Historically, relationships between developers and security teams have been challenging. Security teams sometimes see developers as careless and ignorant of risk, while developers might see security teams as dogmatic barriers to productivity. Can technologies and approaches such as the cloud, APIs, and automation lead to happier developers and more secure systems? Netflix has had success pursuing this approach, by leaning into the fundamental cloud concept of self-service, the Netflix cultural value of transparency in decision making, and the engineering efficiency principle of facilitating a “paved road.” This session explores how security teams can use thoughtful tools and automation to improve relationships with development teams while creating a more secure and manageable environment. Topics include Netflix’s approach to IAM entity management, Elastic Load Balancing and certificate management, and general security configuration monitoring.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jason Chan
December 2016
SAC307
The Psychology of
Security Automation

2. What to Expect from the Session
An inside look at cloud security automation at Netflix
How to use the opportunities that AWS and cloud present
to make security more ubiquitous
Design principles for security automation that improve both
security and developer-security relationships

3. The Psychology of Security Automation

4. History:
Developer - Security
Relationships

13. Opportunities for Developers
are also
Opportunities for Security Teams

14. Opportunities + History = Powerful Tools

15. Design Principles for Security Automation

16. Design Principles
Integrate
Security++
Transparency
Low Touch and Decoupled
Reduce Cognitive Load

18. SSL

22. Historic Issues
• Expiry-based outages
• Security vulnerabilities
• Complex configuration
SSL/TLS Certificate Management
Now with AWS
• API-driven config
• Centralized management
• Machine-readable policies

23. Lemur
https://github.com/Netflix/lemur

24. Lemur
One-stop shop for SSL certificate management
Request, provision, deploy, monitor, escrow
Identify SSL configuration issues
Plugin architecture to extend as necessary

27. Lemur Certificate Creation
Create and Escrow Keys
Create CSR
Certificate Authority
Issue Certificate
Deploy to AWS Account(s)

31. Lemur Takeaways
APIs = Opportunities
Focus automation investments on persistent, difficult,
common problems
Security++

32. Permissions Management and
Access Control

33. Goal = Least Privilege

34. But . . .

35. “It is often easier to ask for
forgiveness than to ask for
permission”
– Grace Hopper

37. AWS Permissions Management
• Innovation is enabled by composition of multiple
services, but . . . .
• Sophisticated policy language
• 2500+ individual API calls
• New services and features released weekly

38. Historic Issues
• Least privilege is difficult in
practice
• Multiple disconnected systems
to configure
• Low visibility
Permissions Management and Access Control
Now with AWS
• One place for all permissions
• API level, API driven
• Visibility
• Infrastructure as code

39. Repoman:
Right-sizing IAM
Permissions

46. Repoman Benefits
Low-risk access reduction
Transparent and versioned operations
Enables innovation and high-velocity development on AWS
Security++

47. Rollie Pollie – AWS
Permissions Management via
ChatOps

48. ChatOps Basics

52. Rollie Pollie

56. Rollie Pollie Benefits
Engineering-native workflows
Transparent decisions
Automated, secure, consistent
ChatOps allows quicker changes and reduced context
switching

57. Security in the Development
Lifecycle

60. Security in the Agile Lifecycle
17 steps across 7 phases 

61. Application Risk Assessment

63. Application Risk Assessment
Historic Issues
Spreadsheet and human-driven
One-time
Presupposes managed intake
Now with AWS
Objective observability
Ongoing analysis
No humans required!

64. Penguin Shortbread:
Automated Risk
Analysis for
Microservice
Architectures

65. Penguin Shortbread Operation
Passively and continually analyze system dimensions, e.g.:
• Instance count
• Dependencies
• Connectivity to sensitive systems
• Internet-accessibility
• AWS account location

66. Risk Assessment
Develop risk scoring based on observations
Use risk scoring to prioritize efforts

67. Application Risk Metric
Metric summary
Metric algorithm
Scoring

68. Application Risk Rollup
Metrics
Risk metrics by region/environment

69. Developer View in Context

70. Penguin Shortbread Benefits
Low touch and ongoing
Objective and transparent view to application risk
Simple prioritization helps reduce cognitive load

71. Security Requirements

72. Historic Issues
Ambiguous
Difficult to verify
Security Requirements
Now with AWS
API-driven implementation
API-driven evaluation

73. Security
Requirements
via Production
Ready

74. Production Ready
SRE-driven developer outreach program
Evangelize well-established patterns and practices, e.g.:
• Deployment
• Monitoring and Alerting
• Testing
Automated scoring
Uncover risk and reward operational excellence

75. Security-Specific Production Ready Measures
App-Specific Security Group
App-Specific IAM Role
No plaintext secrets in code

76. Production Ready Scorecard
Tracking over time

77. Production Ready Benefits
Security integrated with other measures of readiness
Simple to evaluate compliance
Paved road lowers cognitive load
Easy to extend as capabilities expand

78. Takeaways
• Security teams can and should leverage the high-
velocity development ecosystem
• Shared history provides both lessons and input to
development
• Aim to make security more integrated and ubiquitous
while also improving other system characteristics

79. Thank you!

80. Remember to complete
your evaluations!

81. Related Sessions