FireAudit: How it allowed us to use Firebase in mission-critical software

David Hardy
2 min read · Aug 18, 2020


Two years ago, we were asked to come up with an architecture for a B2B application that would manage applications for tens of thousands of people a week. Everything needs to be configurable and always up to date; even with unreliable networks, the show must go on. The system would hold personal information, and it plays a part in access management for secured areas, so auditability is a must. On top of that, the typical load of the system would be high peaks and low valleys.

The show must go on: typical workload

We settled on a serverless approach. Serverless has the benefit that the platform absorbs the load variance, and there are a couple of vendors that might address our non-functional requirements. Synchronising offline data is hard: we would have to cope with being offline for hours, pre-cache around 100MB of data, and sync writes once the network is back.

After consideration, we chose Firebase. We also looked at other services, like Couchbase, AWS AppSync, or Back4App, but they had downsides, like the need for Ops, offline data limits, or pricing. The downside of Firebase was the fluidity of how data flows through it. Even though that is also its main selling point, the ease with which data flows was a risk: it is so easy to cache and sync data that it is also easy to make mistakes and to have no insight into them, which was a problem for the auditability requirement.

Database auditing enables you to draw conclusions about actions that happened in the past, and it deters malicious activity since users know they can be held accountable for their actions. Combined with analysis, it can inform you of suspicious activity and give insight into usage metrics.

By leveraging the reactive nature of Firestore, we created an environment that brings auditability to all of our Firestore projects, and thus to any project’s Firestore. Any mutation in a client’s Firestore causes an append to FireAudit’s BigQuery. This way, FireAudit always has the record on ‘what happened when’, and paired with meta information, it can also answer ‘who and why’. Next to that, analyses bring violations to light, like data integrity issues and data tampering.

Interested? Give us a try at https://fireaudit.studio/!

Ziggo Dome image by Steven Lek.


David Hardy

Lead Architect of numerous Firebase applications. Also: Angular, Flutter, Spring, GCP, Android, and… less serious things.