As Netflix commits its future to streaming movies to customers, it relies almost exclusively on cloud services for its infrastructure, raising security concerns that require a new way of thinking, the company's cloud security architect says.
Netflix develops software and pushes it into production via the cloud, which doesn't tolerate many of the characteristics of traditional data centres, says Jason Chan, whose presentation "Practical Cloud Security" was streamed live from United Security Summit in San Francisco. "There's just different ways of doing things in the cloud," Chan says.
For instance, traditionally, applications are long-lived and static. Configuration and code changes are pushed to running systems. In the cloud, new versions are written and they replace the old versions entirely with new instances. There are no patches or configuration pushes.
In traditional data centres, different teams may have their own ways of deploying applications and updating them. Standard versions of applications may disappear as groups tweak them for individual use, creating slightly different versions that are impossible to sync. Cloud does not support these practices, he says.
Instead, cloud deployments have what he calls ephemeral nodes - instances that could disappear at any moment because as a customer of cloud services, Netflix has no control over the underlying network. "You have to build your architecture so you have survivability if an instance dies," he said.
Hardware is abstracted. It's no longer measured in servers but in numbers of CPUs and megabytes of RAM.
The view of security changes as well. If applications are pushed and remain unchanged until they are replaced, there should be no file integrity problems. Any change will stand out because there should be none, he says.
Activity monitoring goes way down because there are virtually no reasons for administrators to log in and out to patch, for example. Again, any such activity will stand out.
Data gleaned centrally
In traditional data centres, security staff need to add user accounts, inventory systems, change firewall configurations and take snapshots of drives for analysis. This all takes multiple scripts to accomplish.
In the cloud, gleaning similar data is done via a single API, he says, allowing businesses to perform these tasks centrally.
Rather than traditional firewalls deployed at network chokepoints to filter traffic with rules based on IP addresses, in the cloud services are dropped into security groups and must follow the rules of that group, which restrict what can connect to them and what they can connect to. So a rule might read: let group A talk to group B via port 80. The rules are policy driven, he said, and agnostic about the network itself. He said: "A network diagram is irrelevant."
Instead, security diagrams show what sources are allowed to hit what targets and what other destinations that target can talk to.
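The group-to-group rule model described above, as an added Python example (not from the talk or from Netflix's tooling; the group names, instance names and ports are constructed): a flow is judged by the groups its endpoints belong to rather than by address, the "security diagram" is the set of allowed source-to-target edges, and a transitive walk shows every group a given group can ultimately reach.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample policy (hypothetical groups, not a real configuration).
# A rule is (source_group, target_group, port): "let group A talk to group B via port 80".
RULES: List[Tuple[str, str, int]] = [
    ("edge-lb", "web", 443),
    ("web", "api", 8080),
    ("api", "db", 5432),
    ("ops-bastion", "web", 22),
    ("ops-bastion", "api", 22),
]

# Group membership is all the policy cares about; instance names and addresses
# are ephemeral and never appear in a rule.
INSTANCES: Dict[str, str] = {
    "web-a1b2": "web",
    "api-e5f6": "api",
    "db-0099": "db",
    "lb-7788": "edge-lb",
    "bastion-1": "ops-bastion",
}


def is_allowed(rules, instances, src_instance, dst_instance, port) -> bool:
    """Default deny: permit a flow only if a rule matches both endpoints' groups and the port."""
    src_group = instances.get(src_instance)
    dst_group = instances.get(dst_instance)
    if src_group is None or dst_group is None:
        return False  # an unknown (e.g. already torn down) instance can never match a rule
    return (src_group, dst_group, port) in set(rules)


def security_diagram(rules) -> Dict[str, List[Tuple[str, int]]]:
    """Direct edges: which source groups may hit which target groups, and on which port."""
    diagram = defaultdict(list)
    for src, dst, port in rules:
        diagram[src].append((dst, port))
    return {group: sorted(targets) for group, targets in diagram.items()}


def reachable_groups(rules, start_group) -> Set[str]:
    """Transitive closure over the diagram: every group reachable from start_group,
    directly or through intermediate groups, on any port (handy for blast-radius review)."""
    edges = security_diagram(rules)
    seen, todo = set(), [start_group]
    while todo:
        for dst, _ in edges.get(todo.pop(), []):
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen
```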
While cloud providers have offered some ways to address security concerns, some problems remain, Chan said. With hundreds of new nodes being created containing new code and hundreds of others being taken down as they are replaced, administrators can no longer monitor IP addresses, he said.
Providers should offer an abstraction layer that shows the health of services overall and not attempt to show the health of every node, he said.
Netflix as a business started off mailing DVDs to customers. The main customer-facing infrastructure was web servers taking customer movie orders and passing them along to a logistics machine that took care of delivery.
Chan said that as Netflix headed toward streaming movies rather than mailing DVDs, it needed more and more infrastructure so rapidly that cloud services were the only option. "We really couldn't build data centres fast enough," explained Chan. "We want to be able to use the cloud not invent the cloud."
Now traffic is more spiky as demand fluctuates. The introduction of a new Netflix application for iPhones can send traffic through the roof - temporarily. "That's what cloud is really intended for," he said. "Netflix.com is nearly 100% in the cloud."