Netflix Cloud Security Overview
Amazon Web Services
Will Bengtson, Netflix
1.
Netflix Security Overview
Will Bengtson, Senior Cloud Security Engineer
2.
whoami
● Senior Security Engineer - Security Tools and Operations
● Raytheon -> Cigital -> Lockheed -> Nuna -> Netflix
● Security BSides
● OWASP Bay Area
● Go Giants!
3.
Welcome to
In the heart of Silicon Valley. Source of major technological innovation! Not a Tech Company!
4.
About Us
● 100M+ Subscribers
● 1000s devices
● Worldwide reach
● 3 global regions
● Global CDN
● ⅓ of US Bandwidth at Peak
● 100M+ hours of TV
● Netflix Originals
5.
Culture
What makes Netflix cool and different? Our culture
- Freedom and Responsibility
- Context not Control
- Loosely Coupled yet Highly Aligned
See also: Netflix Culture Slide Deck on jobs.netflix.com
6.
100(0)'s of developers
1000's of applications
100k+ instances
200+ code deployments a day
7.
Security, the enabler!
● Not a gatekeeper
● Partner with developers
● Abstract difficulties
● Find faults before they are deployed
● Find faults ASAP when they are deployed
● Automate Everything
8.
But we aren't in the cloud!
The real challenges:
Dynamic environment
Huge scale
Diverse applications
9.
Traditional -> My other computer is the cloud (AWS)
Firewall -> Security Group
RBAC -> IAM Role
Cluster -> Auto Scaling Group
Syslog -> Cloudwatch
VLAN -> VPC
Datacenter -> Region
10.
Traditional -> AWS
Server -> EC2 Instance
Big Server -> EC2 Instance
Oracle/MySQL -> AWS RDS
Message Queue -> SQS/SNS
NoSQL/K:V -> Dynamo
Hadoop -> EMR
Source Code -> GitHub*/CodeCommit
11.
Traditional -> AWS
RedHat/Ubuntu -> RedHat/Ubuntu
Windows -> Windows
LDAP, AAA, SSO -> LDAP, AAA, SSO
File server -> Virtual FS, EFS, S3
Everything else -> Probably has an AMI
12.
Typically, how do you:
● Create a user account -> CreateUser()
● Inventory your systems -> DescribeInstances()
● Update a firewall config -> AuthorizeSecurityGroupIngress()
● Make a forensic image -> CreateSnapshot()
● Disable a MFA token -> DeactivateMFADevice()
13.
Key Challenges
Many applications, many different security needs
Developers have very open access, implement their own security
Cloud Security has to monitor up to 100k+ instances
Small security teams, many customers
14.
Strategies/Bets
● Focus on enabling Netflix to innovate while effectively managing business risk
● Facilitate engineering and operational agility with creative security solutions
● Integrate security controls with existing tools, processes, systems, and constructs
● Guardrails rather than gates - allow Netflix to move fast while staying safe and minimize the idea of 'security approvals' or 'roadblocks'
15.
Strategies/Bets
● Seek to seamlessly integrate preventive techniques, enable broad detective capabilities, and maintain the ability to rapidly respond to and recover from security incidents
● Use a risk-based approach to allocate resources and prioritize efforts - in other words, not everything can be protected equally, and trade-offs must be made (and we make these trade-offs explicit)
● Emphasize internal and external communication and data sharing to benefit efficacy, cross-pollination, team development, and recruiting
16.
Successful Methodologies
Gather as much data as we can, automatically
Keep that data updated, automatically
Analyze the data and alert on highest risk or interest issues
Provide feedback mechanisms to developers
Determine what we haven't automated yet
Determine what we haven't made easier for our developers yet
17.
AWS Organizations
18.
Root Account MFA
19.
IAM
● Baseline IAM Policy for all applications
● Error on permissive side and dial back later
● Maintain consistency across accounts
20.
Spinnaker
Continuous Deployment for the Enterprise
21.
Immutable Infrastructure
22.
Base AMI
23.
CloudTrail
24.
VPC Flow Logs
25.
Security Groups
● Central Services
● Cluster
● ELB
26.
ELB/ALB
27.
Cloudwatch Event Rules
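The API-call view of operations in slide 12 is also what CloudTrail records and what a Cloudwatch Event Rule can match on. As an added example (not from the deck and not Netflix tooling), this Python triages a few constructed CloudTrail-style records for the calls a small security team would want to see first: root account activity (slide 18), an MFA device being deactivated, and a security group rule opened to the whole internet. The field names follow the CloudTrail record format; the account id, ARNs and resource ids are made up.

```python
# Constructed CloudTrail-style records (made-up account, ARNs and ids);
# the field names follow the real CloudTrail record format.
SAMPLE_RECORDS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/InventoryRole/i-0abc"},
     "requestParameters": {}},
    {"eventName": "DeactivateMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::111122223333:mfa/alice"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevRole/bob"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"volumeId": "vol-0fed"}},
]


def world_open_ports(params):
    """(fromPort, toPort) pairs an AuthorizeSecurityGroupIngress call opens to 0.0.0.0/0."""
    opened = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                opened.append((perm.get("fromPort"), perm.get("toPort")))
    return opened


def triage(records):
    """Return (alert_type, detail, actor_arn) tuples; routine calls such as DescribeInstances yield nothing."""
    alerts = []
    for rec in records:
        name, who = rec["eventName"], rec["userIdentity"]
        params = rec.get("requestParameters") or {}
        if who.get("type") == "Root":  # slide 18: the root account should be MFA'd and idle
            alerts.append(("root-activity", name, who["arn"]))
        if name == "DeactivateMFADevice":
            alerts.append(("mfa-disabled", params.get("userName"), who["arn"]))
        if name == "AuthorizeSecurityGroupIngress":
            for lo, hi in world_open_ports(params):
                alerts.append(("sg-open-to-world",
                               f"{params.get('groupId')}:{lo}-{hi}", who["arn"]))
    return alerts
```

Run over the sample, `triage` returns three alerts and stays silent on the inventory call; the same function applies unchanged to records delivered by a Cloudwatch Event Rule, since the event detail carries the same fields.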
28.
Lambda
● Dangerous
● Scales Nicely
● Careful with VPC Lambda
29.
ChatOps
30.
31.
32.
33.
34.
35.
Strong set of tools, still growing
Various groups develop new tools
Many are Open Sourced
36.
Cryptex
Crypto framework
Provides APIs for developers
Provides simpler access to hosted Hardware Security Modules
37.
Awwwdit/Overwatch
Collects metadata from all our accounts
Reports about all of our environment
38.
Lazy Falcon
API to access IP address information
Interfaces with threat intel feeds
GeoIP and blacklist management
39.
Sketchy
Screenshotter
API oriented, safe(ish), website screenshot tool
Best effort at taking screenshots of "modern" websites
Scalable
A "safer" way to see what's on a website
Open Sourced!
40.
Sleepy Puppy
XSS scripting scanning framework
Async XSS trigger listening server
Massive functionality
Open sourced!
41.
FIDO
Automates much of the initial incident response of systems
Open Sourced!
42.
Speedbump
Real time analysis of edge traffic
Identifies hostile traffic, pushes rules to the edge for blocking/throttling
43.
Ongoing Research and Development
44.
Summary
What is old is new again
The "cloud" is just another datacenter implementation, just bigger
Automate everything
Monitor to watch for unexpected changes
Analyze existing control, derive new controls
Scan everything, and then scan it again
Keep an eye outwards for OSINT
Make things easier on developers -- if it is easy, they will use it
45.
Questions?
https://www.github.com/netflix
https://www.github.com/netflix-skunkworks
46.
Chaos Monkey
- Kills instances, developers develop for failure
- Kills entire regions, developers develop for massive failure
47.
Security Monkey
Monitors the security environment
Alerts on changes
Alerts on bad things
Provides history
48.
RepoMan
Monitors actual usage by roles/users
Identifies what can be minimized for least privilege
49.
Aardvark
Makes AWS Access Advisor information available via API for use by Repokid
50.
Repokid
Identifies what can be right-sized for least privilege
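Slides 48 to 50 describe the loop that Aardvark and Repokid close: compare what a role is allowed to do with what Access Advisor says it actually used, then trim the rest. As an added illustration (not Repokid's own code), this Python performs that comparison on a constructed role policy and a constructed service-last-accessed table; the policy, the timestamps and the 90-day idle window are assumptions, and the per-service "last authenticated" shape mirrors what Access Advisor reports.

```python
from datetime import datetime, timedelta

# Constructed role policy (not a real Netflix role).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "sns:Publish"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]}
# Constructed service -> last-authenticated timestamp, in the per-service shape
# Access Advisor reports (None means the role never called that service).
LAST_ACCESSED = {"s3": "2017-06-20T10:00:00Z", "sqs": None,
                 "dynamodb": "2017-01-05T08:30:00Z", "sns": "2017-06-21T00:00:00Z",
                 "ec2": "2017-06-01T12:00:00Z"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def actions_of(stmt):
    """Normalise a statement's Action field (string or list) to a list."""
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]


def unused_services(policy, last_accessed, now_ts, max_idle_days=90):
    """Service prefixes the policy grants that were never used, or not used inside the window."""
    cutoff = parse_ts(now_ts) - timedelta(days=max_idle_days)
    granted = {a.split(":", 1)[0] for s in policy["Statement"] for a in actions_of(s) if ":" in a}
    stale = set()
    for svc in granted:
        ts = last_accessed.get(svc)
        if ts is None or parse_ts(ts) < cutoff:
            stale.add(svc)
    return stale


def right_size(policy, last_accessed, now_ts, max_idle_days=90):
    """Copy of the policy with every Allow action on an unused service dropped."""
    stale = unused_services(policy, last_accessed, now_ts, max_idle_days)
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":  # never loosen a Deny by trimming it
            statements.append(stmt)
            continue
        # a bare "*" has no service prefix and is kept for a human to decide on
        kept = [a for a in actions_of(stmt) if ":" not in a or a.split(":", 1)[0] not in stale]
        if kept:  # statements emptied by the trim disappear entirely
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}
```

With "now" at 2017-06-30, sqs (never used) and dynamodb (last used in January) are reported stale, the sqs statement disappears, and the dynamodb action is cut out of its shared statement while sns:Publish stays.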
51.
Security Grouper
Security Group management tool
Object model for security group
Identifies errors with security groups
Archives, syncs, and builds security groups
52.
Lemur
x509 Certificate management package
Internal CA
External CA
Interfaces with Services
Super simple for developers
53.
Rollie Pollie
Manages roles over our AWS accounts
54.
Monterey
- Discovers all of the services and systems
- Scans the systems, constantly
- Plugins for nmap, Arachni
- Scalable, chainable
55.
Scumblr
Initially, Framework for gathering OSINT
Growing framework for workflows
Integrates with Monterey and other scanning sources
56.
Penguin Shortbread
Automated risk analysis tool
Analyzes system dependencies and applies risk profiles
57.
Meechum
Single Sign-On