Cloud Security at Netflix

Presentation Transcript

  • Cloud Security @ Netflix. Jason Chan, chan@netflix.com. SVForum Cloud and Virtualization SIG, March 27, 2012
  • Jason Chan
    • Cloud Security Architect @ Netflix
    • Previously: most recently led security team at VMware; primarily security consulting at @stake, iSEC Partners
    • Some presentations at: http://www.slideshare.net/netflix
  • Agenda
    • Developing a “cloud appropriate” security model
    • Cloud security: challenges and advantages
    • APIs, Automation & the Security Monkey
    • A note on regulatory compliance
    • Takeaways
  • Developing a “Cloud Appropriate” Security Model
  • Word Association: Cloud & Security
    • Cloud: Agility, Self-service, Scale, Automation
    • Security: Gatekeeper, Standards, Control, Centralized
  • General Guidelines
  • Risk-Based Approach
    • Not everything is equal
    • Understand what’s important and prioritize appropriately
  • Leverage Tooling
    • Build and deployment pipeline is a key point for security integration
    • Think integration vs. separation
  • Make Doing the Right Thing Easy
    • Sensible defaults
    • Libraries for common, but difficult, security tasks
    • Publish and evangelize reusable patterns
  • Embrace Self-Service, with Some Exceptions
    • SSL certificate management
    • Some firewall rules
    • VPC configuration
    • User and permissions management (IAM)
  • Cloud Security Challenges
  • Shared Responsibility
    • Incident response
    • Investigations
    • Compliance
  • Existing Security Tools
    • Bad assumptions
    • Licensing
    • Node ephemerality
    • Thundering herd
  • Key Management
    • Untrusted infrastructure
    • Automated bootstrapping
    • Hardware security modules
  • Cloud Security Advantages
  • Build Standards & Vulnerability Management
    • Fewer “snowflakes”
    • Easier to identify problem systems
    • Push and kill vs. patch and nurse
  • Integrity and Activity Monitoring
    • No changes to running systems
    • Fewer production logins
  • Visibility & Reachability Analysis
    • Flat networking
    • “Nowhere to hide”
    • Firewall APIs
  • APIs, Automation, and the Security Monkey
  • Common Challenges for Security Engineers
    • Lots of data from different sources, in different formats
    • Too many administrative interfaces and disconnected systems
    • Too few options for scalable automation
  • How do you . . .
    • Add a user account? CreateUser()
    • Inventory systems? DescribeInstances()
    • Change a firewall config? AuthorizeSecurityGroupIngress()
    • Snapshot a drive for forensic analysis? CreateSnapshot()
    • Disable a multi-factor authentication token? DeactivateMFADevice()
  • Security Monkey (http://techblog.netflix.com/2011/07/netflix-simian-army.html)
    • Centralized framework for cloud security monitoring and analysis
    • Leverages AWS APIs and common security tools
  • Security Monkey
    • Certificate monitoring
    • Security group monitoring
    • Exposed instances/applications
    • Web application vulnerability scanning
    • Upcoming: policy analysis (firewall, user, S3, etc.)
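The API-driven operations above (DescribeInstances, security group rules) and Security Monkey's security group and exposed-instance monitoring, as an added example that is not code from the deck or from Netflix: an offline check over constructed DescribeSecurityGroups and DescribeInstances responses that flags instances reachable from the whole internet on ports outside an allow-list. ALLOWED_PUBLIC_PORTS, the function names and the sample groups are assumptions.

```python
"""Offline sketch of a Security Monkey style security-group check (added
example, not Netflix code). Assumption: the dicts mirror the shape of the EC2
DescribeSecurityGroups / DescribeInstances responses as boto3 returns them;
all sample data below is constructed for this example."""
from ipaddress import ip_network

# Assumed edge-tier policy: only these ports may be open to the whole internet.
ALLOWED_PUBLIC_PORTS = {80, 443}


def open_to_world(perm):
    """True if an IpPermissions entry admits traffic from any IPv4 source."""
    return any(ip_network(r["CidrIp"]).prefixlen == 0 for r in perm.get("IpRanges", []))


def risky_rules(group):
    """Yield (from_port, to_port, protocol) for world-open rules outside the allow-list."""
    for perm in group.get("IpPermissions", []):
        if not open_to_world(perm):
            continue
        proto = perm.get("IpProtocol", "-1")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" = all traffic, no ports
        if proto == "-1" or not ALLOWED_PUBLIC_PORTS.issuperset(range(lo, hi + 1)):
            yield (lo, hi, proto)


def exposed_instances(security_groups, reservations):
    """Join the two API responses: instance id -> risky rules it is exposed through."""
    risky = {g["GroupId"]: list(risky_rules(g)) for g in security_groups}
    findings = {}
    for res in reservations:
        for inst in res["Instances"]:
            hits = [r for sg in inst["SecurityGroups"] for r in risky.get(sg["GroupId"], [])]
            if hits:
                findings[inst["InstanceId"]] = hits
    return findings


# Constructed sample: a web SG that is fine, and a management SG with SSH world-open.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-web1", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-db1", "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-mgmt"}]},
]}]

if __name__ == "__main__":
    for iid, rules in exposed_instances(SAMPLE_SGS, SAMPLE_RESERVATIONS).items():
        print(f"{iid}: world-reachable via {rules}")
```

Against the constructed data only i-db1 is reported, because sg-web's 443 rule is on the allow-list while sg-mgmt opens SSH to 0.0.0.0/0.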
  • A Note on Regulatory Compliance
  • Compliance
    • Background
      • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy)
      • More conservative approach to the cloud
      • Some architectural components are “cloud unfriendly”
    • Approach
      • Segregate compliance-sensitive cloud systems
      • Limit access and increase auditing and logging
      • Leverage tooling for auditability and control integration
  • Takeaways
    • Netflix has moved most of its service infrastructure, applications, and data to the public cloud
    • Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately
    • The programmability of the cloud presents an unprecedented opportunity for security teams to focus and streamline efforts
    • Understand the constraints and limitations of both security tools and cloud vendors when planning and implementing controls
  • Thanks! Questions? chan@netflix.com
  • References
    • http://www.slideshare.net/netflix
    • http://techblog.netflix.com
    • https://cloudsecurityalliance.org/
    • http://www.nist.gov/itl/cloud/index.cfm
    • http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment