SLIDE 1 Fast Forward
Reflecting on a Life of Watching Movies and a Career in Security
Jason Chan VP, Information Security @ Netflix @chanjbs
SLIDE 2
SLIDE 3
SLIDE 4 Credit: @LoulouHoltz
SLIDE 5
SLIDE 6
SLIDE 7
SLIDE 8
SLIDE 9
So . . . what does this have to do with security?
SLIDE 10
SLIDE 11
SLIDE 12
SLIDE 13
SLIDE 14
SLIDE 15
SLIDE 16
SLIDE 17 Credit: @matt_tesauro
SLIDE 18
Back to the movies . . .
SLIDE 19
SLIDE 20 Core Functionality
Non-Functional Requirements: Security, Migrations, Upgrades, Other Campaigns, Change, Deployment, Infrastructure, Technology Standards, Operations Basics, Observability, Performance, Reliability, Scalability
SLIDE 21
Reducing Cognitive Load for Developers
SLIDE 22
SLIDE 23
SLIDE 24
SLIDE 25
Simplifying the Security Interface for Developers
SLIDE 26 Are you trying to make your engineers security experts? Or do you just want them to build and
SLIDE 27
What security functions can we abstract to simplify the developer experience?
SLIDE 28
Netflix Studio Engineering
SLIDE 29
SLIDE 30
SLIDE 31
Netflix Studio Engineering
Optimize production from “pitch to play”
Lots of innovation and iteration
SLIDE 32 Netflix Studio Apps (diagram): Netflix Studio User → Studio LOB App A ... Studio LOB App N
SLIDE 33
Simplify and Improve Security through Functionality Abstraction
SLIDE 34 Leverage Netflix OSS - Zuul
“built to enable dynamic routing, monitoring, resiliency and security”
https://github.com/Netflix/zuul/wiki
SLIDE 35 Netflix Studio Apps with Zuul and Wall-E (diagram): Netflix Studio User → Wall-E → Studio LOB App A ... Studio LOB App N
Wall-E pre-filters: Rate Limit, IP Blacklist, Authentication, Authorization, SigSci WAF, Schema Check
Wall-E post-filters: Schema Check, Sec Headers, DLP
SLIDE 36
SLIDE 37 Results
Lower cognitive load for
Centralized and managed functionality
Frees developers to build the Netflix Studio!
SLIDE 38
SLIDE 39
Monolith to microservices: network
Immutable infra: OS, custom app, middleware
Infra as code: Everything!
Blurring Lines: App and Infra
SLIDE 40
Tackling App and Infra Integration: Seamless Least Privilege
SLIDE 41 The Magic of IaaS: Instances, Hadoop, Email, Services, Storage, Database, Message Queue
SLIDE 42
Ex: Cloud Based Word Processor
SLIDE 43
Ex: Cloud Based Word Processor
{
  "Effect": "Allow",
  "Action": ["*:*"],
  "Resource": "*"
}
SLIDE 44
Ex: Cloud Based Word Processor
{
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": "*"
}
SLIDE 45
Ex: Cloud Based Word Processor
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "*"
}
SLIDE 46
Ex: Cloud Based Word Processor
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::wp_bucket"
}
SLIDE 47
SLIDE 48
AWS provides data about API use
This data acts as a basis for action
SLIDE 49
When a new application is created, we provide a base set of permissions
s3:GetObject s3:PutObject ... ... ... ... sqs:ReceiveMessage
SLIDE 50
We observe the application to see which permissions are actually used
SLIDE 51
We then remove unused permissions
s3:GetObject s3:PutObject ... ... ... ... sqs:ReceiveMessage
SLIDE 52
We then remove unused permissions
s3:GetObject s3:PutObject ... ... ... ... sqs:ReceiveMessage
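The observe-then-remove loop above, as an added example (not Repokid's code and not from the deck): a constructed base permission set and constructed CloudTrail-style usage records are compared, unused actions are dropped, and two guards keep the reduction low-risk by refusing to remove anything before a minimum observation window or when no usage data arrived at all; wildcard actions are kept if any call under that service was seen.

```python
import fnmatch
import json

# Constructed sample: the base permission set granted to a new app
BASE_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "sqs:SendMessage", "sqs:ReceiveMessage", "dynamodb:GetItem",
]

# Constructed sample of observed API usage, shaped like CloudTrail
# eventSource/eventName pairs (only the fields this example needs)
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "sqs.amazonaws.com", "eventName": "ReceiveMessage"},
]


def used_actions(events):
    """Map CloudTrail-style records to IAM action strings such as 's3:GetObject'."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def repo_policy(base_actions, events, observed_days, min_days=90):
    """Split base_actions into (kept, removed) based on observed use.

    Nothing is removed before the app has been observed for min_days, and
    nothing is removed when no usage data exists at all: an empty feed
    usually means the telemetry broke, not that the app is idle.
    A wildcard such as 's3:*' is kept if any matching call was observed.
    """
    if observed_days < min_days or not events:
        return list(base_actions), []
    used = used_actions(events)
    kept = [a for a in base_actions
            if any(fnmatch.fnmatchcase(u, a) for u in used)]
    removed = [a for a in base_actions if a not in kept]
    return kept, removed


def statement(actions, resource="*"):
    """Build an IAM statement fragment in the form the slides use."""
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}


if __name__ == "__main__":
    kept, removed = repo_policy(BASE_ACTIONS, OBSERVED_EVENTS, observed_days=120)
    print("removed:", removed)
    print(json.dumps(statement(kept), indent=2))
```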
SLIDE 53
Available as OSS - Repokid
https://github.com/Netflix/repokid
SLIDE 54
SLIDE 55
Results
- Low-risk access reduction
- Transparent and versioned ops
- Innovation and high-velocity development without friction
SLIDE 56
SLIDE 57
Potential for “Controlled” Anarchy
- Microservices
- YBIYRI (you build it, you run it)
- Polyglot and multiple tech stacks
- Independent deployments
Intentionally decentralized governance leads to increased attack surface
SLIDE 58
SLIDE 59
SLIDE 60
Managing the Anarchy
SLIDE 61
SLIDE 62
- Well-supported solutions from central teams
- Clarifies and evangelizes successful patterns and practices
- Automated observation and evaluation of adoption
- Provides a standard way of interfacing with engineering teams about security
- Uncover risk and reward operational excellence
The Security Paved Road
SLIDE 63
Security Paved Road (ex.)
Example Solutions & Measures
- Per-app IAM role
- Per-app Security Group
- No secrets in code
- Instance identity
- Updated machine image
SLIDE 64
Security Paved Road
Quarterly Change Cycle
Commit to update once per quarter to pull in upgrades, library changes, and modifications to paved road components
SLIDE 65
SLIDE 66
Security Paved Road
Security Brain
Make our expectations, asks, and recommendations explicit and easy to navigate
SLIDE 67
- Customized view for the user
- Open security issues
- Recommended practices
SLIDE 68
Most security backlog is standard; explicitly limit bespoke/custom backlog
SLIDE 69
SLIDE 70
SLIDE 71
In closing . . .
SLIDE 72
Overall Takeaways
- Stay attuned to trends
- Simplify and standardize
- Favor transparent decisions
- Measure adoption and uptake
- Get comfortable with tradeoffs
SLIDE 73
Thank you! @chanjbs