Historically, relationships between developers and security teams have been challenging. Security teams sometimes see developers as careless and ignorant of risk, while developers might see security teams as dogmatic barriers to productivity. Can technologies and approaches such as the cloud, APIs, and automation lead to happier developers and more secure systems? Netflix has had success pursuing this approach, by leaning into the fundamental cloud concept of self-service, the Netflix cultural value of transparency in decision making, and the engineering efficiency principle of facilitating a “paved road.”
This session explores how security teams can use thoughtful tools and automation to improve relationships with development teams while creating a more secure and manageable environment. Topics include Netflix’s approach to IAM entity management, Elastic Load Balancing and certificate management, and general security configuration monitoring.
2. What to Expect from the Session
An inside look at cloud security automation at Netflix
How to use the opportunities that AWS and cloud present to make security more ubiquitous
Design principles for security automation that improve both security and developer-security relationships
35. “It is often easier to ask for forgiveness than to ask for permission” – Grace Hopper
37. AWS Permissions Management
• Innovation is enabled by composition of multiple services, but . . . .
• Sophisticated policy language
• 2500+ individual API calls
• New services and features released weekly
38. Historic Issues
• Least privilege is difficult in practice
• Multiple disconnected systems to configure
• Low visibility
Permissions Management and Access Control
Now with AWS
• One place for all permissions
• API level, API driven
• Visibility
• Infrastructure as code
77. Production Ready Benefits
Security integrated with other measures of readiness
Simple to evaluate compliance
Paved road lowers cognitive load
Easy to extend as capabilities expand
78. Takeaways
• Security teams can and should leverage the high-velocity development ecosystem
• Shared history provides both lessons and input to development
• Aim to make security more integrated and ubiquitous while also improving other system characteristics