ALB User Authentication: Identity Management at Scale with Netflix (NET204) - AWS re:Invent 2018

In the zero-trust security environment at Netflix, identity management has historically been a challenge due to the reliance on its VPN for all application access. About one year ago, Netflix began exploring various identity solutions to alleviate the operational burden of maintaining its VPN. Additionally, it was looking for ways to provide a superior user experience. Join this chalk talk to learn how Netflix solved identity management at scale.

  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ALB Authentication: Identity Management at Scale with Netflix. Will Rose, Senior Security Engineer, Netflix Information Security. NET204
  2. Agenda: Netflix Identity Principles; In Practice; ALB Authentication; Discussion
  3. (no slide text)
  4. Principle: Federate Everything. Every. Single. App. Single Sign On. Standards: OpenID Connect and OAuth; SAML. Make It Easy To Do The Right Thing …and difficult to do it wrong.
  5. Principle: Developer Self-Service. Simple onboarding: expertise not required, immediately available, no approval required.
  6. Principle: Device Health Checks. User Focused Security: engage with users to improve device security. Stethoscope: open source tool from Netflix to report on device health status; integrated with the Netflix Identity Platform; influences the user's authentication experience.
  7. Principle: Adaptive Multi-Factor Authentication. Contextual step-up authentication using: application sensitivity; usage patterns and behaviors; device health status; user agent recognition; geographic location.
  8. (no slide text)
  9. Landscape: Hundreds of applications, growing daily. With Great Freedom comes… Great Variability: languages and frameworks galore.
  10. Identity Challenges: "Just use Client Libraries to Federate!" Always playing catch-up to new languages and frameworks; open source options of varying quality and completeness; developer friction around configuration.
  11. Identity Challenges: "Ok, then just use Authenticating Proxies!" Additional critical infrastructure to maintain; potential bottlenecks and new failure modes to address; additional infrastructure cost to operate. (Diagram labels: Proxy Layer, Application Layer.)
  12. Please select one: C. None of the above
  13. (no slide text)
  14. Crazy Talk: Auth == Undifferentiated Heavy Lifting! Why not Application Load Balancers!? Let's talk to Amazon! Please?
  15. (no slide text)
  16. Alphabet Soup. Ingredients: 1 x AWS, 1 x ALB, 1 x OIDC. Simmer for 6 months. Serves: everyone.
  17. Under the Hood: the headers the ALB adds to each authenticated request. X-Amzn-OIDC-Identity: will.rose@domain.com; X-Amzn-OIDC-Access-Token: 1waGF…YW50; X-Amzn-OIDC-Data: eyJhbG...y4MbQQ
  18. Adoption: Native Spinnaker integration; fully self-service with only a few clicks; no new infrastructure required; identical integration experience across all languages; our recommended integration path for all applications.
  19. Thank you! Will Rose, wrose@netflix.com
  20. (no slide text)
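The three headers on slide 17 are all an application behind the ALB receives, so it has to decide how far to trust them. As an added example (not from the talk or from Netflix), the stdlib-only Python below decodes the X-Amzn-OIDC-Data token, checks its header fields (alg, kid, signer ARN, exp) and requires X-Amzn-OIDC-Identity to agree with the token's sub claim; it assumes lowercase header keys and a constructed load balancer ARN. Verifying the token's ES256 signature with the public key published for its kid is a further required step that is left out here because it needs network access and a crypto library.

```python
import base64
import json
import time

# Constructed ALB ARN for this example; a deployment pins the ARN of its own ALB.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-west-2:111122223333:"
                   "loadbalancer/app/example-alb/0123456789abcdef")

def _b64url_decode(segment):
    # Segments may arrive with or without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_test_token(jwt_header, claims):
    """Build a JWT-shaped X-Amzn-OIDC-Data value with a dummy signature (constructed input)."""
    segments = [_b64url_encode(json.dumps(p).encode()) for p in (jwt_header, claims)]
    return ".".join(segments + [_b64url_encode(b"not-a-real-signature")])

def check_oidc_data(headers, expected_signer, now=None):
    """Validate ALB-injected headers before the application trusts the identity.

    Requires alg ES256, a kid, the expected signer ARN, an unexpired exp, and
    that X-Amzn-OIDC-Identity equals the token's 'sub' claim. Verifying the
    ES256 signature with the key fetched by kid is a separate mandatory step.
    """
    parts = headers.get("x-amzn-oidc-data", "").split(".")
    if len(parts) != 3:
        raise ValueError("malformed X-Amzn-OIDC-Data")
    jwt_header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if jwt_header.get("alg") != "ES256" or not jwt_header.get("kid"):
        raise ValueError("unexpected alg or missing kid")
    if jwt_header.get("signer") != expected_signer:
        raise ValueError("token not issued by the expected load balancer")
    if int(jwt_header.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if headers.get("x-amzn-oidc-identity") != claims.get("sub"):
        raise ValueError("X-Amzn-OIDC-Identity disagrees with token 'sub'")
    return claims

if __name__ == "__main__":
    token = make_test_token(
        {"alg": "ES256", "kid": "kid-1", "signer": EXPECTED_SIGNER,
         "iss": "https://idp.example.com", "client": "client-1", "exp": 1700000600},
        {"sub": "alice@example.com", "email": "alice@example.com"})
    print(check_oidc_data({"x-amzn-oidc-identity": "alice@example.com",
                           "x-amzn-oidc-data": token}, EXPECTED_SIGNER, now=1700000000))
```

These checks only mean anything if the application is reachable solely through the ALB, since any client that can hit the instance directly can supply the headers itself.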