Often called “Airbnb for cars,” Turo is the world’s largest car sharing marketplace, providing a platform for people to share their own vehicles to consumers who want an easy, exciting alternative to traditional car rental. Becoming the world’s largest car sharing marketplace and disrupting an entire industry did not come easily, though. Turo first had to build trust with each person who used the app, which meant the technology had to work flawlessly each and every time.
Knowing that, Turo put a developer-first culture in place early on. Devs were not only encouraged to be agile and innovative – any roadblocks standing in their way were systematically removed. Turo thought hard about what devs needed to succeed because they were the ones who would ultimately drive (or deter engagement with the platform.
That effort helped Turo grow steadily from startup to industry trailblazer. But as with any app that collects tremendous amounts of data – including driver’s licenses, phone numbers, and addresses – success meant the size of the databases started to ramp up rapidly as did the dev’s reliance on those databases. Turo reached a point where the company’s continued success required seemingly contradictory objectives: streamline database access for devs while strengthening security around sensitive data.
Turo had one monolithic database handling most of the application and traffic load coming from around 70 engineers. Minimal visibility into that database made it unclear who was using it and how, which was becoming increasingly unmanageable as the engineering team rapidly brought new members onboard. Around the same time, news of database breaches made frequent headlines, and it was clear a breach could risk Turo’s database and jeopardize their market position as a result. Turo needed better ways to leverage their databases while managing the risks and regulatory requirements accompanying that data. Essentially, they needed guardrails that could keep database access within secure parameters without impacting the performance of their developers.
There were three key objectives:
- Getting a handle on fast multiplying data sources combined within a massive central database.
- Promoting a developer-first culture that facilitates speed, productivity, and innovation.
- Supporting the growth of the database, developer team, user-base, and company
Turo found only one product on the market that could provide the granular, scalable, and friction-free database access they required: Cyral. It integrated well with Turo’s existing technologies (Terraform, Redshift, AWS Aurora) and workflows and came backed by a team capable of customizing the implementation. Most importantly, Cyral offered the visibility and control around databases that Turo’s developer-first culture and their ongoing growth both depended upon.
Cyral helps us put security andTuro Software Engineer
reliability top of mind when
thinking about databases and
planning database architecture.
Consistent Policies for Database Access
Before adding Cyral, database access was only limited by the SSH box that different job roles had access to. Once inside, users had broad latitude to alter, replicate, or exfiltrate whatever they wanted. Consequently, data sources were increasing significantly, as were the number of saved queries that were causing the database to lock up. Turo sought to solve these challenges by improving database performance, visibility, and predictability of usage.
By default, Cyral assigns engineers read-only access to the Turo databases through SSO or Okta. It also directs users to a replica database so that any problems that may emerge stay isolated from the primary data source. Production access requires approval, but users can request that through Slack to expedite the process for all.
The ability to limit data risks without inhibiting access is helping Turo transition to a microservices model. When each microservice has a dedicated database, the total number could go from a few to 15 in six months, then top 100 in two years. Cyral enables Turo to automatically enforce consistent policies across all data sources so their infrastructure can evolve around the needs of developers rather than data risks or resource constraints.
Automatic Audit of Database Activity
Turo made a concerted effort to eliminate blind spots around database activity — activity that, if left unchecked, could result in downtime or, even worse, open the door to cyber attacks. Increasing cyber regulations like GDPR and CCPA can make the damage of data breaches cut even deeper. Yet without a clear view into the databases, maintaining security, compliance, and governance becomes an ever-growing challenge.
Cyral maintains an audit trail across all users and data sources. With that information, Turo can now preemptively identify problems that might be affecting performance or undermining security. And should a security issue ever occur, the audit trail will be invaluable for maximizing the speed and precision of the response before resolving the underlying issue. For example, in one seven-day period, just a few developers ran over 7,000 ad-hoc queries. Most organizations would be blind to the volume and specifics of these queries. And an audit would ordinarily be a manual, time-consuming process that can take weeks or months. With Cyral, Turo now can quickly and easily see who or what queried the data, and understand what data was accessed — validating the integrity of database access. “Cyral helps us put security and reliability top of mind when thinking about databases and planning database architecture.” – Turo Software Engineer The Solution Getting a handle on fast multiplying data sources combined within a massive central database. Promoting a developer-first culture that facilitates speed, productivity, and innovation. Supporting the growth of the database, developer team, user-base, and company. There were three key objectives: cyral.com l Case Study 3
Robust Databases to Support Growth
In the past, a small number of developers made the vast majority of queries. As demand for data has grown, more developers need to run queries, but some are gun shy about doing something that will break the database. In a developer-first culture like Turo’s, Cyral gives devs freedom to access whatever data they need since the guardrails keep them away from anything risky. Furthermore, they need ways to access those databases that are aligned with their existing workflows.
Cyral gives devs freedom to access whatever data they need since the guardrails keep them away from anything risky. It also encourages them to leverage that freedom by letting them provision data in code rather than going through the Cyral UI. And by tracking how devs interact with databases over time, Turo understands how to put scalable solutions and policies in place rather than band-aid fixes as issues arise.
Turo was one of the fortunate companies to see a surge in demand during the pandemic as people flocked to the app seeking cars. This sudden explosion in activity could have caused the technical infrastructure to buckle, souring a golden opportunity. But it didn’t, thanks in no small part to the work that Turo has done to support developers and plan proactively around databases. Turo emerged from the pandemic stronger than ever. Cyral equips them to keep that momentum using the best resource at their disposal: their database.
Lowered risk of data breaches and downtime
Streamlined developer access to data
Turned databases into competitive assets
More Case Studies
HR Tech Company
Cyral provides production data security for one of the YC top 100 fastest growing software companies in the country.
Informatica is an Enterprise Cloud Data Management leader. Their mission is to bring data to life by empowering businesses to realize the transformative power of their most critical assets.