Steve Schmidt: Hi, I'm Steve Schmidt. I'm the Chief Information Security Officer here at AWS. I'd like to welcome you to Verified, presented by AWS re:Inforce, where we'll be discussing the latest in cybersecurity, privacy, and the cloud. With me today I've got Jason Chan, who's the VP of Information Security at Netflix. Thanks for joining us, Jason.

Jason Chan: Thanks, Steve. It's great to be here.

Steve Schmidt: Jason, could you give me a little bit of information on your background, how you ended up in information security at Netflix, and what drives you?

Jason Chan: Sure. I think, like many folks in security, I got started in technology pretty early as a kid, and I'd originally wanted to go into law enforcement, but my eyesight was so bad that kind of stopped that career path. But I think the idea of cops and robbers and chasing adversaries, especially mixing that with technology, made security a pretty nice second alternative. My first few years after college I was in general software, general IT, and then I started in security in the defense industry and spent probably the first half of my career doing security consulting, a lot of assessment and design work, and then the last half or so building and leading security programs. I've now been here at Netflix for about nine and a half years.

Steve Schmidt: You've spoken in the past about the human element of security. How do you believe the human factor influences a security culture and the strategy of an organization?

Jason Chan: Yeah, I think the human is really the key to security. We talk about it all the time, but if you think about it, every company or every organization has its own unique culture: the way it wants to do business, the way it wants to make decisions, its risk tolerance. The thing I talk about a lot with my team, or with folks when I'm interviewing candidates, is that it's our job as security professionals and security leaders to take the body of knowledge around security and the way we understand how to solve problems, and then apply that uniquely to our own company's culture. That's really what it's all about: human decision making and human judgments.

Steve Schmidt: Doesn't that also sort of apply to the flip side of the problem? A lot of people in security focus on the technical elements of intrusions, the tools that were used by the adversaries, the techniques that they applied, etc., but in many ways the person behind the keyboard, the adversary who is the human, is one of the more interesting problems we've got. What motivates them, what drives them to do what they do? How does that influence the way that you apply your security techniques?

Jason Chan: Sure, yeah. That's critically important: to reason about what motivates your adversaries in addition to what resources they have available. Of course, most of the time we're making informed judgments about what motivates them, but you might have some folks motivated by money, some folks motivated by revenge or disruption. So depending on their own motivations and their own techniques, that's going to tend to drive how you invest in defending against it.

Steve Schmidt: So shifting gears a little bit, let's talk about the humans on our side of the fence. How do you practice inclusion at Netflix?

Jason Chan: Sure, yeah. Inclusion is super important to me personally; it's also a core value at Netflix. I think at its most basic, inclusion is about belonging and making sure that folks feel comfortable at work, that they feel like they can be themselves, that they don't need to cover any aspect or any dimension of their identity if they don't want to, and that they're certainly not going to be discriminated against for it. When folks feel safe, when they feel comfortable at work, that's when they're going to do their best work. So I think it's the right thing to do human-wise, and it's the right thing from a business perspective. In terms of how inclusion actually gets practiced, I think it starts with understanding that we all have biases. It's impossible to not have bias, but we have to commit to understanding how that bias impacts the way we make decisions and the way we work, and then putting into place specific actions that are going to counter that. So it could be things like how you run a meeting, to make sure that folks that have different styles can interact fully. It could be, when you're interviewing candidates, making sure that the panelists understand their own biases and can evaluate candidates fairly. So it's all about inclusion.

Steve Schmidt: So what are some of the key qualifiers for the next generation of talent, do you think? What are the things that we should be looking for?

Jason Chan: I think one of the things that's gotten a lot of attention in the last five years or so is this idea that everybody who's in security needs to be able to write code. I certainly think software engineering is a big part of security, but as we know, it's not just a technology problem. There's ethics, there's law, there's, as we just talked about, communication. So to me, we want to get folks from all different kinds of disciplines. There's so much need, as you know, Steve; it's incredibly hard to hire security folks, so we want folks from all different backgrounds.

Steve Schmidt: You've been in the security business at Netflix pretty much from the beginning. Could you tell me a little bit about your key achievements there? What are the things that you're most proud of from when you built the program?

