To my mind, the notion of fine-grained service in continuous deployment puts to rest the concept of a separate operations group responsible for putting applications into production and keeping them running. I believe Cockcroft is somewhat overstating the situation, as there are people tracking the service monitoring and ensuring that any performance and latency issues get addressed. The larger point is that the new model of applications requires a radical rethinking of application architectures, differing ways of moving fine-grained services through their individual lifecycle, differing ways of monitoring an "application," and differing ways of ensuring robustness. As I said last week, cloud computing requires rebuilding enterprise IT for a completely new operating model.
Well, if all that is changing, how is security handled in the Netflix environment? Jason Chan's presentation was eye-opening, to say the least. Chan has a long history in security. Before joining Netflix, he led the security team at VMware, so he knows whereof he speaks.
I found his perspective on security quite unusual for a "typical" security person. He led off by stressing that risk is the appropriate arbiter of what security practices should be implemented. Then he discussed how Netflix goes about implementing security. In light of Cockcroft's presentation, it seems appropriate that Netflix creates services to implement common security measures. Developers can self-service under this model, which keeps them productive while ensuring that what is implemented meets security requirements. And it should come as no surprise that there is a "security monkey" to validate security practices within Netflix services.
Chan went on to note that using a public cloud environment poses challenges to the traditional methods of implementing security, but that overall, Netflix does not feel it has compromised its security by using AWS. The specifics of how Netflix has achieved its security stance are contained in Chan's presentation, and reviewing it is well worth the time.
Perhaps the most interesting thing about Netflix is how it approached the overall proposition of using a cloud computing environment. It didn't focus on how to make the cloud support its established application architectures and IT processes. Instead, it evaluated its applications and operations to understand how the new environment would affect the compute infrastructure and redesigned the applications to address that. If your organization is looking to aggressively move into cloud computing and is willing to examine what is required to truly leverage a cloud environment, the Netflix story is a critical example to understand.