
Platform Security at Netflix: Securing Microservices from the Ground Up

AWS Loft SF, July 2015. Deploying large-scale applications as a collection of loosely coupled microservices has many benefits. However, ensuring security across this kind of environment is challenging. This talk describes how the Platform Security team at Netflix is addressing these challenges without impacting developer velocity or adding unnecessary friction. We will discuss our foundational security services that leverage trust from AWS, and how we build up from these services to improve security throughout the Netflix ecosystem.

https://www.youtube.com/watch?v=62TDmRR66KQ

Bryan Payne

July 08, 2015

Transcript

  1. Platform Security at Netflix
     Securing Microservices From The Ground Up
     Bryan D. Payne, Engineering Manager, Platform Security

  2. Platform Security Overview
     Diagram: Microservices in the Cloud (Device or Browser; Netflix Open Connect Appliance; callouts 1 and 2)
     Diagram labels: AWS Mgmt; Security Tools; Code Review; Forensics / IR; IT Security; Content Protection; Device Security
     Platform Security: Foundational Security Services; Security in Common Platform; Security by Default in base AMI

  3. Classic Security
     Diagram (layered model): Security Kernel (hardware); Security Kernel (software); Operating System; Applications; Users
     Trusted Services vs. Untrusted Services
     Great Unknown: Hardware Platform; Physical Security; Malicious Insider; Supply Chain; Firmware; Side Channel Leaks
     Adapted from Building A Secure Computer System by Morrie Gasser (1988)

  4. Classic Security via AWS
     Trusted Services (AWS): CloudHSM; Instance Metadata Signature; Identity & Access Management
     Great Unknown: Hypervisor; Hardware Platform; Physical Security; Malicious Insider; Key Management; Supply Chain; Firmware; Side Channel Leaks
     Trusted Services (Netflix): Secret Deployment Service; Self-Service CA; Crypto / Key Management Service

  5. Securing the Platform
     Diagram: Eureka Server(s) (several); App Service (auth-service); Karyon; Web App Front End (Rest Services); Call "Auth Service"; Ribbon REST client with Eureka; Fallback Implementation; Hystrix; Microservice Implementation; execute auth-service call

  6. Securing the Bakery
     Diagram: Ubuntu Trusty Repository; Deploy Baked Image; AWS Account(s) (several)
     Bakery Pipeline: Lightweight Base OS Installation; Netflix Common Dependencies; Application Package

  7. Ubiquitous Security
     • Partner with other teams
     • Make security transparent (or easy)
     • Focus on common components
     • Also focus on strategic risks
     Diagram (Platform Security cycle): Review; Implement; Deploy; Report
     Diagram labels: Service Creation; Service Maintenance; Security Audit; IR / Forensics; Plan Security Improvements; Security Services; Security Defaults

  8. Questions?
     bryanp@netflix.com
     https://www.linkedin.com/in/bdpayne
     [PS… I’m hiring!]