Camilleri: Welcome to our talk on user adaptive security, where we’ll be exploring how Netflix is adapting to a changing landscape both inside the security industry and as a result of the chaos and variability introduced by 2020. In this session, we’ll talk about how we’ve had to readjust our bets and investments around user focused security tooling, and we’ll explore some new strategies towards a tiered access approach within endpoint security.
I’m Christina. I work on the studio and corporate security team at Netflix, where I focus on shaping our endpoint security strategy. I’ve been at Netflix just shy of one year. Prior to Netflix, I spent a lot of my career in pen testing and security education. The area I’ve enjoyed the most at Netflix is our heavy focus on the positive user experience when applying security controls, which is quite different to the pen testing universe. This area is something we’ll get into a lot in this presentation.
Kriss: I’m Jesse. I work on the enterprise security team. I’ve been working on various flavors of user focused security tools here at Netflix for a little over four years. This is actually my first job in security. Prior to Netflix, I did software design and development at NASA JPL, the Obama 2012 tech team, Figure 53, and IBM Research. My educational background is in music and human-computer interaction. I think that computers quite frequently increase the level of suffering in the world, and most of our systems and approaches are actively user hostile. I do my best to push in the other direction. Together, Christina and I work on the intersection between endpoint security and user experience. This is both a really exciting area and one that has plenty of room for improvement.
2020 Is Harnessing Chaos
Camilleri: You may have noticed that there’s a lot happening in 2020. I think it’ll be an understatement to say that perhaps a few things have not gone exactly according to plan. There’s a lot on our mind between adhering to our culture pillars, adapting to the pandemic, the unique challenges of working from home, all while trying to figure out how to do endpoint security here at Netflix.
Kriss: Netflix did pioneer chaos engineering. This is not what we meant. There are a huge number of companies figuring out how to make the shift to a predominantly or completely remote workforce. We’ve all been dealing with remote onboarding, hardware procurement, and figuring out what security controls are still effective when virtually nobody is in the office anymore. At Netflix, we’ve largely experienced the constraints of the pandemic as an accelerant, not a major shift in position. We’ve been making choices and investments in the right direction for a while, but the current conditions meant we’ve had to drive faster towards certain types of changes.
What Is Stethoscope?
We started our Stethoscope project nearly five years ago, bringing a user focused approach and lighter weight tooling to endpoint security. We’ve talked about this category as user focused security, which to us means two things. First, we focus on the user as the key point of intersection for security. It’s ultimately people who have devices, access services, handle credentials, and take actions. Second, by analogy to user centered design, we approach the design of these systems knowing that if it doesn’t work for people in practice, it really won’t work at all. We look at the user experience of security as a primary concern, not as an afterthought. Stethoscope has gone through a few incarnations. First, there was a website that showed people information about their devices, as gathered by our endpoint management tooling, and gave them instructions for improving their security configuration. Next was a desktop application that performed the checks itself, integrated into our single sign-on flow for device reporting, without relying on the presence of endpoint management tooling. Now it’s a browser extension and a small helper executable that together can do checks and reporting independent of other systems or flows. Beyond device security, there are other trends in how we’ve approached various parameters and controls. We’ve been driving a location independent security approach for a number of years, and moving towards identity and access controls that let us run services on the public internet, allowing access without VPN from any network.
These trends are new, of course, and they aren’t unique to Netflix. User focused security is an approach that is now championed by companies like Kolide and others. BeyondCorp started a new trend away from trusted networks and traditional VPNs. Zero trust architecture now has a proper NIST doc building on the direction started by Google over 10 years ago. What makes this different at Netflix? There are two things that have made Netflix different from a lot of large enterprises. We highly value employee freedom and individual responsibility. We’ve chosen to accept a relatively high amount of risk in order to minimize rules and complexity and maximize organizational focus and agility. These are the principles that, among other things, led us down a path of a relatively lax stance towards device provisioning and endpoint security.
We Looked Inward and Made a Few Changes
Camilleri: It’s 2020 now, and a few things have changed in the last few years. Here’s how we’re refining and adapting our approach to better suit the current environment with endpoint security management, while respecting the culture pillars that Jesse mentioned earlier. With our changing landscape, we needed to address a few things. Our historical bets on focusing on transparency and freedom and responsibility didn’t really align well with a typical systems management approach. We felt that we didn’t want a system where we had invisible software with admin rights pushing up centrally managed policies. We adopted a model where we could check machine configuration at access time, give people clear guidance on how to make simple changes themselves, and not rely on strict inventory or a trusted bootstrapping process. Stethoscope gave us that ability, but some things have since changed, which made us revisit those bets.
Device Freedom at Netflix
One bet that we made with Stethoscope is that it should show, not enforce, what users should do, and nudge them in the right direction, like a buffer for changes to come. However, we found that this resulted in low adoption, so we needed a stronger assertion to help the user along and not rely on them too much. We wanted to focus on making the experience easier for the user. It’s also worth noting that we are a heavy BYOD shop with a strong 12,000 users and 15,400 devices. Not typically in the sense that we’re majority bring your own device, but in that we treat our fleet of machines as customer machines. It should feel like your device, not a Netflix device. With that, it was particularly important as we still wanted a way to have confidence around fleet visibility, inventory control, and security while also not strictly controlling the inventory of devices that can connect to internal Netflix systems. For example, it’s totally fine for a Netflix employee to buy a laptop at the Apple Store and use it for work. We also have a significant number of vendors, contractors, and other third parties who need to access our systems, and we don’t want to enforce control on all of that hardware, even if we could. We aim to keep that freedom in devices as we highly value operational simplicity even at the expense of other things, which echoes something that Jesse once mentioned, in that responsible people thrive on freedom and are worthy of freedom. We wanted to avoid growing into a large company that felt like a large managed facility, because we strive to keep the user experience at the front of our minds. Operational costs are real costs…