User Focused Security at Netflix: Stethoscope
Post on 11-Apr-2017
Transcript
Andrew White
● PhD from UNC in Fall 2015
● Researched side channels in encrypted network traffic
● Software engineer at Netflix
Jesse Kriss
● Masters in HCI from Carnegie Mellon
● User experience
● Web development
● Information visualization
● Formerly: IBM Research, Figure 53, Obama 2012, NASA/JPL
Keep Netflix employees and information safe
Thousands of employees.
Even more devices.
Lots of people with access.
Worldwide offices.
All cloud everything
Streaming infrastructure is 100% cloud
> 100,000 EC2 instances
> 700 internal cloud applications
“The timing seems right for a renewal of interest in synthesizing usability and security.”
Mary Ellen Zurko, 1996
The approach.
● Education
● Self service
● Personalized
● One place to go
● Actionable
● Complete the feedback loop
And avoiding...
● Forced updates
● Company-wide emails
● Information overload
● “This probably doesn’t apply to me...”
Technology stack
● Back-end
○ Python using Twisted + Klein
○ Plugin architecture
● Front-end: React
● Nginx
○ Serves static files
○ Proxies requests to API server
● No persistence layer required
Security practices
● Disk encryption
● Firewall
● Automatic updates
● Up-to-date OS/software
● Screen lock
● Not jailbroken/rooted
● Security software stack (e.g., Carbon Black)
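The plugin architecture from the technology-stack slide and the practice list above, as an added example (not Stethoscope's own code): each practice is a small check registered by name, every check runs against one device record, and each result carries an actionable message rather than a bare pass/fail. The field names, the status vocabulary, the minimum OS versions and the sample record are assumptions made for illustration.

```python
"""Plugin-style checks for the device practices listed on the slide.

Added example, not Stethoscope's own code. Field names, status names,
MIN_OS and SAMPLE_DEVICE are assumptions for illustration.
"""
import functools
from dataclasses import dataclass
from typing import Callable, Dict, List

OK, WARN, NUDGE, UNKNOWN = "ok", "warn", "nudge", "unknown"      # assumed status names
SEVERITY = {OK: 0, UNKNOWN: 1, WARN: 2, NUDGE: 3}                # worst status wins
MIN_OS = {"mac": (10, 12, 4), "windows": (10, 0), "ios": (10, 3)}  # assumed minimums


@dataclass
class Result:
    practice: str
    status: str
    message: str   # what the user should do, in their own terms


PRACTICES: Dict[str, Callable[[dict], Result]] = {}


def practice(name: str):
    """Decorator registering a check as a plugin under `name`."""
    def register(fn):
        PRACTICES[name] = fn
        return fn
    return register


def flag_check(name, key, want, ok_msg, fix_msg, device: dict) -> Result:
    """Boolean settings share one implementation. A field the source did not
    report is 'unknown', never a silent pass or fail."""
    value = device.get(key)
    if value is None:
        return Result(name, UNKNOWN, f"We could not read '{key}' for this device; please check it manually.")
    passed = bool(value) == want
    return Result(name, OK if passed else NUDGE, ok_msg if passed else fix_msg)


# name: (field, wanted value, message when ok, message when not)
FLAG_PRACTICES = {
    "encryption": ("disk_encrypted", True, "Disk encryption is on.",
                   "Turn on full-disk encryption so a lost laptop does not expose data."),
    "firewall": ("firewall_enabled", True, "The firewall is enabled.",
                 "Enable the built-in firewall in your system settings."),
    "autoupdate": ("auto_updates", True, "Automatic updates are on.",
                   "Turn on automatic updates so patches install without you remembering."),
    "screenlock": ("screen_lock", True, "Screen lock is configured.",
                   "Require a password when waking from sleep or the screen saver."),
    "jailbroken": ("jailbroken", False, "The device is not jailbroken or rooted.",
                   "This device looks jailbroken or rooted; restore it before using it for work."),
}
for _name, _spec in FLAG_PRACTICES.items():
    PRACTICES[_name] = functools.partial(flag_check, _name, *_spec)


def parse_version(text: str):
    return tuple(int(part) for part in text.split("."))


@practice("uptodate")
def check_uptodate(device: dict) -> Result:
    platform, version = device.get("platform"), device.get("os_version")
    if platform not in MIN_OS or not version:
        return Result("uptodate", UNKNOWN, "We could not determine the OS version for this device.")
    if parse_version(version) >= MIN_OS[platform]:
        return Result("uptodate", OK, f"{platform} {version} is current.")
    wanted = ".".join(str(p) for p in MIN_OS[platform])
    return Result("uptodate", NUDGE, f"Update {platform} from {version} to at least {wanted}.")


@practice("security_software")
def check_security_software(device: dict) -> Result:
    agent = device.get("security_agent")
    if agent is None:
        return Result("security_software", UNKNOWN, "We could not confirm an endpoint agent is installed.")
    if agent:
        return Result("security_software", OK, f"{agent} is installed.")
    return Result("security_software", NUDGE, "Install the endpoint security agent from the self-service portal.")


def evaluate(device: dict) -> List[Result]:
    """Run every registered plugin against one device record."""
    return [check(device) for check in PRACTICES.values()]


def overall(results: List[Result]) -> str:
    """The page only 'turns green' when every practice is ok."""
    return max(results, key=lambda r: SEVERITY[r.status]).status


# Constructed sample record, as an inventory source might report it.
SAMPLE_DEVICE = {
    "platform": "mac", "os_version": "10.11.6", "disk_encrypted": True,
    "firewall_enabled": False, "auto_updates": True, "screen_lock": True,
    "jailbroken": False, "security_agent": "Carbon Black",
}
```

Running `evaluate(SAMPLE_DEVICE)` reports the firewall and the OS version as the two items to fix and `overall()` stays red until both are green; a record that lacks a field comes back as unknown, which keeps a missing data-source value from being mistaken for compliance.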
Other information
● Events
○ Google, Duo auth logs
○ Import from Elasticsearch
○ Augment with, e.g., geolocation data
● Accounts: Google
● Alerts/feedback: Elasticsearch/REST
Utilities
● Logging
○ Accesses: to Elasticsearch
○ Errors: to Atlas
● Auth: OpenID Connect
● Batch: to Elasticsearch/REST
What’s included
● Front-end source
○ React-scripts for simple setup, builds, test, etc.
○ Static resources
● Back-end source
○ Plugins previously mentioned
○ Tests, example configuration, etc.
● Nginx configuration
● Docker development configuration
Individuals to organizations
● Visualization at manager, organization level
● Identifies groups for targeted efforts
Are we making progress?
● Nightly batch retrieval allows tracking trends over time
● Identifies practices which need particular attention
Data quality
● Inventory needs to be up-to-date and accurate
● Data sources can have different representations for identifiers
● Don’t always get a unique identifier for a device
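The identifier problems on this slide and the organization-level roll-up from the "Individuals to organizations" slide, as one added example (not Stethoscope's own code): serial numbers and MAC addresses are normalized, records are merged by serial when any source reports one, a record that carries only a MAC is joined through a MAC-to-serial alias learned from a record that had both, and a record with no usable identifier is kept unmatched instead of guessed at. Source and field names, the "first source to report a field wins" policy, the user-to-org map and the sample records are constructed for illustration.

```python
"""Reconcile device records that arrive from several inventory sources.

Added example, not Stethoscope's own code. Source and field names,
USER_ORG and RECORDS are constructed for illustration.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]


def norm_serial(value) -> Optional[str]:
    """'c02-abc-123' and 'C02ABC123' are the same serial."""
    if not value:
        return None
    text = re.sub(r"[^0-9A-Za-z]", "", str(value)).upper()
    return text or None


def norm_mac(value) -> Optional[str]:
    """Accept 'A4-5E-60-11-22-33', 'a4:5e:60:11:22:33' or 'A45E60112233'."""
    if not value:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", str(value))
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def identifiers(rec: dict) -> Tuple[Optional[str], Optional[str]]:
    serial = norm_serial(rec.get("serial") or rec.get("serial_number"))
    mac = norm_mac(rec.get("mac") or rec.get("wifi_mac"))
    return serial, mac


def merge(records: List[dict]) -> Dict[Key, dict]:
    # Pass 1: learn which MACs belong to which serial from records carrying both.
    mac_to_serial: Dict[str, str] = {}
    for rec in records:
        serial, mac = identifiers(rec)
        if serial and mac:
            mac_to_serial[mac] = serial
    # Pass 2: key every record, preferring serial, then aliased MAC, then raw MAC.
    merged: Dict[Key, dict] = OrderedDict()
    for i, rec in enumerate(records):
        serial, mac = identifiers(rec)
        if serial or (mac and mac in mac_to_serial):
            key: Key = ("serial", serial or mac_to_serial[mac])
        elif mac:
            key = ("mac", mac)
        else:
            key = ("unmatched", f"{rec['source']}#{i}")   # never guess; keep it visible
        entry = merged.setdefault(key, {"sources": []})
        entry["sources"].append(rec["source"])
        for field, value in rec.items():
            if field != "source" and entry.get(field) is None:
                entry[field] = value   # assumed policy: first source to report a field wins
    return merged


def encryption_by_org(merged: Dict[Key, dict], user_org: Dict[str, str]) -> Dict[str, dict]:
    """Per-org counts used to spot groups that need targeted attention."""
    out: Dict[str, dict] = {}
    for entry in merged.values():
        org = user_org.get(entry.get("owner", ""), "unassigned")
        row = out.setdefault(org, {"devices": 0, "encrypted": 0, "unknown": 0})
        row["devices"] += 1
        state = entry.get("disk_encrypted")
        if state is None:
            row["unknown"] += 1
        elif state:
            row["encrypted"] += 1
    return out


# Constructed sample: the same two laptops seen by an MDM and an endpoint agent,
# plus a VPN record that carries no usable hardware identifier.
RECORDS = [
    {"source": "mdm", "serial": "C02ABC123", "wifi_mac": "A4-5E-60-11-22-33",
     "owner": "alice@example.com", "disk_encrypted": True},
    {"source": "agent", "mac": "a4:5e:60:11:22:33",
     "owner": "alice@example.com", "firewall": True},
    {"source": "agent", "mac": "A45E60AABBCC", "owner": "bob@example.com", "disk_encrypted": False},
    {"source": "mdm", "wifi_mac": "a4:5e:60:aa:bb:cc", "owner": "bob@example.com"},
    {"source": "vpn", "owner": "carol@example.com"},
]
USER_ORG = {"alice@example.com": "Streaming", "bob@example.com": "Streaming",
            "carol@example.com": "Finance"}
```

The five records collapse to three devices: Alice's agent record has no serial but its MAC was seen next to a serial in the MDM record, so it joins that device; Bob's two records agree only on a MAC; Carol's VPN record stays unmatched and shows up in the org summary as "unknown" rather than as a clean pass.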
Context
● Different users need/want different levels of context
● “Make it turn green” works well for many people
Future work
● Additional notification channels
● Continuing user research (interviews, surveys)
● Measure long-term effectiveness