Components on this page are not available in Touch UI, please switch to Classic to author. Visit go/touch-ui-hub and download the switcher to navigate between the two UIs.

IMPORTANT: INSTANCE DEPRECATION NOTICE | Legacy CQ is now locked. Content creation, editing, and modification are no longer available. This page is flagged for deprecation, and starting Q3FY24, content will no longer be accessible via the CMS. For questions or support, please contact

A security policy framework to help companies unlock the power of the cloud

February 2, 2015

Today’s employees have more data than ever to work with, and expect easy-to-use tools that work everywhere they do. At the same time, IT departments are tasked with deploying more services with less budget, and aren’t always able to buy or build solutions that meet every business unit’s needs and timelines. These challenges have sparked a new, hosted computing model called “the cloud.”

At LinkedIn, we quickly adopted the cloud model for our business operations data. Today we have dozens of supported applications, with more in the queue. These applications range from non-confidential services such as our business-card printing vendor to a highly confidential service we use to run our payroll systems. When evaluating a new cloud application, it’s not as simple as creating accounts and sending data, we must also ensure that the company’s data is being hosted and managed to the highest standards of security.

Organizations such as the Cloud Security Alliance have done an excellent job creating guidance around application security, but their one-size-fits-all approach does not take into account that IT security groups have to to balance security with the needs and speed of the business. To accommodate this, the Cloud Security Team at LinkedIn used guidance from the CSA, Amazon, Google, and the US National Institute of Standards and Technology (NIST) to create a framework designed to enable secure use of a wide range of applications.

Describes how external controls contribute to the policy

What makes this framework unique is the data modeling and leveling process, utilizing the NIST 800-60 guidance to categorize applications into one of three levels from least to most confidential. This categorization then drives a set of appropriate security controls.

Describes three levels of assurance

Using this strategy, we are able to apply appropriate protections, keeping corporate data safe while not acting as a roadblock to progress. The controls are primarily focused on Software-as-a-Service (SaaS) solutions, but many are applicable to Platform- or Infrastructure- as-a-Service deployments as well.

Since no two companies have the same data models and security threats, our goal is to help start a dialog where IT security professionals, as cloud consumers, can share challenges and best practices. To accomplish this, LinkedIn is releasing our policy framework under a Creative Commons Non-Commercial license. This model encourages you to cut-and-paste some or all of our framework in your organization, and contribute to the development of industry best practices.

pdf logoDownload the Policy Framework (PDF)

Please post your thoughts and changes. I, and the rest of the LinkedIn Cloud Security Team, look forward to your feedback!