This document discusses the process of creating a cloud security policy at LinkedIn. It outlines reviewing existing applications and gaps, developing a new policy, authoring controls and requirements, and presenting the policy to various audiences. The timeline shows policy development and rollout over 18 months. Resources are assigned to policy authoring and implementation teams. Challenges addressed include third party applications, data types and classifications, and ensuring the policy is enforceable and scalable for cloud business needs. Lessons learned include taking a top-down approach, allowing flexibility, and ongoing review and feedback to improve the policy.

1. ©2014 LinkedIn Corporation. All Rights Reserved.
Chris Niggel, CISSP CCSK
Charles Nwatu, GSLC
November 2014
Creating a Cloud Security Policy

2. ©2014 LinkedIn Corporation. All Rights Reserved.
About LinkedIn
Our mission is to connect the world’s
professionals to make them more
productive and successful
LinkedIn currently has over 332 million
members worldwide
Over 6,000 full-time employees in 30
cities worldwide

3. ©2014 LinkedIn Corporation. All Rights Reserved.
New Security Challenges
New enterprise applications can be bought
with a corporate card, no need for
procurement cycles
Corporate data is now unmanaged
Corporate security is still expected to provide
Confidentiality, Integrity, and Availability
IT can’t control what
applications
employees use, but
we can make the
approved apps more
attractive than the
alternatives

4. ©2014 LinkedIn Corporation. All Rights Reserved.
Proposal to Create A Policy
Existing policy not enforceable
Not scalable to new cloud business needs
Made executive management aware of shortcomings
Develop plans to identify and resolve gaps

5. ©2014 LinkedIn Corporation. All Rights Reserved.
Policy Timeline
Q4 ‘13 Q1 ‘14 Q2 ‘14 Q3 ‘14 Q4 ‘14 Q1 ‘15
Review of New Applications
Existing Application Gap Analysis
Policy Initial Release
Solution POC
Vendor Selection
Solution Deployment
Vendor Demos
Policy Review 12 Month Review
Security Assurance
Corporate IT
Policy Authoring Team

6. ©2014 LinkedIn Corporation. All Rights Reserved.
Resourcing
Cloud
Security
Incident
Response
IT App
Owner
Security Corp IT
Director, Security Director,
IT
VP, Security
VP,
Engineering
Legal
Review
HR
Review
PMO
Support

7. ©2014 LinkedIn Corporation. All Rights Reserved.
AUTHORING THE POLICY

8. ©2014 LinkedIn Corporation. All Rights Reserved.
10,000 Foot Strategy

9. ©2014 LinkedIn Corporation. All Rights Reserved.
Sample Data Types
Resources: US NIST FIPS 199, NIST 800-60 Vol. 2
Customer Company Personal
Limited Potential impact of release is limited
Confidential Potential impact of release is serious
Highly
Confidential
Potential impact of release is severe

10. ©2014 LinkedIn Corporation. All Rights Reserved.
Level Mapping
A tiered approach enables the creation of security controls that are
appropriate for the types of content handled
Consider the most restrictive requirements for each level
Some content may not be allowed onto the cloud
Define “Cloud” for your organization
ComplexityRisk
Level 1
Level 2
Level 3
DurationEffort

11. ©2014 LinkedIn Corporation. All Rights Reserved.
Sample Assurance Levels
Level 1 Data Classification
Applications that handle data in the following categories are classified as Level 1
Personal Limited
Company Limited
Level 2 Data Classification
Applications that handle data in the following categories are classified as Level 2
Personal Confidential
Company Confidential
Customer Confidential
Level 3 Data Classification
Applications that handle data in the following categories are classified as Level 3
Personal Highly Confidential
Company Highly Confidential
Customer Highly Confidential
Not Classified
We do not have any data in the following categories
Customer Limited
*These levels are not representative of LinkedIn policy

12. ©2014 LinkedIn Corporation. All Rights Reserved.
Identify controls for Data Types
CSA Security Guidelines
PCI-DSS v3.0
AWS Security Whitepaper Google Security Whitepaper
NIST SP 800-61

13. ©2014 LinkedIn Corporation. All Rights Reserved.
Get From Here to There
Domain 2: Governance and Enterprise Risk
Domain 3: Legal Issues: Contracts and Electronic Discovery
Domain 4: Compliance and Audit Management
Domain 6: Interoperability and Portability
Domain 7: Traditional Security, Business Continuity, & Disaster Recovery
Domain 8: Data Center Operations
Domain 9: Incident Response
Domain 10: Application Security
We focused on using the following domains to create categories important to LinkedIn.
Authentication & Administration
Auditing
Business Continuity
Data Security
Communication Security
Vendor Governance
Brand Reputation

