The final assignment in the Information Security 365/765 course I teach at UW-Madison, is for teams of students to put together company focused IT security presentations, in which they take the concepts learned in class throughout the entire semester, and apply them to a real company. Here is a sample from Team Netflix! I am proud of the students, and feel that they have gained a solid foundation in the field of information security. Another semester come and gone!

1. Team 3
Dan Tan
Derek Weisman
Leah Wetzel
Shuruthy Yogarajah
Tyler Stump
Vanessa Voss

2. “Netflix is the world’s leading Internet television
network with over 86 million members in over 190
countries enjoying more than 125 million hours of
TV shows and movies per day, including original
series, documentaries and feature films.”

3. Evolution of Netflix

4. Yesterday - Netflix announces
‘Download and Go’
https://www.youtube.com/watch?v=7Bkz5awx
wYk

5. • Netflix was invented after Blockbuster charged
co-founder, Reed Hastings, a $40 late fee on his
‘Apollo 13’ rental
• Netflix envelopes are rectangular because square
envelopes cost more to mail via USPS. If these
envelopes were square, it would have cost Netflix
an additional 225M to mail DVDs in 2011
• Netflix gathers data from BitTorrent and other
illegal pirating sites to determine which content
they will purchase for distribution via their
streaming service
Fun Facts

7. Security Tools
• Every few months, Netflix unveils a new security tool
• These started with Security Monkey and include FIDO (Fully
Integrated Defense Operation), Lemur, and Sleepy Puppy
• Coming soon is Dirty Laundry as the tenth security release

8. Power of Automation
• Being such a large company, Netflix needs to find ways to move faster
when dealing with security threats
• Their solution is automation
• Automation helps them identify compromised accounts, respond to
security incidents, and monitor security configurations in a way that is
much quicker than a manual approach
• Security personnel are alerted when an issue is detected
• That way, personnel aren’t bogged down by being alerted to every
minuscule change in the system

9. Open Company
• No BYOD Policy
• OSS (Open Source Software) for a large
amount of their software and tools
• Also have looked into innovative physical
security

11. Information Security
• These are two-fold
• Netflix has both their company data to protect as
well as the information of their customers
• Company that is completely cloud based

12. • Netflix is proactive instead of reactive
• Search for compromised accounts on sites
like Pastebin in order to protect their users
• Collaboration between engineers and
product deployment (DevOps)
• Allows issues to be communicated earlier
before they become a serious problem

14. Getting Access to Movies
• 5-step process
• User Authentication - Makes sure that the viewer is indeed a
Netflix subscriber and has the right playback privileges
• Device Authorization - Identify the device that the user is
playing from, and to ensure that the limit of six is not
exceeded

15. • Instruction Fetching - The player gets
information from the Netflix servers about
how to play the movie, and where to get the
files (only happens after device is
authorized)
• License Acquisition - Controls DRM-encoded
video and audio files.
– It is the last security step before
playback can begin, basically getting
license to decrypt the video.
• Playback - Playback can finally take place
once these constraints have been enforced.
The player talks directly to the Netflix
Streaming servers, which in turn assume
that all security concerns have already been
taken care of by the other components.
• PROBLEM? Race Condition. Once you reach
the playback session, Netflix assumes that
everything is safe. (similar to the angry bird
reference)
Attached from“Lecture Five and Six”, Nicholas Davis

17. Layers of Security
• Requests user authentication before playing
the video
• Only allowing a maximum of six playback
devices per account
• Encrypts the video content
• Providing unique decryption keys per movie
and device

18. How do they do that?
• The security checks take place over the duration of the playback experience,
and delegated to several different Netflix components and servers, each with
distinct responsibilities. (Segregation of duties)
• Microsoft Silverlight prevents cross-site scripting and makes sure that the
player only talks to Netflix servers
• Microsoft DRM component gets an individualized key for each player and
coordinates with the License server to acquire keys that are unique to the
movie and the player

19. What’s so GREAT about these different
servers?
• Information is shared between these different
servers via cookies
• By delegating tasks, these servers and client
components can focus on the particular
constraints that they have to enforce, and
assume that other constraints are checked
somewhere else
• Security on each of these servers can be
tightened as desired, when Netflix detects a
breach at a particular point
• The encryption of the video files ensures that
only players with decryption algorithm (Netflix
player) can view them
• If one of those decryption keys is compromised
then the security threat is minor, because the
keys are individualized and can only be used by
one player

