Building Security to Standards
A few months ago, LogicMonitor was certified to the ISO 27000 standards for Information Security management, so I thought I’d take the opportunity to write a bit about our efforts to build our information security certification program as well as our own best practices for secure use of the LogicMonitor platform.
Having been founded by experts in IT Operations, LogicMonitor has enjoyed a strong culture of security from the start. But in a SaaS business, proving the strength and resilience of your security program is table stakes for earning the trust of your customers. So we became big fans of security certifications because they provide our customers with third-party validation of controls and processes we’ve built to ensure the security of their data.
Several years ago, LogicMonitor undertook our first third-party security compliance initiative with an AICPA SOC 2 Type 1 audit. Because a Type 1 audit examines the design of a baseline set of security controls only at a single point in time, it was a relatively low hurdle against which we could start building out a formal program. The first step in building a security stance is to have the foundational systems in place; only once you have the systems can you build the business processes around them.
With the security processes in place, we embarked on a SOC 2 Type 2 initiative. Unlike a Type 1, a SOC 2 Type 2 audit examines whether an organization's confidentiality, integrity, and availability controls operated effectively throughout an observation period, typically 12 months. Being made to prove that your processes work continuously is a much higher bar than a point-in-time measurement, and it requires a reasonable amount of maturity in your InfoSec program.
Thus, with SOC 2 under our belts, we embraced ISO 27000 certification. Certification is based on implementation of the ISO/IEC 27001 framework (with ISO/IEC 27002 supplying the supporting control guidance), which shares many of its fundamental controls with SOC 2 but offers a number of advantages: 1) because it comes from the International Organization for Standardization, it is accepted worldwide as the gold standard; and 2) in addition to measuring technical security controls, ISO also evaluates the management of the InfoSec program itself, ensuring engagement all the way up to the executive level. LogicMonitor opted to certify against two ISO standards: ISO/IEC 27001:2013, which validates our program as a whole, and ISO/IEC 27017:2015, which further substantiates the security of our SaaS platform.
Securing your LogicMonitor Deployment
Like most cloud service providers, LogicMonitor maintains a “shared responsibility” model for securing our customers’ data. Our job is to secure the business operations, technical platforms, and application suite, and to provide the in-product features our customers need to secure their deployments. The third-party certifications discussed above demonstrate that we’ve done our part. Building upon that secure foundation, it’s incumbent upon our customers to manage their LogicMonitor deployment per our security best practices.
Access control is one of the fundamental pillars of security, and LogicMonitor provides various options to ensure that only the individuals you want in your environment can get in. On the authentication side, we offer standard “webform” credentials with strong passwords, optional second-factor confirmation, and automatic brute-force attack protection. Alternatively, we’ll integrate with your SAML-based SSO provider and automatically provision your end-user accounts on the fly. You can choose either, or even use both, but in any case you’ll want to carefully manage your account provisioning and de-provisioning processes to ensure that only those you intend have access. On top of this, we can further restrict access to a configured set of IP addresses or netblocks, which keeps your portal from being reachable from the entire public internet. If your end-users will only access LogicMonitor from your corporate offices, or otherwise connect via VPN from a known netblock, we recommend leveraging this feature for additional assurance.
Once authenticated, end-user access can be further managed using our fine-grained role-based access control system. We ship with several default roles but offer the flexibility to build your own as needed and to scope access according to least privilege for your specific needs. We also provide the ability to customize the timeout of your LogicMonitor session, and we recommend using it so that end-users stay logged in without re-authenticating only for as long as your security policies allow.
LogicMonitor’s unique Collector architecture is one of the many ways in which we differentiate ourselves from other solutions. We’ve designed the Collector with exceptionally tight security: mutual authentication between the Collector and the LogicMonitor platform prevents man-in-the-middle attacks, always-on TLS 1.2 protects data in transit, collected data is held in memory rather than written to the filesystem, so there is nothing to read from disk, and because the Collector opens no inbound TCP ports, it exposes no listening service for network attacks to target. But the Collector application is only as strong as the environment in which it’s hosted. We recommend that you install your Collectors on dedicated systems such as virtual machines rather than sharing their workloads directly with other applications. And of course you’ll want to apply standard OS security hardening to every system you deploy; we like the CIS Benchmarks ourselves. Finally, although this should go without saying, you’ll want to provide reasonable protections to the networks on which these systems are installed; although you could put your Collector system on the public internet, you probably don’t want to. 🙂
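A practical way to confirm the “no inbound TCP ports” posture on a hardened Collector host is to list every TCP socket that is listening on a non-loopback address and compare it with the ports you deliberately left open (for example SSH for administration). The script below is an added example, not LogicMonitor’s tooling: it parses the output of `ss -ltnH` (Linux iproute2, no header line), ignores loopback-bound sockets, and reports anything outside an expected-port set. The sample `ss` output is constructed for illustration, and port 22 being the only expected listener is an assumption.

```python
"""Added example (not LogicMonitor's code): flag network-reachable TCP
listeners on a Collector host that are not on the expected-port list."""
import ipaddress
import subprocess

# Constructed sample of `ss -ltnH` output; not captured from a real host.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:7212 0.0.0.0:*
LISTEN 0 128 [::1]:7214 [::]:*
LISTEN 0 4096 *:9000 *:*
LISTEN 0 128 [::]:22 [::]:*
"""


def split_local(local):
    """Split 'host:port' / '[v6]:port' / '*:port' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards ('*', '', '::',
    0.0.0.0) are reachable from the network and must not be skipped."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def network_listeners(ss_output):
    """Return sorted (host, port) pairs for listeners not bound to loopback."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if not is_loopback(host):
            found.add((host, port))
    return sorted(found)


def unexpected_listeners(ss_output, expected_ports):
    """Listeners reachable from the network whose port is not whitelisted."""
    return [(h, p) for h, p in network_listeners(ss_output)
            if p not in expected_ports]


def live_ss_output():
    """Run `ss -ltnH` on the local host (Linux only)."""
    return subprocess.run(["ss", "-ltnH"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Assumption: SSH is the only listener you intend to expose.
    for host, port in unexpected_listeners(live_ss_output(), {22}):
        print(f"unexpected network listener: {host}:{port}")
```

Run it on the Collector host after installation and again after each upgrade; an empty result means the only thing reachable over the network is what you chose to leave open. A loopback-only listener (such as the `127.0.0.1` entries in the sample) is not reachable from other hosts and is deliberately not reported.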
Once you’ve secured your installation, you’ll want to use our Audit Log feature to track what’s going on within your implementation. Collecting and analyzing logs is one of the basic tenets of security monitoring, and we make it easy. You can search the Audit Log within our UI for meaningful activities within your account, such as authentication actions, configuration changes, and other notable events. Or, if you have a log aggregation system or SIEM in place, you can use our REST API to extract your audit logs from LM and feed them into your tool of choice.
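Pulling the Audit Log into a SIEM is only useful if something looks at it. The script below is an added example, not LogicMonitor’s code, showing three detections a practitioner would typically run over exported audit records: a burst of failed logins from one source (the thing brute-force protection should already be blocking, which makes it worth confirming), successful logins from outside the netblocks you configured in the IP-restriction feature described earlier, and privileged configuration changes such as role updates. The record fields (`ts`, `user`, `ip`, `action`, `outcome`) and the action names are assumptions used for illustration; map the real fields from your REST API export onto them. The sample records and the allowed netblocks are constructed.

```python
"""Added example (not LogicMonitor's code): detections over exported
audit-log records. Field names and action names are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def rec(ts, user, ip, action, outcome="success"):
    """Build one normalized audit record (schema is an assumption)."""
    return {"ts": ts, "user": user, "ip": ip, "action": action, "outcome": outcome}


# Constructed sample, not real LogicMonitor output.
SAMPLE_RECORDS = [
    rec("2024-05-01T09:00:00Z", "alice", "198.51.100.7", "login", "failure"),
    rec("2024-05-01T09:00:25Z", "alice", "198.51.100.7", "login", "failure"),
    rec("2024-05-01T09:00:50Z", "alice", "198.51.100.7", "login", "failure"),
    rec("2024-05-01T09:01:15Z", "alice", "198.51.100.7", "login", "failure"),
    rec("2024-05-01T09:01:40Z", "alice", "198.51.100.7", "login", "failure"),
    rec("2024-05-01T09:03:00Z", "carol", "198.51.100.7", "login"),
    rec("2024-05-01T09:10:00Z", "bob", "203.0.113.10", "login"),
    rec("2024-05-01T09:12:00Z", "bob", "203.0.113.10", "user.role.update"),
    rec("2024-05-01T11:30:00Z", "alice", "203.0.113.10", "login", "failure"),
    rec("2024-05-01T14:00:00Z", "alice", "203.0.113.10", "login", "failure"),
    rec("2024-05-01T15:00:00Z", "dave", "2001:db8::1", "login"),
]

# Assumed allow-list: the corporate office and VPN netblocks.
ALLOWED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8::/32")]

# Assumed action names for changes that warrant a second look.
PRIVILEGED_ACTIONS = {"user.create", "user.role.update", "role.update",
                      "apitoken.create", "sso.update"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def ip_allowed(ip, allowed=ALLOWED_NETBLOCKS):
    """True if the address (v4 or v6) falls inside any allowed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """{(user, ip): peak count} for sources with >= threshold failures
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["outcome"] == "failure":
            failures[(r["user"], r["ip"])].append(parse_ts(r["ts"]))
    bursts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


def logins_outside_allowlist(records, allowed=ALLOWED_NETBLOCKS):
    """Successful logins whose source is not in the configured netblocks."""
    return [r for r in records
            if r["action"] == "login" and r["outcome"] == "success"
            and not ip_allowed(r["ip"], allowed)]


def privileged_changes(records):
    return [r for r in records if r["action"] in PRIVILEGED_ACTIONS]


def triage(records, allowed=ALLOWED_NETBLOCKS):
    """One-call summary suitable for a scheduled SIEM job."""
    return {
        "bursts": failed_login_bursts(records),
        "outside_allowlist": logins_outside_allowlist(records, allowed),
        "privileged": privileged_changes(records),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RECORDS).items():
        print(name, hits)
```

In the constructed sample the five rapid failures for `alice` from 198.51.100.7 trip the burst rule, while her two failures hours apart from an office address do not; `carol`'s successful login from the same outside address minutes after the burst is the finding worth paging on, and `bob`'s role change shows up in the privileged-change list for review against your change process. If you enforce IP restriction in the portal, the outside-allowlist detection should stay empty, which makes it a cheap control-effectiveness check rather than just an alert.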
We’ve built the LogicMonitor product and our business for security from the inside out. If you’re interested in even more details, check out our Security Overview page which explains the innards of our product security and third-party certifications. For information on configuring your LM deployment for top-notch security, see our Security Best Practices support document.