Cloud Security at Netflix
Published in: Technology, Business
  • Transcript

    • 1. Cloud Security @ Netflix. Jason Chan, chan@netflix.com. SVForum Cloud and Virtualization SIG, March 27, 2012
    • 2. Jason Chan
      • Cloud Security Architect @ Netflix
      • Previously:
        • Most recently led security team at VMware
        • Primarily security consulting at @stake, iSEC Partners
      • Some presentations at: http://www.slideshare.net/netflix
    • 3. Agenda
      • Developing a “cloud appropriate” security model
      • Cloud security: challenges and advantages
      • APIs, Automation & the Security Monkey
      • A note on regulatory compliance
      • Takeaways
    • 4. Developing a “Cloud Appropriate” Security Model
    • 5-6. Word Association: Cloud & Security
    • 7-8. Word Association: Cloud & Security
      • Cloud: Agility, Self-service, Scale, Automation
    • 9. Word Association: Cloud & Security (the two columns paired on the slide)
      • Cloud: Agility, Self-service, Scale, Automation
      • Security: Gatekeeper, Standards, Control, Centralized
    • 10. General Guidelines
    • 11. Risk-Based Approach
      • Not everything is equal
      • Understand what’s important and prioritize appropriately
    • 12. Leverage Tooling
      • Build and deployment pipeline is a key point for security integration
      • Think integration vs. separation
    • 13. Make Doing the Right Thing Easy
      • Sensible defaults
      • Libraries for common, but difficult, security tasks
      • Publish and evangelize reusable patterns
    • 14. Embrace Self-Service, with some Exceptions
      • SSL certificate management
      • Some firewall rules
      • VPC configuration
      • User and permissions management (IAM)
    • 15. Cloud Security Challenges
    • 16. Shared Responsibility
      • Incident response
      • Investigations
      • Compliance
    • 17. Existing Security Tools
      • Bad assumptions
      • Licensing
      • Node ephemerality
      • Thundering herd
    • 18. Key Management
      • Untrusted infrastructure
      • Automated bootstrapping
      • Hardware security modules
    • 19. Cloud Security Advantages
    • 20. Build Standards & Vulnerability Management
      • Fewer “snowflakes”
      • Easier to identify problem systems
      • Push and kill vs. patch and nurse
    • 21. Integrity and Activity Monitoring
      • No changes to running systems
      • Fewer production logins
    • 22. Visibility & Reachability Analysis
      • Flat networking
      • “Nowhere to hide”
      • Firewall APIs
    • 23. APIs, Automation, and the Security Monkey
    • 24-27. Common Challenges for Security Engineers
      • Lots of data from different sources, in different formats
      • Too many administrative interfaces and disconnected systems
      • Too few options for scalable automation
    • 28-38. How do you . . . (each task paired with the AWS API call that performs it)
      • Add a user account?
        • CreateUser()
      • Inventory systems?
        • DescribeInstances()
      • Change a firewall config?
        • AuthorizeSecurityGroupIngress()
      • Snapshot a drive for forensic analysis?
        • CreateSnapshot()
      • Disable a multi-factor authentication token?
        • DeactivateMFADevice()
    • 39-41. Security Monkey
      • http://techblog.netflix.com/2011/07/netflix-simian-army.html
      • Centralized framework for cloud security monitoring and analysis
      • Leverages AWS APIs and common security tools
    • 42. Security Monkey
      • Certificate monitoring
      • Security group monitoring
      • Exposed instances/applications
      • Web application vulnerability scanning
      • Upcoming:
        • Policy analysis (firewall, user, S3, etc.)
    • 43. A Note on Regulatory Compliance
    • 44. Compliance
    • 45-52. Compliance (two columns on the slide: Background and Approach)
      • Background
        • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy)
        • More conservative approach to the cloud
        • Some architectural components are “cloud unfriendly”
      • Approach
        • Segregate compliance-sensitive cloud systems
        • Limit access and increase auditing and logging
        • Leverage tooling for auditability and control integration
    • 53. Takeaways
    • 54-57. Takeaways
      • Netflix has moved most of its service infrastructure, applications, and data to the public cloud
      • Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately
      • The programmability of the cloud presents an unprecedented opportunity for security teams to focus and streamline efforts
      • Understand the constraints and limitations of both security tools and cloud vendors when planning and implementing controls
    • 58. Thanks! Questions? chan@netflix.com
    • 59. References
      • http://www.slideshare.net/netflix
      • http://techblog.netflix.com
      • https://cloudsecurityalliance.org/
      • http://www.nist.gov/itl/cloud/index.cfm
      • http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
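The reachability analysis of slide 22 and the security-group/exposed-instance monitoring of slide 42, as an added example that is not the deck's or Netflix's Security Monkey code. It works on data shaped like the boto3 describe_security_groups and describe_instances responses; the sensitive-port list and the sample group/instance ids are assumptions constructed for the example.

```python
# Security-group exposure check in the spirit of slides 22 and 42 (added example,
# not Netflix code). Input mimics boto3 describe_security_groups/describe_instances.
import ipaddress
# Ports whose exposure to the whole Internet counts as a finding (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}

def _port_range(perm):
    """(from, to) ports of one IpPermission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))

def world_open_ports(group):
    """Sensitive ports reachable from any IPv4 source via this group."""
    found = set()
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        for rng in perm.get("IpRanges", []):
            # prefix length 0 (0.0.0.0/0) means the whole Internet
            if ipaddress.ip_network(rng["CidrIp"], strict=False).prefixlen == 0:
                found |= {p for p in SENSITIVE_PORTS if lo <= p <= hi}
    return found

def exposed_instances(groups, instances):
    """Join both responses on group id; return {instance id: sorted
    world-open sensitive ports} for every exposed instance."""
    open_by_group = {g["GroupId"]: world_open_ports(g) for g in groups}
    report = {}
    for inst in instances:
        ports = set()
        for g in inst.get("SecurityGroups", []):
            ports |= open_by_group.get(g["GroupId"], set())
        if ports:
            report[inst["InstanceId"]] = sorted(ports)
    return report

# Constructed sample data; group and instance ids are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-web1", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-bastion", "SecurityGroups": [{"GroupId": "sg-admin"}]},
    {"InstanceId": "i-db1", "SecurityGroups": [{"GroupId": "sg-db"}, {"GroupId": "sg-admin"}]},
]
```

Run periodically against the real API output and diff the report between runs; i-db1 shows how an instance inherits exposure from any attached group, not only its "own".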
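The policy analysis (user, S3) that slide 42 lists as upcoming, which also backs the "limit access" approach of slide 52, as an added example that is not from the deck or from Security Monkey. It reads IAM/S3 policy documents in the standard AWS JSON policy grammar; the set of "too broad" actions and the sample bucket name and account id are assumptions.

```python
# Policy analysis of the kind slide 42 lists as upcoming for Security Monkey and
# slide 52's "limit access" approach needs (added example, not Netflix code).
# Works on IAM/S3 policy documents in the standard AWS JSON policy grammar.
import json

BROAD_ACTIONS = {"*", "iam:*", "s3:*"}  # assumed "too broad" action set

def _as_list(value):
    """The policy grammar allows a string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def analyze_policy(document):
    """Return [(statement index, finding)] for risky Allow statements:
    a public principal with no Condition, or a broad action on Resource *."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; nothing to flag
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((i, "public principal without Condition"))
        broad = set(_as_list(stmt.get("Action"))) & BROAD_ACTIONS
        if broad and "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "broad action on all resources"))
    return findings

# Constructed samples (bucket name and account id are placeholders): a bucket
# policy that lets everyone read objects, and a user policy granting full admin.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]}
SAMPLE_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

A public principal that carries a Condition (for example a source-IP restriction) is deliberately not flagged, since the condition is what scopes the grant; review those by hand.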