21. Location
• Los Gatos, California
– Floods, earthquakes, tropical storms
• Railroad Tracks
• Highway

22. Exterior
• Light Posts
• Sidewalks
• Landscape
• Walls
• Road Entrance
• Cameras

23. Interior
• Glass Walls and Doors
– Territorial Reinforcement
• Cameras
• Front Desk Employee
– Natural Surveillance

24. Mobile Access
• From Keyfobs to Smartphones
– Digital key
• Have to know…
– Phone can be used as key
– Passcode to the phone
– How to activate the key with the app

26. Automatic Approaches
• Security Monkey
– Monitors internal security configurations
• Scumbler
– Automatic web searches
• Fully Integrated Defense Operation
– Automatic incident response

27. Detecting the Host
• Problem
– With FIDO, there hasn’t been a focus on detecting the
host
• Suggestion
– Timely DNS Resolution

29. HTTPS
• HTTP vs. HTTPS
• Encryption is critical
for ensuring safe
communication – and
personalized
communication

30. MLS
• MLS is the Best
• Superior flexibility for cross-communication

31. The Future
• Offline Mode?!?
• Potential Problem: data gaps?

33. AWS Outage
• Cloud computing

34. • What went well?
– Multiple zones – hot zones
– S3 storage
• What failed?
– Manual operations – shifting services out of zones
– ELB Load Balancing – servers down? Service lost!

35. • Chaos Monkey
– Constant simulated failures so that Netflix systems
know how to react
• Chaos Gorilla
– Total service failure as opposed to smaller,
localized breaches

37. Restrictive Legal, Regulatory, and
Compliance
• Financial
– Securities Exchange Act of 1934
– Sarbanes Oxley
• Payment Processing
– PCI DSS (Payment Card Industry Data Security Standard) Compliance
(Same)
• Content, IP, Licensing, Distribution
– Licensing contracts with TV Shows, Networks, and Studios
• 10/18/2016 - Relativity Media sued Netflix for breach of contract and libel
• NOT subject to Federal Communication Commission (FCC)
regulation
– FCC - “It is outside of open internet.”

38. Netflix’s Response to Regulation and
Compliance
• 2012 – Formed Political Action
Committee ‘FLIXPAC’
– Net Neutrality
– Bandwidth Caps
– Usage-based Billing (Canada)
– VPPA, Video Privacy Protection Act
(US)
• Supported 2012 Amendments, which
allowed video rental companies to
share rental information on social
networking sites, with customer
permission

39. Protective Legal, Regulatory, and
Compliance
• Proprietary Intellectual Property
– Protected by Patent, Trademark, Copyright, Trade
Secret Laws, Confidentiality Agreements
• Stop Online Piracy Act (SOPA)
• Protect IP Act (PIPA)
• Computer Fraud and Abuse Act (CFAA)

41. Application Overview
• Data Collected by the App:
– Sign Up - Personally Identifiable
Information (Name, Postal Address,
Email Address, Telephone Number)
– Payments - Payment Information
(Credit Card Number, Expiration,
Security Code)
– User Preferences/Profiles - Reviews,
Ratings, Account Settings
– Use Data -
• Interactions with User Interface and
Advertising
• Computer, device, and software data
• Title selections, watch history, search
queries

42. Application Security
• Application Security Best Practices:
– Container-based development > simplified development
experience
– NetflixEverywhere Global Architecture> service availability,
latency, data replication, compute capacity, and efficiency
– HTTPS > secure video streams
– Integration with Amazon Web Services
• S3 > Big Data
• Simple Email Service > Customer Emails
• ECS > Container Scheduling, Execution, and Integration
– Netflix is committed to open source.
• Big Data, Build and Delivery Tools, Common Runtime Services and
Libraries, Content Encoding, Data Persistence, Insight, Reliability,
Performance, Security, User Interface

43. External Security
• External Security Considerations
– Device
– Browser
– Internet Service Providers
– 3rd Parties
10/14/16 - “As part of our regular security monitoring, we
discovered that credentials that match your Netflix email
address and password were included in a release of email
addresses and passwords from a breach at another
company.”

