We’re experts at information security, and we do it right. Outsource your monitoring with confidence that your data is safe in our hands.
Security best-practices are baked into the fundamental architecture of both the LogicMonitor product and how LogicMonitor operates as an organization.
The short version: a one-page overview of LogicMonitor’s security stance.
The whole enchilada: a deep dive into LogicMonitor’s security controls.
SOC3 Audit Report
Don’t take our word for it. Have a look at our third-party audit that covers how we handle operational security.
Platform & Collector Security
The LogicMonitor service is based upon two primary components: the LogicMonitor SaaS Platform and the LogicMonitor Collector. Each of these has numerous built-in security controls and protections.
To ensure your data is protected, the LogicMonitor Platform uses encryption throughout -- both when it’s transmitted across a network and when it’s stored -- so that only those who should see your data can actually get to it. Access to your account is secured with strong authentication, using our built-in two-factor system or by integration with your SAML identity provider. Our IP Whitelisting feature further restricts logins to the source addresses you specify, blocking unauthorized third parties even if they hold valid credentials. Once logged in, fine-grained access controls allow you to ensure each individual’s access is scoped according to the principle of least privilege.
The LogicMonitor Collectors you install within your operating environments have been specifically designed for high security. Upon installation each Collector is uniquely keyed to a LogicMonitor account using modern cryptographic techniques. Because communication between the Collector and the LogicMonitor Platform takes place only over outbound HTTPS (TLS), the Collector listens on no inbound ports, which removes the attack surface that inbound network-based attacks rely on.
Built on these secure foundations, the LogicMonitor service is continually evolving. We employ a secure software development lifecycle as we develop and improve the service, including multiple stages of threat modelling and security testing from feature conception to release.
Operations & Organizational Security
The LogicMonitor service is built on a high-availability, high-security operational stack. Our platform runs on security-hardened Linux servers with intrusion prevention systems applied both at the host and at the network perimeter. Access to our production systems is secured by multiple layers of authentication and authorization, with rights granted according to the principle of least privilege.
Earning our customers’ trust is of paramount importance to LogicMonitor, so we’ve baked security practices into the whole organization. Employee background checks are completed as part of our hiring practices, and security awareness training is conducted on an ongoing basis to ensure that both our customers’ data and our corporate data are handled with security front of mind.
Security Auditing & Compliance
To validate the security of our platform and service, we have our operational and development practices assessed by multiple independent third parties.
Every year LogicMonitor undergoes a System and Organization Controls (SOC) 2 Type 2 audit by AICPA-certified technical auditors. A SOC 2 Type 2 report is the most comprehensive of the SOC attestations of how well a company safeguards customer data: unlike a Type 1 report, which assesses control design at a single point in time, a Type 2 report attests that the controls operated effectively throughout the audit period. LogicMonitor’s SOC 2 Type 2 report validates the efficacy of the operational processes and controls that provide for the security, confidentiality, and availability of our customers’ data. Our SOC 2 report is available for review by prospective and current customers. We also offer a companion SOC 3 report, which is publicly available for download.
The security of our service is validated by annual penetration tests against our applications. LogicMonitor engages professional security consultancies to discover and exploit security defects in our product, and we provide them with our full source code to give them an advantage a real attacker wouldn’t normally have: a source-assisted test covers code paths that black-box testing alone can easily miss. If well-equipped testers with that head start can’t break in, an outside attacker has a much harder job. We can provide an attestation of our penetration testing practices to prospective and current customers upon request.
LogicMonitor maintains a minimal amount of incidental personal data on our end users, which is used only for alert delivery and audit logging purposes. We maintain our customers’ personal data in alignment with the requirements prescribed by the EU General Data Protection Regulation (GDPR) and commit that we use this data only for its intended purpose.
What are the security impacts of running a LogicMonitor Collector in my network?
The Collector has been carefully designed with security in mind. In operation, the Collector accepts no inbound connections from your network, and initiates only outbound connections: either within your LAN to the devices it’s been assigned to monitor, or out to the LogicMonitor platform.
What level of access does the Collector have to the devices it monitors?
LogicMonitor’s best practices dictate that the Collector have the least possible privileges needed to gather instrumentation for any given device; most devices require only read-only access. Access configuration for each device is entirely within our customers’ control, and our documentation provides details on how to configure the minimum required rights.
How is data transmitted between the Collector and the LogicMonitor platform?
All communication between the Collector and LogicMonitor’s service platform takes place over HTTPS, using TLS restricted to strong cipher suites. Communication is always initiated by the Collector, since outbound HTTPS traffic passes through a typical firewall configuration without any inbound rule. Further, the Collector verifies the platform’s X.509 certificate before sending any data, so an attacker sitting between the Collector and the LogicMonitor platform cannot impersonate the platform or read the traffic.
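The server-authentication step described above is what separates an outbound TLS connection that resists interception from one that merely encrypts to whoever answers. The following is an added example written for this page, not LogicMonitor’s Collector code: it stands up an in-process HTTPS server with a self-signed certificate (standing in for the platform endpoint, an assumption) and runs three "collector" clients against it. One trusts the platform’s certificate, one trusts an unrelated CA set (what a man-in-the-middle presenting its own certificate looks like to a verifying client), and one has verification switched off, the weak setting a real deployment must never use.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Result records the outcome of one collector-style outbound HTTPS attempt.
type Result struct {
	Mode string // which client configuration was used
	OK   bool   // whether the request completed and returned the expected body
	Err  string // the TLS/x509 error, if the connection was rejected
}

// newPlatform is a stand-in for the LogicMonitor platform endpoint (assumed for
// this example): an in-process TLS server using httptest's self-signed cert,
// which has IP SANs for 127.0.0.1 and is marked as a CA.
func newPlatform() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	}))
}

// collectorClient builds the outbound-only HTTPS client. trusted is the CA pool
// the client will accept server certificates from; insecure disables server
// verification entirely, which is the setting to avoid.
func collectorClient(trusted *x509.CertPool, insecure bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:            trusted,
		InsecureSkipVerify: insecure, // never true in production
		MinVersion:         tls.VersionTLS12,
	}}}
}

// attempt performs one GET and classifies the outcome.
func attempt(mode string, c *http.Client, url string) Result {
	resp, err := c.Get(url)
	if err != nil {
		return Result{Mode: mode, OK: false, Err: err.Error()}
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Result{Mode: mode, OK: string(body) == "ok"}
}

// RunScenarios contrasts three client configurations against the same server
// and returns the results in order: verify-trusted, verify-untrusted,
// insecure-skip-verify.
func RunScenarios() []Result {
	srv := newPlatform()
	defer srv.Close()

	// Pool containing exactly the platform's certificate: the collector's trust anchor.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())

	// Pool that does not contain the platform's issuer. To a verifying client,
	// an interceptor presenting its own certificate looks like this.
	unrelated := x509.NewCertPool()

	return []Result{
		attempt("verify-trusted", collectorClient(trusted, false), srv.URL),
		attempt("verify-untrusted", collectorClient(unrelated, false), srv.URL),
		attempt("insecure-skip-verify", collectorClient(unrelated, true), srv.URL),
	}
}

func main() {
	for _, r := range RunScenarios() {
		fmt.Printf("%-22s ok=%-5v %s\n", r.Mode, r.OK, r.Err)
	}
}
```

The second scenario fails with an x509 "unknown authority" error before any application data is sent; the third succeeds against the same untrusted server, which is exactly why InsecureSkipVerify (or its equivalent in any TLS stack) turns an outbound-only design into one an on-path attacker can hijack.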
What kind of device data does LogicMonitor collect and store?
There are two classes of information stored by LogicMonitor: device metadata (IP address, system type, SNMP community string, configuration data, etc.) and performance information (CPU load, disk utilization, request latency, etc.). All device metadata, including fields that are not normally sensitive, is encrypted prior to storage. The less sensitive performance data is stored in a proprietary high-performance time-series database system.
What kind of personal information does LogicMonitor store?
The LogicMonitor platform stores only a minimal amount of personal information about our end-users. We need only a name, an email address, and optionally a mobile number for those who opt to receive alerts via SMS. User passwords are not stored at all; instead we store salted one-way hashes. Alternatively, LogicMonitor supports SSO via any SAMLv2 Identity Provider, such as ADFS.
Who has access to your data?
Only users provisioned in your account can access your data, and our role-based access control system lets you tailor access as appropriate to your environment. Those with “Administrative” rights can add, delete, suspend, or change the access levels of other users in your account. Other roles can be defined that limit what data can be viewed and/or changed. Our default configuration also allows access by LogicMonitor’s support engineers; this may be disabled at any time. Once disabled, you may elect to temporarily re-enable that account so we can log in to help you with a specific issue.
How is the LogicMonitor platform protected?
LogicMonitor operates our service platform out of professionally managed datacenters with the highest-grade security measures:
- SOC 2 Type 2 or ISO 27001 certified
- Servers housed in locked cabinets
- Ingress and egress secured with electronic key cards and biometric scans
- 24x7x365 high-resolution, motion-sensitive video surveillance
- Fully redundant power and cooling
- VESDA very early smoke detection and fire suppression
What operational procedures do you have to protect collected data?
The LogicMonitor platform is subject to rigorous validation to ensure the security, availability, and confidentiality of our customers’ data. We undergo an annual third-party audit to demonstrate our compliance with the SOC 2 Type 2 security principles. Further, we have a professional security consultancy conduct a source-code-assisted penetration test of our application on an annual basis. Testers working with our source code have a head start that an outside attacker lacks, so their findings give us a far more thorough view of our exposure than a black-box test alone.
Let's get started.
Get a 14-day free trial, no credit card required.