This article reviews the following information:

  1. IT Management
  2. Infrastructure Security
  3. Data Security
  4. Application Security
  5. Application Development Best Practices
  6. Human Resources Security
  7. Infrastructure Disaster Recovery & Business Continuity

Click the quick link above to jump to that section, or scroll to follow the full article.



IT Management

Limelight manages its IT services internally.


Cloud Hosting

Limelight uses Amazon Web Services (AWS) as its cloud-hosting provider.


Physical / Environmental Security

Limelight does not manage physical infrastructure. Limelight uses the Amazon Web Services (AWS) cloud platform to host the application; therefore physical and environmental security is managed by Amazon.

Details are available from the AWS Security Whitepaper, page 5, section “Physical and Environmental Security”.


Compliance & Attestation

SOC1 / SOC2

AWS is SOC1 and SOC2 compliant; more information on AWS SOC compliance can be found here.

If a SOC1 / SOC2 report is required, please contact Limelight to retrieve a copy of the confidential report.

ISO 27001

AWS is ISO 27001 compliant; the certificate can be found here.

Other Third Party Attestations / Certifications

An overall report on AWS attestations / certifications can be found here.


For Limelight Platform, the confidentiality, availability and integrity of information are of great value. We have taken extensive measures to protect information. Therefore, we follow the information security questionnaire of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by an audit provider, in this case the TISAX audit provider DQSBIT. The result is retrievable exclusively over the ENX portal: https://portal.enx.com/en-US/TISAX/tisaxassessmentresults.


The ENX Association, with TISAX (Trusted Information Security Assessment Exchange) and on behalf of the VDA, supports the common acceptance of information security assessments in the automotive industry. TISAX assessments are conducted by audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public.


TISAX is a registered trademark governed by the ENX Association.



Infrastructure Security


Standard Server Hardening Configuration


Servers are hardened through standard deployment scripts as follows:
  • Servers are configured using a configuration manager, from base images
  • The latest versions of all packages are installed
  • All ports are blocked, except for those required for communication with other servers
  • Inbound internet access is blocked, except where required
  • All SSH access is only allowed from a local bastion
  • The root user is blocked from SSH access. Sudo access is allowed for specific users, restricted to specific commands

Network Encryption (Encryption In-Transit)


The Limelight platform uses the TLS 1.2 protocol to secure connections. The cipher in use depends on which ciphers both the client and the server support. Our infrastructure supports the following ciphers:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA256
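The list above mixes ECDHE suites (forward secrecy) with static-RSA suites, and AEAD (GCM) suites with CBC suites. The following added example, which is not part of the original page, parses OpenSSL-style suite names into those properties so a reviewer can see which entries lack forward secrecy or use CBC mode; the list is copied from this page and the name format is assumed to be OpenSSL's.

```python
"""Classify TLS 1.2 cipher suites (OpenSSL names) by forward secrecy and AEAD."""
from dataclasses import dataclass

# Copy of the cipher list from this page (constructed for the example).
LIMELIGHT_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",     "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",     "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES128-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
]

@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str      # "ECDHE", "DHE" or "RSA" (static RSA key transport)
    forward_secrecy: bool  # ephemeral key exchange: a leaked server key does not expose past sessions
    aead: bool             # GCM authenticated encryption; False means CBC + HMAC
    key_bits: int          # AES key size

def classify(name: str) -> SuiteProfile:
    """Parse an OpenSSL-style AES suite name; only the name forms on this page are handled."""
    parts = name.split("-")
    ephemeral = parts[0] in ("ECDHE", "DHE")
    kex = parts[0] if ephemeral else "RSA"
    key_bits = next(int(p[3:]) for p in parts if p.startswith("AES"))
    return SuiteProfile(name, kex, ephemeral, "GCM" in parts, key_bits)

def without_forward_secrecy(ciphers):
    """Suites a reviewer would flag first: static RSA key exchange."""
    return [c for c in ciphers if not classify(c).forward_secrecy]

def cbc_suites(ciphers):
    """Suites using CBC mode with a separate HMAC rather than an AEAD mode."""
    return [c for c in ciphers if not classify(c).aead]

def check_negotiated(name: str, allowed=LIMELIGHT_CIPHERS) -> tuple:
    """Check the suite name reported by ssl.SSLSocket.cipher()[0] after a handshake."""
    if name not in allowed:
        return False, "suite not in the published list"
    if not classify(name).forward_secrecy:
        return True, "allowed, but no forward secrecy"
    return True, "allowed with forward secrecy"
```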

Database Encryption (Encryption At-Rest)


The Limelight platform uses database encryption as supported by Amazon Web Services (AWS) RDS, which applies AES-GCM encryption with randomly and uniquely generated 256-bit secret keys.



Network Security Appliances / Applications


Network security is provided through AWS services (AWS Shield, and intrusion detection and prevention, IDS/IPS, on AWS EC2).


Access Control & Management


Access to infrastructure requires individual SSH keys. Access is only available through secure protocols (e.g. SSH). Access permission is also controlled on a per-user basis: only a restricted set of users have access to production systems, and only a subset of the users with access have write access.

User access history and activities / actions within the servers, including installation of any packages or applications, are also logged and monitored.


Monitoring


Automated monitoring is in place that triggers alerts in the event of suspicious activities requiring manual investigation.


Production and Test Environments Segregation


Production and test environments are virtually separated and never touch each other.
There is no cross-pollination between non-production and production environment data. Confidential data from real users is restricted to production only. Development and testing processes are required to generate their own test data in the non-production environment.


Data Security


Personal Identifiable Information (PII)


The Limelight Platform is configurable according to the client’s needs on a per-event (project) basis to decide which data fields will be gathered from the consumer.
As part of the project configuration, the client has the option to mark a data field as “Personal Identifiable Information”, thereby treating any data stored in that field as sensitive and allowing future erasure of PII-only data without deleting the whole data set.
The client also has the option to choose various validation types and to set whether each data field is mandatory or optional.
While not required, the most basic configuration commonly used on a per-project basis includes these three fields: email, first name, and last name.

Encryption


Data is encrypted both in-transit and at-rest.

Please review the Infrastructure Security section (found above) for more details on encryption in-transit and encryption at-rest.

Data Retention


The Limelight Platform has an optional, configurable data retention policy on a per-client basis. Each client may request Limelight to remove data after a certain period of time, determined by the client’s business rules / requirements.

Data Segregation


The Limelight Platform is a multi-tenant solution that stores data in a shared physical database / disk. Data segregation is achieved through logical separation based on an identifier stored with each data entry that refers to the client the data belongs to. The Limelight Platform enforces the logical separation through strict application of the roles and permissions configuration.


Application Security


Access Control


On the application level, Limelight applies access control based on user roles and project permissions to determine whether a specific user can access a specific set of data.
Please review the support documentation at User Role Settings.
Clients usually have at least one user with the “Client Admin” role, which has administrative privileges to control user roles and configuration for any additional users within the client environment.
For Limelight employees, access to the platform is granted on an as-needed and per-client basis. For example, Account Managers and/or Client Services team members who need to help clients configure their projects may be assigned the appropriate user roles to complete the requested tasks.
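The Data Segregation section above (a shared table with a client identifier on every row) and the role / project permission model in this section combine into one access path. The following added example, not code from Limelight, shows that path with constructed sample data: every read is filtered by the caller's client id and checked against the caller's project permissions, next to the unscoped lookup that the tenant filter exists to prevent. The role name “Client Admin” is from the page; “Viewer” and the record layout are assumptions.

```python
"""Tenant-scoped data access for a multi-tenant table with a per-row client id."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Record:
    record_id: int
    client_id: str   # tenant identifier stored with every row
    project_id: str  # project (event) the row belongs to; not unique across tenants
    email: str

@dataclass
class User:
    username: str
    client_id: str
    role: str                                        # "Client Admin" or "Viewer" (assumed)
    project_ids: set = field(default_factory=set)    # projects this user may read

class AccessDenied(Exception):
    pass

# Constructed sample rows: two tenants share one table and reuse the project id "launch".
TABLE = [
    Record(1, "acme", "launch", "a@example.com"),
    Record(2, "acme", "expo", "b@example.com"),
    Record(3, "globex", "launch", "c@example.com"),
]

def can_read_project(user: User, project_id: str) -> bool:
    """Client Admins may read every project of their own client; others need explicit permission."""
    return user.role == "Client Admin" or project_id in user.project_ids

def fetch_records(user: User, project_id: str, table=TABLE) -> list:
    """Scoped lookup: project permission check, then tenant filter on the caller's client id."""
    if not can_read_project(user, project_id):
        raise AccessDenied(f"{user.username} may not read project {project_id}")
    return [r for r in table if r.client_id == user.client_id and r.project_id == project_id]

def unscoped_fetch(project_id: str, table=TABLE) -> list:
    """The mistake the tenant filter prevents: keying the lookup on project id alone."""
    return [r for r in table if r.project_id == project_id]
```

The unscoped lookup returns rows from both tenants for the same project id; the scoped one never does, whatever role the caller holds.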

Password Rules & Encryption


Current password rules for all accounts on the Limelight Platform web portal are as follows:
  • Minimum length of 8 characters, no maximum
  • Minimum of 1 uppercase and 1 lowercase character
  • Minimum of 1 numeric character
  • No blank spaces
  • No substring matches the user’s username
  • No substring matches common words such as “password” or “test”

Additionally, there is an optional, configurable password expiry policy. Each client may choose the number of days after which a user’s password expires and the user is forced to update it.
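The rules above and the optional expiry policy, as an added example that is not Limelight's own code: a validator that reports every rule a candidate password breaks, plus the expiry check. The substring rules are assumed to be case-insensitive, and the common-word list holds only the two words the page names.

```python
"""Validate a password against the rules listed above and compute optional expiry."""
from datetime import date, timedelta

# Common words the page names as forbidden substrings; extend per policy.
COMMON_WORDS = ("password", "test")

def password_violations(password: str, username: str) -> list:
    """Return the rules the password breaks; an empty list means it is accepted.
    Substring checks are case-insensitive (assumption; the page does not say)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if any(c.isspace() for c in password):
        problems.append("contains whitespace")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    return problems

def is_acceptable(password: str, username: str) -> bool:
    return not password_violations(password, username)

def password_expired(last_changed: date, max_age_days, today: date) -> bool:
    """Optional expiry: max_age_days of None means the client has not enabled expiry."""
    if max_age_days is None:
        return False
    return today - last_changed >= timedelta(days=max_age_days)
```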


Password Storage


Passwords to the application are stored using the one-way BCrypt hashing algorithm. No password is stored in plain text, and passwords are never logged anywhere on the platform.


Penetration Testing


Limelight works with an independent third-party vendor to perform penetration testing at least annually.
Any medium, high or critical vulnerabilities are addressed immediately. Low-severity vulnerabilities are discussed internally regarding their importance and urgency and are scheduled for remediation accordingly.
Please contact the Limelight team for a copy of the most recent penetration testing report.


Application Development Best Practices


Software Development Life Cycle (SDLC)


Limelight’s development team follows Agile development practices, specifically the Scrum methodology. Every change that goes into the system is required to go through a rigorous code review process that checks code quality, unit testing, and developer smoke testing.

Each developer is also required to follow secure development practices that include coding best practices such as adherence to Open Web Application Security Project (OWASP) guidelines.

Best practices and guidelines are continuously monitored through automated code analysis and enforced through the code review process.
Limelight’s development team follows the gitflow branching model to separate the different stages of development and testing.

A set of changes is packaged as a Release Candidate and deployed to a testing environment that goes through QA testing. This covers both new test cases as well as checks for all regression test cases that continuously expand over time. The release candidate then goes through performance and stress testing as well as beta-testing by the Client Services team.

Upon approval from QA, Product, Client Services, and the Development team, the Release Candidate will be deployed to production. Immediately following the production deployment, the QA team will do another round of smoke testing in production.

Continuous Integration & Static Code Analysis


As part of its Continuous Integration (CI) implementation, Limelight’s development team uses a Static Code Analysis tool that applies Open Web Application Security Project (OWASP) guidelines when scanning. Pull requests and changes to the main development and production branches automatically trigger the CI process, which runs a series of automated tests and static code analysis.
Any issues of major or higher severity must be fixed before changes are merged; any minor or lower issues require a documented discussion of their resolution plan.


Human Resources Security


Background Checks


Limelight performs thorough background checks on new employees and contractors as part of the hiring process, prior to their start of employment.

Training & On-Boarding


New employees / contractors undergo an on-boarding process (during the first week of employment) that includes mandatory training and a review of Limelight’s Information Security policies.

During their employment tenure, Limelight employees / contractors are required to attend an annual Information Security Training to review all current ISMS policies.

Members of the Development Team are required to go through additional training in accordance with the Secure Development Policies and Best Practices (e.g. awareness training on OWASP).

End of Employments / Contracts


When an employee or contractor leaves, all access to Limelight’s systems is terminated immediately. This includes that user’s access to infrastructure, such as SSH keys.


Infrastructure Disaster Recovery & Business Continuity


Physical Backup


Limelight uses different AWS geographical locations as a secondary backup.

Automated Backup


Automated backups of all data (encrypted) are performed on a nightly basis.