Cloud Security at Netflix

0 views
6,831 views

Published on

Published in: Technology, Business
0 Comments
12 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
0
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
194
Comments
0
Likes
12
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Cloud Security at Netflix

    1. 1. Cloud Security @ Netflix Jason Chan chan@netflix.com SVForum Cloud and Virtualization SIG March 27, 2012
    2. 2. Jason Chan• Cloud Security Architect @ Netflix• Previously: • Most recently led security team at VMware • Primarily security consulting at @stake, iSEC Partners• Some presentations at: • http://www.slideshare.net/netflix
    3. 3. Agenda• Developing a “cloud appropriate” security model• Cloud security: challenges and advantages• APIs, Automation & the Security Monkey• A note on regulatory compliance• Takeaways
    4. 4. Developing a“Cloud Appropriate” Security Model
    5. 5. Word Association:Cloud & Security
    6. 6. Word Association:Cloud & Security
    7. 7. Word Association: Cloud & SecurityCloud• Agility• Self-service• Scale• Automation
    8. 8. Word Association: Cloud & SecurityCloud• Agility• Self-service• Scale• Automation
    9. 9. Word Association: Cloud & SecurityCloud Security• Agility • Gatekeeper• Self-service • Standards• Scale • Control• Automation • Centralized
    10. 10. General Guidelines
    11. 11. Risk-Based Approach• Not everything is equal• Understand what’s important and prioritize appropriately
    12. 12. Leverage Tooling• Build and deployment pipeline is a key point for security integration• Think integration vs. separation
    13. 13. Make Doing the Right Thing Easy • Sensible defaults • Libraries for common, but difficult, security tasks • Publish and evangelize reusable patterns
    14. 14. Embrace Self- Service, withsome Exceptions • SSL certificate management • Some firewall rules • VPC configuration • User and permissions management (IAM)
    15. 15. Cloud Security Challenges
    16. 16. SharedResponsibility• Incident response• Investigations• Compliance
    17. 17. ExistingSecurity Tools• Bad assumptions• Licensing• Node ephemerality• Thundering herd
    18. 18. KeyManagement• Untrusted infrastructure• Automated bootstrapping• Hardware security modules
    19. 19. Cloud Security Advantages
    20. 20. Build Standards& Vulnerability Management • Fewer “snowflakes” • Easier to identify problem systems • Push and kill vs. patch and nurse
    21. 21. Integrity and Activity Monitoring• No changes to running systems• Fewer production logins
    22. 22. Visibility &Reachability Analysis• Flat networking• “Nowhere to hide”• Firewall APIs
    23. 23. APIs, Automation, andthe Security Monkey
    24. 24. Common Challenges for Security Engineers
    25. 25. Common Challenges for Security Engineers• Lots of data from different sources, in different formats
    26. 26. Common Challenges for Security Engineers• Lots of data from different sources, in different formats• Too many administrative interfaces and disconnected systems
    27. 27. Common Challenges for Security Engineers• Lots of data from different sources, in different formats• Too many administrative interfaces and disconnected systems• Too few options for scalable automation
    28. 28. How do you . . .
    29. 29. How do you . . .• Add a user account?
    30. 30. How do you . . .• Add a user account?• Inventory systems?
    31. 31. How do you . . .• Add a user account?• Inventory systems?• Change a firewall config?
    32. 32. How do you . . .• Add a user account?• Inventory systems?• Change a firewall config?• Snapshot a drive for forensic analysis?
    33. 33. How do you . . .• Add a user account?• Inventory systems?• Change a firewall config?• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
    34. 34. How do you . . .• Add a user account? • CreateUser()• Inventory systems?• Change a firewall config?• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
    35. 35. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config?• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
    36. 36. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config? • AuthorizeSecurityGroup Ingress()• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
    37. 37. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config? • AuthorizeSecurityGroup Ingress()• Snapshot a drive for forensic analysis? • CreateSnapshot()• Disable a multi-factor authentication token?
    38. 38. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config? • AuthorizeSecurityGroup Ingress()• Snapshot a drive for forensic analysis? • CreateSnapshot()• Disable a multi-factor • DeactivateMFADevice() authentication token?
    39. 39. Security Monkeyhttp://techblog.netflix.com/2011/07/netflix-simian-army.html
    40. 40. Security Monkey http://techblog.netflix.com/2011/07/netflix-simian-army.html• Centralized framework for cloud security monitoring and analysis
    41. 41. Security Monkey http://techblog.netflix.com/2011/07/netflix-simian-army.html• Centralized framework for cloud security monitoring and analysis• Leverages AWS APIs and common security tools
    42. 42. Security Monkey• Certificate monitoring• Security group monitoring• Exposed instances/applications• Web application vulnerability scanning• Upcoming: • Policy analysis (firewall, user, S3, etc.)
    43. 43. A Note on Regulatory Compliance
    44. 44. Compliance
    45. 45. ComplianceBackground
    46. 46. ComplianceBackground • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy)
    47. 47. ComplianceBackground • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy) • More conservative approach to the cloud
    48. 48. ComplianceBackground • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy) • More conservative approach to the cloud • Some architectural components are “cloud unfriendly”
    49. 49. ComplianceBackground Approach • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy) • More conservative approach to the cloud • Some architectural components are “cloud unfriendly”
    50. 50. ComplianceBackground Approach • Netflix has a variety • Segregate compliance- of regulatory sensitive cloud obligations (SOX, systems PCI, data privacy) • More conservative approach to the cloud • Some architectural components are “cloud unfriendly”
    51. 51. ComplianceBackground Approach • Netflix has a variety • Segregate compliance- of regulatory sensitive cloud obligations (SOX, systems PCI, data privacy) • Limit access and • More conservative increase auditing and approach to the cloud logging • Some architectural components are “cloud unfriendly”
    52. 52. ComplianceBackground Approach • Netflix has a variety • Segregate compliance- of regulatory sensitive cloud obligations (SOX, systems PCI, data privacy) • Limit access and • More conservative increase auditing and approach to the cloud logging • Some architectural • Leverage tooling for components are auditability and “cloud unfriendly” control integration
    53. 53. Takeaways
    54. 54. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud
    55. 55. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud• Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately
    56. 56. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud• Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately• The programmability of the cloud presents an unprecedented opportunity for security teams to focus and streamline efforts
    57. 57. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud• Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately• The programmability of the cloud presents an unprecedented opportunity for security teams to focus and streamline efforts• Understand the constraints and limitations of both security tools and cloud vendors when planning and implementing controls
    58. 58. Thanks!Questions? chan@netflix.com
    59. 59. References• http://www.slideshare.net/netflix• http://techblog.netflix.com• https://cloudsecurityalliance.org/• http://www.nist.gov/itl/cloud/index.cfm• http://www.enisa.europa.eu/activities/risk- management/files/deliverables/cloud- computing-risk-assessment

    ×