1. Cloud Security @ Netflix
Jason Chan
chan@netflix.com
SVForum Cloud and Virtualization SIG
March 27, 2012
2. Jason Chan
• Cloud Security Architect @ Netflix
• Previously:
• Most recently led security team at VMware
• Primarily security consulting at @stake, iSEC
Partners
• Some presentations at:
• http://www.slideshare.net/netflix
3. Agenda
• Developing a “cloud appropriate” security model
• Cloud security: challenges and advantages
• APIs, Automation & the Security Monkey
• A note on regulatory compliance
• Takeaways
11. Risk-Based
Approach
• Not everything is equal
• Understand what’s
important and prioritize
appropriately
12. Leverage
Tooling
• Build and deployment
pipeline is a key point for
security integration
• Think integration vs. separation
13. Make Doing the
Right Thing
Easy
• Sensible defaults
• Libraries for common,
but difficult, security tasks
• Publish and evangelize
reusable patterns
14. Embrace Self-
Service, with
some Exceptions
• SSL certificate management
• Some firewall rules
• VPC configuration
• User and permissions
management (IAM)
25. Common Challenges for
Security Engineers
• Lots of data from different sources, in
different formats
26. Common Challenges for
Security Engineers
• Lots of data from different sources, in
different formats
• Too many administrative interfaces and
disconnected systems
27. Common Challenges for
Security Engineers
• Lots of data from different sources, in
different formats
• Too many administrative interfaces and
disconnected systems
• Too few options for scalable
automation
30. How do you . . .
• Add a user account?
• Inventory systems?
31. How do you . . .
• Add a user account?
• Inventory systems?
• Change a firewall config?
32. How do you . . .
• Add a user account?
• Inventory systems?
• Change a firewall config?
• Snapshot a drive for
forensic analysis?
33. How do you . . .
• Add a user account?
• Inventory systems?
• Change a firewall config?
• Snapshot a drive for
forensic analysis?
• Disable a multi-factor
authentication token?
34. How do you . . .
• Add a user account? • CreateUser()
• Inventory systems?
• Change a firewall config?
• Snapshot a drive for
forensic analysis?
• Disable a multi-factor
authentication token?
35. How do you . . .
• Add a user account? • CreateUser()
• Inventory systems? • DescribeInstances()
• Change a firewall config?
• Snapshot a drive for
forensic analysis?
• Disable a multi-factor
authentication token?
36. How do you . . .
• Add a user account? • CreateUser()
• Inventory systems? • DescribeInstances()
• Change a firewall config? • AuthorizeSecurityGroup
Ingress()
• Snapshot a drive for
forensic analysis?
• Disable a multi-factor
authentication token?
37. How do you . . .
• Add a user account? • CreateUser()
• Inventory systems? • DescribeInstances()
• Change a firewall config? • AuthorizeSecurityGroup
Ingress()
• Snapshot a drive for
forensic analysis? • CreateSnapshot()
• Disable a multi-factor
authentication token?
38. How do you . . .
• Add a user account? • CreateUser()
• Inventory systems? • DescribeInstances()
• Change a firewall config? • AuthorizeSecurityGroup
Ingress()
• Snapshot a drive for
forensic analysis? • CreateSnapshot()
• Disable a multi-factor • DeactivateMFADevice()
authentication token?
46. Compliance
Background
• Netflix has a variety
of regulatory
obligations (SOX,
PCI, data privacy)
47. Compliance
Background
• Netflix has a variety
of regulatory
obligations (SOX,
PCI, data privacy)
• More conservative
approach to the cloud
48. Compliance
Background
• Netflix has a variety
of regulatory
obligations (SOX,
PCI, data privacy)
• More conservative
approach to the cloud
• Some architectural
components are
“cloud unfriendly”
49. Compliance
Background Approach
• Netflix has a variety
of regulatory
obligations (SOX,
PCI, data privacy)
• More conservative
approach to the cloud
• Some architectural
components are
“cloud unfriendly”
50. Compliance
Background Approach
• Netflix has a variety • Segregate compliance-
of regulatory sensitive cloud
obligations (SOX, systems
PCI, data privacy)
• More conservative
approach to the cloud
• Some architectural
components are
“cloud unfriendly”
51. Compliance
Background Approach
• Netflix has a variety • Segregate compliance-
of regulatory sensitive cloud
obligations (SOX, systems
PCI, data privacy)
• Limit access and
• More conservative increase auditing and
approach to the cloud logging
• Some architectural
components are
“cloud unfriendly”
52. Compliance
Background Approach
• Netflix has a variety • Segregate compliance-
of regulatory sensitive cloud
obligations (SOX, systems
PCI, data privacy)
• Limit access and
• More conservative increase auditing and
approach to the cloud logging
• Some architectural • Leverage tooling for
components are auditability and
“cloud unfriendly” control integration
54. Takeaways
• Netflix has moved most of its service infrastructure,
applications, and data to the public cloud
55. Takeaways
• Netflix has moved most of its service infrastructure,
applications, and data to the public cloud
• Taking full advantage of the cloud’s benefits requires a
willingness to adapt security models and methods
appropriately
56. Takeaways
• Netflix has moved most of its service infrastructure,
applications, and data to the public cloud
• Taking full advantage of the cloud’s benefits requires a
willingness to adapt security models and methods
appropriately
• The programmability of the cloud presents an
unprecedented opportunity for security teams to focus
and streamline efforts
57. Takeaways
• Netflix has moved most of its service infrastructure,
applications, and data to the public cloud
• Taking full advantage of the cloud’s benefits requires a
willingness to adapt security models and methods
appropriately
• The programmability of the cloud presents an
unprecedented opportunity for security teams to focus
and streamline efforts
• Understand the constraints and limitations of both
security tools and cloud vendors when planning and
implementing controls