14. ©2014 LinkedIn Corporation. All Rights Reserved.
Structure of a Domain
5. Communication Security
Network Security Testing
Application Security Testing
Thick-Client or Physical Appliance Security
Mobile Client Security
Transport Layer Protection
Data Loss Prevention
3rd Party Application Interoperability
Storage at Rest
Virtualization
PCI-DSS 2.2.1
AWS Whitepaper
Google Security
Whitepaper
LinkedIn Security
Standards
CSA 10.6.3
CSA 10.1.3
CSA 5.6.5
PCI-DSS 11.3

15. ©2014 LinkedIn Corporation. All Rights Reserved.
Structure of a Control
ISC2
PCI
2.2.1
CSA
13.1.8

16. ©2014 LinkedIn Corporation. All Rights Reserved.
Policy Challenges - OAuth
When reviewing applications, consider 3rd party integrations
What applications are people using?
What permissions do those applications have?
How will you whitelist or blacklist apps?

17. ©2014 LinkedIn Corporation. All Rights Reserved.
More Policy Challenges
Off Site Backups
Key Management
Drive Destruction
David Gard/Star Ledger/Corbis

18. ©2014 LinkedIn Corporation. All Rights Reserved.
SSO Integration Classes
Class 0: Saved Password
Class 1: SSO, with Username / Password Backdoor
Class 2: SSO Access Only
Class 3: SSO Access Only, with automatic
account deprovisioning

19. ©2014 LinkedIn Corporation. All Rights Reserved.
PRESENTING THE POLICY

20. ©2014 LinkedIn Corporation. All Rights Reserved.
Execution
Business Owner
Corporate IT
New Projects Team
Corporate IT Support
Security Assurance
Legal / Procurement
Identify
New
Solution
Review
Define Support
Pilot
Contract Negotiation
Validate Production
Develop Production Req’s
Deployment PM Support

21. ©2014 LinkedIn Corporation. All Rights Reserved.
Understanding your Audience
Employees / End-Users
Incident Response Teams
Application Support Teams
Security Assurance Team
Legal

22. ©2014 LinkedIn Corporation. All Rights Reserved.
End Users - Service Catalog
Employees want to know where they can store their data, and how to
access those tools when they need them

23. ©2014 LinkedIn Corporation. All Rights Reserved.
CSIRT Teams
Incident Response Teams need access to application assignment,
ownership, and data type information quickly. They do not need configuration
information

24. ©2014 LinkedIn Corporation. All Rights Reserved.
Application Support Teams
Application Support teams need to know
how to recover applications quickly if there is
a SSO platform failure, and who to contact
during an outage

25. ©2014 LinkedIn Corporation. All Rights Reserved.
Assurance Team - Worksheets
Assurance teams need tools to quickly
evaluate new applications

26. ©2014 LinkedIn Corporation. All Rights Reserved.
Legal Documentation
Part of our security controls are enforced
through legal documents. Streamline this
by adding requirements into the MSA
This means defining terminology
throughout the policy and documentation
and being specific
Help your legal team by making a
playbook and offering flexibility

27. ©2014 LinkedIn Corporation. All Rights Reserved.
LESSONS LEARNED

28. ©2014 LinkedIn Corporation. All Rights Reserved.
Cloud Security Solutions

29. ©2014 LinkedIn Corporation. All Rights Reserved.
Gap Analysis
Priority Control Type
1 Platform Usage and Incident Response Security and Operational
2 Content Inspection and Compliance Security
3 Administration and Automation Operational
4 Availability and Performance Monitoring Operational
5 Content Encryption Security
6 Application Inventory Process Security and Operational

30. ©2014 LinkedIn Corporation. All Rights Reserved.
Policy Review and Feedback
Our data model was too limiting, had to soften Level 2 applications
Level 3 applications are very challenging, but we haven’t done enough to
fully evaluate
A more hands-on approach was needed to guide
customers through the process
The review process is ongoing & will transition to annual

31. ©2014 LinkedIn Corporation. All Rights Reserved.
Variance Process
Considering the variance process at the outset will reduce the likelihood that
you’re caught needing to push an app through unprepared
Capture the compensating controls used for your next policy review
When reviewing existing applications, track what are existing risks versus
new risks

32. ©2014 LinkedIn Corporation. All Rights Reserved.
Takeaways
Start with a top-down approach and understand your data model
The Cloud Security App space is very young. IAM is a quick win, followed by
monitoring, but your requirements may be different
Be flexible, this isn’t an HR policy – the business can and will roll over you.
Make the process easy, and the corporate-supported apps easier

33. ©2014 LinkedIn Corporation. All Rights Reserved.©2014 LinkedIn Corporation. All Rights Reserved.©2014 LinkedIn Corporation. All Rights Reserved.