Platform Security at Netflix
Securing Microservices From The Ground Up

Platform Security Overview

Microservices in the Cloud
(Diagram: Device or Browser; Netflix Open Connect Appliance; numbered steps 1 and 2)

Security areas:
• AWS Mgmt
• Security Tools
• Code Review
• Forensics / IR
• IT Security
• Content Protection
• Device Security
• Platform Security
  • Foundational Security Services
  • Security in Common Platform
  • Security by Default in base AMI

Classic Security
Trusted Services (layered): Hardware Platform, Security Kernel (hardware), Security Kernel (software), Operating System, Applications, Users
Great Unknown: Physical Security, Malicious Insider, Supply Chain, Firmware, Side Channel Leaks, Untrusted Services
Adapted from Building A Secure Computer System by Morrie Gasser (1988)

Classic Security via AWS
Trusted Services (AWS): CloudHSM, Instance Metadata Signature, Identity & Access Management, Hypervisor, Hardware Platform
Great Unknown: Physical Security, Malicious Insider, Key Management, Supply Chain, Firmware, Side Channel Leaks

Trusted Services (Netflix)
• Secret Deployment Service
• Self-Service CA
• Crypto / Key Management Service

Securing the Platform
(Diagram: Eureka Server(s) x3; App Service (auth-service) on Karyon; Web App Front End (Rest Services) calls "Auth Service"; Ribbon REST client with Eureka; Fallback Implementation; Hystrix; Microservice Implementation; execute auth-service call)

Securing the Bakery
(Diagram: Ubuntu Trusty Repository -> Bakery Pipeline -> Deploy Baked Image -> AWS Account(s) x3)
Bakery Pipeline layers:
• Lightweight Base OS Installation
• Netflix Common Dependencies
• Application Package

Ubiquitous Security
• Partner with other teams
• Make security transparent (or easy)
• Focus on common components
• Also focus on strategic risks

Platform Security Review
(Diagram: Implement, Implement, Deploy, Report)
• Service Creation
• Service Maintenance
• Security Audit
• IR / Forensics
• Plan Security Improvements
• Security Services
• Security Defaults

Platform Security Jobs at Netflix

Security Software Engineer
• Loves security and writing software
• Enjoys designing and building production security services
• https://jobs.netflix.com/jobs/407

Software Engineer
• Loves writing software
• Enjoys designing APIs and making code as simple as possible, but no simpler
• https://jobs.netflix.com/jobs/860486

Looking for Two Backgrounds
• Authentication and authorization for Netflix services
• Securing and managing human access to instances
• Cryptography, key management, secret management
• Attestation of services/instances deployed at AWS
• Operating system and application level hardening

Solving Important Problems
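The "Securing the Platform" slide shows the front end calling the auth-service through a Ribbon REST client (discovered via Eureka), wrapped in a Hystrix command with a fallback. The following is an added example, not code from the deck or from Netflix, showing what the Hystrix part of that path looks like and the one property a security engineer cares about most: when the auth-service is slow, failing, or circuit-broken, the fallback must deny rather than grant. `AuthClient`, `Decision` and `FailingClient` are hypothetical names introduced here; the Eureka-aware Ribbon client is abstracted behind the `AuthClient` interface. Hystrix classes (`HystrixCommand`, `HystrixCommandGroupKey`, `HystrixCommandKey`, `HystrixCommandProperties`) are the real Netflix OSS API.

```java
import com.netflix.hystrix.HystrixCommand;
import com.netflix.hystrix.HystrixCommandGroupKey;
import com.netflix.hystrix.HystrixCommandKey;
import com.netflix.hystrix.HystrixCommandProperties;

// Added example (not Netflix code): the auth-service call from the slide as a
// Hystrix command whose fallback fails closed.
public class AuthServiceCommand extends HystrixCommand<AuthServiceCommand.Decision> {

    /** Outcome of an authorization check. Hypothetical type for this example. */
    public enum Decision { ALLOW, DENY, DEGRADED_DENY }

    /**
     * Hypothetical abstraction over the Ribbon REST client. In the real stack
     * the client resolves "auth-service" through Eureka and load-balances the call.
     */
    public interface AuthClient {
        boolean isAuthorized(String subject, String action) throws Exception;
    }

    private final AuthClient client;
    private final String subject;
    private final String action;

    public AuthServiceCommand(AuthClient client, String subject, String action) {
        super(Setter.withGroupKey(HystrixCommandGroupKey.Factory.asKey("auth-service"))
                    .andCommandKey(HystrixCommandKey.Factory.asKey("authorize"))
                    .andCommandPropertiesDefaults(HystrixCommandProperties.Setter()
                            // Bound the wait on the auth-service so a slow
                            // dependency cannot stall the front end.
                            .withExecutionTimeoutInMilliseconds(250)));
        this.client = client;
        this.subject = subject;
        this.action = action;
    }

    // Primary path: "execute auth-service call" via the Ribbon client.
    @Override
    protected Decision run() throws Exception {
        return client.isAuthorized(subject, action) ? Decision.ALLOW : Decision.DENY;
    }

    // Fallback path: runs on timeout, exception, thread-pool rejection or an
    // open circuit. For an authorization decision the fallback fails closed;
    // a degraded auth-service never grants access it could not verify.
    @Override
    protected Decision getFallback() {
        return Decision.DEGRADED_DENY;
    }

    /** Stand-in client that simulates an auth-service outage (constructed for this example). */
    static final class FailingClient implements AuthClient {
        @Override
        public boolean isAuthorized(String subject, String action) throws Exception {
            throw new RuntimeException("auth-service unreachable (simulated)");
        }
    }

    public static void main(String[] args) {
        AuthServiceCommand cmd = new AuthServiceCommand(new FailingClient(), "user-123", "play");
        Decision d = cmd.execute();
        // Expected: DEGRADED_DENY, served from the fallback.
        System.out.println("decision=" + d + " fromFallback=" + cmd.isResponseFromFallback());
        if (d == Decision.ALLOW) {
            throw new IllegalStateException("fallback must never grant access");
        }
    }
}
```

Distinguishing `DEGRADED_DENY` from `DENY` lets the caller log and alert on auth-service degradation separately from ordinary policy denials, which is the signal an on-call engineer wants when the circuit opens.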