IT Security Review FAQ

This article reviews the following information:

  1. Third Party Relationships / Outsourced Services
  2. Infrastructure Security
  3. Data Security
  4. Application Security
  5. Application Development Best Practices
  6. Human Resources Security
  7. Infrastructure Disaster Recovery & Business Continuity

Click the quick link above to jump to that section, or scroll to follow the full article.


Third Party Relationships / Outsourced Services

IT Management

Limelight engages with an external vendor to provide IT Management services:

ITMethods
36 York Mills Road 
Toronto, ON M2P 2E9

ITMethods is a recognized vendor with Amazon Web Services (AWS) Managed Services Partner (MSP) certification.

Reference to AWS MSP Partners information: Click here

Cloud Hosting

Limelight uses Amazon Web Services (AWS) as its cloud-hosting provider.

Physical / Environmental Security

Limelight does not manage physical infrastructure. The application is hosted on the Amazon Web Services (AWS) cloud platform, so physical and environmental security of the data centers is managed by Amazon. Under the AWS shared responsibility model this covers the facilities, hardware and hypervisor; the configuration of the services running on AWS remains the responsibility of Limelight and its IT management vendor, and is covered in the sections below.

Details available from: AWS Security Whitepaper – Page 5, section on “Physical and Environmental Security”

Compliance & Attestation

SOC 1 / SOC 2

AWS holds SOC 1 and SOC 2 attestations; more information on AWS SOC compliance can be found here.

If the SOC 1 / SOC 2 report is required, please contact Limelight to retrieve a copy of the confidential report. Note that these reports attest to AWS's controls as the hosting provider, not to Limelight's own application and operational controls.

ISO 27001

AWS is ISO 27001 certified; the certificate can be found here.

Other Third Party Attestations / Certifications

An overall summary of AWS attestations and certifications can be found here.


Infrastructure Security

Standard Server Hardening Configuration

Servers are hardened through standard deployment scripts as follows:
  • Servers are built from base images using a configuration manager
  • All packages are updated to their latest versions
  • All ports are blocked, except those required for communication with other servers
  • Inbound internet access is blocked, except where required
  • SSH access is only allowed from a bastion host
  • Root login over SSH is disabled. Sudo access is granted to specific users with a restricted set of commands
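One way to verify the SSH-related items in that list on a deployed server is to audit its sshd_config rather than trust the deployment script. The following is an added example written for this page; it is not Limelight's or ITMethods' tooling. The bastion address 10.0.1.10, the user names deploy and ops, and both sample configurations are constructed for the example.

```python
"""Audit an sshd_config against the hardening rules above.

Added example, not Limelight's or ITMethods' deployment script. The bastion
address 10.0.1.10 and the user names deploy/ops are assumptions used to
build the constructed sample configurations below.
"""
from __future__ import annotations

# Constructed sample configurations (not taken from any real server).
HARDENED_SSHD_CONFIG = """
# Hardened: key-only logins, no root, named users, bastion as the only source
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@10.0.1.10 ops@10.0.1.10
"""

WEAK_SSHD_CONFIG = """
# Drifted: root and password logins allowed, any account from anywhere
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the global directives (lower-cased keyword -> value).

    Lines after the first 'Match' block are conditional, not global, so
    parsing stops there. Comments and blank lines are ignored. sshd uses
    the first occurrence of a keyword, so the first value seen is kept.
    """
    directives: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        directives.setdefault(keyword, value)
    return directives


def audit_sshd_config(text: str, bastion_host: str) -> list[str]:
    """Return findings against the rules listed above; an empty list means compliant."""
    d = parse_sshd_config(text)
    findings: list[str] = []
    # Rule: root is blocked from SSH. Anything other than an explicit 'no' fails.
    if d.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root can log in over SSH")
    # Rule: individual SSH keys. PasswordAuthentication defaults to 'yes' when absent.
    if d.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': keys are not mandatory")
    if d.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    # Rule: named users only, and only from the bastion. AllowUsers accepts
    # user@host patterns, which ties each account to a source address.
    allow = d.get("allowusers")
    if allow is None:
        findings.append("no AllowUsers directive: every local account may log in")
    else:
        for entry in allow.split():
            _user, _, source = entry.partition("@")
            if source != bastion_host:
                findings.append(
                    f"AllowUsers entry {entry!r} is not limited to the bastion {bastion_host}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_SSHD_CONFIG), ("weak", WEAK_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg, "10.0.1.10") or ["OK"])
```

Run it against `/etc/ssh/sshd_config` on each host as part of the configuration-manager run; a non-empty result is drift from the stated baseline. Restricting SSH to the bastion should additionally be enforced by the network layer (security groups), since the sshd rule only helps once a packet has already reached the host.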

Network Encryption (Encryption In-Transit)

The Limelight platform uses TLS 1.2 to secure connections. The cipher suite actually used for a connection is negotiated between client and server from the following list supported by the infrastructure:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA256

The suites prefixed ECDHE use ephemeral elliptic-curve Diffie-Hellman key exchange and therefore provide forward secrecy; the four suites without that prefix use static RSA key exchange and do not. The GCM suites are AEAD ciphers, while the SHA256/SHA384 suites without GCM use AES in CBC mode with an HMAC.
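To make that distinction mechanical, the following added example (editor's code, not Limelight's configuration tooling) classifies each suite in the list above by key exchange, cipher mode and key size, and derives a server-preference order. The suite names are the ones on this page; the assumption that the servers accept an OpenSSL-style colon-separated cipher string is the editor's.

```python
"""Classify the TLS 1.2 cipher suites listed on this page.

Added example; the suite names are copied from the page, the classification
and ordering logic are the editor's, not Limelight's tooling. Feeding the
result to an OpenSSL-style cipher string is an assumption about the servers.
"""
from __future__ import annotations

SUPPORTED_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256",
    "AES128-SHA256",
    "AES256-GCM-SHA384",
    "AES256-SHA256",
]


def classify(suite: str) -> dict[str, object]:
    """Describe one OpenSSL-named TLS 1.2 suite by its security properties."""
    parts = suite.split("-")
    # OpenSSL names carry the key exchange only when it is not plain RSA:
    # 'ECDHE-RSA-...' is ephemeral ECDH authenticated with RSA,
    # 'AES128-...' is static RSA key exchange (no forward secrecy).
    forward_secrecy = parts[0] == "ECDHE"
    aead = "GCM" in parts  # AES-GCM is authenticated encryption
    return {
        "suite": suite,
        "forward_secrecy": forward_secrecy,
        "mode": "GCM" if aead else "CBC",  # non-GCM AES suites here are CBC + HMAC
        "key_bits": 256 if "AES256" in parts else 128,
        "auth": "ECDSA" if "ECDSA" in parts else "RSA",
    }


def weak_points(suites: list[str]) -> dict[str, list[str]]:
    """Suites that lose forward secrecy, and suites that use CBC mode."""
    info = [classify(s) for s in suites]
    return {
        "no_forward_secrecy": [i["suite"] for i in info if not i["forward_secrecy"]],
        "cbc_mode": [i["suite"] for i in info if i["mode"] == "CBC"],
    }


def preferred_order(suites: list[str]) -> list[str]:
    """Server-preferred order: forward secrecy first, then AEAD, then 256-bit keys.

    The sort is stable, so ties keep the order given on the page.
    """
    def rank(suite: str) -> tuple[int, int, int]:
        c = classify(suite)
        return (
            0 if c["forward_secrecy"] else 1,
            0 if c["mode"] == "GCM" else 1,
            0 if c["key_bits"] == 256 else 1,
        )
    return sorted(suites, key=rank)


def openssl_cipher_string(suites: list[str]) -> str:
    """Colon-separated list in the form OpenSSL-based servers accept."""
    return ":".join(preferred_order(suites))


if __name__ == "__main__":
    for key, names in weak_points(SUPPORTED_CIPHERS).items():
        print(f"{key}: {', '.join(names)}")
    print(openssl_cipher_string(SUPPORTED_CIPHERS))
```

The output shows that four of the twelve suites give up forward secrecy and six use CBC mode; if client compatibility allows, dropping the non-ECDHE suites and enabling server-side cipher ordering keeps the negotiated suite in the ECDHE-GCM group.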

Database Encryption (Encryption At-Rest)

The Limelight platform uses the encryption at rest provided by Amazon Web Services (AWS) RDS, which applies AES-GCM encryption with randomly and uniquely generated 256-bit keys. RDS encryption at rest also covers the instance's automated backups, read replicas and snapshots, and is enabled when the database instance is created.

Network Access Configuration - Least Privileged

Network configuration is implemented on the principle of least privilege using an allowlist approach: everything is blocked by default, and only explicitly required traffic is allowed.
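An allowlist posture is easy to state and easy to lose to a single broad rule, so it is worth checking mechanically. The following added example (editor's code, not ITMethods' network configuration) audits security-group ingress rules in the shape the EC2 DescribeSecurityGroups API returns. The group IDs, CIDRs, the choice of 443 as the only internet-facing port and the sample groups themselves are all constructed for the example.

```python
"""Check security-group ingress rules for an allowlist posture.

Added example; not ITMethods' network configuration. The groups below are
constructed in the shape EC2 DescribeSecurityGroups returns; the group IDs,
CIDRs and the set of internet-facing ports are assumptions.
"""
from __future__ import annotations

BASTION_SG = "sg-0bastion00000001"   # assumed ID of the bastion's security group
INTERNET_PORTS = {443}               # assumed: only HTTPS is meant to face the internet
INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed sample, not a real account's rules.
SAMPLE_GROUPS = [
    {"GroupId": BASTION_SG, "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0web000000000001", "GroupName": "web-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
    ]},
    {"GroupId": "sg-0app000000000001", "GroupName": "app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0web000000000001"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # drift: SSH from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",                                  # drift: all traffic from the VPC
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]


def from_internet(perm: dict) -> bool:
    """True if any source CIDR of the rule is the whole IPv4 or IPv6 internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & INTERNET)


def audit_security_groups(groups: list[dict], internet_ports: set[int], bastion_sg: str) -> list[str]:
    """Return one finding per ingress rule that breaks the allowlist model."""
    findings: list[str] = []
    for g in groups:
        where = f"{g['GroupName']} ({g['GroupId']})"
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] == "-1":
                findings.append(f"{where}: allows all protocols and ports; list the required ports instead")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if lo <= 22 <= hi and g["GroupId"] != bastion_sg:
                # SSH must come only from the bastion's group, never from a CIDR.
                sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
                if perm.get("IpRanges") or perm.get("Ipv6Ranges") or sources != {bastion_sg}:
                    findings.append(f"{where}: SSH (ports {lo}-{hi}) reachable from somewhere other than the bastion")
            elif from_internet(perm) and not (lo == hi and lo in internet_ports):
                findings.append(f"{where}: ports {lo}-{hi} are open to the internet")
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS, INTERNET_PORTS, BASTION_SG):
        print(f)
```

The two findings both come from the app-servers group: SSH open to the world, and an all-protocols rule from the VPC range. Referencing the bastion's security group as the source (rather than its IP) is what lets the rule survive a bastion rebuild with a new address.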

Network Security Appliances / Applications

Network security is provided both through AWS (AWS Shield and an intrusion detection and prevention system, IDS/IPS, running on AWS EC2) and through the network configuration managed by ITMethods.

Access Control & Management

Access to infrastructure requires individual SSH keys, and is only available through secure protocols (e.g. SSH). Access is controlled on a per-user basis: only a restricted set of users have access to production systems, and only a subset of those have write access.

User access history and activity on the servers, including installation of any packages or applications, is logged and monitored.

Monitoring

Automated monitoring is in place that triggers alerts on suspicious activity requiring manual investigation.

Patches & Updates

IT Management (ITMethods) is responsible for ensuring that the latest security patches are installed, for maintaining the access control and network security configuration, and for overall system monitoring and alerting.

Production and Test Environments Segregation

Production and test environments are fully separated and never interact with each other.
There is no cross-pollination of data between the non-production and production environments. Confidential data from real users exists only in production. Development and testing must generate their own test data in the non-production environment.

Data Security

Personal Identifiable Information (PII)

The Limelight Platform is configurable per client and per event (project) to decide which data fields are collected from the consumer.
As part of the project configuration, the client can mark a data field as Personal Identifiable Information. Any data stored in that field is then treated as sensitive, which allows PII-only data to be erased later without deleting the whole data set.
The client can also choose from various validation types and set whether each data field is mandatory or optional.
While not required, the most basic configuration commonly used per project includes three fields: email, first name and last name.

Encryption

Data is encrypted both in transit and at rest.
Please review the Infrastructure Security section for more details on encryption in transit and encryption at rest.

Data Retention

The Limelight Platform has an optional, configurable data retention policy on a per-client basis. Each client may request that Limelight remove data after a certain period of time, determined by the client's business rules and requirements.
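The per-field PII flag described under Personal Identifiable Information and the per-client retention period described above act on the same stored records, so one added example covers both. This is the editor's model of the behaviour the page describes, not Limelight's code; the field definitions, the validation types, the record layout (including the platform-set `collected_on` date) and the sample submissions are all constructed for the example.

```python
"""Per-project field configuration: PII flags, validation, erasure and retention.

Added example modelling the behaviour described under Personal Identifiable
Information and Data Retention; it is not Limelight's code. The field
definitions, validation types, record layout and sample records are assumptions.
"""
from __future__ import annotations

import re
from datetime import date

# Constructed project configuration: the three common fields plus one non-PII answer.
PROJECT_FIELDS = [
    {"name": "email", "type": "email", "required": True, "pii": True},
    {"name": "first_name", "type": "text", "required": True, "pii": True},
    {"name": "last_name", "type": "text", "required": True, "pii": True},
    {"name": "favourite_flavour", "type": "text", "required": False, "pii": False},
]

# Constructed submissions; 'collected_on' is an ISO date set by the platform, not a field.
SAMPLE_RECORDS = [
    {"email": "ann@example.com", "first_name": "Ann", "last_name": "Lee",
     "favourite_flavour": "mint", "collected_on": "2023-01-01"},
    {"email": "bob@example.com", "first_name": "Bob", "last_name": "Ray",
     "favourite_flavour": "", "collected_on": "2024-03-01"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple check


def validate(record: dict, fields: list[dict]) -> list[str]:
    """Apply the mandatory/optional and validation-type settings; [] means accepted."""
    errors: list[str] = []
    for f in fields:
        value = record.get(f["name"])
        if value in (None, ""):
            if f["required"]:
                errors.append(f"{f['name']} is required")
            continue
        if f["type"] == "email" and not EMAIL_RE.match(value):
            errors.append(f"{f['name']} is not a valid email address")
    return errors


def erase_pii(record: dict, fields: list[dict]) -> dict:
    """Return a copy with every PII-flagged field blanked; everything else is kept.

    This is the 'erase PII only' operation: the row survives, so aggregate
    statistics on non-PII fields (here favourite_flavour) remain usable.
    """
    pii = {f["name"] for f in fields if f["pii"]}
    return {k: (None if k in pii else v) for k, v in record.items()}


def apply_retention(records: list[dict], retention_days: int | None, today: str) -> list[dict]:
    """Drop records older than the client's retention period.

    retention_days=None models a client with no retention policy configured,
    which the page describes as the default (the policy is optional).
    """
    if retention_days is None:
        return list(records)
    cutoff = date.fromisoformat(today)
    return [
        r for r in records
        if (cutoff - date.fromisoformat(r["collected_on"])).days <= retention_days
    ]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(validate(r, PROJECT_FIELDS) or "valid", erase_pii(r, PROJECT_FIELDS))
    print(apply_retention(SAMPLE_RECORDS, 365, "2024-06-01"))
```

The important design point is that the PII flag lives in the project configuration, not in the record: erasure and retention are driven by the same configuration that governs collection, so a field added later as PII is covered without touching already-stored rows.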

Data Segregation

The Limelight Platform is a multi-tenant solution that stores data in a shared physical database and disk. Data segregation is logical: every data entry carries the identifier of the client it belongs to. Because the separation is logical rather than physical, every data access path must apply that client identifier; the Limelight Platform enforces this through strict application of the roles and permissions configuration.

Application Security

Access Control

At the application level, Limelight applies access control based on user roles and project permissions to determine whether a specific user can access a specific set of data.
Please review the support documentation at User Role Settings.
Clients usually have at least one user with the "Client Admin" role, which has administrative privileges to control the user roles and configuration of any additional users on the platform within that client's environment.
For Limelight employees, access to the platform is granted on an as-needed, per-client basis. For example, Account Managers or Client Services team members who need to help a client configure their projects may be assigned the user roles appropriate to the requested tasks.
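The logical separation described under Data Segregation and the role and project check described here meet in the query layer, so one added example covers both. It is the editor's illustration, not Limelight's code: the table schema, the `project_user` role and the rule that such users see only their assigned projects are assumptions (the page names only the "Client Admin" role), and the rows are constructed. The unscoped query is included as the defect to avoid, beside the scoped version.

```python
"""Tenant-scoped, role-checked reads over a shared multi-tenant table.

Added example of the logical separation described under Data Segregation
and the role/project permission check described under Access Control; not
Limelight's code. The schema, the 'project_user' role and the rule that such
users see only their assigned projects are assumptions (the page names only
the "Client Admin" role). The rows are constructed sample data.
"""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    client_id: int                        # the tenant this user belongs to
    role: str                             # "client_admin" or "project_user" (assumed names)
    project_ids: frozenset = frozenset()  # projects a project_user may access


def build_db() -> sqlite3.Connection:
    """Shared table with constructed rows for two clients (100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entries (
            id INTEGER PRIMARY KEY,
            client_id INTEGER NOT NULL,   -- tenant identifier stored with every row
            project_id INTEGER NOT NULL,
            email TEXT NOT NULL
        );
        INSERT INTO entries VALUES
            (1, 100, 1, 'ann@client100.example'),
            (2, 100, 2, 'bob@client100.example'),
            (3, 200, 3, 'cat@client200.example');
    """)
    return conn


def entries_unscoped(conn: sqlite3.Connection, project_id: int) -> list[str]:
    """The defect to avoid: a query keyed only on a caller-supplied project id.

    Nothing ties the result to the caller's tenant, so any user who guesses
    another client's project id reads that client's data.
    """
    rows = conn.execute("SELECT email FROM entries WHERE project_id = ?", (project_id,))
    return [r[0] for r in rows]


def can_access(user: User, project_id: int) -> bool:
    """Role check: client admins see all of their client's projects, others only assigned ones."""
    return user.role == "client_admin" or project_id in user.project_ids


def entries_for(conn: sqlite3.Connection, user: User, project_id: int) -> list[str]:
    """Tenant filter always taken from the authenticated user, never from the request."""
    if not can_access(user, project_id):
        raise PermissionError(f"user {user.user_id} may not access project {project_id}")
    rows = conn.execute(
        "SELECT email FROM entries WHERE client_id = ? AND project_id = ?",
        (user.client_id, project_id),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    admin = User(1, 100, "client_admin")
    print(entries_unscoped(db, 3))      # leaks client 200's row to anyone
    print(entries_for(db, admin, 3))    # [] : project 3 is not client 100's
```

The scoped query returns nothing for a foreign project even when the role check passes, which is the property to test for: a client admin is all-powerful within their tenant and nothing outside it. In a real codebase the `client_id = ?` clause belongs in a shared repository or query helper so that no endpoint can forget it.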

Password Rules & Encryption

Current password rules for all accounts on the Limelight Platform web portal are as follows:
  • Minimum length of 8 characters, no maximum
  • At least 1 uppercase and 1 lowercase character
  • At least 1 numeric character
  • No whitespace
  • Must not contain the user's username
  • Must not contain common words such as "password" or "test"
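The rules above as a checkable function, written as an added example (editor's code, not Limelight's implementation). The blocked-word list is an assumption beyond the two examples the page gives, and the substring checks are treated as case-insensitive, which the page does not state. It also flags passwords longer than 72 bytes: the rules set no maximum length, but bcrypt, which the Password Storage section names as the hashing algorithm, only hashes the first 72 bytes of its input, so anything beyond that is silently ignored unless the length is capped or the password is pre-hashed.

```python
"""Check a candidate password against the portal rules listed on this page.

Added example, not Limelight's implementation. BLOCKED_WORDS is an assumed
list (the page gives only two examples), and substring checks are assumed
to be case-insensitive. The 72-byte check reflects bcrypt's input limit.
"""
from __future__ import annotations

BLOCKED_WORDS = ("password", "test")  # assumed list; the page gives these two as examples
BCRYPT_MAX_BYTES = 72                 # bcrypt ignores input bytes beyond this point


def password_errors(password: str, username: str) -> list[str]:
    """Return every rule the password breaks; [] means it is accepted."""
    errors: list[str] = []
    if len(password) < 8:
        errors.append("at least 8 characters")
    if not any(c.isupper() for c in password):
        errors.append("at least one uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("at least one lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("at least one digit")
    if any(c.isspace() for c in password):
        errors.append("no whitespace")
    lowered = password.lower()
    # Substring checks are case-insensitive, so 'AliceX1' is still rejected for user alice.
    if username and username.lower() in lowered:
        errors.append("must not contain the username")
    for word in BLOCKED_WORDS:
        if word in lowered:
            errors.append(f"must not contain {word!r}")
    return errors


def is_acceptable(password: str, username: str) -> bool:
    return not password_errors(password, username)


def bcrypt_truncates(password: str) -> bool:
    """True when bcrypt would silently ignore part of the password.

    The rules set no maximum length, but bcrypt hashes only the first 72
    bytes of the UTF-8 input, so either cap the length at the policy layer
    or pre-hash before calling bcrypt.
    """
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


if __name__ == "__main__":
    for candidate in ("Str0ngPassphrase", "alice123", "MyPassword1"):
        print(candidate, password_errors(candidate, "alice") or "accepted")
```

Returning the full list of broken rules rather than the first one lets the portal show the user everything to fix at once; the function never logs or stores the candidate, consistent with the Password Storage section.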

Additionally, there is an optional, configurable password expiry policy. Each client may set the number of days after which a user's password expires and the user is forced to change it.

Password Storage

Application passwords are stored as one-way bcrypt hashes (bcrypt is a salted password hashing function, not reversible encryption). No password is stored in plain text, and passwords are never logged anywhere on the platform.

Penetration Testing

Limelight works with an independent third-party vendor to perform penetration testing at least annually.
Any medium, high or critical vulnerabilities are addressed immediately. Low-severity findings are discussed internally to assess their importance and urgency and are scheduled for remediation accordingly.
Please contact the Limelight team for a copy of the most recent penetration testing report.

Application Development Best Practices

Software Development Life Cycle (SDLC)

The Limelight development team follows Agile development practices, specifically Scrum. Every change that goes into the system must go through a rigorous code review process that checks code quality, unit tests and developer smoke testing.
Each developer is also required to follow secure development practices, including adherence to Open Web Application Security Project (OWASP) guidelines.
Best practices and guidelines are continuously checked through automated code analysis and enforced through the code review process.
The Limelight development team follows the gitflow branching model to separate the different stages of development and testing.
A set of changes is packaged as a Release Candidate and deployed to a testing environment, where it goes through QA testing. This covers new test cases as well as the full set of regression test cases, which continuously expands over time. The release candidate then goes through performance and stress testing as well as beta testing by the Client Services team.
Upon approval from QA, Product, Client Services and the Development team, the Release Candidate is deployed to production. Immediately following the production deployment, the QA team performs another round of smoke testing in production.

Continuous Integration & Static Code Analysis

As part of its Continuous Integration (CI) implementation, Limelight's development team uses a Static Code Analysis tool whose scans include checks based on Open Web Application Security Project (OWASP) guidelines. Pull Requests and changes to the main development and production branches automatically trigger the CI process, which runs a series of automated tests and the static code analysis.
Any issue of major or higher severity must be fixed before the change is merged; minor or lower issues require a documented discussion of their resolution plan.

Human Resources Security

Background Checks

Limelight performs thorough background checks on new employees and contractors as part of the hiring process, prior to their start of employment.

Training & On-Boarding

New employees and contractors undergo an on-boarding process (during the first week of employment) that includes mandatory training and a review of Limelight's Information Security policies.
Members of the Development Team are required to complete additional training in accordance with the Secure Development Policies and Best Practices (e.g. OWASP awareness training).

End of Employments / Contracts

When an employee or contractor leaves, all of their access to Limelight's systems is terminated immediately. This includes their access to infrastructure, such as SSH keys.

Infrastructure Disaster Recovery & Business Continuity

Physical Backup

Limelight uses a different AWS geographical region as the secondary backup location.

Automated Backup

Automated, encrypted backups of all data are performed nightly.
