Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Platform Security at Netflix: Securing Microser...

Bryan Payne
July 08, 2015
Technology
0
5.8k

Platform Security at Netflix: Securing Microservices from the Ground Up

AWS Loft SF, July 2015. Deploying large-scale applications as a collection of loosely coupled microservices has many benefits. However, ensuring security across this kind of environment is challenging. This talk describes how the Platform Security team at Netflix is addressing these challenges without impacting developer velocity or adding unnecessary friction. We will discuss our
foundational security services that leverage trust from AWS, and how we build up from these services to improve security throughout the Netflix ecosystem.

https://www.youtube.com/watch?v=62TDmRR66KQ

Bryan Payne

July 08, 2015
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
260
BLESS: Better Security and Ops for SSH Access
bdpayne
3
740
Securing Containers the Netflix Way
bdpayne
1
2.3k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
870
Platform Security Jobs at Netflix
bdpayne
0
870
Improving Cloud Security with Attacker Profiling
bdpayne
2
820
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.9k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
200
An Introduction to Virtual Machine Introspection Using LibVMI
bdpayne
0
610

Other Decks in Technology

See All in Technology
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
360
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
ドメイン名の終活について - JPAAWG 7th -
mikit
33
20k
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
490

Featured

See All Featured
Producing Creativity
orderedlist
PRO
341
39k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Building Adaptive Systems
keathley
38
2.3k
Designing the Hi-DPI Web
ddemaree
280
34k
A better future with KSS
kneath
238
17k
Faster Mobile Websites
deanohume
305
30k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Become a Pro
speakerdeck
PRO
25
5k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Raft: Consensus for Rubyists
vanstee
136
6.6k
KATA
mclloyd
29
14k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k

Transcript

  1. Platform Security at Netflix Securing Microservices From The Ground Up

    Bryan D. Payne Engineering Manager, Platform Security

  2. Platform Security Overview Microservices in the Cloud Device or Browser

    Netflix Open Connect Appliance 1 2 - AWS Mgmt - Security Tools - Code Review - Forensics / IR - IT Security - Content Protection - Device Security Platform Security - Foundational Security Services - Security in Common Platform - Security by Default in base AMI

  3. Classic Security Trusted Services Great Unknown Hardware Platform Physical Security

    Malicious Insider Supply Chain Firmware Side Channel Leaks Untrusted Services Security Kernel (hardware) Security Kernel (software) Operating System Applications Users Adapted from Building A Secure Computer System by Morrie Gasser (1988)

  4. Classic Security via AWS CloudHSM Instance Metadata Signature Identity &

    Access Management Trusted Services (AWS) Great Unknown Hypervisor Hardware Platform Physical Security Malicious Insider Key Management Supply Chain Firmware Side Channel Leaks Trusted Services (Netflix) Secret Deployment Service Self-Service CA Crypto / Key Management Service

  5. Securing the Platform Eureka Server(s) Eureka Server(s) Eureka Server(s) App

    Service (auth-service) Karyon Web App Front End (Rest Services) Call “Auth Service” Ribbon REST client with Eureka Fallback Implementation Hystrix Microservice Implementation execute auth-service call

  6. Securing the Bakery Ubuntu Trusty Repository Deploy Baked Image AWS

    Account(s) AWS Account(s) AWS Account(s) Bakery Pipeline Lightweight Base OS Installation Netflix Common Dependencies Application Package

  7. Ubiquitous Security • Partner with other teams • Make security

    transparent (or easy) • Focus on common components • Also focus on strategic risks Platform Security Review Implement Im plem ent D eploy Report Service Creation Service Maintenance Security Audit IR / Forensics Plan Security Improvements Security Services Security Defaults

  8. Questions? bryanp@netflix.com https://www.linkedin.com/in/bdpayne [PS… I’m hiring!]