Scaling the Cloud - Cloud Security
Transcript of Scaling the Cloud - Cloud Security
Scaling the Cloud
Bill Burns, Sr. Manager, Networks & Security
CISO Executive Forum, February 26, 2012
Thursday, March 8, 12
Agenda
• Netflix Background and Culture
• Why We Moved to the Cloud
• InfoSec Challenges in an IaaS Cloud
• InfoSec Perspective: Running In The Cloud
Netflix Business
• 24+ million members globally
• Streaming in 47 countries
• Watch on more than 700 devices
• 33% of US peak evening Internet traffic
(c) 2011 Sandvine
Background and Context
• High Performance Culture
• Fail Fast, Learn Fast ... Get Results
• Core Value: “Freedom & Responsibility”
Engineering-Centric Culture
• Sought the Cloud for Availability, Capacity
• ...and also found Agility
• DevOps / NoOps means engineering teams own:
  • New deployments and upgrades
  • Capacity planning & procurement
Freedom & Responsibility
Why Cloud?
• Transforming Netflix’s Core Business
• Availability, Capacity, Consistency
• Lower operational effort
• Mission Focus
• Agility
Demand vs Capacity
[Chart: 37x growth in 13 months, plotted against Data Center Capacity]
Cloud: On-Demand Capacity
1. Demand: Typical pattern of customer requests rise & fall over time
2. Reaction: System automatically adds, removes servers to the application pool
3. Result: Overall utilization stays constant
[Chart: (1) Demand, (2) # Servers, (3) Utilization]
![Page 23: Scaling the Cloud - Cloud Security](https://reader030.fdocuments.net/reader030/viewer/2022020217/554c5cc7b4c905452e8b5193/html5/thumbnails/23.jpg)
InfoSec Challenges In An IaaS CloudU"lity'
Authen"city'
Possession'
Confiden"ality'
Integrity'
Availability'
Thursday, March 8, 12
InfoSec Challenge in an IaaS Cloud :: Confidentiality
InfoSec Challenge in an IaaS Cloud :: Integrity
InfoSec Challenge in an IaaS Cloud :: Availability
InfoSec Challenge in an IaaS Cloud :: Possession/Control
InfoSec Challenge in an IaaS Cloud :: Authenticity
Running In The Cloud :: InfoSec Perspective
InfoSec In The Cloud :: Harder
1. “Your host attacked me yesterday. Please stop!”
2. Dealing with other people’s traffic at your front door
3. Herding ephemeral instances with vendor applications
4. Trusting endpoints, infrastructure
5. Key management
InfoSec In The Cloud :: Easier
1. Reacting to business velocity
2. Detecting instance changes
3. Application ownership, management
4. Patching, updating
5. Availability, in a failure-prone environment
6. Embedding security controls
7. Least privilege enforcement
8. Testing/auditing for conformance
9. Consistency, conformity in build and launch
Old IT way: Hand-Crafted configuration
(C) courtesy: Flickr (piper, viamoi)
New: Automation
Change Controls :: Patching
• Goal: Running instances do not get patched
• Alternative:
  • Bake a new AMI for any change
  • Launch new instances in parallel
  • Kill the old instances

Change Controls :: Upgrades
• Bake a new AMI for any change
• Launch new instances in parallel
• Kill the old instances
Lesson Learned: Make the secure, consistent behavior the easier alternative.
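The bake / launch-in-parallel / kill-the-old pattern from the two slides above, worked through as an added Python example (this is illustration code, not Netflix's deployment tooling). The in-memory `Fleet`, `Instance` and `bake_image` are stand-ins for a real auto-scaling group, instance and image pipeline, and the "openssl security update" change label is a constructed sample; the point it demonstrates is that a patch never touches a running instance, the old fleet keeps serving until every replacement is healthy, and a failed launch rolls back without ever leaving a half-patched pool.

```python
"""Immutable patching rollout: bake -> launch in parallel -> retire old.

Added illustration of the change-control pattern in the slides (never patch
a running instance; bake a new image for any change, launch replacements
beside the old fleet, then kill the old instances). Example code, not
Netflix's tooling: Fleet, Instance and bake_image are stand-ins for a real
cloud API and image pipeline.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Instance:
    instance_id: str
    image_id: str   # the immutable image this instance was launched from
    zone: str


@dataclass
class Fleet:
    """Simulated application pool (a stand-in for an auto-scaling group)."""
    app: str
    instances: List[Instance] = field(default_factory=list)
    _next: int = 0

    def launch(self, image_id: str, zone: str) -> Instance:
        self._next += 1
        inst = Instance(f"i-{self.app}-{self._next:04d}", image_id, zone)
        self.instances.append(inst)
        return inst

    def terminate(self, instance_id: str) -> None:
        self.instances = [i for i in self.instances if i.instance_id != instance_id]

    def healthy(self, inst: Instance) -> bool:
        # Stand-in health check; a real rollout would poll the load balancer.
        return inst in self.instances


def bake_image(base_image_id: str, change: str) -> str:
    """Derive a new image id from the base image plus a change description.

    Any change (a patch, a config tweak, a new build) yields a new,
    content-addressed image id; the base image is never modified in place.
    """
    digest = hashlib.sha256(f"{base_image_id}|{change}".encode()).hexdigest()[:12]
    return f"ami-{digest}"   # constructed id format, not a real AMI id


def rollout(fleet: Fleet, new_image_id: str) -> Dict[str, List[str]]:
    """Replace every instance with one launched from new_image_id.

    1. Launch a replacement in the same zone for each existing instance while
       the old fleet keeps serving traffic (capacity doubles briefly).
    2. Only after every replacement is healthy, terminate the old ones.
    Returns which instance ids were launched and which were retired.
    """
    old = list(fleet.instances)
    launched = [fleet.launch(new_image_id, i.zone) for i in old]
    if not all(fleet.healthy(i) for i in launched):
        # Roll back: retire the new instances; the old fleet is untouched.
        for i in launched:
            fleet.terminate(i.instance_id)
        raise RuntimeError("replacement instances unhealthy; rollout aborted")
    for i in old:
        fleet.terminate(i.instance_id)
    return {"launched": [i.instance_id for i in launched],
            "retired": [i.instance_id for i in old]}


def running_images(fleet: Fleet) -> Set[str]:
    """Image ids currently in service; exactly one after a clean rollout."""
    return {i.image_id for i in fleet.instances}


def demo() -> Fleet:
    """Patch a three-zone fleet by baking and rolling, never by editing hosts."""
    fleet = Fleet("api")
    base = "ami-base-2012-02"   # constructed base image id
    for zone in ("us-east-1a", "us-east-1b", "us-east-1c"):
        fleet.launch(base, zone)
    patched = bake_image(base, "openssl security update")   # constructed change
    rollout(fleet, patched)
    return fleet


if __name__ == "__main__":
    f = demo()
    print(sorted(running_images(f)), [i.instance_id for i in f.instances])
```

Because `rollout` only ever calls `launch` and `terminate`, there is no code path that modifies an existing instance, which is exactly what makes "running instances do not get patched" the easy default rather than a policy someone has to remember.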
Availability :: Never Launch One of Anything
• Chaos Monkey induces failures, helps us practice recovery
• Balance across Availability Zones
• Applications automatically scale-out, regenerate
• Conformity Monkey detects differences, improper settings
(c) Courtesy Flickr - Winton
Identity Challenges :: Vendors Lagging
• Cloud instances are ephemeral
• Customers cannot necessarily pick their IP addresses, ranges
• Instances need to base context on apps, services, tagging (not IPs)
• Vendors need better support for ephemeral licensing, stateless instances, self-config
• Machine capacity is no longer a CapEx friction item.
Conformity & Consistency
Automation = Conformity & Consistency
• All apps, tiers are Highly Available
• Secure defaults applied automatically
• Replacement instances look just like the originals
Baked-In Security Controls :: Netflix Simian Army
• Cloud Ready Dashboard
• Identify and test common failure modes
• Continuous, aggressive monitoring, testing
• Mostly opt-in
• Chaos Monkey – Randomly kills instances
• Conformity Monkey – Various policy checks
• Latency Monkey – Induces random latency
• Janitor Monkey – Kills orphaned instances
• Security Monkey – Various security checks
• Exploit Monkey – Vuln Scans / Pen Tests
• Unnamed – File integrity monitoring, HIDS
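An added example, not Simian Army code, of the kind of checks the Conformity, Security and Janitor monkeys are described as running; it also covers the earlier "Never Launch One of Anything" and "Identity Challenges" slides, since two of the rules are "an app must have more than one instance, spread over more than one zone" and "context comes from tags, not IPs". The inventory records, the approved-image set, the admin-port list and the finding thresholds are all constructed assumptions for the example; a real implementation would read the same facts from the cloud provider's API.

```python
"""Conformity / Security / Janitor Monkey-style policy checks.

Added example, not Netflix's Simian Army. It runs a few checks of the kinds
the slides attribute to Conformity Monkey (policy and consistency), Security
Monkey (security settings) and Janitor Monkey (orphans) over a small
constructed inventory. Record layout, thresholds and ids are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    monkey: str      # which check family raised it
    resource: str    # instance id, app name or security group id
    message: str


# Baked images that conform to the base AMI; anything else was hand-built.
APPROVED_IMAGES = {"ami-base-2012-02", "ami-api-2012-03"}   # constructed ids
# Ports that must never be reachable from the whole Internet.
ADMIN_PORTS = {22, 3389}

# Constructed inventory (not real data). Identity is carried by the "app"
# tag, not by IP address, because instances are ephemeral and IPs are not
# chosen by the customer.
INSTANCES = [
    {"id": "i-0001", "image": "ami-api-2012-03", "zone": "us-east-1a", "tags": {"app": "api"}},
    {"id": "i-0002", "image": "ami-api-2012-03", "zone": "us-east-1b", "tags": {"app": "api"}},
    {"id": "i-0003", "image": "ami-hand-built", "zone": "us-east-1a", "tags": {"app": "billing"}},
    {"id": "i-0004", "image": "ami-base-2012-02", "zone": "us-east-1a", "tags": {}},
]
SECURITY_GROUPS = [
    {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-ops", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
]


def conformity_checks(instances: List[Dict]) -> List[Finding]:
    """Consistency rules: approved image, more than one of anything, AZ spread."""
    findings: List[Finding] = []
    by_app = defaultdict(list)
    for inst in instances:
        app = inst["tags"].get("app")
        if app is None:
            continue    # untagged instances are Janitor Monkey's concern
        by_app[app].append(inst)
        if inst["image"] not in APPROVED_IMAGES:
            findings.append(Finding("conformity", inst["id"],
                                    f"launched from unapproved image {inst['image']}"))
    for app, members in by_app.items():
        # "Never launch one of anything": one instance is a single point of failure.
        if len(members) < 2:
            findings.append(Finding("conformity", app, "only one instance in service"))
        zones = Counter(m["zone"] for m in members)
        if len(members) >= 2 and len(zones) < 2:
            findings.append(Finding("conformity", app,
                                    "all instances in one availability zone"))
    return findings


def security_checks(groups: List[Dict]) -> List[Finding]:
    """Security settings: flag admin ports exposed to 0.0.0.0/0."""
    findings: List[Finding] = []
    for sg in groups:
        for rule in sg["rules"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(Finding("security", sg["id"],
                                        f"port {rule['port']} open to the world"))
    return findings


def janitor_checks(instances: List[Dict]) -> List[Finding]:
    """Orphans: an instance with no app tag has no owner and no context."""
    return [Finding("janitor", i["id"], "no app tag; orphan candidate")
            for i in instances if "app" not in i["tags"]]


def run_all(instances: List[Dict] = INSTANCES,
            groups: List[Dict] = SECURITY_GROUPS) -> List[Finding]:
    return conformity_checks(instances) + security_checks(groups) + janitor_checks(instances)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.monkey}] {f.resource}: {f.message}")
```

On the constructed inventory the checks raise four findings: the hand-built billing image and the single billing instance (conformity), SSH open to the world on `sg-ops` (security), and the untagged `i-0004` (janitor); the two-zone `api` app passes. Running these continuously against the live inventory, rather than once at launch, is what turns "replacement instances look just like the originals" from an intention into something that is measured.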
Embedded Security Controls
• Controls baked into the “base AMI”
• Controls placed near the data
• Applied as machines die/reborn
• Security controls are “Data Center agnostic”
• Provide a “single pane of glass” awareness
• Span all regions, data centers
CISO Forum Take-Aways
1. The public cloud / IaaS is not just a technology.
2. Cloud IaaS is disruptive to Operations, Engineering, Vendors, Auditors.
3. Your Data is your new perimeter.
4. Design for failures in everything.
5. IaaS providers care about their infrastructure.
6. Public cloud Information Security is still about the basics, but in a new context.
7. There’s still plenty left to resolve, like trusted infrastructure, strong key management, COTS support.
Questions