IT Security at a Glance

Limelight has organized its Information Systems Security policies and practices to comply with ISO: 27002:2013 and SOC Type 2 standards, best practices, and recommendations
External IT Security consultants regularly perform audits on Security Practices and Policies
Limelight Staff is continually trained on the IT Security policies and best practices

Windows Active Directory controls employee network access
Limelight employees do not have administrative privileges on their laptops
Employee laptops are encrypted through the Group Policies
Group Policies strictly enforce password policies
Hardware and software firewalls protect internal IT resources
All servers and laptops are patched regularly according to a formal Pathing Policy Patching Policy
Critical Servers backup daily

Limelight Software has established a formal Access Policy that strictly access to the Cloud resources
Limelight Software administrative access to Cloud resources is protected by a combined mandatory two-factor and SSH PKI authentication system and limited to senior technical staff
Employees access rights are reviewed periodically through a formal process
Changes to the organization, business processes, information processing facilities, and systems that affect information security in the production environment and financial systems are controlled. All significant changes to in-scope systems are documented and go through a formal approval process
Regular vulnerability scans and penetration tests are performed to ensure that the infrastructure is securely configured
Substantial defense systems are in place to protect our services against the broad array of cyber threats. Firewalls block unwanted connections. All customer access to the application is via secure encrypted HTTPS / TLS 1.2 connections.
Development and staging environments are strictly segregated from production SaaS environments
Confidential production customer data is not used outside of the Production environment and is governed by a formal Limelight Software Privacy Policy
Cloud infrastructure is continuously monitored for resources utilization as well as any authorized access attempts. Specific steps are outlined in the formal Incident Management Policy

Username and password are required to access the application
Federated access is supported (SAML, 0Auth2.0, Azure, Google, Okta, etc.)
Limelight Staff is continually trained on the IT Security policies and best practices
MFA is supported via AWS Cognito, or client provided service
User access rights are role-based inside Limelight SaaS

Application logs retain user logon information, including actions takes by the user
Application logs are kept for 7 days
Application logs are protected and encrypted
User passwords are never exposed in plain text in the logs

Client data is encrypted at rest and in transit
At rest, the client data is encrypted by the AES-256 algorithm (including backups)
Encryption keys are managed by AWS KMS (key management system) in compliance with FIPS 140-2 standards
In transit, the client data is encrypted by various secure transmission protocols (HTTPS, SFTP, TLS 1.2, SSH)
Client data is backup daily and can be recovered at the client request
Client backups are stored on AWS Block Storage system with 99.99% availability and 99.999999999% durability

Only authorized people have access to the source code
Source code is regularly reviewed for known vulnerabilities using security methodologies from OWASP, SANS, CWE
Source code is continuously scanned for known vulnerabilities as part of the Software Development Life Cycle
Application is tested in the QA environment before release to the Production using detailed testing plans

Security, Privacy and Control