A Monkey and a Gun. Netflix’ Latest OSS Project – Security

Operating a highly available, secure SaaS solution in the AWS cloud is hard.  The problems faced by both large and small organizations are roughly the same.  Therefore it may be logical to assume that the solutions are as well.  The only real difference is scale.
Enter Netflix.  I have always been impressed by the depth and openness of Netflix with respect to the internally developed open source tools they make available through their Open Source Software Center.  Startups and emerging companies typically lack the resources to use best-of-breed paid solutions for security, availability, cloud management, etc.

Netflix has made a conscious decision to pay it forward and I for one appreciate their commitment.

Enter “Security Monkey”, a Netflix security and audit tool for aggregating and reporting on configuration, specifically as it relates to state.  That last point is important.  As Netflix explains:

“CloudTrail provides verbose data on API calls, but has no sense of state in terms of how a particular configuration item (e.g. security group) has changed over time. Security Monkey provides exactly this capability.”

Security Monkey adds another tool to the AWS security practitioner’s tool belt, helping to mitigate operational risk and to demonstrate our security posture at audit time.  Win-win.
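To make the “sense of state” distinction concrete, here is an added illustration (not Security Monkey’s code) of what state tracking gives you that an API-call log alone does not: two constructed point-in-time snapshots of one security group’s ingress rules are compared, and any newly added rule exposed to the whole internet is reported as a finding. The group id, timestamps and rules are all constructed sample values.

```python
"""Illustration of state-based change tracking for an AWS security group.

Constructed example, not Security Monkey code: consecutive snapshots of one
configuration item are diffed to recover how its state changed over time.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# An ingress rule is (protocol, from_port, to_port, cidr); a tuple so it is hashable.
Rule = Tuple[str, int, int, str]


@dataclass(frozen=True)
class Snapshot:
    item_id: str            # the configuration item, here a security group id
    captured_at: str        # ISO-8601 time of the poll
    rules: FrozenSet[Rule]  # full ingress rule set observed at that time


@dataclass(frozen=True)
class Change:
    item_id: str
    since: str
    until: str
    added: FrozenSet[Rule]
    removed: FrozenSet[Rule]


def diff_snapshots(old: Snapshot, new: Snapshot) -> Change:
    """Derive the state delta between two polls of the same item."""
    if old.item_id != new.item_id:
        raise ValueError("snapshots describe different items")
    return Change(old.item_id, old.captured_at, new.captured_at,
                  new.rules - old.rules, old.rules - new.rules)


def history_changes(history: List[Snapshot]) -> List[Change]:
    """Turn an ordered list of polls into the list of changes between them."""
    return [diff_snapshots(a, b) for a, b in zip(history, history[1:])]


def audit(changes: List[Change]) -> List[str]:
    """Flag rules that were added with a world-open source CIDR."""
    findings = []
    for c in changes:
        for proto, lo, hi, cidr in sorted(c.added):
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{c.item_id}: {proto}/{lo}-{hi} opened to {cidr} "
                                f"between {c.since} and {c.until}")
    return findings


# Constructed poll history: SSH goes from an internal range to the whole internet.
HISTORY = [
    Snapshot("sg-example01", "2014-06-30T00:00:00Z",
             frozenset({("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.0.0/8")})),
    Snapshot("sg-example01", "2014-07-01T00:00:00Z",
             frozenset({("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0")})),
]

if __name__ == "__main__":
    for finding in audit(history_changes(HISTORY)):
        print(finding)
```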

But never give a monkey a gun…  BAD security practice.


Dan Geer’s BlackHat 2014 Keynote Quotes

There are few opportunities more impactful than the opportunity to be immersed for a time in a movement that transcends profession and helps to answer the question: “Why do I exist?”  Black Hat is one of those rare opportunities for me; Dan Geer is one of those men.  His humble thought leadership, vision and knowledge are both inspiring and impactful.

The full text of Dan’s 2014 keynote is available here.

Geer on humility

“There are three professions that beat their practitioners into a state of humility: farming, weather forecasting, and cyber security. I practice two of those, and, as such, let me assure you that the recommendations which follow are presented in all humility.”

Geer on cyber security

“Cyber security *is* being taken seriously, which, as you well know, is not the same as being taken usefully, coherently, or lastingly.”

Geer talking about veteran (not old!) security pros

“Those of us who were in the game early enough and who have managed to retain an over-arching generalist knowledge can’t be replaced very easily because while absorbing most new information most of the time may have been possible when we began practice, no person starting from scratch can do that now.”

Geer on the expansion of government

“Over my lifetime the public expectation of what government can and should do has spectacularly broadened from guaranteeing that you may engage in the “pursuit of happiness” to guaranteeing happiness in and of itself.”

Geer on the right to be forgotten

“After a good amount of waffling, I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one. I want to choose whether to misrepresent myself. I may rarely use that, but it is my right to do so. If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing.”

Geer on abandonment

“If I abandon my storage locker, then it will be lost to me and may end up on reality TV.”