Platform Security at Netflix: Securing Microservices from the Ground Up

AWS Loft SF, July 2015. Deploying large-scale applications as a collection of loosely coupled microservices has many benefits. However, ensuring security across this kind of environment is challenging. This talk describes how the Platform Security team at Netflix is addressing these challenges without impacting developer velocity or adding unnecessary friction. We will discuss our foundational security services that leverage trust from AWS, and how we build up from these services to improve security throughout the Netflix ecosystem.


Bryan Payne

July 08, 2015


  1. Platform Security at Netflix: Securing Microservices From The Ground Up. Bryan D. Payne, Engineering Manager, Platform Security.
  2. Platform Security Overview. Diagram: Device or Browser; Microservices in the Cloud; Netflix Open Connect Appliance. Other security functions: AWS Mgmt; Security Tools; Code Review; Forensics / IR; IT Security; Content Protection; Device Security. Platform Security: Foundational Security Services; Security in Common Platform; Security by Default in base AMI.
  3. Classic Security. Layered diagram labels: Trusted Services; Great Unknown; Hardware Platform; Security Kernel (hardware); Security Kernel (software); Operating System; Applications; Users. Risks shown: Physical Security; Malicious Insider; Supply Chain; Firmware; Side Channel Leaks; Untrusted Services. Adapted from Building A Secure Computer System by Morrie Gasser (1988).
  4. Classic Security via AWS. Diagram labels: CloudHSM; Instance Metadata Signature; Identity & Access Management; Key Management; Trusted Services (AWS); Great Unknown; Hypervisor; Hardware Platform; Physical Security; Malicious Insider; Supply Chain; Firmware; Side Channel Leaks. Trusted Services (Netflix): Secret Deployment Service; Self-Service CA; Crypto / Key Management Service.
  5. Securing the Platform. Diagram: Eureka Server(s) (several); App Service (auth-service) on Karyon; Web App Front End (REST Services) calling "Auth Service" via a Ribbon REST client with Eureka; Fallback Implementation via Hystrix; Microservice Implementation that executes the auth-service call.
  6. Securing the Bakery. Diagram: Ubuntu Trusty Repository; Bakery Pipeline (Lightweight Base OS Installation, Netflix Common Dependencies, Application Package); Deploy Baked Image to AWS Account(s) (several).
  7. Ubiquitous Security. Partner with other teams; Make security transparent (or easy); Focus on common components; Also focus on strategic risks. Lifecycle diagram labels: Service Creation; Implement; Deploy; Service Maintenance; Report; Platform Security Review; Security Audit; IR / Forensics; Plan Security Improvements; Security Services; Security Defaults.
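As an added illustration (not code from the talk or from Netflix) of the bootstrap-trust idea slide 4 names, where an instance proves its identity through the signed instance metadata before a secret deployment service releases anything to it: a Go verifier that checks the signature over the identity document before trusting its account and region fields. The RSA key, the JSON document, the instance and account IDs and the allowlist are all constructed for the example; in production the signer would be AWS, not a locally generated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// IdentityDoc: the identity-document fields checked before secrets are released.
type IdentityDoc struct {
	InstanceID string `json:"instanceId"`
	AccountID  string `json:"accountId"`
	Region     string `json:"region"`
}

// VerifyIdentity checks the RSA-SHA256 (PKCS#1 v1.5) signature over the raw
// document bytes before parsing it, then checks the account and region claims.
func VerifyIdentity(doc, sig []byte, signer *rsa.PublicKey,
	allowedAccounts map[string]bool, region string) (*IdentityDoc, error) {
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(signer, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("identity document signature invalid: %w", err)
	}
	var id IdentityDoc
	if err := json.Unmarshal(doc, &id); err != nil {
		return nil, fmt.Errorf("malformed identity document: %w", err)
	}
	if !allowedAccounts[id.AccountID] {
		return nil, fmt.Errorf("account %q may not receive secrets", id.AccountID)
	}
	if id.Region != region {
		return nil, fmt.Errorf("region %q does not match service region %q", id.Region, region)
	}
	return &id, nil
}

// SignDoc stands in for the trusted signer (AWS in production); a local key is used so the example runs offline.
func SignDoc(doc []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte(`{"instanceId":"i-0123456789abcdef0","accountId":"111122223333","region":"us-west-2"}`) // constructed sample
	sig, _ := SignDoc(doc, key)
	id, err := VerifyIdentity(doc, sig, &key.PublicKey, map[string]bool{"111122223333": true}, "us-west-2")
	fmt.Println(id, err)
}
```

Any edit to the document after signing (for instance a changed account ID) invalidates the signature, so the allowlist is only ever consulted on fields whose origin has been established.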