please select (1-4): 2
‘stups’ profile created.
$ mai login stups # logs in and stores keys for ‘stups’ profile
$ mai Shibboleth-PowerUser
$ mai --set-default stups # define ‘stups’ to be the default
$ mai # login to default (‘stups’ in this case)
$ mai --env stups # instead of storing, print env variables
AWS_ACCESS_KEY_ID=ASIAIA2JMCGTEH64IK2A
AWS_SECRET_KEY=265nbjuqugAMWeZbS9ABhd3m6F2oik/dj37fonyl

47. Piu
$ piu --even https://even.stups.zalan.do # you can specify
defaults
--odd odd-eu-central-1.stups.zalan.do
johndoe@172.31.148.155
health debugging
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
$ piu defaults https://even.stups.zalan.do odd-eu-central-1.stups.zalan.do johndoe # store all defaults
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
$ piu 172.31.148.155 health debugging # uses all the defaults
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
$ piu --odd odd-eu-west-1.zalan.do 172.31.148.155 fun project restart # overwritable
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155

48. Senza
$ senza create kio.yaml b123 DockerImageVersion 0.1.0-SNAPSHOT
$ senza show kio.yaml # shows DNS weights
90% 180 kio-b122
10% 20 kio-b121
? 0 kio-b123
$ senza weight kio.yaml # sets DNS weights
kio-b121:0
kio-b123:10
$ senza delete kio.yaml b121 # deletes a stack
$ senza cf-template kio.yaml b123 DockerImageVersion 0.1.0-SNAPSHOT # prints the effective cf template
… cf json …
$ senza manifest kio.yaml b123 DockerImageVersion 0.1.0-SNAPSHOT # prints the effective manifest
… manifest yaml …

49. Documentation
http://greendale.readthedocs.org
http://stups.readthedocs.org
Open Source
https://github.com/zalando/
https://github.com/zalando-stups

50. QUESTIONS?