Netflix deals with cloud security concerns

As Netflix commits its future to streaming movies to customers, it relies almost exclusively on cloud services for its infrastructure, raising security concerns that require a new way of thinking, the company's cloud security architect says.

Netflix develops software and pushes it into production via the cloud, which doesn't tolerate many of the characteristics of traditional data centers, says Jason Chan, whose presentation "Practical Cloud Security" was streamed live from United Security Summit in San Francisco. "There's just different ways of doing things in the cloud," Chan says.

For instance, traditionally, applications are long-lived and static: configuration and code changes are pushed to running systems. In the cloud, a new version is deployed as new instances that replace the old ones entirely; running instances are never patched or reconfigured in place.


In traditional data centers, different teams may have their own ways of deploying and updating applications. Standard versions of applications disappear as groups tweak them for individual use, creating slightly different versions that are impossible to keep in sync. The cloud model does not support these practices, he says.

Instead, cloud deployments have what he calls ephemeral nodes - instances that could disappear at any moment because as a customer of cloud services, Netflix has no control over the underlying network. "You have to build your architecture so you have survivability if an instance dies," he says.

Hardware is abstracted. It's no longer measured in servers but in numbers of CPUs and megabytes of RAM.

The view of security changes as well. If applications are pushed and remain unchanged until they are replaced, there should be no file integrity problems. Any change will stand out, because there should be none, he says.

The volume of administrative activity to monitor drops sharply, because there is virtually no reason for administrators to log in, to patch for example. Again, any such activity will stand out.
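The two preceding points, that on an immutable instance file changes and interactive logins are both unexpected and therefore easy to flag, can be put into code. The following is an added example, not code from the article or from Netflix. It assumes the deployment pipeline records a manifest (path to SHA-256) of what was deployed, hashes the same paths again at runtime, and reports any difference; a second check scans sshd log lines for accepted logins. The directory contents and log lines are constructed for the demonstration.

```python
"""Drift detection for an immutable cloud instance (added example).

Assumes a build-time manifest {relative_path: sha256} exists for the deployed
tree. Any modified, added or removed file at runtime is drift, and any
accepted SSH login is an anomaly, because neither should happen on an
instance that is only ever replaced, never patched in place.
"""
import hashlib
import os
import re
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk root and return {relative_path: sha256} for every regular file."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def detect_drift(baseline, current):
    """Return (modified, added, removed) paths relative to the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


# sshd logs "Accepted <method> for <user> from <ip>" on every successful login;
# on an immutable instance the expected count is zero.
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def interactive_logins(log_lines):
    """Return (method, user, source_ip) for every accepted SSH login."""
    return [m.groups() for line in log_lines if (m := SSH_ACCEPTED.search(line))]


def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed "deployed tree": two files as written by the build.
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "service.jar"), "wb") as f:
            f.write(b"release-42")
        with open(os.path.join(root, "app", "config.yml"), "w") as f:
            f.write("port: 8080\n")
        baseline = build_manifest(root)

        # Simulated tampering after deploy: config edited, a new script dropped.
        with open(os.path.join(root, "app", "config.yml"), "w") as f:
            f.write("port: 8080\ndebug: true\n")
        with open(os.path.join(root, "app", "helper.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        drift = detect_drift(baseline, build_manifest(root))

    # Constructed sshd log lines (addresses from documentation ranges).
    constructed_log = [
        "Oct 3 10:02:11 ip-10-0-1-5 sshd[2231]: Accepted publickey for ec2-user from 203.0.113.7 port 51234 ssh2",
        "Oct 3 10:02:12 ip-10-0-1-5 sshd[2231]: pam_unix(sshd:session): session opened for user ec2-user",
        "Oct 3 10:05:40 ip-10-0-1-5 sshd[2300]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    ]
    return drift, interactive_logins(constructed_log)


if __name__ == "__main__":
    drift, logins = demo()
    print("drift (modified, added, removed):", drift)
    print("interactive logins:", logins)
```

Because the baseline is produced at build time and the runtime check has nothing to tune, the alert condition is simply "any non-empty result"; that is the operational advantage the talk describes.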

In traditional data centers, security staff need to add user accounts, inventory systems, change firewall configurations and take snapshots of drives for forensic analysis, and each of these tasks typically needs its own scripts.

In the cloud, all of these tasks can be carried out through the provider's single API, he says, so they can be performed centrally.

Rather than traditional firewalls deployed at network chokepoints to filter traffic with rules based on IP addresses, in the cloud services are placed into security groups and must follow that group's rules, which restrict what can connect to them and what they can connect to. A rule might read: let group A talk to group B on port 80. The rules are policy driven, he says, and agnostic about the network itself. "A network diagram is irrelevant," he says.

Instead, security diagrams show what sources are allowed to hit what targets and what other destinations that target can talk to.
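To make the group-based model concrete, here is an added example (not code from the article, and not any cloud provider's API) that evaluates reachability purely by group membership. Rules are (source group, destination group, port) triples; an instance's address never appears in a rule, so replacing an instance in a group, which in the cloud also means a new IP address, leaves the policy untouched. It also renders the "security diagram" view from the paragraph above: what may reach a group and what that group may reach. Group and instance names are made up.

```python
"""Group-based reachability policy (added example, not a provider API).

Rules join groups, not addresses. Evaluation is default deny: a connection
is allowed only when some rule joins a group the source belongs to with a
group the destination belongs to on the requested port.
"""
from collections import defaultdict


class SecurityGroups:
    def __init__(self):
        self.members = defaultdict(set)   # group -> set of instance ids
        self.rules = set()                # (src_group, dst_group, port)

    def add_member(self, group, instance_id):
        self.members[group].add(instance_id)

    def remove_member(self, group, instance_id):
        self.members[group].discard(instance_id)

    def allow(self, src_group, dst_group, port):
        self.rules.add((src_group, dst_group, port))

    def groups_of(self, instance_id):
        return {g for g, ids in self.members.items() if instance_id in ids}

    def is_allowed(self, src_instance, dst_instance, port):
        """Default deny; only group membership and port are consulted."""
        src_groups = self.groups_of(src_instance)
        dst_groups = self.groups_of(dst_instance)
        return any((s, d, port) in self.rules
                   for s in src_groups for d in dst_groups)

    def diagram(self, target_group):
        """The security-diagram view for one group: which groups may reach
        it (inbound) and which groups it may reach (outbound), with ports."""
        inbound = sorted((s, p) for s, d, p in self.rules if d == target_group)
        outbound = sorted((d, p) for s, d, p in self.rules if s == target_group)
        return {"inbound": inbound, "outbound": outbound}


def demo():
    sg = SecurityGroups()
    sg.allow("edge", "api", 80)     # "let group A talk to group B on port 80"
    sg.allow("api", "db", 3306)
    sg.add_member("edge", "i-edge-1")
    sg.add_member("api", "i-api-1")
    sg.add_member("db", "i-db-1")

    before = (
        sg.is_allowed("i-edge-1", "i-api-1", 80),    # permitted by rule
        sg.is_allowed("i-edge-1", "i-db-1", 3306),   # no edge -> db rule
        sg.is_allowed("i-api-1", "i-db-1", 22),      # right groups, wrong port
    )
    # Replace the api instance: the old one disappears, a new one joins the
    # group. No rule changes are needed for traffic to keep flowing.
    sg.remove_member("api", "i-api-1")
    sg.add_member("api", "i-api-2")
    after = sg.is_allowed("i-edge-1", "i-api-2", 80)
    return before, after, sg.diagram("api")


if __name__ == "__main__":
    before, after, diagram = demo()
    print("before replacement:", before)
    print("after replacement:", after)
    print("diagram for api:", diagram)
```

Note what the model deliberately lacks: there is no notion of subnet or address anywhere, which is exactly why a network diagram adds nothing to the policy review; the diagram() output is the artifact a reviewer reads instead.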

While cloud providers have offered some ways to address security concerns, some problems remain, Chan says. With hundreds of new nodes being created running new code, and hundreds of others being taken down as they are replaced, administrators can no longer monitor by IP address, he says.

Providers should offer an abstraction layer that shows the health of services overall and not attempt to show the health of every node, he says.
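The following added example (not the article's or Netflix's tooling) sketches the kind of abstraction layer this asks for: nodes report heartbeats tagged with the service they belong to, nodes that stop reporting are aged out rather than alarmed on, and health is reported per service as a ratio of healthy to live nodes. A replaced node, with a new id and a new address, then shows up as ordinary churn rather than as an incident. Service names, node ids and timestamps are constructed.

```python
"""Service-level health over ephemeral nodes (added example).

Monitoring is keyed on (service, node id), never on IP address. A node that
stops heartbeating is dropped after STALE_AFTER seconds; a service is
degraded only when too few live nodes remain or too many of them are
unhealthy, so instance replacement does not by itself raise an alert.
"""
from collections import defaultdict

STALE_AFTER = 60  # seconds without a heartbeat before a node is dropped


class ServiceHealth:
    def __init__(self):
        self.nodes = defaultdict(dict)  # service -> node_id -> (last_seen, healthy)

    def heartbeat(self, service, node_id, now, healthy=True):
        self.nodes[service][node_id] = (now, healthy)

    def expire(self, now):
        """Drop nodes that stopped reporting; return the (service, node) pairs dropped."""
        dropped = []
        for service, members in self.nodes.items():
            for node_id, (last_seen, _) in list(members.items()):
                if now - last_seen > STALE_AFTER:
                    del members[node_id]
                    dropped.append((service, node_id))
        return dropped

    def report(self, now, min_ratio=0.8, min_nodes=2):
        """Per-service summary after expiring stale nodes."""
        self.expire(now)
        out = {}
        for service, members in self.nodes.items():
            live = len(members)
            healthy = sum(1 for _, h in members.values() if h)
            ratio = healthy / live if live else 0.0
            out[service] = {
                "live": live,
                "healthy": healthy,
                "degraded": live < min_nodes or ratio < min_ratio,
            }
        return out


def demo():
    sh = ServiceHealth()
    t = 1000
    for i in range(5):
        sh.heartbeat("api", f"i-api-{i}", t)
    sh.heartbeat("recs", "i-recs-0", t)
    sh.heartbeat("recs", "i-recs-1", t, healthy=False)

    # 90 seconds later: api nodes 0 and 1 were replaced (new ids report, old
    # ones go silent), which is normal churn; recs lost node 0 and node 1 is
    # still unhealthy, which is a real service problem.
    t += 90
    for i in range(2, 7):
        sh.heartbeat("api", f"i-api-{i}", t)
    sh.heartbeat("recs", "i-recs-1", t, healthy=False)
    return sh.report(t)


if __name__ == "__main__":
    for service, summary in demo().items():
        print(service, summary)
```

The thresholds are deliberately coarse: the point is that the unit of alerting is the service, and per-node disappearance is expected input, not a signal.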

Netflix as a business started off mailing DVDs to customers. The main customer-facing infrastructure was Web servers taking customer movie orders and passing them along to a logistics machine that took care of delivery.

Chan says that as Netflix moved toward streaming movies rather than mailing DVDs, it needed so much more infrastructure, so quickly, that cloud services were the only option. "We really couldn't build data centers fast enough," says Chan. "We want to be able to use the cloud, not invent the cloud."

Now traffic is spikier as demand fluctuates. The introduction of a new Netflix application for iPhones can send traffic through the roof - temporarily. "That's what cloud is really intended for," he says. "Netflix.com is nearly 100% in the cloud."

Tim Greene

Network World
