Creating a Cloud Security Policy

Chris Niggel, CISSP CCSK
Charles Nwatu, GSLC
November 2014
2014 LinkedIn Corporation. All Rights Reserved.

About LinkedIn
Our mission is to connect the world's professionals to make them more productive and successful

LinkedIn currently has over 332 million members worldwide

Over 6,000 full-time employees in 30 cities worldwide

New Security Challenges
New enterprise applications can be bought with a corporate card; there is no need for procurement cycles
Corporate data is now unmanaged
Corporate security is still expected to provide Confidentiality, Integrity, and Availability
IT can't control what applications employees use, but we can make the approved apps more attractive than the alternatives

Proposal to Create a Policy
Existing policy not enforceable
Not scalable to new cloud business needs
Made executive management aware of shortcomings
Develop plans to identify and resolve gaps

Policy Timeline
(Gantt chart; only its labels survive extraction.)
Quarters: Q4 13, Q1 14, Q2 14, Q3 14, Q4 14, Q1 15
Activities: Review of New Applications, Existing Application Gap Analysis, Policy Initial Release, Solution POC, Vendor Selection, Solution Deployment, Vendor Demos, Policy Review, 12 Month Review
Owners: Security Assurance, Corporate IT, Policy Authoring Team

Resourcing
(Org chart; roles only.)
Cloud Security, Incident Response, IT App Owner, Security, Corp IT, Director Security, Director IT, VP Security, VP Engineering, Legal Review, HR Review, PMO Support

Authoring the Policy

10,000 Foot Strategy
(Diagram; no text survives extraction.)

Sample Data Types
Resources: US NIST FIPS 199, NIST SP 800-60 Vol. 2
Data categories (Customer, Company, Personal) are combined with three impact tiers:
Limited: potential impact of release is limited
Confidential: potential impact of release is serious
Highly Confidential: potential impact of release is severe

Level Mapping
A tiered approach enables the creation of security controls that are appropriate for the types of content handled

Consider the most restrictive requirements for each level

Some content may not be allowed onto the cloud

Define Cloud for your organization
(Chart residue: axes Complexity, Risk, Duration and Effort plotted across Level 1, Level 2 and Level 3.)

Sample Assurance Levels
Level 1 Data Classification
Applications that handle data in the following categories are classified as Level 1: Personal Limited, Company Limited

Level 2 Data Classification
Applications that handle data in the following categories are classified as Level 2: Personal Confidential, Company Confidential, Customer Confidential

Level 3 Data Classification
Applications that handle data in the following categories are classified as Level 3: Personal Highly Confidential, Company Highly Confidential, Customer Highly Confidential

Not Classified
We do not have any data in the following categories: Customer Limited

*These levels are not representative of LinkedIn policy

Identify Controls for Data Types
Sources consulted: CSA Security Guidance, PCI-DSS v3.0, AWS Security Whitepaper, Google Security Whitepaper, NIST SP 800-61

Get From Here to There
We focused on the following CSA domains to create categories important to LinkedIn:
Domain 2: Governance and Enterprise Risk
Domain 3: Legal Issues: Contracts and Electronic Discovery
Domain 4: Compliance and Audit Management
Domain 6: Interoperability and Portability
Domain 7: Traditional Security, Business Continuity, & Disaster Recovery
Domain 8: Data Center Operations
Domain 9: Incident Response
Domain 10: Application Security
Resulting LinkedIn control categories: Authentication & Administration, Auditing, Business Continuity, Data Security, Communication Security, Vendor Governance, Brand Reputation

Structure of a Domain
Example domain: 5. Communication Security, with the controls:
Network Security Testing
Application Security Testing
Thick-Client or Physical Appliance Security
Mobile Client Security
Transport Layer Protection
Data Loss Prevention
3rd Party Application Interoperability
Storage at Rest
Virtualization
Each control is traced back to its sources, for example: PCI-DSS 2.2.1, PCI-DSS 11.3, CSA 10.6.3, CSA 10.1.3, CSA 5.6.5, AWS Whitepaper, Google Security Whitepaper, LinkedIn Security Standards

Structure of a Control
(Slide shows a single control with its source references: ISC2, PCI 2.2.1, CSA 13.1.8)

Policy Challenges - OAuth
When reviewing applications, consider 3rd party integrations
What applications are people using?
What permissions do those applications have?
How will you whitelist or blacklist apps?
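The three questions above map directly onto a review of the OAuth grants your identity provider has issued. The script below is an added example, not code from the deck or from LinkedIn: it parses a constructed grant export, aggregates grants per third-party app, and assigns each app an action based on an allowlist, a denylist and the scopes it holds. The export format, the scope names (calendar.readonly, mail.readwrite, and so on), the client IDs and both policy lists are assumptions made up for illustration; a real provider's token report will use its own fields and scope strings.

```python
"""Inventory third-party OAuth grants and decide what to do with each app.

Added example; not code from the LinkedIn deck. The grant export format,
the scope names, and the allow/deny lists are constructed assumptions for
illustration, not any provider's real token report.
"""

# Constructed sample export, one grant per line:
# user,client_id,app_name,space-separated scopes
SAMPLE_GRANTS = """\
alice@example.com,1001,Calendar Sync,calendar.readonly
bob@example.com,1001,Calendar Sync,calendar.readonly
carol@example.com,2002,FreeCRM,contacts.readonly mail.readwrite
dave@example.com,3003,Slide Fixer,drive.readwrite
erin@example.com,2002,FreeCRM,contacts.readonly mail.readwrite
frank@example.com,4004,Expense Bot,profile.basic
"""

# Assumed scopes that grant write or full access to corporate data;
# these are the permissions the deck says to ask about.
HIGH_RISK_SCOPES = {"mail.readwrite", "drive.readwrite", "admin.directory"}

# Assumed policy lists keyed by OAuth client_id.
ALLOWLIST = {"1001"}   # reviewed and approved by security assurance
DENYLIST = {"3003"}    # explicitly prohibited


def parse_grants(export_text):
    """Turn the CSV-like export into a list of grant dicts."""
    grants = []
    for line in export_text.strip().splitlines():
        user, client_id, app_name, scopes = line.split(",", 3)
        grants.append({
            "user": user,
            "client_id": client_id,
            "app": app_name,
            "scopes": set(scopes.split()),
        })
    return grants


def review_grants(grants, allowlist=ALLOWLIST, denylist=DENYLIST,
                  high_risk=HIGH_RISK_SCOPES):
    """Aggregate grants per app and assign an action.

    revoke   - app is on the denylist
    approved - app is on the allowlist
    review   - unknown app holding at least one high-risk scope
    monitor  - unknown app with only low-risk scopes
    """
    apps = {}
    for g in grants:
        entry = apps.setdefault(
            g["client_id"], {"app": g["app"], "users": set(), "scopes": set()})
        entry["users"].add(g["user"])
        entry["scopes"] |= g["scopes"]

    findings = {}
    for client_id, entry in apps.items():
        risky = entry["scopes"] & high_risk
        if client_id in denylist:
            action = "revoke"
        elif client_id in allowlist:
            action = "approved"
        elif risky:
            action = "review"
        else:
            action = "monitor"
        findings[client_id] = {
            "app": entry["app"],
            "user_count": len(entry["users"]),
            "risky_scopes": sorted(risky),
            "action": action,
        }
    return findings


def revocation_list(grants, findings):
    """(user, client_id) pairs whose grants must be revoked."""
    return sorted((g["user"], g["client_id"]) for g in grants
                  if findings[g["client_id"]]["action"] == "revoke")


if __name__ == "__main__":
    parsed = parse_grants(SAMPLE_GRANTS)
    result = review_grants(parsed)
    # Most widely used apps first: that is the "what are people using" view.
    for cid, f in sorted(result.items(), key=lambda kv: -kv[1]["user_count"]):
        print(f"{f['app']:<14} users={f['user_count']} "
              f"risky={f['risky_scopes']} action={f['action']}")
    print("revoke:", revocation_list(parsed, result))
```

Note that the denylist check runs before the allowlist check, so a client ID that somehow lands on both lists is revoked rather than approved; the scope check only matters for apps on neither list, which is where an unreviewed app with mail or drive write access gets queued for assurance review instead of silently staying in "monitor".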

More Policy Challenges
Off Site Backups

Key Management

Drive Destruction

(Photo credit: David Gard/Star Ledger/Corbis)

SSO Integration Classes
Class 0: Saved Password
Class 1: SSO, with Username / Password Backdoor
Class 2: SSO Access Only
Class 3: SSO Access Only, with automatic account deprovisioning
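The practical difference between these classes shows up at offboarding: only a Class 3 app removes a leaver's account on its own, so for everything below Class 3 someone has to reconcile the app's user list against the identity provider. The following is an added example, not code from the deck or from LinkedIn. It maps an app's login configuration to Class 0 through 3 using the definitions above and then reports orphaned accounts per app. The AppIntegration attribute names, the sample apps and the user lists are constructed assumptions.

```python
"""Classify SaaS applications into the deck's SSO integration classes and
reconcile app accounts against the identity provider.

Added example; not code from the LinkedIn deck. The AppIntegration
attributes and the sample user lists are constructed assumptions.
"""

from dataclasses import dataclass, field


@dataclass
class AppIntegration:
    name: str
    sso_enabled: bool            # SAML/OIDC login through the corporate IdP
    local_password_login: bool   # app still accepts its own username/password
    auto_deprovision: bool       # SCIM (or equivalent) removes users automatically
    app_users: set = field(default_factory=set)   # accounts present in the app


def sso_class(app):
    """Map an app's login configuration to Class 0..3 from the deck."""
    if not app.sso_enabled:
        return 0            # saved password only
    if app.local_password_login:
        return 1            # SSO, but a password backdoor remains
    if not app.auto_deprovision:
        return 2            # SSO access only, manual offboarding
    return 3                # SSO access only, automatic deprovisioning


def orphaned_accounts(app, idp_active_users):
    """Accounts that exist in the app but no longer exist in the IdP."""
    return sorted(app.app_users - idp_active_users)


def reconcile(apps, idp_active_users):
    """Per-app status describing what the orphaned accounts mean.

    ok                  - no orphans
    manual_deprovision  - orphans in a Class 0-2 app (nothing removes them)
    provisioning_broken - orphans in a Class 3 app (automation has failed)
    """
    report = {}
    for app in apps:
        cls = sso_class(app)
        orphans = orphaned_accounts(app, idp_active_users)
        if not orphans:
            status = "ok"
        elif cls == 3:
            status = "provisioning_broken"
        else:
            status = "manual_deprovision"
        report[app.name] = {"class": cls, "orphans": orphans, "status": status}
    return report


# Constructed sample data: who is still active in the IdP, and what each
# app's own user list looks like.
SAMPLE_IDP_USERS = {"alice", "bob", "carol"}
SAMPLE_APPS = [
    AppIntegration("Wiki", True, False, True, {"alice", "bob"}),
    AppIntegration("CRM", True, False, False, {"alice", "carol", "dave"}),
    AppIntegration("Legacy Tool", False, True, False, {"bob", "erin"}),
    AppIntegration("HR Portal", True, True, False, {"alice", "bob", "carol"}),
    AppIntegration("Ticketing", True, False, True, {"alice", "frank"}),
]


def run_sample():
    return reconcile(SAMPLE_APPS, SAMPLE_IDP_USERS)


if __name__ == "__main__":
    for name, r in run_sample().items():
        print(f"{name:<12} class={r['class']} status={r['status']} "
              f"orphans={r['orphans']}")
```

One caveat the reconciliation does not cover: in a Class 0 or Class 1 app, an account that is still present for an active user also carries a password the IdP does not control, so disabling the IdP account alone does not cut off access. For those classes the offboarding runbook has to disable the local credential as well, which is why the deck ranks them below SSO-only access.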

Presenting the Policy

Execution
(Swimlane diagram; lanes and steps only.)
Lanes: Business Owner, Corporate IT, New Projects Team, Corporate IT Support, Security Assurance, Legal / Procurement
Steps: Identify New Solution, Review, Define Support, Pilot, Contract Negotiation, Validate Production, Develop Production Reqs, Deployment PM Support

Understanding your Audience
Employees / End-Users
Incident Response Teams
Application Support Teams
Security Assurance Team
Legal

End Users - Service Catalog
Employees want to know where they can store their data, and how to access those tools when they need them

CSIRT Teams
Incident Response Teams need access to application assignment, ownership, and data type information quickly. They do not need configuration information

Application Support Teams
Application Support teams need to know how to recover applications quickly if there is an SSO platform failure, and who to contact during an outage

Assurance Team - Worksheets
Assurance teams need tools to quickly evaluate new applications

Legal Documentation
Some of our security controls are enforced through legal documents. Streamline this by adding requirements into the MSA

This means defining terminology throughout the policy and documentation and being specific

Help your legal team by making a playbook and offering flexibility

Lessons Learned

Cloud Security Solutions

Gap Analysis
Priority  Control                                   Type
1         Platform Usage and Incident Response      Security and Operational
2         Content Inspection and Compliance         Security
3         Administration and Automation             Operational
4         Availability and Performance Monitoring   Operational
5         Content Encryption                        Security
6         Application Inventory Process             Security and Operational

Policy Review and Feedback
Our data model was too limiting; we had to soften the requirements for Level 2 applications

Level 3 applications are very challenging, but we haven't done enough to fully evaluate them

A more hands-on approach was needed to guide customers through the process

The review process is ongoing and will transition to annual

Variance Process
Considering the variance process at the outset will reduce the likelihood that you're caught needing to push an app through unprepared

Capture the compensating controls used for your next policy review

When reviewing existing applications, track which risks are existing risks versus new risks

Takeaways
Start with a top-down approach and understand your data model
The Cloud Security App space is very young. IAM is a quick win, followed by monitoring, but your requirements may be different
Be flexible: this isn't an HR policy, and the business can and will roll over you. Make the process easy, and the corporate-supported apps easier