ISO 27001
AWS is ISO 27001 compliant; the certificate can be found here.
Other Third Party Attestations / Certifications
The overall report on AWS attestations / certifications can be found here.
Infrastructure Security
Standard Server Hardening Configuration
Servers are hardened through standard deployment scripts as follows:
- Servers are configured using a configuration manager, from base images
- All the latest packages are installed
- All ports are blocked, except for those required for communication with other servers
- Inbound internet access is blocked, except where required
- All SSH access is only allowed from a local bastion
- Root user is blocked from ssh access. Sudo access is allowed for specific users, with restricted commands
Network Encryption (Encryption In-Transit)
The Limelight platform uses the TLS 1.2 protocol to secure connections. The cipher in use depends on which ciphers both the client and the server support. Our infrastructure supports the following list of ciphers:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES128-GCM-SHA256
- AES128-SHA256
- AES256-GCM-SHA384
- AES256-SHA256
Database Encryption (Encryption At-Rest)
The Limelight platform uses the database encryption supported by Amazon Web Services (AWS) RDS, which applies AES-GCM encryption with randomly generated, unique 256-bit secret keys.
Network Access Configuration - Least Privileged
Network configuration follows the "principle of least privilege" and a whitelist approach (block everything by default, except what is explicitly allowed).
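The hardening rules listed under Standard Server Hardening Configuration and the least-privilege network policy above can be checked mechanically. The following is an added example (not Limelight's or ITMethods' code) that audits a constructed set of inbound firewall rules for the three stated properties: nothing open to the internet except required ports, SSH only from the local bastion, and everything else internal only. The rule format, bastion address, internal range and required public port set are assumptions.

```python
import ipaddress

# Constructed inbound rules: (protocol, port, source CIDR). Anything not
# listed is implicitly denied, which is the "block by default" baseline.
INBOUND_RULES = [
    ("tcp", 443, "0.0.0.0/0"),      # public HTTPS: explicitly required
    ("tcp", 22, "10.0.1.10/32"),    # SSH from the bastion only
    ("tcp", 5432, "10.0.0.0/16"),   # database, reachable from the VPC only
    ("tcp", 22, "203.0.113.0/24"),  # SSH from an outside range: a violation
    ("tcp", 8080, "0.0.0.0/0"),     # open to the internet but not required
]

BASTION_CIDR = ipaddress.ip_network("10.0.1.10/32")   # assumed bastion host
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")    # assumed private range
REQUIRED_PUBLIC_PORTS = {443}                         # assumed public ports


def audit_inbound(rules, bastion=BASTION_CIDR, internal=INTERNAL_NET,
                  public_ports=REQUIRED_PUBLIC_PORTS):
    """Return human-readable findings; an empty list means the rule set
    satisfies the page's stated network policy."""
    findings = []
    for proto, port, src in rules:
        net = ipaddress.ip_network(src)
        is_internet = net.prefixlen == 0  # 0.0.0.0/0 or ::/0
        if port == 22:
            # SSH must originate from the bastion address and nowhere else.
            if not net.subnet_of(bastion):
                findings.append(f"{proto}/22 allowed from {src}, not the bastion")
        elif is_internet:
            # Inbound internet access only where explicitly required.
            if port not in public_ports:
                findings.append(f"{proto}/{port} open to the internet but not required")
        elif not net.subnet_of(internal):
            # Server-to-server ports must stay inside the private range.
            findings.append(f"{proto}/{port} allowed from non-internal range {src}")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(INBOUND_RULES):
        print("FINDING:", finding)
```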
Network Security Appliances / Applications
Network security is provided both through AWS (AWS Shield and AWS EC2 Intrusion Detection and Prevention – IDS/IPS) as well as network configuration managed by ITMethods.
Access Control & Management
Access to infrastructure requires individual ssh keys. Access is only available through secure protocols (e.g. ssh). Access permission is also controlled on a per-user basis: only a restricted set of users have access to production systems, and only a subset of the users with access have write access.
User access history and activities / actions within the servers, including installation of any packages or applications, are also logged and monitored.
Monitoring
Automated monitoring is in place that triggers alerts in the event of suspicious activity requiring manual investigation.
Patches & Updates
IT Management (ITMethods) is responsible for ensuring that the latest security patches are installed, that access control and network security configuration are maintained, and for overall system monitoring and alerting.
Production and Test Environments Segregation
Production and test environments are physically separated and never touch each other.
There is no cross-pollination between non-production and production environment data. Confidential data from real users is restricted to production only. Development and testing processes are required to generate their own test data in the non-production environment.
Data Security
Personal Identifiable Information (PII)
The Limelight Platform is configurable per event (project) according to the client's needs, to decide which data fields will be gathered from the consumer.
As part of the project configuration, the client has the option to mark a data field as "Personal Identifiable Information", so that any data stored in that field is treated as sensitive data; this allows future erasure of PII-only data without deleting the whole data set.
The client also has the option to choose various validation types and to set whether each data field is mandatory or optional.
While not mandatory, the most basic and most commonly used per-project configuration includes these three fields: email, first name, and last name.
Encryption
Data is encrypted both in-transit and at-rest.
Please review the Infrastructure Security section (found above) for more details on encryption in-transit and encryption at-rest.
Data Retention
The Limelight Platform has an optional, configurable data retention policy on a per-client basis. Each client may request that Limelight remove data after a certain period of time, determined by the client's business rules / requirements.
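The PII field marking described under Personal Identifiable Information and the per-client retention policy above fit together: a sweep can erase only the PII-marked fields of entries older than the client's retention window, leaving the rest of the data set intact. The following is an added example (not the platform's own code); the field names, the sample entries, the record layout with a "collected" date and the 365-day retention figure are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed per-project field configuration: the three fields the page
# calls the most common baseline, marked PII, plus one non-PII field.
PROJECT_FIELDS = {
    "email":            {"pii": True,  "mandatory": True},
    "first_name":       {"pii": True,  "mandatory": True},
    "last_name":        {"pii": True,  "mandatory": True},
    "favourite_colour": {"pii": False, "mandatory": False},
}

RETENTION_DAYS = 365  # constructed client business rule

# Constructed sample entries; "collected" is the submission date.
SAMPLE_ENTRIES = [
    {"email": "a@example.com", "first_name": "Ann", "last_name": "Lee",
     "favourite_colour": "blue", "collected": date(2019, 1, 5)},
    {"email": "b@example.com", "first_name": "Bo", "last_name": "Kim",
     "favourite_colour": "red", "collected": date(2020, 6, 1)},
]


def validate_entry(fields, entry):
    """Return the names of mandatory fields that are missing or blank."""
    return [name for name, cfg in fields.items()
            if cfg["mandatory"] and not str(entry.get(name, "")).strip()]


def erase_pii(fields, entry):
    """Return a copy of entry with every PII-marked field blanked.
    Non-PII fields (and bookkeeping keys not in the config) survive."""
    return {k: (None if fields.get(k, {}).get("pii") else v)
            for k, v in entry.items()}


def retention_sweep(fields, entries, today, retention_days=RETENTION_DAYS):
    """Erase PII from entries collected before the retention cutoff.
    Returns (entries_after_sweep, number_of_entries_erased); the input
    list is not modified and already-erased entries are skipped."""
    cutoff = today - timedelta(days=retention_days)
    out, erased = [], 0
    for entry in entries:
        if entry["collected"] < cutoff and not entry.get("pii_erased"):
            entry = dict(erase_pii(fields, entry), pii_erased=True)
            erased += 1
        out.append(entry)
    return out, erased
```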
Data Segregation
The Limelight Platform is a multi-tenant solution that stores data in a shared physical database / disk. Data segregation is achieved through logical separation based on an identifier stored with each data entry that refers to the client the data belongs to. The Limelight Platform enforces this logical separation through strict application of the roles and permissions configuration.
Application Security
Access Control
At the application level, Limelight applies access control based on user roles and project permissions to determine whether a specific user can access a specific set of data.
A client usually has at least one user with the "Client Admin" role, which has administrative privileges to control user roles and configuration for any additional users on the platform within the client environment.
For Limelight employees, access to the platform is granted on an as-needed and per-client basis. For example, Account Managers and/or Client Services team members who need to help clients configure their projects may be assigned the appropriate user roles to complete the requested tasks.
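The logical separation described under Data Segregation and the role and project based access control above are one mechanism: every read is filtered by the client identifier stored with the row before any role or project check runs, so a request parameter can never widen the result past the caller's own client. The following is an added example (not the platform's own code); the "Client Admin" role name comes from the page, while the "Project User" role, the sample rows and the user records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    client_id: str
    role: str                           # "Client Admin" or "Project User"
    projects: frozenset = frozenset()   # projects a Project User may see


# Constructed shared table: every entry carries the client_id it belongs to.
ENTRIES = [
    {"id": 1, "client_id": "acme",   "project": "spring-promo", "email": "a@example.com"},
    {"id": 2, "client_id": "acme",   "project": "summer-promo", "email": "b@example.com"},
    {"id": 3, "client_id": "globex", "project": "launch",       "email": "c@example.com"},
]


class TenantScopedRepo:
    def __init__(self, rows):
        self._rows = rows

    def _visible(self, user, row):
        # Tenant filter first: a user never sees rows stored under another client.
        if row["client_id"] != user.client_id:
            return False
        # Within the client, the role and project permissions narrow access.
        if user.role == "Client Admin":
            return True
        return row["project"] in user.projects

    def entries_for(self, user, project=None):
        """Rows the user may read. The caller's project filter is applied
        only after the tenant and permission checks, never instead of them."""
        return [r for r in self._rows
                if self._visible(user, r)
                and (project is None or r["project"] == project)]

    def can_manage_users(self, user):
        return user.role == "Client Admin"


def staff_user_for_client(name, client_id, role, projects=()):
    """As-needed grant for a Limelight employee: the grant is bound to a single
    client_id, so it gives no visibility into any other client's data."""
    return User(name, client_id, role, frozenset(projects))
```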
Password Rules & Encryption
Current password rules for all accounts on the Limelight Platform web portal are as follows:
- Minimum length of 8 characters, no maximum
- Minimum of 1 uppercase and 1 lowercase character
- Minimum of 1 numeric character
- No blank spaces
- Must not contain the user's username as a substring
- No substring that matches common words such as "password" or "test"
Additionally, there is an optional, configurable password expiry policy. Each client may set the number of days after which a user's password expires and the user is forced to update it.
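The rules above, including the per-client expiry option, as an added example checker (not the platform's own code). The page names only "password" and "test" as blocked common words, so that list is assumed to be longer in practice; the substring checks are case-insensitive, which the page does not state and is an assumption of this example.

```python
from datetime import date, timedelta

# The page names these two words; a real deployment would use a longer list.
COMMON_WORDS = ("password", "test")


def password_violations(password, username, common_words=COMMON_WORDS):
    """Return the rules the candidate password breaks (empty list = accepted).
    There is deliberately no maximum length check."""
    violations = []
    if len(password) < 8:
        violations.append("minimum length of 8 characters")
    if not any(c.isupper() for c in password):
        violations.append("at least 1 uppercase character")
    if not any(c.islower() for c in password):
        violations.append("at least 1 lowercase character")
    if not any(c.isdigit() for c in password):
        violations.append("at least 1 numeric character")
    if any(c.isspace() for c in password):
        violations.append("no blank spaces")
    lowered = password.lower()
    # Assumed: substring checks ignore case, so "JSmith2024x" is still rejected.
    if username and username.lower() in lowered:
        violations.append("must not contain the username")
    if any(word in lowered for word in common_words):
        violations.append("must not contain a common word")
    return violations


def password_expired(last_changed, today, expiry_days=None):
    """Per-client expiry policy; None means the client has not enabled it."""
    if expiry_days is None:
        return False
    return today - last_changed >= timedelta(days=expiry_days)
```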
Password Storage
Passwords for the application are stored using the secure one-way BCrypt hash. No password is stored in plain text, and passwords are never logged anywhere on the platform.
Penetration Testing
Limelight works with an independent third-party vendor to perform penetration testing at least annually.
Any medium, high, or critical vulnerabilities are addressed immediately. Low-severity vulnerabilities are discussed internally with regard to their importance and urgency and are scheduled for remediation accordingly.
Please contact the Limelight team for a copy of the most recent penetration testing report.
Application Development Best Practices
Software Development Life Cycle (SDLC)
Limelight development team follows Agile development practices, specifically Scrum methodologies. Every change that goes into the system is required to go through a rigorous code review process that checks for code quality, unit testing, and developer smoke testing.
Each developer is also required to follow secure development practices that include coding best practices such as adherence to Open Web Application Security Project (OWASP) guidelines.
Best practices and guidelines are continuously monitored through automated code analysis and enforced through the code review process.
The Limelight development team follows the gitflow branching model to separate the different stages of development and testing.
A set of changes is packaged as a Release Candidate and deployed to a testing environment that goes through QA testing. This covers both new test cases as well as checks for all regression test cases that continuously expand over time. The release candidate then goes through performance and stress testing as well as beta-testing by the Client Services team.
Upon approval from QA, Product, Client Services, and the Development team, the Release Candidate will be deployed to production. Immediately following the production deployment, the QA team will do another round of smoke testing in production.
Continuous Integration & Static Code Analysis
As part of the Continuous Integration (CI) implementation, Limelight's development team uses a Static Code Analysis tool whose scans apply Open Web Application Security Project (OWASP) guidelines. Pull Requests and changes to the main development and production branches automatically trigger the CI process, which runs a series of automated tests and static code analysis.
Any major or higher issues must be fixed before changes are merged; any minor or lower issues require documented discussion of their resolution plan.
Human Resources Security
Background Checks
Limelight performs thorough background checks on new employees and contractors as part of the hiring process, prior to their start of employment.
Training & On-Boarding
New employees / contractors undergo an on-boarding process (first week of employment) that includes mandatory training and review of Limelight's Information Security policies.
Members of the Development Team are required to go through additional training in accordance with Secure Development Policies and Best Practices (e.g. awareness training on OWASP).
End of Employments / Contracts
When an employee or contractor leaves, all access to Limelight's systems is terminated immediately. This includes that user's access to infrastructure, such as ssh keys.
Infrastructure Disaster Recovery & Business Continuity
Physical Backup
Limelight uses different AWS geographical locations as a secondary backup.
Automated Backup
Automated backups of all data (encrypted) are performed on a nightly basis.