Today’s employees have more data than ever to work with, and expect easy-to-use tools that work everywhere they do. At the same time, IT departments are tasked with deploying more services with less budget, and aren’t always able to buy or build solutions that meet every business unit’s needs and timelines. These challenges have sparked a new, hosted computing model called “the cloud.” Organizations such as the Cloud Security Alliance have done an excellent job creating guidance around application security, but their one-size-fits-all approach does not take into account that IT security groups have to to balance security with the needs and speed of the business. To accommodate this, the Cloud Security Team at LinkedIn used guidance from the CSA, Amazon, Google, and the US National Institute of Standards and Technology (NIST) to create a framework designed to enable secure use of a wide range of applications.
What makes this framework unique is the data modeling and leveling process, utilizing the NIST 800-60 guidance to categorize applications into one of three levels from least to most confidential. This categorization then drives a set of appropriate security controls, enabling us to apply appropriate protections and keep corporate data safe while not acting as a roadblock to progress.
After many internal conversations that started way back before Oktane, we are finally ready to release our Cloud Security Policy Framework! Please send along your feedback, and continue the conversation about how you're managing the growth of cloud applications in your environment. I'm looking forward to it.
A security policy framework to help companies unlock the power of the cloud | LinkedIn Engineering
Original Author: Chris Niggel, LinkedIn (now at Okta)