The final assignment in the Information Security 365/765 course I teach at UW-Madison is for teams of students to put together company-focused IT security presentations, in which they take the concepts learned in class throughout the entire semester and apply them to a real company. Here is a sample from Team Netflix! I am proud of the students and feel that they have gained a solid foundation in the field of information security. Another semester come and gone!
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-Madison
1. Team 3
Dan Tan
Derek Weisman
Leah Wetzel
Shuruthy Yogarajah
Tyler Stump
Vanessa Voss
2. “Netflix is the world’s leading Internet television network with over 86 million members in over 190 countries enjoying more than 125 million hours of TV shows and movies per day, including original series, documentaries and feature films.”
4. Yesterday - Netflix announces ‘Download and Go’
https://www.youtube.com/watch?v=7Bkz5awxwYk
5. Fun Facts
• Netflix was invented after Blockbuster charged co-founder, Reed Hastings, a $40 late fee on his ‘Apollo 13’ rental
• Netflix envelopes are rectangular because square envelopes cost more to mail via USPS. If these envelopes were square, it would have cost Netflix an additional 225M to mail DVDs in 2011
• Netflix gathers data from BitTorrent and other illegal pirating sites to determine which content they will purchase for distribution via their streaming service
6.
7. Security Tools
• Every few months, Netflix unveils a new security tool
• These started with Security Monkey and include FIDO (Fully Integrated Defense Operation), Lemur, and Sleepy Puppy
• Coming soon is Dirty Laundry as the tenth security release
8. Power of Automation
• Being such a large company, Netflix needs to find ways to move faster when dealing with security threats
• Their solution is automation
• Automation helps them identify compromised accounts, respond to security incidents, and monitor security configurations in a way that is much quicker than a manual approach
• Security personnel are alerted when an issue is detected
• That way, personnel aren’t bogged down by being alerted to every minuscule change in the system
9. Open Company
• No BYOD Policy
• OSS (Open Source Software) for a large
amount of their software and tools
• Also have looked into innovative physical
security
10.
11. Information Security
• Netflix’s information security responsibilities are two-fold
• Netflix has both its own company data to protect as well as the information of its customers
• It is a company that is completely cloud based
12. • Netflix is proactive instead of reactive
• Search for compromised accounts on sites like Pastebin in order to protect their users
• Collaboration between engineers and product deployment (DevOps)
• Allows issues to be communicated earlier, before they become a serious problem
13.
14. Getting Access to Movies
• 5-step process
• User Authentication - Makes sure that the viewer is indeed a Netflix subscriber and has the right playback privileges
• Device Authorization - Identifies the device that the user is playing from, and ensures that the limit of six devices is not exceeded
15. • Instruction Fetching - The player gets information from the Netflix servers about how to play the movie, and where to get the files (only happens after the device is authorized)
• License Acquisition - Controls DRM-encoded video and audio files.
– It is the last security step before playback can begin, basically getting the license to decrypt the video.
• Playback - Playback can finally take place once these constraints have been enforced. The player talks directly to the Netflix Streaming servers, which in turn assume that all security concerns have already been taken care of by the other components.
• PROBLEM? Race Condition. Once you reach the playback session, Netflix assumes that everything is safe. (similar to the Angry Birds reference)
Attached from “Lecture Five and Six”, Nicholas Davis
16.
17. Layers of Security
• Requests user authentication before playing the video
• Only allowing a maximum of six playback devices per account
• Encrypts the video content
• Providing unique decryption keys per movie and device
18. How do they do that?
• The security checks take place over the duration of the playback experience, and are delegated to several different Netflix components and servers, each with distinct responsibilities. (Segregation of duties)
• Microsoft Silverlight prevents cross-site scripting and makes sure that the player only talks to Netflix servers
• Microsoft DRM component gets an individualized key for each player and coordinates with the License server to acquire keys that are unique to the movie and the player
19. What’s so GREAT about these different servers?
• Information is shared between these different servers via cookies
• By delegating tasks, these servers and client components can focus on the particular constraints that they have to enforce, and assume that other constraints are checked somewhere else
• Security on each of these servers can be tightened as desired, when Netflix detects a breach at a particular point
• The encryption of the video files ensures that only players with the decryption algorithm (Netflix player) can view them
• If one of those decryption keys is compromised then the security threat is minor, because the keys are individualized and can only be used by one player
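The five-step flow and the per-device keys from slides 14 through 19, as an added simulation that is not Netflix's code or the students' slides: the account, secrets, key values and the HMAC-based key derivation are all constructed for the demo, and the playback stage re-verifies the license binding rather than assuming the earlier steps were done, which is the trust gap slide 15 points at.

```python
"""Added example (not Netflix code): a simulation of the five-step playback
flow on slides 14-19, with per-device individualized keys and a playback
stage that re-verifies the license instead of assuming upstream checks.
Secrets, account and content key values are constructed for the demo."""
import hashlib
import hmac

MAX_DEVICES = 6                                   # per-account limit (slide 14)
SERVER_SECRET = b"demo-license-server-secret"      # hypothetical license-server key
SUBSCRIBERS = {"alice@example.com": b"correct horse"}   # constructed; plaintext only to keep the demo short
CONTENT_KEYS = {"movie-123": b"\x11" * 16}              # constructed per-title content key


def _prf(key, *parts):
    """HMAC-SHA256 over '|'-joined parts; used for key derivation and tagging."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def device_key(device_id):
    """Individualization (slide 18): every player holds its own key."""
    return _prf(SERVER_SECRET, b"device", device_id.encode())


def authenticate(email, password):
    """Step 1, user authentication: is this a subscriber?"""
    expected = SUBSCRIBERS.get(email)
    return expected is not None and hmac.compare_digest(expected, password.encode())


def authorize_device(email, device_id, registry):
    """Step 2, device authorization: no more than six devices per account."""
    devices = registry.setdefault(email, set())
    if device_id not in devices and len(devices) >= MAX_DEVICES:
        return False
    devices.add(device_id)
    return True


def fetch_instructions(movie_id):
    """Step 3, instruction fetching: runs only after the device is authorized."""
    return {"movie": movie_id, "cdn": f"https://cdn.example/{movie_id}.mp4"}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def issue_license(movie_id, device_id):
    """Step 4, license acquisition: the content key wrapped for one device and
    tagged by the license server, so it is useless to any other player."""
    wrapped = _xor(CONTENT_KEYS[movie_id], _prf(device_key(device_id), b"wrap", movie_id.encode()))
    tag = _prf(SERVER_SECRET, b"lic", movie_id.encode(), device_id.encode(), wrapped)
    return {"movie": movie_id, "device": device_id, "wrapped_key": wrapped, "tag": tag}


def playback(license_, device_id):
    """Step 5, playback. Slide 15's concern is that this stage trusts the
    earlier ones; here it re-checks the license binding before unwrapping."""
    movie = license_["movie"].encode()
    expected = _prf(SERVER_SECRET, b"lic", movie, device_id.encode(), license_["wrapped_key"])
    if license_["device"] != device_id or not hmac.compare_digest(expected, license_["tag"]):
        return False
    key = _xor(license_["wrapped_key"], _prf(device_key(device_id), b"wrap", movie))
    return key == CONTENT_KEYS[license_["movie"]]   # stands in for "decryption succeeds"


def run_flow(email, password, device_id, movie_id, registry):
    """Run the five steps in order; return (step reached, success)."""
    if not authenticate(email, password):
        return ("auth", False)
    if not authorize_device(email, device_id, registry):
        return ("device", False)
    fetch_instructions(movie_id)
    return ("playback", playback(issue_license(movie_id, device_id), device_id))
```

A license issued to one device fails on any other device for two independent reasons: the tag is bound to the device id, and the wrapped key only unwraps under that device's own key.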
20.
21. Location
• Los Gatos, California
– Floods, earthquakes, tropical storms
• Railroad Tracks
• Highway
23. Interior
• Glass Walls and Doors
– Territorial Reinforcement
• Cameras
• Front Desk Employee
– Natural Surveillance
24. Mobile Access
• From Keyfobs to Smartphones
– Digital key
• Have to know…
– Phone can be used as key
– Passcode to the phone
– How to activate the key with the app
34. • What went well?
– Multiple zones – hot zones
– S3 storage
• What failed?
– Manual operations – shifting services out of zones
– ELB Load Balancing – servers down? Service lost!
35. • Chaos Monkey
– Constant simulated failures so that Netflix systems know how to react
• Chaos Gorilla
– Total service failure as opposed to smaller, localized failures
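The multi-zone fleet, the load-balancer failure and the two chaos tools from slides 34 and 35, as an added toy model that is not Netflix's code: zone names, instance counts, capacities and demand are constructed, and the load balancer's health-check behaviour is a simplifying assumption.

```python
"""Added example (not Netflix code): a toy model of the multi-zone fleet, ELB
health checks and the Chaos Monkey / Chaos Gorilla failure injection described
on slides 34-35. Zone names, instance counts, capacities and demand are
constructed for the demo."""
import random


class Fleet:
    """Instances spread across availability zones behind one load balancer."""

    def __init__(self, zones, per_zone, capacity_per_instance):
        self.zones = list(zones)
        self.capacity = capacity_per_instance        # requests/s per instance
        self.up = {(z, n): True for z in self.zones for n in range(per_zone)}

    def healthy(self):
        return [inst for inst, ok in self.up.items() if ok]

    def chaos_monkey(self, rng):
        """Terminate one random running instance (Chaos Monkey)."""
        victim = rng.choice(self.healthy())
        self.up[victim] = False
        return victim

    def chaos_gorilla(self, zone):
        """Take an entire zone offline at once (Chaos Gorilla)."""
        for inst in self.up:
            if inst[0] == zone:
                self.up[inst] = False

    def serve(self, demand, health_checks=True):
        """Fraction of `demand` requests/s actually served.
        With health checks the ELB routes only to live instances; without
        them it keeps sending an equal share to dead ones, which is the
        'servers down? Service lost!' failure on slide 34."""
        targets = self.healthy() if health_checks else list(self.up)
        if not targets:
            return 0.0
        share = demand / len(targets)
        served = sum(min(share, self.capacity) for t in targets if self.up[t])
        return served / demand


def tolerates_zone_loss(zones, per_zone, capacity, demand):
    """Sizing check: can the fleet still meet `demand` after Chaos Gorilla
    removes one whole zone and Chaos Monkey removes one more instance?"""
    remaining = per_zone * (len(zones) - 1) - 1
    return remaining * capacity >= demand


def demo(seed=1):
    """Replay the slide-34/35 scenarios; returns served fractions per step."""
    rng = random.Random(seed)
    zones = ["zone-a", "zone-b", "zone-c"]
    fleet = Fleet(zones, per_zone=4, capacity_per_instance=100)
    demand = 800
    results = {"baseline": fleet.serve(demand)}
    victim = fleet.chaos_monkey(rng)
    results["after_monkey"] = fleet.serve(demand)
    results["after_monkey_no_health_checks"] = fleet.serve(demand, health_checks=False)
    lost_zone = next(z for z in zones if z != victim[0])   # kill a different zone
    fleet.chaos_gorilla(lost_zone)
    results["after_gorilla"] = fleet.serve(demand)
    return results
```

The sizing check shows why "multiple zones" alone is not enough: twelve instances across three zones carry 800 requests/s in steady state, but lose 12.5% of traffic once a whole zone plus one more instance is gone.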
36.
37. Restrictive Legal, Regulatory, and
Compliance
• Financial
– Securities Exchange Act of 1934
– Sarbanes Oxley
• Payment Processing
– PCI DSS (Payment Card Industry Data Security Standard) Compliance
(Same)
• Content, IP, Licensing, Distribution
– Licensing contracts with TV Shows, Networks, and Studios
• 10/18/2016 - Relativity Media sued Netflix for breach of contract and libel
• NOT subject to Federal Communication Commission (FCC)
regulation
– FCC - “It is outside of open internet.”
38. Netflix’s Response to Regulation and
Compliance
• 2012 – Formed Political Action
Committee ‘FLIXPAC’
– Net Neutrality
– Bandwidth Caps
– Usage-based Billing (Canada)
– VPPA, Video Privacy Protection Act
(US)
• Supported 2012 Amendments, which
allowed video rental companies to
share rental information on social
networking sites, with customer
permission
39. Protective Legal, Regulatory, and
Compliance
• Proprietary Intellectual Property
– Protected by Patent, Trademark, Copyright, Trade
Secret Laws, Confidentiality Agreements
• Stop Online Piracy Act (SOPA)
• Protect IP Act (PIPA)
• Computer Fraud and Abuse Act (CFAA)
40.
41. Application Overview
• Data Collected by the App:
– Sign Up - Personally Identifiable
Information (Name, Postal Address,
Email Address, Telephone Number)
– Payments - Payment Information
(Credit Card Number, Expiration,
Security Code)
– User Preferences/Profiles - Reviews,
Ratings, Account Settings
– Use Data -
• Interactions with User Interface and
Advertising
• Computer, device, and software data
• Title selections, watch history, search
queries
42. Application Security
• Application Security Best Practices:
– Container-based development > simplified development
experience
– NetflixEverywhere Global Architecture> service availability,
latency, data replication, compute capacity, and efficiency
– HTTPS > secure video streams
– Integration with Amazon Web Services
• S3 > Big Data
• Simple Email Service > Customer Emails
• ECS > Container Scheduling, Execution, and Integration
– Netflix is committed to open source.
• Big Data, Build and Delivery Tools, Common Runtime Services and
Libraries, Content Encoding, Data Persistence, Insight, Reliability,
Performance, Security, User Interface
43. External Security
• External Security Considerations
– Device
– Browser
– Internet Service Providers
– 3rd Parties
10/14/16 - “As part of our regular security monitoring, we discovered that credentials that match your Netflix email address and password were included in a release of email addresses and passwords from a breach at another company.”
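The proactive check behind slide 12 (searching leaked credential dumps on sites like Pastebin) and the notice quoted on slide 43, as an added example that is not Netflix's code: the subscriber accounts, the dump text and the PBKDF2 work factor are constructed for the demo, and matching is done against salted hashes so customer passwords are never kept in the clear.

```python
"""Added example (not Netflix code): proactively match a leaked
'email:password' dump against subscriber accounts, as slides 12 and 43
describe, without ever storing customer passwords in the clear.
All accounts and the dump below are constructed for the demo."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the demo


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of a password; what the account store keeps."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store(accounts):
    """Build {email: (salt, hash)}; plaintext is seen only at account creation."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


def parse_dump(text):
    """Yield (email, password) pairs from a paste; tolerate comments and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        if "@" in email and password:
            yield email, password


def find_reused_credentials(store, dump_text):
    """Return subscriber emails whose leaked password is their current password.
    A leaked password that differs from the stored one needs no action."""
    hits = set()
    for email, password in parse_dump(dump_text):
        record = store.get(email)
        if record is None:
            continue                     # not a subscriber
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            hits.add(email)
    return sorted(hits)


# Constructed subscriber accounts and a constructed third-party breach dump.
DEMO_ACCOUNTS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "bobs-unique-passphrase",
}
DEMO_DUMP = """# dump from an unrelated site (constructed)
Alice@Example.com:correct horse battery
bob@example.com:password123
carol@example.com:letmein
this line is garbage
"""


def demo():
    """Accounts to force-reset and notify, in the spirit of the slide-43 email."""
    return find_reused_credentials(make_user_store(DEMO_ACCOUNTS), DEMO_DUMP)
```

Only accounts whose leaked password still verifies against the stored hash are flagged; an email that merely appears in the dump with a different password is left alone.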
44. Availability is a Priority
• On Integrity/Confidentiality:
– “We believe we use reasonable administrative, logical, physical and managerial measures to safeguard your personal information against loss, theft and unauthorized access, use and modification. Unfortunately, no measures can be guaranteed to provide 100% security. Accordingly, we cannot guarantee the security of your information.”
• On Availability:
– “Members can watch as much as they want, anytime, anywhere, on nearly any Internet-connected screen. Members can play, pause and resume watching, all without commercials or commitments.”
45.
46. • Current Netflix Operations Security measures in place to monitor day-to-day work and use are:
– Creating and maintaining user accounts and access for data access
– Carrying out security assessments
– Limiting excessive customer data
• Customer name and billing information (i.e., credit card numbers) are Sensitive Customer Data
– Service Level Agreement with third-party operations provider, indicating acceptable and unacceptable performance and recovery baseline agreements in the case of a breach of Netflix customer data at the third party
• Sensitive customer data is also maintained by third parties used in Operations for Netflix; one of their third parties is Amazon Web Services (AWS)
47. • No threats have CURRENTLY been discovered at Netflix concerning Operations Security
• Periodic Vulnerability Testing
– Check for new threats
– Confirm old threats
– Helps evaluate the company's security posture
48.
49. • Moved from a vertically scaled operation (data centers) to a horizontally scaled, highly reliable system (cloud)
– August 2008 - Netflix database corruption stops operations; could not ship DVDs
– January 2016 - Netflix operates completely on the cloud
• 7-year process to finally finish
– 8 times as many streaming members
– The cloud has supported the rapid growth
– Elasticity of the cloud allows Netflix to add thousands of virtual servers and create storage
– Cloud cost per stream is far cheaper than in a data center
– Can now stream Netflix worldwide
50. • There were a number of outages in data centers (the reason for moving to the cloud), BUT there were outages in the cloud as well
– Christmas Eve of 2012
– Had issues with the AWS component that routes network traffic to Netflix
– Now resolved
51.
52. BYOD
• Netflix wants to maintain a corporate culture that is based on freedom and trust
• Does not use BYOD security or Mobile Device Management (MDM) software and policies
• Netflix does not want to govern employee-owned devices
• Their tactic is to protect only the data
• Believe that extreme IT security actions will lead to under-the-table workarounds by employees
53. Threats
• Information gets transferred where it should not be - lost devices, memorized passwords, malware infections
• How will they address security concerns without containerization and virtualization through MDM?
54. Problems and Suggested Change
• Problem:
– Employees may not be aware of the correct rules and standards to abide by for BYOD, and therefore information may end up in the wrong hands if employees are not correctly educated
• Suggestion for change:
– Set guidelines and educate employees about BYOD expectations as a part of training, and then expect employees to follow through. Explain that it is just a part of the process of using BYOD
– Educating employees should not interrupt the corporate culture of trust and freedom