
Cloud Security @ Scale
PacSec 2014

Hi! I’m Ben Hagen

● 1996 - Exchange student, 佐賀県 ♥
● 1999 - Exchange student, 山梨県 ♥
● 2004 - Masters of Information Assurance from Iowa State University
● 2005 - SOC & Consultant at Motorola
● 2010 - Consultant at Neohapsis
● 2011 - InfoSec at the 2012 Obama Campaign
● > 2013 < - Netflix Cloud Security

Today let’s talk about ...

● Netflix, the Cloud, and Security
● Modern application deployment
● Security problems and solutions for the Cloud

Netflix - The Business

● Subscription based video streaming service
● 50,000,000+ Subscribers
● Supporting 1,000+ devices
● Service in 40+ countries
● Concurrent delivery from 3 global regions
● ~ 1/3 of US bandwidth at peak

Netflix - The Developers

● 100’s of developers
● 100’s of applications
● 200+ production pushes / day
● 10,000’s of instances
● Elastic scalability with a peak 2x the valley

Amazon Web Services

● Suite of “Cloud” services
● Primarily “Elastic Compute Cloud” (EC2)
  ○ Virtual computing environment
  ○ “Instances”
● Also ...
  ○ Databases
  ○ Queues
  ○ DNS
  ○ etc.

Some Important Concepts

● AutoScaling Groups (ASGs) / Load balancers (ELBs)
● SecurityGroups
● Regions / Availability Zones (AZs)
● Identity Access Management (IAM)

Let’s look at some code

Immutable Server Pattern

● Applications are deployed as system images
● Once deployed they are never changed
● Updates occur by deploying a new image

Deployment

1. Developers commit code to Git (Open Source)
2. Jenkins (Open Source) compiles and packages code to an Ubuntu DEB
3. The DEB is installed onto a Base Image and an AMI snapshot is taken using the Bakery (Open Source)
4. The AMI is deployed to AWS as an elastic cluster using Asgard (Open Source)
   a. 3 regions, 3 availability zones per region

“Availability in the cloud isn't great. How can I architect around it?”

Netflix's Simian Army

● Embrace the chaos
  ○ Simulate when things go wrong & force developers to deal with it
● Find things that are different
● Look for deviants
● Security Monkey!
● Open Sourced!

“What the @#(*$&) is going on!? How can I keep track of things? How can I perform standard security tasks?”

Project Monterey

● Script-able, automate-able, chain-able, scalable security tool usage
● Python-based plugin and management framework
● Designed to help gather large-scale environmental data and perform common security tasks on it
● React to changes in the Cloud environment
● Will be open sourced “soon”

“Developers can deploy new applications at any time. What's important? How can I assign Risk?”

PenguinShortbread

● Automated application risk analysis
● Look at an application holistically
  ○ What libraries are used?
  ○ What network connections are created?
  ○ What data does it have access to?
  ○ What applications does it depend on, and which depend on it?
● Create a risk rating

“I have a lot of traffic. How can I find and track bad actors?”

LazyFalcon

● API oriented network address information

● Internal history of network space

● GeoIP and blacklist management

● Will be open sourced “soon”

“My network is complicated. How can I manage firewall rules and ensure they are safe and consistent?”

SecurityGrouper

● Compare AWS SecurityGroups across accounts and regions

● Look for inconsistency and poorly architected rules

● Easily archive and apply standard rules

● Import / Export as JSON
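An added illustration of the SecurityGrouper idea above (my own example code, not Netflix's tool): flatten AWS-style SecurityGroup rules loaded from JSON, diff the same-named group across regions or accounts, and flag rules that expose sensitive ports to the whole Internet. The sample data is constructed and only mirrors the shape of `describe-security-groups` output; the `Scope` field and the sensitive-port list are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (IpPermissions / IpRanges); "Scope" is an assumed account/region tag.
SAMPLE = json.loads("""[
 {"Scope": "prod/us-east-1", "GroupName": "web",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
 {"Scope": "prod/eu-west-1", "GroupName": "web",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]""")

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}  # assumed: admin and datastore ports

def rule_set(group):
    """Flatten IpPermissions into hashable (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in group["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            # IpProtocol "-1" (all traffic) carries no ports; use -1 as a marker
            rules.add((perm["IpProtocol"], perm.get("FromPort", -1),
                       perm.get("ToPort", -1), rng["CidrIp"]))
    return rules

def inconsistencies(groups):
    """Map GroupName -> rules that are not present in every scope."""
    by_name = {}
    for g in groups:
        by_name.setdefault(g["GroupName"], []).append(rule_set(g))
    out = {}
    for name, sets in by_name.items():
        diff = set.union(*sets) - set.intersection(*sets)
        if diff:
            out[name] = sorted(diff)
    return out

def world_open_sensitive(group):
    """Rules exposing a sensitive port (or all ports) to the entire Internet."""
    hits = []
    for proto, lo, hi, cidr in rule_set(group):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0 and (lo == -1 or any(lo <= p <= hi for p in SENSITIVE_PORTS)):
            hits.append((group["Scope"], proto, lo, hi, cidr))
    return hits

if __name__ == "__main__":
    print(json.dumps(inconsistencies(SAMPLE), default=list, indent=1))
    for g in SAMPLE:
        for hit in world_open_sensitive(g):
            print("WORLD-OPEN:", hit)
```

In the constructed sample the two `web` groups differ only in the SSH rule, and the eu-west-1 copy is the one that opens port 22 to the world.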

“The Internet is a horrible place.”

Scumblr

● Open Source Intelligence gathering tool

● Searches through the places you want to search (Google, Twitter, Pastebin, etc.)

● Configurable workflows
● Open Sourced!

“The Internet is a horrible place ... to take screenshots.”

Sketchy Screenshotter

● API oriented, safe(ish), website screenshot tool
● Best effort at taking screenshots of “modern” websites
● Scalable
● A “safer” way to see what’s on a website
● Open Sourced!

Thanks!

http://netflix.github.io
http://techblog.netflix.com

● bhagen@netflix.com
● benhagen@gmail.com
● @benhagen
