Netflix deals with cloud security concerns

As Netflix commits its future to streaming movies to customers, it relies almost exclusively on cloud services for its infrastructure, raising security concerns that require a new way of thinking, the company's cloud security architect says.

Netflix develops software and pushes it into production via the cloud, an environment that does not accommodate many of the practices of traditional data centers, says Jason Chan, whose presentation "Practical Cloud Security" was streamed live from United Security Summit in San Francisco. "There's just different ways of doing things in the cloud," Chan says.

For instance, traditionally, applications are long-lived and static: configuration and code changes are pushed to running systems. In the cloud, a new version is built as a fresh image and deployed as new instances that replace the old ones entirely. There are no patches or configuration pushes to running systems.


In traditional data centers, different teams may have their own ways of deploying applications and updating them. Standard versions of applications may disappear as groups tweak them for individual use, creating slightly different versions that are impossible to sync. Cloud does not support these practices, he says.

Instead, cloud deployments have what he calls ephemeral nodes - instances that could disappear at any moment because as a customer of cloud services, Netflix has no control over the underlying network. "You have to build your architecture so you have survivability if an instance dies," he says.

Hardware is abstracted. It's no longer measured in servers but in numbers of CPUs and megabytes of RAM.

The view of security changes as well. If applications are pushed and remain unchanged until they are replaced, there should be no file integrity problems. Any change will stand out because there should be none, he says.

Interactive administrative activity drops sharply, because there is virtually no reason for administrators to log in and out to patch systems, for example. Again, any such activity will stand out.
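The integrity argument above only works if someone actually compares the running instance against what was baked. The script below, added here as an illustration and not code from Netflix or from Chan's talk, captures a manifest of file hashes at bake time and diffs the live filesystem against it; the directory layout, file names and manifest format are assumptions made for the example. On an immutable instance the expected result is an empty diff, so every entry it returns is an alert rather than noise.

```python
"""Detect drift on an immutable instance by comparing the running filesystem
against a manifest captured when the image was baked.

Added example, not Netflix code. Paths and the manifest format are assumptions
made for illustration; a real deployment would store the manifest out-of-band
(not on the instance it describes) and run the check from a separate monitor.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, devices, dangling symlinks
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify drift relative to the baked baseline.

    On an immutable instance the expected answer is "no drift at all", so every
    entry returned here is an alert, not something to be triaged as routine.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Bake a tiny constructed image, then tamper with it and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "server.py"), "w") as f:
            f.write("print('v1')\n")
        with open(os.path.join(app, "config.ini"), "w") as f:
            f.write("port=80\n")
        baseline = build_manifest(root)  # captured at bake time

        # Simulate what an in-place patch, a config push or an intruder would do.
        with open(os.path.join(app, "config.ini"), "w") as f:
            f.write("port=8080\n")  # modified
        with open(os.path.join(app, "backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")  # added
        os.remove(os.path.join(app, "server.py"))  # removed

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The check is deliberately boring: no whitelists, no "expected churn" directories. If a path legitimately changes at runtime (logs, caches), keep it off the image root rather than excluding it from the comparison, so the baseline stays a complete description of what was shipped.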

In traditional data centers, security staff needs to add user accounts, inventory systems, change firewall configurations and take snapshots of drives for analysis. This all takes multiple scripts to accomplish.

In the cloud, gleaning similar data is done via a single API, he says, allowing businesses to perform all of these tasks centrally.

Rather than traditional firewalls deployed at network chokepoints to filter traffic with rules based on IP addresses, in the cloud services are dropped into security groups and must follow that group's rules, which restrict what can connect to them and what they can connect to. So a rule might read: let group A talk to group B on port 80. The rules are policy driven, he says, and agnostic about the network itself. "A network diagram is irrelevant," he says.

Instead, security diagrams show what sources are allowed to hit what targets and what other destinations that target can talk to.
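To make the "policy driven, agnostic about the network" point concrete, here is a small model of group-based rules, added as an example and not code from Netflix or from any cloud provider. Group names, instance IDs, addresses and the rule tuples are constructed for illustration. Rules name groups rather than addresses, so the answer to "may X talk to Y on port P?" is unchanged when an instance is replaced and comes back with a different IP, and the same rule set can be rendered as the source/target diagram described above.

```python
"""Model of policy-driven security-group rules.

Added example, not Netflix's or a cloud provider's code. Group names, instance
IDs and addresses are constructed for illustration. Rules reference groups,
never addresses, so replacing an instance (new ID, new IP) in the same group
does not change what it may talk to.
"""
from collections import defaultdict

# A rule: (source_group, target_group, port). The model is directional: a rule
# permits connections opened from source to target on that port and nothing else.
RULES = {
    ("web", "api", 80),
    ("api", "db", 3306),
}

# Instance -> (group, ip). The IPs are deliberately irrelevant to the policy.
INSTANCES = {
    "i-web-1": ("web", "10.0.1.10"),
    "i-api-1": ("api", "10.0.2.20"),
    "i-db-1": ("db", "10.0.3.30"),
}


def group_of(instances, instance_id):
    return instances[instance_id][0]


def is_allowed(rules, instances, src_id, dst_id, port):
    """True if src may open a connection to dst on port, by group membership alone."""
    return (group_of(instances, src_id), group_of(instances, dst_id), port) in rules


def replace_instance(instances, old_id, new_id, new_ip):
    """Ephemeral node churn: the old instance dies, a new one joins the same group."""
    group, _old_ip = instances.pop(old_id)
    instances[new_id] = (group, new_ip)


def security_diagram(rules):
    """The 'security diagram' from the talk: for each group, which sources may
    hit it and which targets it may in turn connect to."""
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for src, dst, port in rules:
        inbound[dst].add((src, port))
        outbound[src].add((dst, port))
    groups = {g for rule in rules for g in rule[:2]}
    return {g: {"inbound": sorted(inbound[g]), "outbound": sorted(outbound[g])}
            for g in sorted(groups)}


def demo():
    insts = dict(INSTANCES)
    before = is_allowed(RULES, insts, "i-web-1", "i-api-1", 80)
    reverse = is_allowed(RULES, insts, "i-api-1", "i-web-1", 80)      # no rule: denied
    wrong_port = is_allowed(RULES, insts, "i-web-1", "i-api-1", 443)  # denied
    skip_tier = is_allowed(RULES, insts, "i-web-1", "i-db-1", 3306)   # web must go via api
    replace_instance(insts, "i-api-1", "i-api-2", "10.0.2.99")        # new node, new IP
    after = is_allowed(RULES, insts, "i-web-1", "i-api-2", 80)
    return {"before": before, "reverse": reverse, "wrong_port": wrong_port,
            "skip_tier": skip_tier, "after_replacement": after}


if __name__ == "__main__":
    print(demo())
    for group, edges in security_diagram(RULES).items():
        print(group, edges)
```

Two caveats a practitioner would add. First, group membership is now the security boundary, so whatever launches instances must be the only thing able to put them into a group; an attacker who can assign groups has rewritten the policy. Second, "port 80 from web to api" says nothing about what is listening behind port 80, so the group assignment should be tied to the image that was baked, which is the same immutability argument as the file-integrity point above.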

While cloud providers have offered some ways to address security concerns, some problems remain, Chan says. With hundreds of new nodes being created with new code and hundreds of others being taken down as they are replaced, administrators can no longer monitor by IP address, he says.

Providers should offer an abstraction layer that shows the health of services overall and not attempt to show the health of every node, he says.

Netflix as a business started off mailing DVDs to customers. The main customer-facing infrastructure was Web servers taking customer movie orders and passing them along to a logistics machine that took care of delivery.

Chan says that as Netflix headed toward streaming movies rather than mailing DVDs, it needed more and more infrastructure so rapidly that cloud services were the only option. "We really couldn't build data centers fast enough," says Chan. "We want to be able to use the cloud not invent the cloud."

Now traffic is spikier as demand fluctuates. The introduction of a new Netflix application for iPhones can send traffic through the roof - temporarily. "That's what cloud is really intended for," he says. " is nearly 100% in the cloud."

Stories by Tim Greene