
LinkedIn - Creating a Cloud Security Policy

As security professionals in a dynamic, fast-growing enterprise, we faced significant challenges in enabling the business to move quickly while ensuring that our corporate and member data is adequately protected. To meet this requirement, LinkedIn needed to put a framework in place that enables our employees to make informed decisions about how and where to use cloud services. In this presentation we share how we created a policy by combining industry best practices, resources from the Cloud Security Alliance, PCI-DSS, and other sources. This non-technical presentation is aimed at IT and security directors and policymakers.

To download our policy, please visit: http://engineering.linkedin.com/security/security-policy-framework-help-companies-unlock-power-cloud


  1. Creating a Cloud Security Policy
     Chris Niggel, CISSP CCSK; Charles Nwatu, GSLC
     November 2014
     ©2014 LinkedIn Corporation. All Rights Reserved.
  2. About LinkedIn
     - Our mission is to connect the world's professionals to make them more productive and successful
     - LinkedIn currently has over 332 million members worldwide
     - Over 6,000 full-time employees in 30 cities worldwide
  3. New Security Challenges
     - New enterprise applications can be bought with a corporate card; no need for procurement cycles
     - Corporate data is now unmanaged
     - Corporate security is still expected to provide Confidentiality, Integrity, and Availability
     - IT can't control what applications employees use, but we can make the approved apps more attractive than the alternatives
  4. Proposal to Create a Policy
     - Existing policy not enforceable
     - Not scalable to new cloud business needs
     - Made executive management aware of shortcomings
     - Develop plans to identify and resolve gaps
  5. Policy Timeline (chart spanning Q4 '13 through Q1 '15)
     - Milestones: Review of New Applications; Existing Application Gap Analysis; Policy Initial Release; Solution POC; Vendor Demos; Vendor Selection; Solution Deployment; Policy Review; 12 Month Review
     - Teams: Security Assurance; Corporate IT; Policy Authoring Team
  6. Resourcing
     - Teams involved: Cloud Security; Incident Response; IT App Owner; Security; Corp IT
     - Sponsors: Director, Security; Director, IT; VP, Security; VP, Engineering
     - Supporting functions: Legal Review; HR Review; PMO Support
  7. AUTHORING THE POLICY
  8. 10,000 Foot Strategy
  9. Sample Data Types
     - Data owners: Customer, Company, Personal
     - Limited: potential impact of release is limited
     - Confidential: potential impact of release is serious
     - Highly Confidential: potential impact of release is severe
     - Resources: US NIST FIPS 199, NIST 800-60 Vol. 2
  10. Level Mapping
     - A tiered approach enables the creation of security controls that are appropriate for the types of content handled
     - Consider the most restrictive requirements for each level
     - Some content may not be allowed onto the cloud
     - Define "Cloud" for your organization
     - (Chart: Level 1, Level 2, Level 3 plotted against Complexity/Risk and Duration/Effort)
  11. Sample Assurance Levels
     - Level 1 Data Classification: applications that handle data in the following categories are classified as Level 1: Personal Limited; Company Limited
     - Level 2 Data Classification: applications that handle data in the following categories are classified as Level 2: Personal Confidential; Company Confidential; Customer Confidential
     - Level 3 Data Classification: applications that handle data in the following categories are classified as Level 3: Personal Highly Confidential; Company Highly Confidential; Customer Highly Confidential
     - Not Classified: we do not have any data in the following categories: Customer Limited
     - *These levels are not representative of LinkedIn policy
  12. Identify Controls for Data Types
     - CSA Security Guidelines
     - PCI-DSS v3.0
     - AWS Security Whitepaper
     - Google Security Whitepaper
     - NIST SP 800-61
  13. Get From Here to There
     - We focused on using the following domains to create categories important to LinkedIn.
     - CSA domains: Domain 2: Governance and Enterprise Risk; Domain 3: Legal Issues: Contracts and Electronic Discovery; Domain 4: Compliance and Audit Management; Domain 6: Interoperability and Portability; Domain 7: Traditional Security, Business Continuity, & Disaster Recovery; Domain 8: Data Center Operations; Domain 9: Incident Response; Domain 10: Application Security
     - LinkedIn categories: Authentication & Administration; Auditing; Business Continuity; Data Security; Communication Security; Vendor Governance; Brand Reputation
  14. Structure of a Domain (example: 5. Communication Security)
     - Controls: Network Security Testing; Application Security Testing; Thick-Client or Physical Appliance Security; Mobile Client Security; Transport Layer Protection; Data Loss Prevention; 3rd Party Application Interoperability; Storage at Rest; Virtualization
     - Sources referenced: PCI-DSS 2.2.1; PCI-DSS 11.3; CSA 10.6.3; CSA 10.1.3; CSA 5.6.5; AWS Whitepaper; Google Security Whitepaper; LinkedIn Security Standards
  15. Structure of a Control (sources referenced: ISC2; PCI 2.2.1; CSA 13.1.8)
  16. Policy Challenges - OAuth
     - When reviewing applications, consider 3rd party integrations
     - What applications are people using?
     - What permissions do those applications have?
     - How will you whitelist or blacklist apps?
  17. More Policy Challenges
     - Off Site Backups
     - Key Management
     - Drive Destruction
     - (Photo: David Gard/Star Ledger/Corbis)
  18. SSO Integration Classes
     - Class 0: Saved Password
     - Class 1: SSO, with Username / Password Backdoor
     - Class 2: SSO Access Only
     - Class 3: SSO Access Only, with automatic account deprovisioning
  19. PRESENTING THE POLICY
  20. Execution (swimlane diagram)
     - Lanes: Business Owner; Corporate IT New Projects Team; Corporate IT Support; Security Assurance; Legal / Procurement
     - Steps: Identify New Solution; Review; Define Support; Pilot; Contract Negotiation; Validate Production; Develop Production Req's; Deployment; PM Support
  21. Understanding Your Audience
     - Employees / End-Users
     - Incident Response Teams
     - Application Support Teams
     - Security Assurance Team
     - Legal
  22. End Users - Service Catalog
     - Employees want to know where they can store their data, and how to access those tools when they need them
  23. CSIRT Teams
     - Incident Response Teams need access to application assignment, ownership, and data type information quickly. They do not need configuration information
  24. Application Support Teams
     - Application Support teams need to know how to recover applications quickly if there is an SSO platform failure, and who to contact during an outage
  25. Assurance Team - Worksheets
     - Assurance teams need tools to quickly evaluate new applications
  26. Legal Documentation
     - Some of our security controls are enforced through legal documents. Streamline this by adding requirements into the MSA
     - This means defining terminology throughout the policy and documentation and being specific
     - Help your legal team by making a playbook and offering flexibility
  27. LESSONS LEARNED
  28. Cloud Security Solutions
  29. Gap Analysis
     Priority | Control                                | Type
     1        | Platform Usage and Incident Response   | Security and Operational
     2        | Content Inspection and Compliance      | Security
     3        | Administration and Automation          | Operational
     4        | Availability and Performance Monitoring | Operational
     5        | Content Encryption                     | Security
     6        | Application Inventory Process          | Security and Operational
  30. Policy Review and Feedback
     - Our data model was too limiting; we had to soften Level 2 applications
     - Level 3 applications are very challenging, but we haven't done enough to fully evaluate them
     - A more hands-on approach was needed to guide customers through the process
     - The review process is ongoing and will transition to annual
  31. Variance Process
     - Considering the variance process at the outset will reduce the likelihood that you're caught needing to push an app through unprepared
     - Capture the compensating controls used for your next policy review
     - When reviewing existing applications, track which risks are existing versus new
  32. Takeaways
     - Start with a top-down approach and understand your data model
     - The Cloud Security App space is very young. IAM is a quick win, followed by monitoring, but your requirements may be different
     - Be flexible; this isn't an HR policy. The business can and will roll over you.
     - Make the process easy, and the corporate-supported apps easier
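The level mapping on the preceding slides (a tiered classification with the most restrictive requirement winning, plus categories that are "Not Classified" or not permitted on the cloud) is a rule an assurance team can encode rather than look up by hand. The following is an added example, not code from the deck or from LinkedIn; its matrix copies the deck's sample assurance levels (which the slide itself says are not LinkedIn policy), and the `cloud_prohibited` parameter, the `parse_data_type` helper and the application names are hypothetical.

```python
"""Derive an application's assurance level from the data types it handles.

Constructed example following the deck's *sample* classification matrix
(the slide notes those levels are not LinkedIn policy). ``cloud_prohibited``
is a hypothetical hook for the "some content may not be allowed onto the
cloud" rule; the deck does not say which categories those are.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    """Potential impact of release, in the deck's three tiers."""
    LIMITED = 1              # impact of release is limited
    CONFIDENTIAL = 2         # impact of release is serious
    HIGHLY_CONFIDENTIAL = 3  # impact of release is severe


DATA_OWNERS = ("personal", "company", "customer")

# (owner, impact) -> assurance level, copied from the "Sample Assurance Levels"
# slide. ``None`` means "Not Classified": the sample model states no data exists
# in that category, so an application claiming to handle it is a policy gap.
LEVEL_MATRIX = {
    ("personal", Impact.LIMITED): 1,
    ("company", Impact.LIMITED): 1,
    ("customer", Impact.LIMITED): None,
    ("personal", Impact.CONFIDENTIAL): 2,
    ("company", Impact.CONFIDENTIAL): 2,
    ("customer", Impact.CONFIDENTIAL): 2,
    ("personal", Impact.HIGHLY_CONFIDENTIAL): 3,
    ("company", Impact.HIGHLY_CONFIDENTIAL): 3,
    ("customer", Impact.HIGHLY_CONFIDENTIAL): 3,
}


def parse_data_type(label):
    """Turn a worksheet label such as 'Customer Highly Confidential' into (owner, Impact)."""
    owner, _, impact_name = label.strip().lower().partition(" ")
    if owner not in DATA_OWNERS:
        raise ValueError(f"unknown data owner in {label!r}")
    try:
        impact = Impact[impact_name.replace(" ", "_").upper()]
    except KeyError:
        raise ValueError(f"unknown impact tier in {label!r}") from None
    return owner, impact


@dataclass
class Classification:
    app: str
    level: Optional[int]                                 # None: no classified data handled
    drivers: list = field(default_factory=list)          # data types that set the level
    unclassified: list = field(default_factory=list)     # categories the model says do not exist
    prohibited: list = field(default_factory=list)       # data that may not go to the cloud


def classify(app, data_types, cloud_prohibited=frozenset()):
    """Apply the most-restrictive-requirement rule over every data type handled.

    The assurance level is the maximum level of any data type; categories that
    are Not Classified or cloud-prohibited are reported separately so the
    reviewer sees them rather than having them silently dropped.
    """
    result = Classification(app=app, level=None)
    for label in data_types:
        key = parse_data_type(label)
        if key in cloud_prohibited:
            result.prohibited.append(label)
        level = LEVEL_MATRIX[key]
        if level is None:
            result.unclassified.append(label)
            continue
        if result.level is None or level > result.level:
            result.level, result.drivers = level, [label]
        elif level == result.level:
            result.drivers.append(label)
    return result


if __name__ == "__main__":
    # Constructed worksheet rows for hypothetical applications.
    for app, types in [
        ("expense-tool", ["Personal Limited", "Company Confidential"]),
        ("crm", ["Customer Highly Confidential", "Company Limited"]),
        ("wiki", ["Customer Limited"]),
    ]:
        print(classify(app, types))
```

Reviewers would feed it the data types captured on the assurance worksheet; an empty `level` with a non-empty `unclassified` list means the data model itself needs revisiting before the application can be placed in a tier, which matches the deck's later finding that the model was too limiting.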
