How Turn.io Helped 20M+ People During COVID-19

Having a unified secrets management platform enabled Turn.io to scale their server infrastructure 20x across multiple clouds in response to COVID-19.

Summary

  • Grew infrastructure 20x with minimal changes required.
  • Cloud-agnostic secrets management broke vendor lock-in and made it possible to deploy to multiple clouds.
  • Implementing SecretHub on production took less than a day.

In the first three weeks of the COVID-19 pandemic, Turn.io helped over 20 million people to get access to accurate health information by enabling NGOs to quickly create no-code chatbots on WhatsApp.

Using Turn.io’s 24/7 automated WhatsApp helpline, the WHO and the governments of South Africa, New Zealand, Australia, Mozambique, Ethiopia, and Bangladesh were able to both support citizens with health queries and gather real-time insights to better coordinate the national response to COVID-19.

“Almost overnight, we became the biggest WhatsApp Business API user worldwide. When you’re growing that fast and have to develop the product to keep up with the situation, there’s very little time for anything. We went from one production environment on Google Cloud Platform to twenty environments spread over multiple clouds. Doing all this while making sure secrets were handled properly was a real challenge for us,” says Shaun Sephton, Head of Operations at Turn.io.

The Challenge

“Our main challenge was storing, managing and deploying secrets and configuration values securely in a cloud platform and configuration management agnostic manner. We deploy to multiple cloud platforms using various infrastructure and configuration as code tools. Avoiding vendor lock-in was critical for us.”

“Sharing secret (and non-sensitive) configuration values that are generated by Terraform or Ansible with services running in Kubernetes can be very onerous. Once we needed to use values from one tool in another tool, that’s where the friction starts. And because we are running on multiple clouds as well, we try to Terraform our infrastructure in such a way that we can deploy the product to multiple clouds and environments with minimal changes. That’s why we didn’t choose to go with any of the platform-specific secrets managers, which tend to only work well with their own platform.”

“A secondary challenge we had was something as simple as sending a colleague a TLS certificate and private key. How do I share a secret with a colleague today? We looked at Keybase or using people’s own keys with GPG, but it is a nightmare. Expecting a colleague, especially those less technically proficient, to set up a GPG key and send me their public key, then to have them decrypt something like a TLS certificate and private key just doesn’t work.”

“Initially we looked at self-hosting a HashiCorp Vault cluster. While it’s a very powerful and feature-rich product, once we started looking at the details we quickly discovered hidden complexity which we didn’t want to be burdened with – not to mention the ongoing maintenance effort that would be required to ensure its operation and security. It would end up being more of a burden than it’s worth for us.”

“We just want to get a service up and running and not have to care about it. We’re a small team. We want to work on our product, not on overhead. And for me personally, it’s very important to keep things simple. Any layer of complexity makes things less secure. When people don’t understand what’s going on, that inherently leads to holes in the security. Eventually, someone will make a mistake. So that complexity is also an operational concern for the long run, especially in a growing team.”

How SecretHub Helped

“As I said, I needed something done today and all the alternatives were way too complicated and created lots of friction. We were really looking for a solution that we could implement quickly and then forget about, having it working happily in the background. The great thing about SecretHub is that there is zero friction. From finding their product, to signing up, to actually using it on production and deploying secrets into Kubernetes, was a day’s work.”

“If you compare that to any of the existing stuff out there, there’s nothing that comes close to that. Normally you’d have to code up pipelines and juggle secrets all over the place yourself. With SecretHub, there are no complex setups, self-managed clusters or complicated key management operations on GCP and AWS. All you have is a very simple service that stores values securely and can push those values out to your infrastructure with simple integrations.”

“Using SecretHub on a day-to-day basis is frictionless, but also all the integrations are fantastic. It simplifies the whole thing. This enables us to use SecretHub not only for storing secrets, we can now also keep other configuration values in sync across systems, like sharing the database host information between Terraform and Kubernetes.”

“And for sharing those TLS certificates, SecretHub is just perfect. Sign up for an account, configure access, and you’re done! I mean obviously, you still have to do a bit of work, but it’s much less involved. It’s way simpler.”

“Finally, because SecretHub is very easy to use, other team members can easily understand it, pick it up and run with it. In the long term, this makes it very sustainable for us from an operational perspective.”

Results

“The last three months we rolled out twenty new clusters. In a matter of weeks, we went from having one primary production environment on Google Cloud Platform, to having twenty environments spread across both GCP and AWS. And the great thing is, nothing really changed between those environments from a secrets and configuration value management perspective. Because we were using SecretHub, we could deploy twenty new clusters with no additional setup involved. I can use the same simple process across whatever infrastructure I have. There was no additional setup or secret management concerns when we needed to scale. For all of the new clusters, even on a different cloud, everything worked in exactly the same way. With SecretHub, I have a single workflow that works across all cloud vendors and we’re not locked into a single cloud vendor.”

“If I had to manage secrets for all those deployments in AWS or GCP specific tools… I don’t even want to think about that. That would have cost us days. As I said before, we were under the gun and had to move quickly. That’s why SecretHub is so fantastic. Because I can actually get something done today. I can sign up and get it working today instead of spending a week trying to deploy a key management store of some kind. SecretHub was a real time saver there.”

“The simplicity and frictionless integration paid off massively for us. Effectively, SecretHub has reduced all of our secrets management concerns to a line item on an invoice.”

Team Size

  • 10