jason-chan
Agenda
• Background and Disclaimers
• Netflix in the Cloud
• Model-Driven Deployment Architecture
• APIs, Automation, and the Security Monkey
• Cloud Firewall and Connectivity Analysis
• Practical Cloud Security Gaps
Tuesday, October 11, 2011
Background and Disclaimers
• No cloud definitions, but . . .
• Focus on IaaS
• Netflix uses Amazon Web Services
• Guidance should be generally applicable
• Works in progress, still many problems to solve . . .
Netflix in the Cloud
Why is Netflix Using Cloud?
Netflix could not build data centers fast enough
Capacity requirements accelerating, unpredictable
Product launch spikes - iPhone, Wii, PS2, XBox
Outgrowing Data Center
http://techblog.netflix.com/2011/02/redesigning-netflix-api.html
Netflix API: Growth in Requests
37x Growth 1/10 - 1/11
netflix.com is now ~100% Cloud
Remaining components being migrated
Netflix Model-Driven Architecture
Data Center Patterns
• Long-lived, non-elastic systems
• Push code and config to running systems
• Difficult to enforce deployment patterns
• ‘Snowflake phenomenon’
• Difficult to sync or reproduce environments (e.g. test and prod)
Cloud Patterns
• Ephemeral nodes
• Dynamic scaling
• Hardware is abstracted
• Orchestration vs. manual steps
• Trivial to clone environments
When Moving to the Cloud, Leave Old Ways Behind . . .
Generic forklift is generally a mistake
Adapt development, deployment, and management models appropriately
Netflix Build and Deploy
http://techblog.netflix.com/2011/08/building-with-legos.html
• Perforce - SCM
• Jenkins - Continuous Integration
• Artifactory - Binary Repository
• Yum - App-Specific Packages and Configuration
• Bakery - Combine Base and App-Specific Configuration
• AMI - Customized, Cloud-Ready Image
• ASG - Dynamic Scaling
• Instance - Live System!
Every change is a new push
Results
• No changes to running systems
• No CMDB
• No systems management infrastructure
• Fewer logins to prod systems
Impact on Security
• File integrity monitoring
• User activity monitoring
• Vulnerability management
• Patch management
APIs, Automation, and the Security Monkey
Common Challenges for Security Engineers
• Lots of data from different sources, in different formats
• Too many administrative interfaces and disconnected systems
• Too few options for scalable automation
Enter the Cloud . . .
How do you . . .
• Add a user account? - CreateUser()
• Inventory systems? - DescribeInstances()
• Change a firewall config? - AuthorizeSecurityGroupIngress()
• Snapshot a drive for forensic analysis? - CreateSnapshot()
• Disable a multi-factor authentication token? - DeactivateMFADevice()
Security Monkey
http://techblog.netflix.com/2011/07/netflix-simian-army.html
• Leverages cloud APIs
• Centralized framework for cloud security monitoring and analysis
• Certificate and cipher monitoring
• Firewall configuration checks
• User/group/policy monitoring
Cloud Firewall and Connectivity Analysis
Analyzing Traditional Firewalls
• Positioned at network chokepoints, providing optimal internetwork visibility
• Use tools like tcpdump, NetFlow, centralized logging to gather data
• Review traffic patterns and optimize
AWS Firewalls (Briefly)
• “Security Group” is unit of measure for firewalling
• Policy-driven and network-agnostic, configuration follows an instance
• Network diagram irrelevant
• Chokepoints and sniffing are not possible
• Outbound connections not filterable (!)
Security Group Analysis
• Use config and inventory to map reachability
• Leverage APIs to evaluate reachability and detect violations:
  • Security groups with no members
  • “Insecure” services (e.g. Telnet, FTP)
  • Rules that use “any” keyword
• Visualize config into data flow diagram
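The three violation checks listed above, worked through as an added example. This is not code from the talk or from Security Monkey; the group and instance dictionaries are a constructed, simplified stand-in for what DescribeSecurityGroups and DescribeInstances return, and treating "all protocols" (`-1`) or a `0.0.0.0/0` source as the "any" rule is this example's own assumption about what the slide's "any" keyword means.

```python
"""Security-group violation checks over a constructed inventory.

Added example, not the talk's or Security Monkey's code. The data shape
below is a simplified stand-in for the AWS DescribeSecurityGroups and
DescribeInstances responses; a real implementation populates these dicts
from the API instead of hard-coding them.
"""
from collections import defaultdict

# Services the talk singles out as "insecure"; extend as local policy dictates.
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed sample data. A rule carries protocol, from_port, to_port and
# either a "cidr" source or a "src_group" (group-to-group reference).
SECURITY_GROUPS = {
    "web": {"rules": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    ]},
    "app": {"rules": [
        {"protocol": "tcp", "from_port": 8080, "to_port": 8080, "src_group": "web"},
        {"protocol": "tcp", "from_port": 23, "to_port": 23, "cidr": "10.0.0.0/8"},
    ]},
    "legacy": {"rules": [
        {"protocol": "-1", "from_port": None, "to_port": None, "cidr": "0.0.0.0/0"},
    ]},
    "unused": {"rules": []},
}

# Constructed instance inventory: instance id -> groups it belongs to.
INSTANCES = {
    "i-0001": ["web"],
    "i-0002": ["app"],
    "i-0003": ["app", "legacy"],
}


def group_membership(instances):
    """Invert the inventory into group -> set of member instance ids."""
    members = defaultdict(set)
    for instance_id, groups in instances.items():
        for group in groups:
            members[group].add(instance_id)
    return members


def rule_is_any(rule):
    """Assumption: 'any' means all protocols (-1) or a world-open source CIDR."""
    return rule["protocol"] == "-1" or rule.get("cidr") == "0.0.0.0/0"


def rule_covers_port(rule, port):
    """True when the rule's port range (or all-protocol wildcard) includes port."""
    if rule["protocol"] == "-1":
        return True
    return rule["from_port"] is not None and rule["from_port"] <= port <= rule["to_port"]


def find_violations(groups, instances):
    """Return (group, finding) tuples for the three checks on the slide."""
    findings = []
    members = group_membership(instances)
    for name, group in groups.items():
        if not members.get(name):
            findings.append((name, "no members"))
        for rule in group["rules"]:
            for port, service in INSECURE_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.append((name, f"insecure service {service} ({port}) allowed"))
            if rule_is_any(rule):
                findings.append((name, "rule uses 'any'"))
    return findings


if __name__ == "__main__":
    for group, finding in find_violations(SECURITY_GROUPS, INSTANCES):
        print(f"{group:8} {finding}")
```

Run against the constructed data this reports the empty `unused` group, Telnet on `app`, and both insecure ports plus an "any" rule on `legacy`; the web tier's 443-from-anywhere rule is also reported as "any", which is the kind of finding a reviewer then accepts or rejects per policy rather than suppresses in code.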
Reachability & Violation Analysis
Connectivity Analysis
• Reachability shows what “can” communicate
• What about what is communicating?
• Take same approach, leverage APIs for firewall and inventory and combine with host data
• Visualize data into connectivity diagram
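Reachability ("can" communicate, from the Security Group Analysis slide) set against connectivity ("is" communicating, this slide), as one added example that serves both. It is not code from the talk. The group-to-group rules and inventory are constructed stand-ins for firewall and inventory API output, the connection records are a constructed stand-in for per-host data such as established-connection listings, and the DOT output is this example's own choice of diagram format.

```python
"""Reachability (what can talk) versus connectivity (what does talk).

Added example, not the talk's code. RULES and INVENTORY stand in for
DescribeSecurityGroups / DescribeInstances data; OBSERVED stands in for
host-collected connection records. Only group-to-group rules are modelled,
so a CIDR-permitted flow shows up here as "unexpected" and deserves a look.
"""
from collections import defaultdict

# Constructed firewall config: destination group -> [(source group, port), ...]
RULES = {
    "web": [],
    "app": [("web", 8080)],
    "db": [("app", 3306)],
    "cache": [("app", 6379), ("web", 6379)],
}

# Constructed inventory: instance id -> (private ip, groups)
INVENTORY = {
    "i-web1": ("10.0.1.10", ["web"]),
    "i-app1": ("10.0.2.10", ["app"]),
    "i-db1": ("10.0.3.10", ["db"]),
    "i-cache1": ("10.0.4.10", ["cache"]),
}

# Constructed host data: (source instance, destination ip, destination port)
OBSERVED = [
    ("i-web1", "10.0.2.10", 8080),
    ("i-app1", "10.0.3.10", 3306),
    ("i-app1", "10.0.4.10", 6379),
    ("i-app1", "10.0.4.10", 6379),
    ("i-web1", "10.0.3.10", 3306),  # no group rule explains this one
]


def allowed_edges(rules):
    """Set of (src_group, dst_group, port) the firewall config permits."""
    return {(src, dst, port) for dst, entries in rules.items() for src, port in entries}


def observed_edges(observed, inventory):
    """Lift host-level records to group-level (src, dst, port) edges with counts."""
    by_ip = {ip: iid for iid, (ip, _) in inventory.items()}
    edges = defaultdict(int)
    for src_iid, dst_ip, port in observed:
        dst_iid = by_ip.get(dst_ip)
        if dst_iid is None:
            continue  # destination not in inventory (e.g. already terminated)
        for src_group in inventory[src_iid][1]:
            for dst_group in inventory[dst_iid][1]:
                edges[(src_group, dst_group, port)] += 1
    return dict(edges)


def compare(rules, inventory, observed):
    """Split edges into active (allowed and seen), unused (allowed only), unexpected (seen only)."""
    allowed = allowed_edges(rules)
    seen = observed_edges(observed, inventory)
    return {
        "active": {edge: n for edge, n in seen.items() if edge in allowed},
        "unused": sorted(edge for edge in allowed if edge not in seen),
        "unexpected": sorted(edge for edge in seen if edge not in allowed),
    }


def to_dot(result):
    """Graphviz DOT: solid = active, dashed = allowed but unused, red = unexplained."""
    lines = ["digraph connectivity {"]
    for (src, dst, port), n in sorted(result["active"].items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{port} x{n}"];')
    for src, dst, port in result["unused"]:
        lines.append(f'  "{src}" -> "{dst}" [label="{port}", style=dashed];')
    for src, dst, port in result["unexpected"]:
        lines.append(f'  "{src}" -> "{dst}" [label="{port}", color=red];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(compare(RULES, INVENTORY, OBSERVED)))
```

The two lists worth a reviewer's time are `unused` (an allowed path nobody uses is a candidate for removal) and `unexpected` (an observed flow no group rule explains, which here means a CIDR rule or stale inventory is doing the permitting).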
‘Practical’ Cloud Security Gaps
Common Security Product Model
• Examples - AV, FIM, etc.
• “Management” station with client “nodes”
• Limited tagging or abstraction
• Strong “manager” and “managed” model
• Push and pull approaches
• Per node licensing
“Thundering Herd”
• Mass deployments
• “Red/Black” push - concurrent clusters of 500+ nodes
• Elasticity related to traffic spikes
• Licensing constraints
Node Ephemerality and Service Abstraction
• Data related to individual nodes becomes less important
• Dealing with short-lived systems, IP and ID reuse
• Event and log archives and data relationships
Resource Usage Logging and Auditing
• Public-facing APIs make access controls more difficult and more important
• Programmable infrastructure needs robust logging and auditing capabilities
• Can metering data be repurposed?
Identity Integration
• Federation use cases
• On-instance credentials
“Trusted Cloud”
• Various components related to providing higher assurance/trust levels in the cloud
• Virtual TPM / hardware root of trust
• Controlled execution
• HSM in the cloud
References
• http://www.slideshare.net/adrianco
• http://aws.amazon.com
• http://techblog.netflix.com
• http://nordsecmob.tkk.fi/Thesisworks/Soren%20Bleikertz.pdf
• https://cloudsecurityalliance.org/
• http://www.nist.gov/itl/cloud/index.cfm