Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cloud Security at Netflix

8,256 views

Published on

Published in: Technology, Business
  • Be the first to comment

Cloud Security at Netflix

  1. 1. Cloud Security @ Netflix Jason Chan chan@netflix.com SVForum Cloud and Virtualization SIG March 27, 2012
  2. 2. Jason Chan• Cloud Security Architect @ Netflix• Previously: • Most recently led security team at VMware • Primarily security consulting at @stake, iSEC Partners• Some presentations at: • http://www.slideshare.net/netflix
  3. 3. Agenda• Developing a “cloud appropriate” security model• Cloud security: challenges and advantages• APIs, Automation & the Security Monkey• A note on regulatory compliance• Takeaways
  4. 4. Developing a“Cloud Appropriate” Security Model
  5. 5. Word Association:Cloud & Security
  6. 6. Word Association:Cloud & Security
  7. 7. Word Association: Cloud & SecurityCloud• Agility• Self-service• Scale• Automation
  8. 8. Word Association: Cloud & SecurityCloud• Agility• Self-service• Scale• Automation
  9. 9. Word Association: Cloud & SecurityCloud Security• Agility • Gatekeeper• Self-service • Standards• Scale • Control• Automation • Centralized
  10. 10. General Guidelines
  11. 11. Risk-Based Approach• Not everything is equal• Understand what’s important and prioritize appropriately
  12. 12. Leverage Tooling• Build and deployment pipeline is a key point for security integration• Think integration vs. separation
  13. 13. Make Doing the Right Thing Easy • Sensible defaults • Libraries for common, but difficult, security tasks • Publish and evangelize reusable patterns
  14. 14. Embrace Self- Service, withsome Exceptions • SSL certificate management • Some firewall rules • VPC configuration • User and permissions management (IAM)
  15. 15. Cloud Security Challenges
  16. 16. SharedResponsibility• Incident response• Investigations• Compliance
  17. 17. ExistingSecurity Tools• Bad assumptions• Licensing• Node ephemerality• Thundering herd
  18. 18. KeyManagement• Untrusted infrastructure• Automated bootstrapping• Hardware security modules
  19. 19. Cloud Security Advantages
  20. 20. Build Standards& Vulnerability Management • Fewer “snowflakes” • Easier to identify problem systems • Push and kill vs. patch and nurse
  21. 21. Integrity and Activity Monitoring• No changes to running systems• Fewer production logins
  22. 22. Visibility &Reachability Analysis• Flat networking• “Nowhere to hide”• Firewall APIs
  23. 23. APIs, Automation, andthe Security Monkey
  24. 24. Common Challenges for Security Engineers
  25. 25. Common Challenges for Security Engineers• Lots of data from different sources, in different formats
  26. 26. Common Challenges for Security Engineers• Lots of data from different sources, in different formats• Too many administrative interfaces and disconnected systems
  27. 27. Common Challenges for Security Engineers• Lots of data from different sources, in different formats• Too many administrative interfaces and disconnected systems• Too few options for scalable automation
  28. 28. How do you . . .
  29. 29. How do you . . .• Add a user account?
  30. 30. How do you . . .• Add a user account?• Inventory systems?
  31. 31. How do you . . .• Add a user account?• Inventory systems?• Change a firewall config?
  32. 32. How do you . . .• Add a user account?• Inventory systems?• Change a firewall config?• Snapshot a drive for forensic analysis?
  33. 33. How do you . . .• Add a user account?• Inventory systems?• Change a firewall config?• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
  34. 34. How do you . . .• Add a user account? • CreateUser()• Inventory systems?• Change a firewall config?• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
  35. 35. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config?• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
  36. 36. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config? • AuthorizeSecurityGroup Ingress()• Snapshot a drive for forensic analysis?• Disable a multi-factor authentication token?
  37. 37. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config? • AuthorizeSecurityGroup Ingress()• Snapshot a drive for forensic analysis? • CreateSnapshot()• Disable a multi-factor authentication token?
  38. 38. How do you . . .• Add a user account? • CreateUser()• Inventory systems? • DescribeInstances()• Change a firewall config? • AuthorizeSecurityGroup Ingress()• Snapshot a drive for forensic analysis? • CreateSnapshot()• Disable a multi-factor • DeactivateMFADevice() authentication token?
  39. 39. Security Monkeyhttp://techblog.netflix.com/2011/07/netflix-simian-army.html
  40. 40. Security Monkey http://techblog.netflix.com/2011/07/netflix-simian-army.html• Centralized framework for cloud security monitoring and analysis
  41. 41. Security Monkey http://techblog.netflix.com/2011/07/netflix-simian-army.html• Centralized framework for cloud security monitoring and analysis• Leverages AWS APIs and common security tools
  42. 42. Security Monkey• Certificate monitoring• Security group monitoring• Exposed instances/applications• Web application vulnerability scanning• Upcoming: • Policy analysis (firewall, user, S3, etc.)
  43. 43. A Note on Regulatory Compliance
  44. 44. Compliance
  45. 45. ComplianceBackground
  46. 46. ComplianceBackground • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy)
  47. 47. ComplianceBackground • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy) • More conservative approach to the cloud
  48. 48. ComplianceBackground • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy) • More conservative approach to the cloud • Some architectural components are “cloud unfriendly”
  49. 49. ComplianceBackground Approach • Netflix has a variety of regulatory obligations (SOX, PCI, data privacy) • More conservative approach to the cloud • Some architectural components are “cloud unfriendly”
  50. 50. ComplianceBackground Approach • Netflix has a variety • Segregate compliance- of regulatory sensitive cloud obligations (SOX, systems PCI, data privacy) • More conservative approach to the cloud • Some architectural components are “cloud unfriendly”
  51. 51. ComplianceBackground Approach • Netflix has a variety • Segregate compliance- of regulatory sensitive cloud obligations (SOX, systems PCI, data privacy) • Limit access and • More conservative increase auditing and approach to the cloud logging • Some architectural components are “cloud unfriendly”
  52. 52. ComplianceBackground Approach • Netflix has a variety • Segregate compliance- of regulatory sensitive cloud obligations (SOX, systems PCI, data privacy) • Limit access and • More conservative increase auditing and approach to the cloud logging • Some architectural • Leverage tooling for components are auditability and “cloud unfriendly” control integration
  53. 53. Takeaways
  54. 54. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud
  55. 55. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud• Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately
  56. 56. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud• Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately• The programmability of the cloud presents an unprecedented opportunity for security teams to focus and streamline efforts
  57. 57. Takeaways• Netflix has moved most of its service infrastructure, applications, and data to the public cloud• Taking full advantage of the cloud’s benefits requires a willingness to adapt security models and methods appropriately• The programmability of the cloud presents an unprecedented opportunity for security teams to focus and streamline efforts• Understand the constraints and limitations of both security tools and cloud vendors when planning and implementing controls
  58. 58. Thanks!Questions? chan@netflix.com
  59. 59. References• http://www.slideshare.net/netflix• http://techblog.netflix.com• https://cloudsecurityalliance.org/• http://www.nist.gov/itl/cloud/index.cfm• http://www.enisa.europa.eu/activities/risk- management/files/deliverables/cloud- computing-risk-assessment

×