A naukri.com initiative
Fb
2d
296
Image Credit: Fb
How Meta built large-scale cryptographic monitoring
- Meta has shared insightful details from their own cryptographic monitoring system with the industry, including challenges faced during its implementation. The system has helped their engineers detect and remove weak cryptographic algorithms and have assisted with general change safety and reliability efforts. This has been instrumental in ensuring its reliability as well as in helping their engineers understand how cryptography is used at Meta so they can make informed development decisions. To avoid introducing any sampling, in which most logs would be omitted, the logging uses a “buffering and flushing” strategy on a preconfigured interval.
- The strategy of aggregation during buffering maintains a count for every unique cryptographic event. When it comes time to flush, this count is exported along with the log. Since machines often compute millions of cryptographic operations per day, this strategy can lead to significant compute savings in production.
- Thanks to our long retention window, our monitoring service provides data insights to preemptively identify clients using cryptography in risky ways and work with them to mitigate these issues before they become real security vulnerabilities. We can also detect key overuse and rotate keys proactively. Furthermore, we can monitor what versions of our library are running across our fleet in real-time.
- Supporting cryptographic logging at Meta’s scale has challenges, including occasional increased load on Scribe and Scuba, which have been managed through design optimizations. A few more optimizations are planned to optimize Scribe throughput and Scuba storage utilization.
- Additional challenges of flushing logs when a job is being shut down have been addressed to support cryptographic monitoring at scale.
- In summary, Meta’s cryptographic monitoring system using a “buffering and flushing” strategy has been instrumental in helping the engineers in detecting and removing weak cryptographic algorithms at scale, aiding infrastructure reliability and ensuring the security posture of cryptographic apps.
Read Full Article
17 Likes
For uninterrupted reading, download the app