44. Availability is a Priority
• On Integrity/Confidentiality:
– “We believe we use reasonable
administrative, logical, physical and
managerial measures to safeguard your
personal information against loss, theft
and unauthorized access, use and
modification. Unfortunately, no measures
can be guaranteed to provide 100%
security. Accordingly, we cannot
guarantee the security of your
information.”
• On Availability:
– “ Members can watch as much as they
want, anytime, anywhere, on nearly any
Internet-connected screen. Members can
play, pause and resume watching, all
without commercials or commitments.”

46. • Current Netflix Operations Security in place to monitor
day to day work and use are:
– Creating and maintaining user accounts and access for
data access
– Carrying out security assessments
– Limiting excessive customer data
• Customer name and billing Information aka credit card numbers-
Sensitive Customer Data
– Service Level Agreement with third party operations
provider--Indicating acceptable and unacceptable
performance and recovery baseline agreements in the
case of a breach within Netflix customer data from the
third party
• Sensitive customer data is also maintained in third parties used in
Operations for Netflix, one of their third parties is Amazon Web
Services (AWS)

47. • No threats have CURRENTLY been discovered
at Netflix concerning Operations Security
• Periodic Vulnerability Testing
– Check for new threats
– Confirm old threats
– Helps evaluate company's security posture

49. • Moved from vertically scaled operation (data centers) to
horizontally scaled highly reliable system (cloud)
– August 2008 - Netflix Database Corruptions stops operations,
could not ship DVDs
– January 2016 - Netflix operates completely on cloud
• 7 Year process to finally finish
– 8 times as many streaming members
– Cloud has supported the rapid growth
– Elasticity of Cloud allows Netflix to add thousands of virtual
servers and create storage
– Cloud cost per streaming is way cheaper then in a data center
– Can Now Stream Netflix Worldwide

50. • There were a number of outages in data
centers---reason for moving to cloud BUT
there were outages in cloud as well
– Christmas Eve of 2012
– Had issues with AWS that routes network traffic to
Netflix
– Now resolved

52. BYOD
• Netflix wants to maintain a corporate culture
that is based off of freedom and trust
• Do not incorporate BYOD security or Mobile
Device Management (MDM) software and
policies
• Netflix does not want to govern employee
owned devices
• Their tactic is to only protect the data
• Believe that extreme IT security actions will
lead to under the table action by employees

53. Threats
• Information gets transferred where it should
not be - lost devices, memorized passwords,
malware infections
• How will they address security concerns
without containerization and virtualization
through MDM

54. Problems and Suggested Change
• Problem:
– Employees may not be aware of the correct rules and
standards in which to abide for BYOD and therefore
information may end up in the wrong hands if
employees are not correctly education
• Suggestion for change:
– Set guidelines and educate employees of BYOD
expectations as a part of training and then expect
employees to follow through. Explain it is just a part of
the process of using BYOD
– Should not interrupt the corporate culture of trust
and freedom by educating employees

55. References
https://www.hidglobal.com/doclib/files/resource_files/netflix-pilot-cs-en-2012-09-24.pdf
http://blogs.wsj.com/cio/2015/06/01/how-netflix-manages-security-in-the-age-of-devops/
https://informationdiscoverydigest.com/2013/09/19/netflix-protecting-data-over-devices-byod-and-ediscovery/
http://fieldguide.gizmodo.com/stop-netflix-youtube-spotify-and-more-from-eating-u-1759395052
http://arstechnica.com/information-technology/2016/02/netflix-finishes-its-massive-migration-to-the-amazon-cloud/
https://media.netflix.com/en/company-blog/completing-the-netflix-cloud-migration
http://techblog.netflix.com/2012/12/a-closer-look-at-christmas-eve-outage.html
http://www.worldtvpc.com/blog/amazon-want-100-of-netflix-streaming-on-their-cloud/
https://ir.netflix.com/index.cfm
https://media.netflix.com/en/about-netflix
https://twitter.com/netflix/status/803962377997688832?ref_src=twsrc%5Etfw
https://www.cnet.com/news/blockbuster-laughed-at-netflix-partnership-offer/
https://www.quora.com/Why-is-the-Netflix-DVD-envelope-rectangular
http://www.forbes.com/sites/timworstall/2013/09/16/how-clever-netflix-monitors-bittorrent-to-purchase-
shows/#3b4e4b4c38cd
https://pomelollc.files.wordpress.com/2009/04/pomelo-tech-report-netflix.pdf
https://github.com/Netflix/msl/wiki/Netflix-ID-Cookies-User-Authentication
https://netflix.github.io/
https://ir.netflix.com/index.cfm