Netflix Streams Secure, Seamless Sign-on for Employees and Partners
Netflix was also in transition from a perimeter-based security architecture to a zero trust model inspired by Google’s BeyondCorp. This meant that identity-defined micro-perimeters for users, devices and applications were critical. The goal was to enable adaptive access security for every application, allowing users to connect from anywhere with no VPNs and no hard tokens.
In addition, they wanted to solve for the resource-intensive, time-consuming process of onboarding new applications. With around 40 SaaS apps and over 600 engineering, studio and customer service applications, the identity team was being bombarded with daily requests to add or make changes to connections. Engineers were also building unique identity stores and login experiences for individual apps. Over the years, the custom creation of policies and clients created incongruence across the organization.
It was also critical to Netflix that the identity company they selected would not only follow standards but actually act as a leader in driving those standards, so it could evolve with the organization over time.
Netflix first implemented Ping to provide single sign-on for the company’s employees and partners. Those identities exist across multiple IdP layers, and PingFederate bridges Netflix’s six Google domains and two partner directories.
Using the PingFederate SDK, Sr. Security Software Engineer Tejas Dharamshi then led the effort to build a self-service layer on top of PingFederate, which allows their engineers the complete freedom to configure applications, update redirects, and plug apps into the Netflix ecosystem on their own.
Today, Ping’s technology is a framework that the IAM team builds all of their identity services on. “We use Ping to extend where we want to take our pluggable identity solution. We can develop custom adapters and custom data stores on top of it. Because all of this can be achieved via API, it allows the organization to be extremely agile,” said Tejas Dharamshi.
PingFederate provides information that allows Netflix to achieve adaptive authentication based on factors like the sensitivity of the application or the device from which users are connecting. Whether it’s engineering, financial or corporate applications, all of Netflix’s apps are able to leverage three levels of adaptive authentication based on roles and user groups, access history and anomalies. At any point, step-up authentication ensures the right person gets access.
Netflix now provides employees and partners with a rich and seamless, UI-driven sign-on that balances both user experience and security.
As a result of the self-service tool powered by PingFederate, the IAM engineering team now fields few to no requests for client management, freeing up their time to work on other identity initiatives. Engineers are able to add and configure their own applications with only limited knowledge of the underlying identity infrastructure. “Because of the extensibility of the Ping platform, we were able to significantly boost the productivity of our engineering users and reduce the burden on the operations side,” said Jonathan Hurd, Identity and Access Engineering Manager.
Ping’s leadership in driving modern standards future-proofs Netflix’s identity program as it evolves.
More About Netflix
Netflix is the world's leading internet entertainment service, with 104 million members in over 190 countries enjoying more than 125 million hours of TV shows and movies per day, including original series, documentaries and feature films. Members can watch as much as they want, anytime, anywhere, on nearly any internet-connected screen. Learn more at https://media.netflix.com/en/about-netflix.