Scaling the Cloud

Bill Burns
Director, Information Security & Networking

CISO Executive Summit
Nov 27, 2012
Thursday, November 29, 12
Agenda

• Netflix Background and Culture
• Why We Moved to the Cloud
• InfoSec Challenges, Solutions in a hybrid DataCenter/IaaS Cloud: C.I.A.
• InfoSec Take-Aways: Running In The Cloud
Netflix Business

• 30+ million members globally
• Streaming in 51 countries
• 1B hours streamed/month
• Watched on 1000+ devices
• 33% of US peak evening Internet traffic (source: (c) 2011 Sandvine)
Background and Context

• High Performance Culture
• Fail Fast, Learn Fast ... Get Results
• Some core values:
  • “Freedom & Responsibility”
  • “Loosely-Coupled, Highly-Aligned”
  • “Context not control”
Engineering-Centric Culture

• Sought the Cloud for Availability, Capacity
  • ...and also found Agility
• DevOps / NoOps means engineering teams own:
  • New deployments and upgrades
  • Capacity planning & procurement
Freedom & Responsibility
Demand vs Capacity

(Chart: 37x growth in 13 months, plotted against then-current DataCenter capacity.)
Demand: Cloud On-Demand Capacity

(Chart: customer demand, number of servers, and utilization over time.)

1. Demand: Typical pattern of customer requests rise & fall over time
2. Reaction: System automatically adds, removes servers to the application pool
3. Result: Overall utilization stays constant
Running In The Cloud :: InfoSec Perspective
InfoSec In The Cloud :: Harder

1. “Your IP address attacked me yesterday. Please stop it!”
2. Dealing with other people’s traffic at your front door
3. Herding ephemeral instances with vendor applications
4. Trusting endpoints, infrastructure
5. Key management

InfoSec In our Cloud :: Easier

1. Reacting to business velocity
2. Detecting instance changes
3. Application ownership, management
4. Patching, updating
5. Availability, in an environment you don’t control
6. Embedding security controls
7. Least privilege enforcement
8. Testing/auditing for conformance
9. Consistency, conformity in environment

InfoSec DevOps :: Staying Relevant

• “Communication is what the listener does” – Mark Horstman, Manager Tools podcast / Peter Drucker
• My team’s goal: InfoSec program adds value, deeper part of the business’ success, not a “bolt-on”
• Pain: Learning a new vocabulary, systems thinking
• End result: We like this model a lot!
InfoSec Challenges In An IaaS Cloud

(Diagram: the six security attributes of the Parkerian hexad arranged around the title: Confidentiality, Possession, Integrity, Authenticity, Availability, Utility.)
InfoSec Challenge in an IaaS Cloud :: Availability
Availability :: Assume failures

• You’re only good at what you regularly test for
• If you fear a failure mode, find a way to automate a test for that
• Chaos Monkey/Gorilla induce failures, help us practice recovery
• Include security control systems in your failure testing too!

(Photo: (c) Courtesy Flickr - Winton)
The Netflix Simian Army & other Security Controls

• Striving for continuous testing, monitoring
• Identify and test common failure modes
• Automation everywhere

• Chaos Monkey - Randomly kills instances
• Chaos Gorilla - Evacuates entire data centers
• Janitor Monkey – Ensures a clean inventory
• Security Monkey – Various security checks
• Exploit Monkey – Under development
• Critical Systems – File integrity monitoring, HIDS, WAF baked in as needed

InfoSec Challenge in an IaaS Cloud :: Integrity
Key: Automation




Integrity :: Patching

• Goal: Running instances do not get patched
• Alternative to patching in place:
  • Bake a new AMI for any change
  • Launch, test new instances in parallel
  • Kill the old instances
Integrity :: Upgrades

• Bake a new AMI for any change
• Launch new instances in parallel
• Kill the old instances

Lesson Learned: Make the secure-and-consistent behavior the easier alternative.

Embedding Security Controls

• Controls baked into our templates
  • Places controls near the data
  • Automation ensures coverage as machines born, replaced
• Security controls are “Data Center agnostic”
  • Provide a single view of attack surface
  • Evolving, work in progress
Security Controls: WAF Example

• Sample Control: Web Application Firewall
  • Software-only, baked-in AMI
  • Control spans all environments, regions
  • Consistent control, view
  • Zero effort for developer to add protection

Automation = Conformity & Consistency

• All apps, tiers are Highly Available
• Secure defaults applied automatically
• Replacement instances look just like the originals
• Includes security controls
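The slides from "Availability :: Assume failures" through "Automation = Conformity & Consistency" describe one operating model: instances are launched only from baked images that already carry the security controls, running instances are never patched in place, upgrades launch a parallel pool and kill the old one, random failure injection proves that replacements come back conformant, and an automated audit checks that nothing drifted. The Python simulation below is an added example written for this page; it is not Netflix code and not the Simian Army tools themselves. The fleet model, the control set (waf, hids, fim), the package strings and the scenario are all assumptions made to show the mechanics in one place.

```python
"""Simulated auto-scaled fleet: immutable baked images, Chaos Monkey-style
failure injection, red/black upgrades and a Security Monkey-style audit.
Added illustration; not Netflix's implementation."""
import hashlib
import random
from dataclasses import dataclass

# Controls the deck says are baked into templates (WAF, HIDS, file integrity
# monitoring). The exact set is an assumption of this simulation.
REQUIRED_CONTROLS = frozenset({"waf", "hids", "fim"})


@dataclass(frozen=True)
class Image:
    """A baked machine image; its id is a hash of its contents."""
    name: str
    packages: tuple
    controls: frozenset

    @property
    def image_id(self) -> str:
        body = repr((sorted(self.packages), sorted(self.controls)))
        return hashlib.sha256(body.encode()).hexdigest()[:12]


@dataclass
class Instance:
    image: Image
    healthy: bool = True


class Fleet:
    """An application pool that only ever launches from one baked image."""

    def __init__(self, image: Image, desired: int):
        self.image, self.desired = image, desired
        self.instances = [Instance(image) for _ in range(desired)]

    def patch_in_place(self, instance: Instance, package: str) -> None:
        # Integrity goal from the deck: running instances do not get patched.
        raise PermissionError(f"refusing to install {package} on a live instance")

    def deploy(self, new_image: Image, health_check) -> bool:
        """Red/black upgrade: launch a full parallel pool from the new image,
        test it, then kill the old pool. On any failure the old pool keeps serving."""
        if REQUIRED_CONTROLS - new_image.controls:
            return False                      # a bake missing its controls never ships
        candidates = [Instance(new_image) for _ in range(self.desired)]
        if not all(health_check(inst) for inst in candidates):
            return False
        self.instances, self.image = candidates, new_image
        return True

    def chaos_monkey(self, rng: random.Random) -> Instance:
        """Randomly kill one instance, as Chaos Monkey does."""
        victim = rng.choice(self.instances)
        self.instances.remove(victim)
        return victim

    def autoscale(self) -> int:
        """Replacements come from the same baked image: they look like the
        originals, security controls included."""
        while len(self.instances) < self.desired:
            self.instances.append(Instance(self.image))
        return len(self.instances)

    def audit(self) -> list:
        """Every instance must run the current image and carry every control."""
        findings = []
        for idx, inst in enumerate(self.instances):
            if inst.image.image_id != self.image.image_id:
                findings.append(f"instance {idx}: drifted to image {inst.image.name}")
            missing = REQUIRED_CONTROLS - inst.image.controls
            if missing:
                findings.append(f"instance {idx}: missing controls {sorted(missing)}")
        return findings


def run_scenario(seed: int = 7, rounds: int = 25) -> dict:
    """Exercise the fleet the way the deck describes and report what held."""
    rng = random.Random(seed)
    fleet = Fleet(Image("app-v1", ("app=1.0",), REQUIRED_CONTROLS), desired=6)
    for _ in range(rounds):                   # failure testing, controls included
        fleet.chaos_monkey(rng)
        fleet.autoscale()
    results = {"findings_after_chaos": fleet.audit(), "size": len(fleet.instances)}
    try:                                      # the easy path must be the secure path
        fleet.patch_in_place(fleet.instances[0], "app=1.1")
        results["in_place_patch_allowed"] = True
    except PermissionError:
        results["in_place_patch_allowed"] = False
    no_waf = Image("app-v2-nowaf", ("app=2.0",), REQUIRED_CONTROLS - {"waf"})
    results["bad_bake_deployed"] = fleet.deploy(no_waf, lambda inst: inst.healthy)
    v2 = Image("app-v2", ("app=2.0",), REQUIRED_CONTROLS)
    results["v2_deployed"] = fleet.deploy(v2, lambda inst: inst.healthy)
    results["running_image"] = fleet.image.name
    results["findings_after_upgrade"] = fleet.audit()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the design is in `deploy` and `autoscale`: there is no code path that changes a running instance, so the only way to ship a patch is to bake, launch in parallel, test, and retire the old pool, and a bake that dropped a control fails before it ever serves traffic. `audit` is what a Security Monkey-style check has to do when instances are ephemeral: compare every live instance against the fleet's declared image rather than against a hand-maintained inventory.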
InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession
Key Management :: Cloud Hardware Security Modules (HSMs)

• Problem:
  • Need crypto keys near the Cloud
  • HSMs are in the data center
  • Can’t entirely trust our CSP
• Motivation:
  • Want to decouple DC and Cloud
  • Want to trust our Cloud more fully
  • If we want this, others will probably want it too.
• Solution:
  • A real HSM: FIPS 140-2 certified hardware
  • Keys stay in hardware
  • “HSM as a Service”
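The slide's requirement is that master keys stay inside certified hardware while cloud instances that the CSP controls still get to use them. The usual shape of that boundary is envelope encryption: the instance asks the HSM service for a data key, receives it in plaintext for immediate use together with a wrapped copy, and stores only the wrapped copy next to the data; decrypting later means sending the wrapped key back to the HSM. The Python example below is an added illustration written for this page, not code from the deck or from any HSM vendor; `HsmService`, `WrappedKey`, `seal_record`, `open_record`, the sample record and the helper names are all assumptions, and the HMAC-SHA256 counter-mode keystream stands in for the AES key wrap a real HSM would use.

```python
"""Simulated 'HSM as a Service': master keys never leave the HSM object; the
cloud instance only ever holds key handles and wrapped data keys.
Added illustration, not a product API."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustrative only; a
    real HSM would use AES key wrap / AES-GCM."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class WrappedKey:
    """All the cloud side may store: a data key encrypted under a master key
    (identified only by handle) plus an integrity tag over the wrap."""
    master_handle: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class HsmService:
    """Stand-in for a network-attached FIPS 140-2 HSM. There is deliberately
    no operation that returns master key bytes."""

    def __init__(self):
        self._masters = {}

    def create_master_key(self) -> str:
        handle = "mk-" + os.urandom(4).hex()
        self._masters[handle] = os.urandom(32)
        return handle

    def generate_data_key(self, handle: str):
        """Fresh data key, returned in plaintext for immediate use and wrapped
        for storage (the shape of a KMS-style GenerateDataKey call)."""
        master = self._masters[handle]
        data_key, nonce = os.urandom(32), os.urandom(16)
        ct = xor_bytes(data_key, keystream(master, nonce, 32))
        tag = hmac.new(master, b"wrap" + nonce + ct, hashlib.sha256).digest()
        return data_key, WrappedKey(handle, nonce, ct, tag)

    def unwrap(self, wrapped: WrappedKey) -> bytes:
        master = self._masters[wrapped.master_handle]     # KeyError: not our key
        expect = hmac.new(master, b"wrap" + wrapped.nonce + wrapped.ciphertext,
                          hashlib.sha256).digest()
        if not hmac.compare_digest(expect, wrapped.tag):
            raise ValueError("wrapped key failed integrity check")
        return xor_bytes(wrapped.ciphertext, keystream(master, wrapped.nonce, 32))


def seal_record(hsm: HsmService, handle: str, plaintext: bytes) -> dict:
    """Cloud-instance side: envelope-encrypt one record. The plaintext data
    key exists only for the duration of this call."""
    data_key, wrapped = hsm.generate_data_key(handle)
    nonce = os.urandom(16)
    ct = xor_bytes(plaintext, keystream(data_key, nonce, len(plaintext)))
    mac = hmac.new(data_key, nonce + ct, hashlib.sha256).digest()
    return {"wrapped_key": wrapped, "nonce": nonce, "ct": ct, "mac": mac}


def open_record(hsm: HsmService, record: dict) -> bytes:
    """Cloud-instance side: ask the HSM to unwrap, verify, then decrypt."""
    data_key = hsm.unwrap(record["wrapped_key"])
    expect = hmac.new(data_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, record["mac"]):
        raise ValueError("record failed integrity check")
    return xor_bytes(record["ct"], keystream(data_key, record["nonce"], len(record["ct"])))


def fails(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; used to show that tampering is caught."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Walk the trust boundary and report what each check found."""
    hsm = HsmService()
    handle = hsm.create_master_key()
    secret = b"member-payment-token-0042"               # constructed sample data
    record = seal_record(hsm, handle, secret)
    wk = record["wrapped_key"]
    forged = WrappedKey(wk.master_handle, wk.nonce, wk.ciphertext, bytes(32))
    flipped = dict(record, ct=bytes([record["ct"][0] ^ 1]) + record["ct"][1:])
    return {
        "roundtrip": open_record(hsm, record) == secret,
        "ciphertext_differs": record["ct"] != secret,
        "tamper_detected": fails(ValueError, open_record, hsm, flipped),
        "forged_wrap_detected": fails(ValueError, hsm.unwrap, forged),
        "other_hsm_rejects": fails(KeyError, HsmService().unwrap, wk),  # snapshot without the HSM
    }
```

The property the slide wants falls out of the API surface: a snapshot of the instance's disk or memory taken by the provider yields records and wrapped keys, and nothing in that snapshot decrypts without a round trip to hardware the provider does not hold. Decoupling the data center and the cloud then means the HSM service only has to be reachable from both, not co-located with either.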
InfoSec Cloud Take-Aways

• Our cloud operations and DevOps models were disruptive to:
  • Engineering, Auditors, Vendors, and other Operations teams
• Our InfoSec team:
  • Learned new cloud operational approaches, techniques, our PaaS
  • Wrote/consumed APIs and services, learned a new AWS alphabet soup
  • Had to tweak most software to fit this model; easier to start cloud first
  • Worked with partners to implement new security controls
Thank you!

@x509v3
Bill.Burns@Netflix.com