Lightstep’s Commitment to Security
Here at Lightstep, we are committed to protecting our customers' data. Lightstep provides insights into our users' applications by explaining performance anomalies and answering the question "what caused that change?" These insights are based on confidential data provided by our users, and we go to great lengths to keep that data secure (check out our security page). Today, we are announcing the availability of our Service Organization Control (SOC) 2 Type II report. But since external validation like a SOC 2 report is just one component of our security program, this seemed like a good time to highlight how we think about security at Lightstep holistically.
Compiled by Coalfire Controls, an independent cybersecurity firm, the report documents how Lightstep's information security practices, policies, and procedures are suitable to meet the SOC 2 Type II trust principles criteria for security, confidentiality, and availability. This independent validation of security controls is crucial for our customers. As companies increase their usage of outside vendors to perform activities that are core to their business operations and strategy, there is a need for the highest level of trust and transparency into cloud service providers' operations, processes, and results.
Security starts when we first sit down and open our laptops. At Lightstep we've embraced cloud applications whenever possible, as well as BeyondCorp, an approach to security developed at Google that puts zero trust in the network and instead relies on fine-grained access control. This approach made our transition to fully remote work in 2020 straightforward: there was never anything different about being physically in one of our offices in the first place, so no changes were required when we shifted to working from home.
Security is an integral part of our development process, and Lightstep's security team works to support our other engineering, product, and design teams as they gather requirements, define new features, build them, and ultimately ship them. Security is not just a matter of what Lightstep does with the data, but also of making sure that the choices we present to our users are clear and safe.
That said, protocols are important! All data sent to Lightstep is encrypted using modern standards like TLS, and all data is encrypted at rest. We've also decoupled customer-facing APIs from data access and used safe languages and frameworks to make injection attacks virtually impossible.
While Lightstep is a SaaS platform, we also offer the option to host our Satellites on-prem. With this hybrid deployment model, Lightstep's customers gain additional control over how their data is managed. Not only can they control what data is sent to Lightstep through open standards like OpenTelemetry, but Satellites provide an additional layer of defense-in-depth to prevent sensitive data from leaving their data centers.
With RBAC, our customers can ensure that every Lightstep user in their organization has the correct level of permissions for investigating issues and improving system performance. Permissions are assigned to roles that are assigned to users to establish a precise separation of duties.
As an engineer, I love writing code. Whenever possible we've tried to take security procedures out of the hands of humans and automate them. Not only does this limit repetitive work and reduce the chance of a step being skipped, but it also makes it easy to create a paper trail. After all: in the words of every SOC 2 auditor ever, "if you didn't document it, it didn't happen."