Presented by Andrew White and Jesse Kriss at ShmooCon 2017.
User Focused Security is an approach we are using to address employee information security at Netflix. If we provide employees with the right information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement.
Letting people retain control over their devices means that they can maintain flexibility and productivity and address security recommendations as appropriate to their levels of access. This approach will only be successful, though, if we can provide clear and specific action, and make it easy to do the right thing.
Stethoscope is a web-based tool that gives Netflix employees a view into the security state of their devices, with specific recommendations regarding disk encryption, firewalls, and other device settings. The website, in conjunction with email alerts, gives Netflix employees a straightforward way to see what actions they should take to remain safe.
Andrew White and Jesse Kriss are both members of the Information Security team at Netflix, where they work on designing and building software tools that help people make good decisions around corporate security.
Andrew holds a PhD in Computer Science from the University of North Carolina at Chapel Hill and a B.S. in Computer Science and B.A. in Mathematics from the University of Richmond.
Jesse (@jkriss) holds a Master’s in Human-Computer Interaction from Carnegie Mellon University and a B.A. in Music from Carleton College. Prior to Netflix, he worked at NASA/JPL, Obama 2012, Figure 53, and IBM Research.
Slide 2: Andrew White
● PhD from UNC in Fall 2015
● Researched side channels in encrypted network traffic
● Software engineer at Netflix
Slide 3: Jesse Kriss
● Masters in HCI from Carnegie Mellon
● User experience
● Web development
● Information visualization
● Formerly: IBM Research, Figure 53, Obama 2012, NASA/JPL
Slide 50: Other information
● Events
  ○ Google, Duo auth logs
  ○ Import from Elasticsearch
  ○ Augment with, e.g., geolocation data
● Accounts: Google
● Alerts/feedback: Elasticsearch/REST
Slide 51: Utilities
● Logging
  ○ Accesses: to Elasticsearch
  ○ Errors: to Atlas
● Auth: OpenID Connect
● Batch: to Elasticsearch/REST
Slide 60: Data quality
● Inventory needs to be up-to-date and accurate
● Data sources can have different representations for identifiers
● Don’t always get a unique identifier for a device
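The identifier problem on the data quality slide, as an added example that is not Stethoscope's own code: it normalizes MAC addresses and serial numbers that constructed sample sources report in different formats, merges records that share any normalized identifier into one device, and reports records with no usable identifier instead of guessing. The source names (mdm, edr, dhcp) and the record layout are assumptions.

```python
import re
# Constructed sample inventory records from three hypothetical data sources.
# The same laptop appears with its identifiers formatted differently per source.
SOURCE_RECORDS = [
    {"source": "mdm", "serial": "C02XY123ABCD", "mac": "AA:BB:CC:DD:EE:01", "encrypted": True},
    {"source": "edr", "serial": " c02xy123abcd", "mac": "aa-bb-cc-dd-ee-01", "firewall": True},
    {"source": "dhcp", "mac": "aabb.ccdd.ee01", "hostname": "laptop-7"},
    {"source": "edr", "hostname": "build-box", "firewall": False},  # no usable identifier
]

def normalize_mac(value):
    """Canonical MAC: drop separators, lowercase; None unless 12 hex digits remain."""
    if not value:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None

def normalize_serial(value):
    """Canonical serial: trim whitespace and uppercase; None if empty."""
    return (value.strip().upper() or None) if value else None

def device_keys(record):
    """Identifier keys a record can be matched on, after normalization."""
    keys = set()
    serial = normalize_serial(record.get("serial"))
    mac = normalize_mac(record.get("mac"))
    if serial:
        keys.add(("serial", serial))
    if mac:
        keys.add(("mac", mac))
    return keys

def merge_devices(records):
    """Union records sharing any normalized identifier; return (devices, unmatched)."""
    devices, unmatched = [], []
    for rec in records:
        keys = device_keys(rec)
        if not keys:
            unmatched.append(rec)  # surfaced for review, not turned into a phantom device
            continue
        merged = {"keys": set(keys), "sources": [], "attrs": {}}
        for dev in [d for d in devices if d["keys"] & keys]:
            merged["keys"] |= dev["keys"]
            merged["sources"] += dev["sources"]
            merged["attrs"].update(dev["attrs"])
            devices.remove(dev)
        merged["sources"].append(rec["source"])
        merged["attrs"].update({k: v for k, v in rec.items() if k not in ("source", "serial", "mac")})
        devices.append(merged)
    return devices, unmatched
```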
Slide 61: Context
● Different users need/want different levels of context
● “Make it turn green” works well for many people
Slide 62: Future work
● Additional notification channels
● Continuing user research (interviews, surveys)
● Measure long-term effectiveness
Slide 64: Thank you!
COME SAY HI
GET IN TOUCH
netflix.github.io
techblog.netflix.com
@NetflixOSS
Andrew White: andreww@netflix.com
Jesse Kriss: jkriss@netflix.com
Brooks Evans: brookse@netflix.com