![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 15 15" xmlns="http://www.w3.org/2000/svg"><g d="M 4.5 0 L 4.5 9.334 M 0 4.5 L 4.667 9.167 L 9.334 4.5" fill="transparent" height="9.334000000000003px" id="wVLQb2Yt7" transform="translate(2.5 2.5)" width="9.333999999999946px"><path d="M 0 0 L 0 9.334" fill="transparent" height="9.334000000000003px" id="Ho_4eUERn" stroke-dasharray="" stroke-linecap="butt" stroke-linejoin="round" stroke-width="1.2" stroke="rgb(35, 41, 51)" transform="translate(4.5 0)" width="1px"/><path d="M 0 0 L 4.667 4.667 L 9.334 0" fill="transparent" height="4.667000000000002px" id="q4SooRAjE" stroke-dasharray="" stroke-linecap="square" stroke-linejoin="round" stroke-width="1.2" stroke="rgb(35, 41, 51)" transform="translate(0 4.5)" width="9.333999999999946px"/></g></svg>)
How Mercari Built and Maintains Zero-Touch Access to Production Systems with Opal
Fintech
/1
27
GitHub Organization-level roles
/2
54
Google Workspace groups
/3
5353
Okta entitlements
Mercari, Japan's largest consumer-to-consumer marketplace, secures production systems with Opal to keep customer financial data secure.
Company: Founded in 2013, Mercari is Japan’s largest “C2C” (consumer-to-consumer) marketplace. The company has 2,300 employees, with 14.2B of annual revenue.
Challenge: Just-in-time access systems were built in-house, but were failing to keep up with changing developer and DevOps tools.
Solution: Opal maintains over 50 integrations, and automates on-call and break-glass access for Mercari, ensuring the team can focus on business problems, rather than building support for new development tools.
Operating Environment
Identity provider(s): Okta, Google Workspace
Core systems: GCP, GKE, GitHub
Workforce: 2,300 employees
Compliance/regulatory needs: Japan’s Act on the Protection of Personal Information (APPI), PCI-DSS, other industry specific Japanese regulations
Challenge
After being impacted by a supply chain security incident in 2021, Mercari implemented “Carrier,” a system for “Zero Touch Production” as a preventative measure to reduce the potential blast radius of similar incidents in the future.
Informed by Google’s SRE practices, they worked to implement on-call and “break glass” access to production instances. Today, Mercari is migrating from their in-house system to Opal so they don’t have to maintain a whole host of integrations with third-party services.
Mercari’s engineering teams are typically small and operate fairly autonomously, so access requests and approvals are best delegated to teams themselves.
Goals
Replace Carrier, the in-house access tool, with a more flexible platform
Enable faster access to production systems for on-call SREs without creating long-standing privilege
Eliminate the need to support various third-party services that Opal already supports
Opal Solution
Infrastructure-as-code via Terraform
Track GCP projects and their associated GKE instances
Just-in-Time and ”break glass” access for SREs on call
In 2021, Mercari experienced a security incident as a result of a supply chain attack. The aftermath of this led to various initiatives to improve their overall security posture. One of the risks highlighted was the potential impact of the exposure of long-lived credentials. To tackle this the Mercari Platform team worked on the development of an internal tool called Carrier, used to provide just-in-time role bindings. The goal was to achieve “Zero Touch Production,” removing, as much as possible, any need to maintain permanent access to systems.
“Opal enabled Mercari to migrate away from Carrier and sustain the same ‘Zero Touch Production’ mindset without the need for internal development and maintenance. Opal also allowed Mercari to expand just-in-time access to more developer tools and productivity applications.
It’s a huge relief to unload a lot of ‘keep the lights on’ maintenance work while improving our security posture in line with the broader business goal of keeping customer data safe.”
— Allan Wirth, Manager of Platform and AI Security, Mercari
Strategic Impact
With tedious “keep the lights on” work reduced, engineers can now focus more on business problems, all while still maintaining strong just-in-time access capabilities for our environment and high level of security in the solution to provide this.