Jason Chan: Sure. For context, when I started in 2011 it was, as you'd imagine, a much smaller company. It was about 600 folks, and while we were in our early days of streaming and our early days of using AWS, it was really principally a DVD-by-mail company. We were really shipping movies on DVDs to our customers. So what we were really trying to figure out in those early days was how do we build a large-scale consumer streaming video service in the public cloud, and how do you do that in a secure way? There wasn't really a ton of expertise or experience in that, so when I was building the team I really thought about how we bring in folks from a variety of backgrounds, some folks that were more generalists, that could tackle those problems. That's really where we started.

Steve Schmidt: How do you measure success, and ROI for example, in an organization like the one that you run? How do you think about that every day?

Jason Chan: Sure, yeah. I think security ROI is a really interesting topic. I think it's difficult to have a pure equation around that, so what we try to spend our time doing is really making sure that we as a team are aligned on what are the most important assets to protect and what are the most critical risks that we're trying to prevent, and then make sure that leadership is aligned with that, because, as we all know, there are not unlimited resources.

Steve Schmidt: So let's talk a little bit about the application of humans in the real world, and that revolves a lot around culture. How did you build a culture when you migrated Netflix into the cloud? What was the thing that you focused on there?

Jason Chan: I took a lot from the original definition of cloud computing and some of those core characteristics around self-service and around elasticity. We were used to having approvals and doing more thorough evaluations, so the idea that you could call an API and provision resources and have those immediately available was kind of scary. But I also knew there was a strong business reason that we were moving to the cloud, and we wanted to be able to preserve those core characteristics. So when we really created the culture, it was about preserving those characteristics versus inserting ourselves into them. We talk a lot about this idea of guardrails, right? We want people to be able to move fast but also be safe.

Steve Schmidt: And so guardrails seem to lead one to the theory that automation can help in a lot of the spaces there. So how do you think about security automation, and how should others focus on that as part of a migration journey or operations?

Jason Chan: Sure. I think you generically think of automation as a time saver, as a way to reduce errors, to reduce manual work, and I think that applies to security as well. But where I would focus with automation in the security space is where you can find things that both improve security and also improve overall operations.

Steve Schmidt: For those who are just beginning the journey out there into zero trust networks, what do you think are the important pieces, the important components that you've had to build as part of moving to zero trust?

Jason Chan: Zero trust is really about getting context around how your users are interacting with your systems: where are they coming from, what systems are they originating from, what data are they accessing, what applications are they accessing. It's all those elements which are going to then lead you to make some kind of decision about whether you're going to provide access or not. For example, if it's a really sensitive application, you might have more stringent requirements on the endpoint that is accessing it; it might have to have a certain security configuration or a certain update level. You can really only make those decisions by having that visibility. So I think first you want to seek to get visibility about your endpoints, about your users, around your applications, and then you're going to have to build the plumbing and the capabilities to then make decisions based on that.

Steve Schmidt: Jason, 2020 has been an interesting year for all of us in many different ways. It's brought a lot of firsts for companies. So are you seeing anything unusual, anything different happening this year?

Jason Chan: Oh yeah, 2020. It feels like it's been a decade so far. Well, I think at Netflix we were reasonably fortunate in that we had begun investing in some of the technologies and approaches. We believed that this idea of work from anywhere and more distributed work was coming, so we had invested in this journey where we're really trying to think of keeping sensitive data in central places, primarily cloud-based, a lot of it in AWS, a lot of SaaS. We want to really think about endpoints the way we have thought about mobile devices historically, which is really that it's a screen that gets you access to data that's really somewhere else. We think that's the right approach for endpoints broadly. So for laptops, you want to have this idea where you have secure and hardened endpoints that are accessing essentially secured and centrally monitored data, and I think that's a pretty durable model. But yeah, the whole idea of folks working from home, they're talking about sensitive topics, again generally in trustworthy situations. I mean, I personally live alone, but I've had a number of cases where I've had the cats kind of walking on the keyboard, so that's kind of an interesting, unique threat model that I have.

Steve Schmidt: Cats are always super helpful when it comes to keyboards or cameras. Jason, thanks so much for visiting with us today. It's been an awesome conversation. I really appreciate your insights.

Jason Chan: My pleasure, Steve. Thanks for having me.