Cloud Security @ Scale
PacSec 2014
Hi! I’m Ben Hagen
● 1996 - Exchange student, 佐賀県 ♥
● 1999 - Exchange student, 山梨県 ♥
● 2004 - Masters of Information Assurance from Iowa State University
● 2005 - SOC & Consultant at Motorola
● 2010 - Consultant at Neohapsis
● 2011 - InfoSec at the 2012 Obama Campaign
● > 2013 < - Netflix Cloud Security
Today let’s talk about ...
● Netflix, the Cloud, and Security
● Modern application deployment
● Security problems and solutions for the Cloud
Netflix - The Business
● Subscription based video streaming service
● 50,000,000+ Subscribers
● Supporting 1,000+ devices
● Service in 40+ countries
● Concurrent delivery from 3 global regions
● ~ 1/3 of US bandwidth at peak
Netflix - The Developers
● 100’s of developers
● 100’s of applications
● 200+ production pushes / day
● 10,000’s of instances
● Elastic scalability, with a peak 2x the valley
Amazon Web Services
● Suite of “Cloud” services
● Primarily “Elastic Compute Cloud” (EC2)
○ Virtual computing environment
○ “Instances”
● Also ...
○ Databases
○ Queues
○ DNS
○ etc.
Some Important Concepts
● AutoScaling Groups (ASGs) / Load balancers (ELBs)
● SecurityGroups
● Regions / Availability Zones (AZs)
● Identity Access Management (IAM)
Let’s look at some code
Immutable Server Pattern
● Applications are deployed as system images
● Once deployed they are never changed
● Updates occur by deploying a new image
Deployment
1. Developers commit code to GIT (Open Source)
2. Jenkins (Open Source) compiles and packages code to an Ubuntu DEB
3. The DEB is installed onto a Base Image and an AMI snapshot is taken using the Bakery (Open Source)
4. The AMI is deployed to AWS as an elastic cluster using Asgard (Open Source)
a. 3 regions, 3 availability zones per region
“Availability in the cloud isn't great. How can I architect around it?”
Netflix's Simian Army
● Embrace the chaos
○ Simulate when things go wrong & force developers to deal with it
● Find things that are different
● Look for deviants
● Security Monkey!
● Open Sourced!
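The “find things that are different / look for deviants” idea above is, at its core, a diff between successive snapshots of cloud configuration, with the security-relevant changes pulled out for a human to look at. The following is an added illustration written for this page, not Security Monkey’s own code: the two snapshots, the resource shapes (an IAM role, a security group, two S3 buckets) and the risk heuristics are all constructed for the example; a real tool would pull the snapshots from the provider API on each run.

```python
"""Configuration drift between two snapshots of cloud resources.

Added example, not Security Monkey's code. Snapshot contents and the
"risky state" heuristics below are constructed for illustration.
"""
import json
from typing import Any

# Constructed snapshots keyed by resource id: what a monitor recorded on
# the previous run and what it sees now.
SNAPSHOT_BEFORE = {
    "iam:role/app-reader": {"policy_actions": ["s3:GetObject"], "mfa_required": True},
    "sg:sg-111111": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    "s3:bucket/logs": {"public": False},
}
SNAPSHOT_AFTER = {
    "iam:role/app-reader": {"policy_actions": ["s3:GetObject", "s3:*"], "mfa_required": False},
    "sg:sg-111111": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                                 {"port": 22, "cidr": "0.0.0.0/0"}]},
    "s3:bucket/new-bucket": {"public": True},
}


def _canon(value: Any) -> str:
    """Stable JSON form so nested dicts and lists compare by content."""
    return json.dumps(value, sort_keys=True)


def diff_snapshots(previous: dict, current: dict) -> list:
    """Return (resource_id, kind, detail) records for every difference.

    kind is "added", "removed" or "changed:<attribute>"; detail is the
    resource (added/removed) or {"old": ..., "new": ...} (changed).
    """
    changes = []
    for rid in sorted(set(previous) | set(current)):
        if rid not in previous:
            changes.append((rid, "added", current[rid]))
        elif rid not in current:
            changes.append((rid, "removed", previous[rid]))
        else:
            for attr in sorted(set(previous[rid]) | set(current[rid])):
                old, new = previous[rid].get(attr), current[rid].get(attr)
                if _canon(old) != _canon(new):
                    changes.append((rid, "changed:" + attr, {"old": old, "new": new}))
    return changes


def _is_risky(value: Any) -> bool:
    """Constructed heuristics for a state worth a human's attention:
    world-open CIDR, public bucket, wildcard IAM action, MFA switched off."""
    if isinstance(value, dict):
        if value.get("public") is True or value.get("mfa_required") is False:
            return True
        return any(_is_risky(v) for v in value.values())
    if isinstance(value, list):
        return any(_is_risky(v) for v in value)
    if isinstance(value, str):
        return value == "0.0.0.0/0" or value.endswith("*")
    return False


def severity(change: tuple) -> str:
    """Rate one change record: removals are informational, additions and
    modifications are "high" when the resulting state is risky."""
    _rid, kind, detail = change
    if kind == "removed":
        return "info"
    if kind.startswith("changed:"):
        # Re-attach the attribute name so the dict-level heuristics apply.
        new_state = {kind.split(":", 1)[1]: detail["new"]}
    else:
        new_state = detail
    return "high" if _is_risky(new_state) else "low"


def report(previous: dict, current: dict) -> list:
    """Changes annotated with severity, highest first."""
    order = {"high": 0, "low": 1, "info": 2}
    rows = [(severity(c), *c) for c in diff_snapshots(previous, current)]
    return sorted(rows, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for sev, rid, kind, detail in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"[{sev:4}] {rid} {kind} {_canon(detail)}")
```

The useful property is that the diff is computed over a canonical form, so a reordered policy document does not show up as a change, while the severity pass is a separate, easily replaced heuristic layer; the alerts a team actually acts on come from that second layer, not from the raw diff.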
“What the @#(*$&) is going on!? How can I keep track of things? How can I perform standard security tasks?”
Project Monterey
● Script-able, automate-able, chain-able, scalable security tool usage
● Python-based plugin and management framework
● Designed to help gather large-scale environmental data and perform common security tasks on it
● React to changes in the Cloud environment
● Will be open sourced “soon”
“Developers can deploy new applications at any time. What's important? How can I assign Risk?”
PenguinShortbread
● Automated application risk analysis
● Look at an application holistically
○ What libraries are used?
○ What network connections are created?
○ What data does it have access to?
○ What applications does it depend on, and which depend on it?
● Create a risk rating
“I have a lot of traffic. How can I find and track bad actors?”
LazyFalcon
● API oriented network address information
● Internal history of network space
● GeoIP and blacklist management
● Will be open sourced “soon”
“My network is complicated. How can I manage firewall rules and ensure they are safe and consistent?”
SecurityGrouper
● Compare AWS SecurityGroups across accounts and regions
● Look for inconsistency and poorly architected rules
● Easily archive and apply standard rules
● Import / Export as JSON
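The three SecurityGrouper bullets above describe a small, concrete pipeline: collect the groups from every account and region, compare groups that share a name, flag rules that are poorly architected, and move the rule set around as JSON. The following is an added example written for this page, not SecurityGrouper’s code: the inventory, the rule shape, the “web ports” allow-list and the two risk checks are all constructed assumptions, and a real tool would fetch the groups from the AWS API rather than embed them.

```python
"""Cross-account / cross-region security group consistency and risk checks.

Added example, not SecurityGrouper's code. The inventory below is
constructed; rule fields (proto, from, to, src) are an assumed shape.
"""
import json
from itertools import combinations

# Constructed inventory: (account, region) -> {group_name: [ingress rules]}.
# "src" is either a CIDR or a reference to another group ("sg:<name>").
INVENTORY = {
    ("prod", "us-east-1"): {
        "web": [{"proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"}],
        "db":  [{"proto": "tcp", "from": 3306, "to": 3306, "src": "sg:web"}],
    },
    ("prod", "eu-west-1"): {
        "web": [{"proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"}],
        # Drifted: the database port is open to the world in this region.
        "db":  [{"proto": "tcp", "from": 3306, "to": 3306, "src": "0.0.0.0/0"}],
    },
    ("test", "us-east-1"): {
        "web": [{"proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"},
                {"proto": "tcp", "from": 22, "to": 22, "src": "0.0.0.0/0"}],
        "db":  [{"proto": "tcp", "from": 0, "to": 65535, "src": "10.0.0.0/8"}],
    },
}

# Assumed policy: only these ports may be open to 0.0.0.0/0.
PUBLIC_OK_PORTS = {80, 443}
WIDE_RANGE = 1024  # a range spanning this many ports or more is flagged


def _key(rule: dict) -> tuple:
    """Hashable identity of a rule, used for set comparison."""
    return (rule["proto"], rule["from"], rule["to"], rule["src"])


def risky_rules(rules: list) -> list:
    """Flag world-open rules outside the public allow-list and very wide port ranges."""
    findings = []
    for r in rules:
        ports = range(r["from"], r["to"] + 1)
        if r["src"] == "0.0.0.0/0" and not all(p in PUBLIC_OK_PORTS for p in ports):
            findings.append(("world-open", _key(r)))
        if r["to"] - r["from"] + 1 >= WIDE_RANGE:
            findings.append(("wide-range", _key(r)))
    return findings


def audit(inventory: dict) -> dict:
    """Risky-rule findings per group, keyed by 'account/region/name'."""
    report = {}
    for (acct, region), groups in inventory.items():
        for name, rules in groups.items():
            findings = risky_rules(rules)
            if findings:
                report[f"{acct}/{region}/{name}"] = findings
    return report


def inconsistencies(inventory: dict) -> list:
    """Groups that share a name but differ in rules between two scopes.

    Returns (name, scope_a, scope_b, differing_rule_keys) tuples, so a reviewer
    sees exactly which rules one scope has and the other lacks.
    """
    by_name: dict = {}
    for scope, groups in inventory.items():
        for name, rules in groups.items():
            by_name.setdefault(name, {})[scope] = frozenset(_key(r) for r in rules)
    out = []
    for name, scopes in by_name.items():
        for (s1, r1), (s2, r2) in combinations(sorted(scopes.items()), 2):
            if r1 != r2:
                out.append((name, s1, s2, sorted(r1 ^ r2)))
    return out


def export_json(inventory: dict) -> str:
    """JSON objects need string keys, so (account, region) becomes 'account/region'."""
    return json.dumps({f"{a}/{r}": g for (a, r), g in inventory.items()},
                      sort_keys=True, indent=2)


def import_json(text: str) -> dict:
    """Inverse of export_json; yields the same (account, region)-keyed dict."""
    return {tuple(k.split("/", 1)): g for k, g in json.loads(text).items()}


if __name__ == "__main__":
    for scope, findings in audit(INVENTORY).items():
        print(scope, findings)
    for name, s1, s2, diff in inconsistencies(INVENTORY):
        print(f"{name}: {s1} vs {s2} differ on {diff}")
    print(export_json(INVENTORY))
```

Comparing frozensets of rule keys means rule order within a group is irrelevant, and the symmetric difference tells a reviewer which side drifted; the JSON round-trip is what lets a vetted “standard” group be archived and re-applied elsewhere.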
“The Internet is a horrible place.”
Scumblr
● Open Source Intelligence gathering tool
● Searches through the places you want to search (Google, Twitter, Pastebin, etc.)
● Configurable workflows
● Open Sourced!
“The Internet is a horrible place ... to take screenshots.”
Sketchy Screenshotter
● API oriented, safe(ish), website screenshot tool
● Best effort at taking screenshots of “modern” websites
● Scalable
● A “safer” way to see what’s on a website
● Open Sourced!
Thanks!
http://netflix.github.io
http://techblog.netflix.com
● [email protected]
● [email protected]
● @benhagen