Transcript

©2014 LinkedIn Corporation. All Rights Reserved.

Chris Niggel, CISSP CCSK

Charles Nwatu, GSLC

November 2014

Creating a Cloud Security Policy


About LinkedIn

Our mission is to connect the world’s professionals to make them more productive and successful

LinkedIn currently has over 332 million members worldwide

Over 6,000 full-time employees in 30 cities worldwide


New Security Challenges

New enterprise applications can be bought with a corporate card, no need for procurement cycles

Corporate data is now unmanaged

Corporate security is still expected to provide Confidentiality, Integrity, and Availability

IT can’t control what applications employees use, but we can make the approved apps more attractive than the alternatives


Proposal to Create A Policy

Existing policy not enforceable

Not scalable to new cloud business needs

Made executive management aware of shortcomings

Develop plans to identify and resolve gaps


Policy Timeline

Gantt chart spanning Q4 ‘13, Q1 ‘14, Q2 ‘14, Q3 ‘14, Q4 ‘14 and Q1 ‘15, with swimlanes for Security Assurance, Corporate IT and the Policy Authoring Team

Milestones shown: Review of New Applications; Existing Application Gap Analysis; Policy Initial Release; Solution POC; Vendor Selection; Solution Deployment; Vendor Demos; Policy Review; 12 Month Review


Resourcing

Org chart of the teams and functions resourced for the policy:

Working groups: Cloud Security, Incident Response, IT App Owner

Security: Director, Security; VP, Security

Corp IT: Director, IT; VP, Engineering

Supporting functions: Legal Review, HR Review, PMO Support


AUTHORING THE POLICY


10,000 Foot Strategy


Sample Data Types

Resources: US NIST FIPS 199, NIST 800-60 Vol. 2

Data categories: Customer, Company, Personal

Sensitivity            Definition
Limited                Potential impact of release is limited
Confidential           Potential impact of release is serious
Highly Confidential    Potential impact of release is severe


Level Mapping

A tiered approach enables the creation of security controls that are appropriate for the types of content handled

Consider the most restrictive requirements for each level

Some content may not be allowed onto the cloud

Define “Cloud” for your organization

Figure: Level 1, Level 2 and Level 3 plotted against Complexity/Risk on one axis and Duration/Effort on the other


Sample Assurance Levels

Level 1 Data Classification

Applications that handle data in the following categories are classified as Level 1

Personal Limited

Company Limited

Level 2 Data Classification

Applications that handle data in the following categories are classified as Level 2

Personal Confidential

Company Confidential

Customer Confidential

Level 3 Data Classification

Applications that handle data in the following categories are classified as Level 3

Personal Highly Confidential

Company Highly Confidential

Customer Highly Confidential

Not Classified

We do not have any data in the following categories

Customer Limited

*These levels are not representative of LinkedIn policy


Identify controls for Data Types

CSA Security Guidelines

PCI-DSS v3.0

AWS Security Whitepaper

Google Security Whitepaper

NIST SP 800-61


Get From Here to There

Domain 2: Governance and Enterprise Risk Management

Domain 3: Legal Issues: Contracts and Electronic Discovery

Domain 4: Compliance and Audit Management

Domain 6: Interoperability and Portability

Domain 7: Traditional Security, Business Continuity, & Disaster Recovery

Domain 8: Data Center Operations

Domain 9: Incident Response

Domain 10: Application Security

We focused on using the following domains to create categories important to LinkedIn.

Authentication & Administration

Auditing

Business Continuity

Data Security

Communication Security

Vendor Governance

Brand Reputation


Structure of a Domain (example: 5. Communication Security)

Controls in the domain:

Network Security Testing

Application Security Testing

Thick-Client or Physical Appliance Security

Mobile Client Security

Transport Layer Protection

Data Loss Prevention

3rd Party Application Interoperability

Storage at Rest

Virtualization

Each control is cross-referenced to its sources, for example PCI-DSS 2.2.1, PCI-DSS 11.3, CSA 10.6.3, CSA 10.1.3, CSA 5.6.5, the AWS Whitepaper, the Google Security Whitepaper and the LinkedIn Security Standards


Structure of a Control

Figure: a single control entry with its source references (ISC2, PCI 2.2.1, CSA 13.1.8)


Policy Challenges - OAuth

When reviewing applications, consider 3rd party integrations

What applications are people using?

What permissions do those applications have?

How will you whitelist or blacklist apps?
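The three questions above become a repeatable review once the identity provider's OAuth token export is run against an allowlist, a denylist and a scope-risk table. The script below is an added example for this transcript, not tooling from the talk or from LinkedIn; the grant records, the client_ids and the scope-risk table are constructed (the scope strings imitate Google Workspace scope URIs purely for illustration), and unknown scopes are deliberately treated as high risk so that an unexplained permission can never slip through as "allowed".

```python
"""Triage third-party OAuth grants against an allowlist, a denylist and a
scope-risk table. Added example; grants, client_ids and scopes are constructed."""
from dataclasses import dataclass, field

# Constructed scope-risk table (assumption). Real scope strings depend on the
# identity provider; these mimic Google Workspace scope URIs for illustration.
SCOPE_RISK = {
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/calendar.readonly": "medium",
    "https://www.googleapis.com/auth/drive.readonly": "high",
    "https://www.googleapis.com/auth/drive": "high",
    "https://mail.google.com/": "high",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Grant:
    """One user-to-app consent as exported from the identity provider."""
    user: str
    app_name: str
    client_id: str
    scopes: list


@dataclass
class Verdict:
    client_id: str
    app_name: str
    status: str = ""            # allowed | review | blocked
    max_risk: str = "low"
    users: list = field(default_factory=list)
    scopes: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def scope_risk(scope):
    # A scope the reviewer cannot explain is one the reviewer cannot approve,
    # so unknown scopes count as high risk instead of being ignored.
    return SCOPE_RISK.get(scope, "high")


def max_risk(scopes):
    worst = "low"
    for scope in scopes:
        if RISK_ORDER[scope_risk(scope)] > RISK_ORDER[worst]:
            worst = scope_risk(scope)
    return worst


def triage(grants, allowlist, denylist):
    """Group grants per client_id and decide allowed / review / blocked."""
    verdicts = {}
    for g in grants:
        v = verdicts.setdefault(g.client_id, Verdict(g.client_id, g.app_name))
        v.users.append(g.user)
        for s in g.scopes:
            if s not in v.scopes:
                v.scopes.append(s)
    for v in verdicts.values():
        v.max_risk = max_risk(v.scopes)
        if v.client_id in denylist:
            v.status = "blocked"
            v.reasons.append("client_id is on the denylist; revoke existing grants")
        elif v.client_id in allowlist:
            v.status = "allowed"
            v.reasons.append("client_id is on the allowlist")
        elif v.max_risk == "low":
            v.status = "allowed"
            v.reasons.append("sign-in-only scopes; no access to corporate content")
        else:
            v.status = "review"
            v.reasons.append(f"unreviewed app requests {v.max_risk}-risk scopes")
        unknown = [s for s in v.scopes if s not in SCOPE_RISK]
        if unknown:
            v.reasons.append("unrecognised scopes: " + ", ".join(unknown))
    return verdicts


def revocations(verdicts):
    """(user, client_id) pairs whose grants should be revoked."""
    return sorted((u, v.client_id) for v in verdicts.values()
                  if v.status == "blocked" for u in v.users)


EMAIL = "https://www.googleapis.com/auth/userinfo.email"
PROFILE = "https://www.googleapis.com/auth/userinfo.profile"
DRIVE = "https://www.googleapis.com/auth/drive"
DRIVE_RO = "https://www.googleapis.com/auth/drive.readonly"
MAIL = "https://mail.google.com/"

# Constructed token export; app names and client_ids are invented.
SAMPLE_GRANTS = [
    Grant("alice", "Team Chat", "chat-app.example", [EMAIL, PROFILE, DRIVE_RO]),
    Grant("bob", "Team Chat", "chat-app.example", [EMAIL, DRIVE]),
    Grant("alice", "PDF Merge", "pdf-merge.example", [EMAIL, DRIVE]),
    Grant("carol", "PDF Merge", "pdf-merge.example", [EMAIL, DRIVE]),
    Grant("dave", "Mail Digest", "mail-digest.example", [EMAIL, MAIL]),
    Grant("erin", "Lunch Poll", "lunch-poll.example", [EMAIL, PROFILE]),
    Grant("frank", "Notes Sync", "notes-sync.example",
          [EMAIL, "https://example.com/auth/notes.write"]),
]
ALLOWLIST = {"chat-app.example"}
DENYLIST = {"pdf-merge.example"}

if __name__ == "__main__":
    for v in triage(SAMPLE_GRANTS, ALLOWLIST, DENYLIST).values():
        print(f"{v.status:8} {v.max_risk:6} {v.app_name:12} "
              f"users={len(v.users)} :: {'; '.join(v.reasons)}")
```

The allowlist is keyed on client_id rather than on the display name, because an app's name is chosen by its publisher and can be made to look like an approved product. Grants are aggregated per app so the reviewer sees the union of scopes any user has granted, which is the real exposure, not the scopes of a single consent.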


More Policy Challenges

Off Site Backups

Key Management

Drive Destruction

Photo credit: David Gard/Star Ledger/Corbis


SSO Integration Classes

Class 0: Saved Password

Class 1: SSO, with Username / Password Backdoor

Class 2: SSO Access Only

Class 3: SSO Access Only, with automatic account deprovisioning
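The worksheet an assurance team needs (see the Level Mapping, Sample Assurance Levels and SSO Integration Classes slides) can be reduced to a small rule set: take the most restrictive level across every data type the application handles, flag any content the policy bars from the cloud, and check the SSO integration class against the level. The script below is an added example for this transcript, not LinkedIn's worksheet. The data-level table copies the talk's sample levels, which the slide itself says are not LinkedIn policy; the minimum-SSO-class-per-level mapping and the set of cloud-prohibited data types are assumptions made for the example, since the talk does not state either.

```python
"""Assurance worksheet: derive an application's assurance level from the data
types it handles, then check its SSO integration class against that level.
Added example; MIN_SSO_CLASS and the prohibited set are assumptions."""
from dataclasses import dataclass, field

# Sample data classification from the talk: (category, sensitivity) -> level.
DATA_LEVEL = {
    ("Personal", "Limited"): 1,
    ("Company", "Limited"): 1,
    ("Personal", "Confidential"): 2,
    ("Company", "Confidential"): 2,
    ("Customer", "Confidential"): 2,
    ("Personal", "Highly Confidential"): 3,
    ("Company", "Highly Confidential"): 3,
    ("Customer", "Highly Confidential"): 3,
}

# SSO integration classes from the talk.
SSO_CLASS = {
    0: "saved password",
    1: "SSO with username/password backdoor",
    2: "SSO access only",
    3: "SSO access only with automatic deprovisioning",
}

# Assumption for this example: minimum SSO class required at each level.
# The talk does not state this mapping; substitute your own policy.
MIN_SSO_CLASS = {1: 1, 2: 2, 3: 3}


@dataclass
class Assessment:
    app: str
    level: int            # 0 when no classified data type was declared
    verdict: str          # approve | variance | not-permitted | incomplete
    findings: list = field(default_factory=list)


def assess(app, data_types, sso_class, cloud_prohibited=frozenset()):
    """Apply the most restrictive requirement across all declared data types.

    data_types is a list of (category, sensitivity) tuples."""
    findings = []
    levels = []
    for cat, sens in data_types:
        if (cat, sens) in cloud_prohibited:
            findings.append(f"{cat} {sens} data may not be placed in the cloud")
        if (cat, sens) in DATA_LEVEL:
            levels.append(DATA_LEVEL[(cat, sens)])
        else:
            findings.append(f"{cat} {sens} is not a classified data type; policy review needed")
    level = max(levels, default=0)
    prohibited = any(dt in cloud_prohibited for dt in data_types)
    unclassified = any(dt not in DATA_LEVEL for dt in data_types)
    sso_gap = level > 0 and sso_class < MIN_SSO_CLASS[level]
    if sso_gap:
        findings.append(
            f"Level {level} requires SSO class {MIN_SSO_CLASS[level]} "
            f"({SSO_CLASS[MIN_SSO_CLASS[level]]}); app offers class {sso_class} "
            f"({SSO_CLASS[sso_class]})")
    if prohibited:
        verdict = "not-permitted"
    elif unclassified or level == 0:
        verdict = "incomplete"
    elif sso_gap:
        # Goes through the variance process; record the compensating
        # controls so the next policy review can revisit them.
        verdict = "variance"
    else:
        verdict = "approve"
    return Assessment(app, level, verdict, findings)


# Constructed worksheet entries; app names are invented. The prohibited set is
# illustrative only: the talk says some content may be barred from the cloud
# but does not say which.
PROHIBITED = frozenset({("Customer", "Highly Confidential")})
SAMPLE_APPS = [
    ("Expense tool", [("Personal", "Confidential"), ("Company", "Limited")], 2),
    ("Support desk", [("Customer", "Confidential"), ("Company", "Confidential")], 1),
    ("Lunch survey", [("Customer", "Limited")], 0),
    ("Usage analytics", [("Customer", "Highly Confidential")], 3),
]


def run_worksheet(apps=SAMPLE_APPS, cloud_prohibited=PROHIBITED):
    return [assess(name, types, sso, cloud_prohibited) for name, types, sso in apps]


if __name__ == "__main__":
    for a in run_worksheet():
        print(f"{a.app:16} level={a.level} {a.verdict:13} {'; '.join(a.findings)}")
```

An application that declares only unclassified data ("Customer Limited" in the sample levels) comes back as incomplete rather than approved, so a gap in the data model surfaces as a policy question instead of silently passing review.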


PRESENTING THE POLICY


Execution

Process chart with a swimlane per role: Business Owner; Corporate IT; New Projects Team; Corporate IT Support; Security Assurance; Legal / Procurement

Steps shown: Identify New Solution; Review; Define Support; Pilot; Contract Negotiation; Validate Production; Develop Production Req’s; Deployment PM Support


Understanding your Audience

Employees / End-Users

Incident Response Teams

Application Support Teams

Security Assurance Team

Legal


End Users - Service Catalog

Employees want to know where they can store their data, and how to access those tools when they need them


CSIRT Teams

Incident Response Teams need access to application assignment, ownership, and data type information quickly. They do not need configuration information


Application Support Teams

Application Support teams need to know how to recover applications quickly if there is a SSO platform failure, and who to contact during an outage


Assurance Team - Worksheets

Assurance teams need tools to quickly evaluate new applications


Legal Documentation

Some of our security controls are enforced through legal documents. Streamline this by adding the requirements to the MSA

This means defining terminology throughout the policy and documentation and being specific

Help your legal team by making a playbook and offering flexibility


LESSONS LEARNED


Cloud Security Solutions


Gap Analysis

Priority  Control                                   Type
1         Platform Usage and Incident Response      Security and Operational
2         Content Inspection and Compliance         Security
3         Administration and Automation             Operational
4         Availability and Performance Monitoring   Operational
5         Content Encryption                        Security
6         Application Inventory Process             Security and Operational


Policy Review and Feedback

Our data model was too limiting, had to soften Level 2 applications

Level 3 applications are very challenging, but we haven’t done enough to fully evaluate

A more hands-on approach was needed to guide customers through the process

The review process is ongoing & will transition to annual


Variance Process

Considering the variance process at the outset will reduce the likelihood that you’re caught needing to push an app through unprepared

Capture the compensating controls used for your next policy review

When reviewing existing applications, track what are existing risks versus new risks


Takeaways

Start with a top-down approach and understand your data model

The Cloud Security App space is very young. IAM is a quick win, followed by monitoring, but your requirements may be different

Be flexible, this isn’t an HR policy – the business can and will roll over you.

Make the process easy, and the corporate-supported apps easier
