SSL* Certificate Reporting
BayLISA
March 21st, 2013

@royrapoport rsr@netflix.com
Friday, March 22, 13

This is the story of how we went from SSL certificates expiring without notice in production to
deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL
certificate expiration as a production-class issue.
Technology Overview
  • SoA, REST, Mostly Java
  • Simple overall architecture:
    (architecture diagram on the slide)
Culture Overview
  • Freedom and Responsibility
  • Distributed Operations
  • Get out of the way of Developers

We hire very smart people, give them all the context and situational awareness they want, and
set them free. We design our environment, our systems, and our teams to be empowered to
make decisions without requiring slow approval processes, cumbersome formal
communication, or any other unnecessary friction.
So Certificates ...
  • Dozens of Certificates
  • Different kinds of places
      • Datacenter/private
      • Datacenter/public/LB
      • ELBs
      • EC2
      • Source Control
      • EIPs
  • Totally Distributed Design
So Certificates ...
  • Some Certificates Weren’t[sic]

Some certificates weren’t even SSL certificates -- we have certificates we get from a partner
that cannot be accessed via SSL, and for which the answer to the question “when does this
expire?” requires scraping a web page.
So Certificates ...
  • SSL Certificates expire
      • Millions of people can’t stream
      • Hilarity ensues
  • Standard Ways to Solve This
      • Excel worksheets
      • Wiki documents
      • Events on public calendars

(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in
fact, the standard ways in which most organizations try to deal with keeping up with SSL
certificate expirations)
Let’s Do This Thing
  (diagram, built up over several slides: ELB, EC2 Instance, IP Range, Filesystem and DNS
  spiders on the left; Cassandra and the Certificate entity on the right)
    • ELB
    • EC2 Instance
    • IP Range
    • Filesystem
    • DNS

Start with a very simple model -- a Certificate entity, which is really just a combination of
name, expiration date, and a series of locations where we can find this. It’d be trivial to feed
this thing from my todo list, if I wanted to (but given the state of my todo list, probably a bad
idea).

Then start building location-aware spiders -- e.g. this spider that knows how to probe all our
ELBs to see if they listen on 443 and gets their certificate if they do.

Or this spider that knows how to talk to a specific kind of EC2 instance we have with some
certificates.

etc ...

Once you have all this information, you can easily generate a web page showing certificates,
where they are, and when they expire.

And send out emails, too -- once we built the capability for teams to subscribe to emails for
a given certificate and specify how many days before expiration they should start getting
notified.
Since Then
  • No Production Emergencies due to SSL certificate expiration
  • Validated Design
  • Better Subscription Capabilities

We validated the design by continuing to iterate on it -- recently, when building the DNS
spider component, that work took only about 15 minutes to implement. We also expanded
subscription capabilities so teams could subscribe to certificate expiration warnings based on
certificate name regular expressions.
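As an added example (not code from the talk, nor from Security Monkey / Howler Monkey), the following Python sketches the design the "Let’s Do This Thing" notes describe, plus the two refinements mentioned elsewhere in the deck: the non-SSL partner certificate whose expiry has to be scraped off a web page, and the "Since Then" regex-based subscriptions. A Certificate entity (name, expiry, locations) is fed by location-aware spiders; one spider does a real TLS handshake on port 443 (network needed, not exercised offline), the other parses a constructed partner page. Results are merged into an inventory and matched against subscriptions with a days-before-expiry window. All hostnames, e-mail addresses, the partner page layout and its regular expression, and the sample data are constructed assumptions.

```python
"""Certificate inventory and expiry alerting, modelled on the talk's design (added example)."""
import re
import socket
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class Certificate:
    """The talk's minimal entity: a name, an expiry date, and every place it was found."""
    name: str
    expires: datetime                    # timezone-aware UTC
    locations: List[str] = field(default_factory=list)


@dataclass
class Subscription:
    """A team asks to be warned `days_before` expiry for every cert whose name matches `pattern`."""
    pattern: str                         # regular expression applied to the certificate name
    email: str
    days_before: int


def parse_not_after(not_after: str) -> datetime:
    """Turn the 'notAfter' string from ssl.getpeercert() into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def spider_tls_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> Certificate:
    """Spider for one TLS endpoint (the ELB / EC2 / IP-range case): handshake, read the leaf cert.
    Needs network access, so the offline sample data below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])   # ((('commonName', 'x'),), ...) -> {'commonName': 'x'}
    return Certificate(name=subject.get("commonName", host),
                       expires=parse_not_after(cert["notAfter"]),
                       locations=[f"tls://{host}:{port}"])


# Constructed assumption: the partner's page prints the expiry as "Valid until: YYYY-MM-DD".
PARTNER_EXPIRY_RE = re.compile(r"Valid until:\s*(\d{4}-\d{2}-\d{2})")


def spider_partner_page(name: str, html: str, url: str) -> Certificate:
    """Spider for the non-SSL partner certificate: the expiry exists only as text on a web page."""
    m = PARTNER_EXPIRY_RE.search(html)
    if not m:
        raise ValueError(f"no expiry date found on {url}")
    expires = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return Certificate(name=name, expires=expires, locations=[url])


def merge_inventory(found: List[Certificate]) -> Dict[str, Certificate]:
    """Fold spider results into one record per (name, expiry), accumulating distinct locations."""
    inventory: Dict[str, Certificate] = {}
    for cert in found:
        key = f"{cert.name}|{cert.expires.isoformat()}"
        entry = inventory.setdefault(key, Certificate(cert.name, cert.expires, []))
        for loc in cert.locations:
            if loc not in entry.locations:
                entry.locations.append(loc)
    return inventory


def due_alerts(inventory: Dict[str, Certificate], subs: List[Subscription],
               now: datetime) -> List[Tuple[str, str, int]]:
    """Return (email, cert name, days_left) for every subscription whose warning window is open.
    Already-expired certificates (negative days_left) always fall inside the window."""
    alerts = []
    for cert in inventory.values():
        days_left = (cert.expires - now).days
        for sub in subs:
            if re.search(sub.pattern, cert.name) and days_left <= sub.days_before:
                alerts.append((sub.email, cert.name, days_left))
    return sorted(alerts)


NOW = datetime(2013, 3, 21, tzinfo=timezone.utc)     # the talk's date, used as the clock


def sample_findings() -> List[Certificate]:
    """Constructed spider output standing in for live ELB / EC2 / partner probes."""
    api_expiry = datetime(2013, 4, 10, tzinfo=timezone.utc)
    return [
        Certificate("api.example.test", api_expiry, ["tls://elb-1:443"]),
        Certificate("api.example.test", api_expiry, ["tls://10.0.0.7:443"]),   # same cert, second place
        Certificate("www.example.test", datetime(2013, 6, 1, tzinfo=timezone.utc), ["tls://elb-2:443"]),
        spider_partner_page("partner-drm", "<p>Valid until: 2013-03-01</p>",
                            "https://partner.example.test/cert"),              # already expired
    ]


def sample_subscriptions() -> List[Subscription]:
    return [
        Subscription(r"\.example\.test$", "ops@example.test", 30),
        Subscription(r"^api\.", "api-team@example.test", 14),
        Subscription(r"^partner-", "partner-team@example.test", 60),
    ]


def sample_run() -> List[Tuple[str, str, int]]:
    return due_alerts(merge_inventory(sample_findings()), sample_subscriptions(), NOW)


if __name__ == "__main__":
    for email, name, days in sample_run():
        print(f"{email}: {name} expires in {days} days")
```

The inventory is keyed on name plus expiry rather than name alone, so a renewed certificate that is still deployed alongside its predecessor shows up as two records with their own location lists, which is exactly the "where is it and when does it expire" view the web page needs.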
Soon ...
  • Customized, automated alerting
  • Automated renewal
      • Telling you a problem is about to happen: Good
      • Preventing the problem automatically: Priceless
  • Open Source

We should be able to figure out who owns a certificate, most of the time, and alert them
directly even if they don’t set up a subscription.
Remember ...
  • Be Lazy
  • Help Others Be Lazy
  • Computers Are Better Than Humans
      • For some things
      • Don’t compete on their terms
Questions?
Published title: SSL Certificate Expiration and Howler Monkey's Inception

  • 1. SSL* Certificate Reporting BayLISA March 21st, 2013 @royrapoport rsr@netflix.com Friday, March 22, 13 This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
  • 2. SSL* Certificate Reporting BayLISA March 21st, 2013 @royrapoport rsr@netflix.com Friday, March 22, 13 This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
  • 3. Technology Overview @royrapoport rsr@netflix.com Friday, March 22, 13
  • 4. Technology Overview • SoA, REST, Mostly Java @royrapoport rsr@netflix.com Friday, March 22, 13
  • 5. Technology Overview • SoA, REST, Mostly Java • Simple overall architecture: @royrapoport rsr@netflix.com Friday, March 22, 13
  • 6. Technology Overview • SoA, REST, Mostly Java • Simple overall architecture: @royrapoport rsr@netflix.com Friday, March 22, 13
  • 7. Culture Overview @royrapoport rsr@netflix.com Friday, March 22, 13 We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 8. Culture Overview • Freedom and Responsibility @royrapoport rsr@netflix.com Friday, March 22, 13 We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 9. Culture Overview • Freedom and Responsibility • Distributed Operations @royrapoport rsr@netflix.com Friday, March 22, 13 We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 10. Culture Overview • Freedom and Responsibility • Distributed Operations • Get out of the way of Developers @royrapoport rsr@netflix.com Friday, March 22, 13 We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 11. So Certificates ... @royrapoport rsr@netflix.com Friday, March 22, 13
  • 12. So Certificates ... • Dozens of Certificates @royrapoport rsr@netflix.com Friday, March 22, 13
  • 13. So Certificates ... • Dozens of Certificates • Different kinds of places @royrapoport rsr@netflix.com Friday, March 22, 13
  • 14. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private @royrapoport rsr@netflix.com Friday, March 22, 13
  • 15. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB @royrapoport rsr@netflix.com Friday, March 22, 13
  • 16. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs @royrapoport rsr@netflix.com Friday, March 22, 13
  • 17. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 @royrapoport rsr@netflix.com Friday, March 22, 13
  • 18. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 • Source Control @royrapoport rsr@netflix.com Friday, March 22, 13
  • 19. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 • Source Control • EIPs @royrapoport rsr@netflix.com Friday, March 22, 13
  • 20. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 • Source Control • EIPs • Totally Distributed Design @royrapoport rsr@netflix.com Friday, March 22, 13
  • 21. So Certificates ... • Some Certificates Weren’t[sic] @royrapoport rsr@netflix.com Friday, March 22, 13 Some certificates weren’t even SSL certificates -- we have certificates we get from a partner that cannot be accessed via SSL, and for which the answer to the question “when does this expire?” require scraping a web page.
22-29. So Certificates ...
  • SSL Certificates expire
  • Millions of people can't stream
  • Hilarity ensues
  • Standard Ways to Solve This
    • Excel worksheets
    • Wiki documents
    • Events on public calendars

(obviously, the 'standard ways to solve this' part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
30-37. Let's Do This Thing
  (diagram, built up over the slides) Certificate entity, stored in Cassandra, fed by location-aware spiders: ELB, EC2 Instance, IP Range, Filesystem, DNS

Start with a very simple model -- a Certificate entity, which is really just a combination of name, expiration date, and a series of locations where we can find this. It'd be trivial to feed this thing from my todo list, if I wanted to (but given the state of my todo list, probably a bad idea).

Then start building location-aware spiders -- e.g. this spider that knows how to probe all our ELBs to see if they listen on 443 and gets their certificate if they do. Or this spider that knows how to talk to a specific kind of EC2 instance we have with some certificates. Then IP ranges, the filesystem, DNS, etc ...

Once you have all this information, you can easily generate a web page showing certificates, where they are, and when they expire. And send out emails, too -- once we built the capability for teams to subscribe to emails for a given certificate and specify how many days before expiration they should start getting notified.
38-41. Since Then
  • No Production Emergencies due to SSL certificate expiration
  • Validated Design
  • Better Subscription Capabilities

We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
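The design on the "Let's Do This Thing" slides (a Certificate entity of name + expiry + locations, fed by pluggable spiders) and the regex-based subscriptions from "Since Then", as an added example. This is illustration code written for this page, not Netflix's Howler Monkey; the host names, locations, subscriptions and expiry dates are constructed, and the only real probe (`tls_spider`) is shown but not exercised in the demo because it needs network access. Two points the slides only imply are made explicit: the same certificate found in several places collapses into one entity with several locations, and a certificate that has already expired is still reported rather than skipped, since a verifying TLS client will fail the handshake on it.

```python
"""Certificate expiry reporting: Certificate entity + location spiders +
regex/threshold subscriptions.  Added example, not Howler Monkey code."""
import re
import socket
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Tuple

# Every spider yields (certificate name, notAfter as aware UTC datetime, location).
SpiderResult = Tuple[str, datetime, str]
Spider = Callable[[], Iterable[SpiderResult]]


@dataclass
class Certificate:
    """Name, expiry, and every place the spiders found it."""
    name: str
    not_after: datetime
    locations: List[str] = field(default_factory=list)

    def days_left(self, now: datetime) -> int:
        return (self.not_after - now).days


@dataclass
class Subscription:
    email: str
    name_pattern: str  # regex matched against the certificate name
    days_before: int   # start warning this many days before expiry


def tls_spider(endpoints: Iterable[Tuple[str, int]], timeout: float = 5.0) -> Iterable[SpiderResult]:
    """Network spider for anything listening on 443 (ELBs, hosts).  Uses a
    verifying context, so an already-expired certificate shows up as
    SSLCertVerificationError instead of a date; it is reported as
    'expired now' rather than dropped, because that is the case to catch."""
    ctx = ssl.create_default_context()
    for host, port in endpoints:
        location = f"tls://{host}:{port}"
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:
            if "expired" in str(exc).lower():
                yield (host, datetime.now(timezone.utc), location)
                continue
            raise
        except OSError:
            continue  # refused, timed out or no TLS: nothing to report (a real spider would log it)
        subject = dict(pair for rdn in cert["subject"] for pair in rdn)
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        yield (subject.get("commonName", host), not_after, location)


def build_inventory(spiders: Iterable[Spider]) -> Dict[Tuple[str, datetime], Certificate]:
    """Run every spider and merge: the same (name, notAfter) seen in several
    places is one Certificate entity with several locations."""
    inventory: Dict[Tuple[str, datetime], Certificate] = {}
    for spider in spiders:
        for name, not_after, location in spider():
            cert = inventory.setdefault((name, not_after), Certificate(name, not_after))
            if location not in cert.locations:
                cert.locations.append(location)
    return inventory


def due_alerts(inventory: Dict[Tuple[str, datetime], Certificate],
               subscriptions: List[Subscription], now: datetime) -> List[Tuple[str, str, int, List[str]]]:
    """(email, certificate name, days left, locations) for each subscription whose
    regex matches a certificate inside its warning window.  Negative days
    (already expired) are included: that is the outage, not a non-event."""
    alerts = []
    for cert in sorted(inventory.values(), key=lambda c: c.not_after):
        days = cert.days_left(now)
        for sub in subscriptions:
            if re.search(sub.name_pattern, cert.name) and days <= sub.days_before:
                alerts.append((sub.email, cert.name, days, list(cert.locations)))
    return alerts


# ---- Constructed demo data standing in for the ELB and filesystem spiders ----
NOW = datetime(2013, 3, 21, tzinfo=timezone.utc)


def fake_elb_spider() -> Iterable[SpiderResult]:
    yield ("api.example.com", NOW + timedelta(days=10), "elb://api-prod")
    yield ("api.example.com", NOW + timedelta(days=10), "elb://api-canary")
    yield ("www.example.com", NOW + timedelta(days=200), "elb://www-prod")


def fake_filesystem_spider() -> Iterable[SpiderResult]:
    yield ("api.example.com", NOW + timedelta(days=10), "file://app-01/etc/ssl/api.pem")
    yield ("partner.example.net", NOW - timedelta(days=2), "file://app-01/etc/ssl/partner.pem")


SUBSCRIPTIONS = [
    Subscription("api-team@example.com", r"^api\.", days_before=30),
    Subscription("secops@example.com", r".", days_before=7),  # catch-all safety net
]


def run_report(now: datetime = NOW):
    inventory = build_inventory([fake_elb_spider, fake_filesystem_spider])
    return inventory, due_alerts(inventory, SUBSCRIPTIONS, now)


if __name__ == "__main__":
    inventory, alerts = run_report()
    for cert in sorted(inventory.values(), key=lambda c: c.not_after):
        print(f"{cert.name:22} {cert.not_after:%Y-%m-%d} ({cert.days_left(NOW):+d}d) {cert.locations}")
    for email, name, days, _ in alerts:
        print(f"ALERT -> {email}: {name} has {days} days left")
```

Run as a script it prints the inventory (three certificates, the api one listed in three locations) and two alerts: the expired partner certificate goes to the catch-all subscriber, and the api certificate at ten days out goes to the team that subscribed to `^api\.` with a 30-day window. The catch-all `secops` subscription with a short window is the thing to keep even after per-team subscriptions exist: it is what fires for a certificate nobody claimed.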
42-47. Soon ...
  • Customized, automated alerting
  • Automated renewal
    • Telling you a problem is about to happen: Good
    • Preventing the problem automatically: Priceless
  • Open Source

We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don't set up a subscription.
48-53. Remember ...
  • Be Lazy
  • Help Others Be Lazy
  • Computers Are Better Than Humans
    • For some things
    • Don't compete on their terms
54. Questions?