LinkedIn - Creating a Cloud Security Policy

2. ©2014 LinkedIn Corporation. All Rights Reserved. About LinkedIn Our mission is to connect the world’s professionals to make them more productive and successful LinkedIn currently has over 332 million members worldwide Over 6,000 full-time employees in 30 cities worldwide

3. ©2014 LinkedIn Corporation. All Rights Reserved. New Security Challenges New enterprise applications can be bought with a corporate card, no need for procurement cycles Corporate data is now unmanaged Corporate security is still expected to provide Confidentiality, Integrity, and Availability IT can’t control what applications employees use, but we can make the approved apps more attractive than the alternatives

4. ©2014 LinkedIn Corporation. All Rights Reserved. Proposal to Create A Policy Existing policy not enforceable Not scalable to new cloud business needs Made executive management aware of shortcomings Develop plans to identify and resolve gaps

5. ©2014 LinkedIn Corporation. All Rights Reserved. Policy Timeline Q4 ‘13 Q1 ‘14 Q2 ‘14 Q3 ‘14 Q4 ‘14 Q1 ‘15 Review of New Applications Existing Application Gap Analysis Policy Initial Release Solution POC Vendor Selection Solution Deployment Vendor Demos Policy Review 12 Month Review Security Assurance Corporate IT Policy Authoring Team

6. ©2014 LinkedIn Corporation. All Rights Reserved. Resourcing Cloud Security Incident Response IT App Owner Security Corp IT Director, Security Director, IT VP, Security VP, Engineering Legal Review HR Review PMO Support

9. ©2014 LinkedIn Corporation. All Rights Reserved. Sample Data Types Resources: US NIST FIPS 199, NIST 800-60 Vol. 2 Customer Company Personal Limited Potential impact of release is limited Confidential Potential impact of release is serious Highly Confidential Potential impact of release is severe

10. ©2014 LinkedIn Corporation. All Rights Reserved. Level Mapping A tiered approach enables the creation of security controls that are appropriate for the types of content handled Consider the most restrictive requirements for each level Some content may not be allowed onto the cloud Define “Cloud” for your organization ComplexityRisk Level 1 Level 2 Level 3 DurationEffort

11. ©2014 LinkedIn Corporation. All Rights Reserved. Sample Assurance Levels Level 1 Data Classification Applications that handle data in the following categories are classified as Level 1 Personal Limited Company Limited Level 2 Data Classification Applications that handle data in the following categories are classified as Level 2 Personal Confidential Company Confidential Customer Confidential Level 3 Data Classification Applications that handle data in the following categories are classified as Level 3 Personal Highly Confidential Company Highly Confidential Customer Highly Confidential Not Classified We do not have any data in the following categories Customer Limited *These levels are not representative of LinkedIn policy

13. ©2014 LinkedIn Corporation. All Rights Reserved. Get From Here to There Domain 2: Governance and Enterprise Risk Domain 3: Legal Issues: Contracts and Electronic Discovery Domain 4: Compliance and Audit Management Domain 6: Interoperability and Portability Domain 7: Traditional Security, Business Continuity, & Disaster Recovery Domain 8: Data Center Operations Domain 9: Incident Response Domain 10: Application Security We focused on using the following domains to create categories important to LinkedIn. Authentication & Administration Auditing Business Continuity Data Security Communication Security Vendor Governance Brand Reputation

14. ©2014 LinkedIn Corporation. All Rights Reserved. Structure of a Domain 5. Communication Security Network Security Testing Application Security Testing Thick-Client or Physical Appliance Security Mobile Client Security Transport Layer Protection Data Loss Prevention 3rd Party Application Interoperability Storage at Rest Virtualization PCI-DSS 2.2.1 AWS Whitepaper Google Security Whitepaper LinkedIn Security Standards CSA 10.6.3 CSA 10.1.3 CSA 5.6.5 PCI-DSS 11.3

16. ©2014 LinkedIn Corporation. All Rights Reserved. Policy Challenges - OAuth When reviewing applications, consider 3rd party integrations What applications are people using? What permissions do those applications have? How will you whitelist or blacklist apps?

18. ©2014 LinkedIn Corporation. All Rights Reserved. SSO Integration Classes Class 0: Saved Password Class 1: SSO, with Username / Password Backdoor Class 2: SSO Access Only Class 3: SSO Access Only, with automatic account deprovisioning

20. ©2014 LinkedIn Corporation. All Rights Reserved. Execution Business Owner Corporate IT New Projects Team Corporate IT Support Security Assurance Legal / Procurement Identify New Solution Review Define Support Pilot Contract Negotiation Validate Production Develop Production Req’s Deployment PM Support

23. ©2014 LinkedIn Corporation. All Rights Reserved. CSIRT Teams Incident Response Teams need access to application assignment, ownership, and data type information quickly. They do not need configuration information

24. ©2014 LinkedIn Corporation. All Rights Reserved. Application Support Teams Application Support teams need to know how to recover applications quickly if there is a SSO platform failure, and who to contact during an outage

26. ©2014 LinkedIn Corporation. All Rights Reserved. Legal Documentation Part of our security controls are enforced through legal documents. Streamline this by adding requirements into the MSA This means defining terminology throughout the policy and documentation and being specific Help your legal team by making a playbook and offering flexibility

29. ©2014 LinkedIn Corporation. All Rights Reserved. Gap Analysis Priority Control Type 1 Platform Usage and Incident Response Security and Operational 2 Content Inspection and Compliance Security 3 Administration and Automation Operational 4 Availability and Performance Monitoring Operational 5 Content Encryption Security 6 Application Inventory Process Security and Operational

30. ©2014 LinkedIn Corporation. All Rights Reserved. Policy Review and Feedback Our data model was too limiting, had to soften Level 2 applications Level 3 applications are very challenging, but we haven’t done enough to fully evaluate A more hands-on approach was needed to guide customers through the process The review process is ongoing & will transition to annual

31. ©2014 LinkedIn Corporation. All Rights Reserved. Variance Process Considering the variance process at the outset will reduce the likelihood that you’re caught needing to push an app through unprepared Capture the compensating controls used for your next policy review When reviewing existing applications, track what are existing risks versus new risks

32. ©2014 LinkedIn Corporation. All Rights Reserved. Takeaways Start with a top-down approach and understand your data model The Cloud Security App space is very young. IAM is a quick win, followed by monitoring, but your requirements may be different Be flexible, this isn’t an HR policy – the business can and will roll over you. Make the process easy, and the corporate-supported apps easier