ADEO Services: Supporting ADEO’s teams to stay cloud compliant with serverless, real-time monitoring
About ADEO Services
ADEO Services provides technical support to ADEO, the world’s third home improvement company and the leading one in France. ADEO Services supports ADEO’s mission to inspire inhabitants by helping its business teams and product managers to reach their digital ambitions and challenges, from data warehousing to cloud infrastructure.
Developed with Google Cloud, ADEO Services' serverless tool offers real-time monitoring to ensure its services are compliant, improving security and optimizing the way its infrastructure is organized.
Google Cloud results
- Provides inventory and real-time monitoring functions with a single serverless tool that scales to meet demand
- Reinforces a cloud-native mindset by ensuring services are built according to best-practice patterns
- Empowers developers to build services that are compliant from the start
- Enables security teams to focus on more sophisticated vulnerability assessments, due to fewer noncompliances in new services
Alerts developers of 90% of noncompliance within 10s
Whether you own or rent your home, creating a comfortable and practical place to live is important to well-being. That's why ADEO wants to make home improvement accessible to everyone, serving 500 million customers worldwide through 900 sales outlets in 13 countries. It is taking a technology-driven, platform-based approach to successfully adapt its products and services to local markets and support its multiple independent brands to share knowledge.
ADEO Services teams work closely with multiple business units around the world, with a dedicated operations team that helps to deliver new cloud functionalities and technical support. The team supports and advises product managers and their teams on tasks such as network connectivity and building data pipelines, as well as monitoring and referencing. Jean-François Marquis, Head of Operations at ADEO Services, says that the key to doing this is a cloud mindset.
"We work with the Google Cloud ecosystem, from Cloud Identity to Google Workspace and Looker Studio," explains Jean-François Marquis. "We want to make the most of the possibilities that this opens up, such as quicker time-to-market and optimized costs, and to do that, we need to work in a cloud-native way."
When ADEO Services implemented a new data platform within the Global Tech and Data Platform for ADEO in 2018, it took a site reliability engineering (SRE) approach using the Google Cloud operations suite to analyze and monitor its data platforms and automate tasks where possible. But for certain services, it required custom options, and it also wanted the ability to automatically monitor services in real time, detecting noncompliance errors as they occurred.
Working with Bruno Reboul, a senior PSO consultant at Google Cloud, ADEO Services developed a tool called Heimdall compliance to help solve these issues. The idea for Heimdall compliance emerged from conversations between the SRE team and Bruno Reboul in late 2019, and the teams worked together to build and configure the solution during 2020.
Building a tool that enables real-time monitoring at scale
The ADEO Services Operations team needed Heimdall to address three key areas: inventory, accountability, and real-time monitoring. While ADEO was already using Cloud Asset Inventory, which enables users to access an inventory of their cloud services from a given point in time, the team wanted to have up-to-date overviews across all its services. It also wanted to be able to cross-reference data errors, to support ADEO's legal responsibility to log all the ways data from its customers' journeys are used.
Finally, it wanted real-time compliance monitoring to make sure systems were compliant at the point of development instead of relying on reporting, because errors previously might not be detected until audits.
"Google Cloud provides numerous ways of setting parameters for your deployments and monitoring your system, but ADEO Services needed a custom solution, to deploy different rules in different geographic regions, for example," explains Reboul. "My role was to develop Realtime Asset Monitor (RAM), an open source tool which ADEO Services uses to feed Heimdall with the real-time status of all ADEO's Google Cloud and Google Workspace configurations."
ADEO Services has since released RAM as an open source project so other companies can use it. Sharing its knowledge and skills is all part of a wider mission to become a technological leader in its sector.
"It's really useful to see our projects being applied in other contexts," says Jean-François Marquis. "Releasing open source projects enables us to have a dialogue with other companies and push the limits with the technology we're developing."
Offering greater visibility over services, when it's needed
RAM is a serverless tool built around microservices using Cloud Functions, leveraging Cloud Build, Cloud Source Repositories, Cloud Scheduler, and Cloud Asset Inventory. It offers access to compliance and violations statuses via BigQuery, displaying information via Looker Studio, and can also connect with Pub/Sub violations messages.
Heimdall uses BigQuery to cross-reference the data from RAM with ADEO's accountability and inventory databases, which enables it to see exactly when services have been used, as well as whether or not they are compliant. For the inventory function, Heimdall uses a Dataflow pipeline to ingest Cloud Asset Inventory data into BigQuery, while for the accountability function, data from Cloud Logging is exported into BigQuery. Because both RAM and Heimdall are serverless, the tools can be scaled down to zero when not in use.
"Before, without an up-to-date inventory, we weren't able to master the scope of new projects because we didn't know exactly what we had available," says Jean-François Marquis. "Now, we can see exactly what we're using at any moment."
Making sure services are compliant from the start
Heimdall's real-time monitoring function delivers real-time compliance checks to developers via an API using App Engine. Because any changes to services are validated as and when they are made, developers have immediate feedback on whether what they have deployed is compliant or noncompliant. This helps with meeting localized data regulations, such as the GDPR in Europe and the LGPD in Brazil, because developers are notified if they violate data storage protocols. ADEO also sets its own internal compliance criteria to ensure tools are configured correctly.
"By 'compliance' we also mean deploying in ways that are compliant with our internal deployment preferences," says Marc Fundenberger, Senior SRE. "Tools such as Compute Engine have a huge range of configuration options, and we need those tools to be configured in a particular way, to abide by security regulations as well as our architectural pattern." For example, ADEO prefers to use resources through Cloud Load Balancing, in order to run backend instances through a single frontend IP address.
The volume of requests it deals with also means it sometimes needs to architect in a particular way in order to work around quota limits. "With 40,000 events per second on a Cloud Functions segment, we're often working close to the limits of what's possible," Marc Fundenberger explains. "Using real-time monitoring enables us to follow best practices for deployment and keep our infrastructure functioning as well as it can."
Focusing on more robust security checks
Before Heimdall was created, if there was an error in one of the product platforms, it might only be caught when weekly audits were carried out. Now, the delay between a change in configuration and an error notification is around 10 seconds for 90% of events. As developers are able to check compliance themselves, noncompliances detected during the penetration test carried out before applications are put into production have been drastically reduced.
"Since implementing this project, we've completely changed the way we approach security and compliance," says Jean-François Marquis. "Developers can immediately check if the project they're developing is compliant or not. That means our security teams can focus their efforts on developing really robust penetration tests."
ADEO is now planning to use RAM and Heimdall in new ways to optimize further; for example, by removing deleted service accounts in real time and by making the most of committed-use discounts (CUDs) on Google Cloud to optimize costs. It can use Heimdall to ensure the use of specific resources on Compute Engine, for example, and by committing to an agreed level of use, ADEO will receive discounted rates for the relevant workloads.
The team is also working closely with the Cloud Asset Inventory product management team to contribute feedback on the road map for the product and suggest ways that it can better answer ADEO Services' needs in the future.
"What's really interesting is the way we're growing with Google Cloud, technically but also in terms of human skills," says Jean-François Marquis. "We have a real partnership and we learn from one another. That's what has enabled us to evolve from a legacy way of working into our current, cloud-native approach."