Security teams commonly have questions about running Lightstep as part of their production environment. This document summarizes how you can categorize and evaluate Lightstep from a security perspective.
The Lightstep Microsatellites and the SaaS Platform
The Lightstep Microsatellites are plain binaries that only process the data explicitly sent to it by the tracers in your instrumentation. The Microsatellite does not automatically inspect, acquire, or otherwise gather data from the host environment. As such, you have complete control over what data is accessible to the Microsatellite binary.
To enforce this restriction, you can further isolate the binary in the host environment using dedicated VMs, firewalls, containers, or other standard mechanisms of your choosing which would apply to any binaries running in your production environment to ensure they receive and send only the intended traffic via the configured ports. In a standard Lightstep configuration, limit all outbound connections to only the following IP addresses on TCP ports 443 and 8043.
- 18.104.22.168 (for public API access)
By extension, the platform only has access to the data sent to it by the Lightstep Microsatellites. Our best practices, guidelines, assurances, and remediation strategies around the data sent to the platform are documented elsewhere in our contracts and legal documentation. Please review that documentation to ensure only the data you want is accessible to Lightstep. In short, you control the specific data sent to Lightstep and should avoid sending any sensitive data to the Microsatellite that shouldn’t be sent to the platform.
Both the Lightstep Microsatellites and the platform are composed of proprietary code. Internally, Lightstep follows best practices including, but not limited to, source code control, code review, and continuous testing to ensure the reliability of these service components.
The Lightstep Launchers and Tracers
The Lightstep OpenTelemetry launchers OpenTracing tracers send data from the host application to the Lightstep Microsatellites. They are all open source and hosted on GitHub. Security teams are encouraged to audit them for specific concerns.
The launchers and tracers transfer data using explicit API calls which gives you full control over the data communicated to Lightstep.
Lightstep uses the American Institute of Certified Public Accountants (AICPA) SOC 2 standard for measuring the security, confidentiality, and availability of our services. Our SOC 2 Type 2 report describes how we protect our customers’ data using technical and organizational controls to manage risk and oversee day-to-day operations.
Lightstep is compliant with the General Data Protection Regulation (GDPR). Our products, processes, and procedures meet obligations as a data processor. You can find our subprocessors here.