Security teams commonly have questions about running Lightstep Observability as part of their production environment. This document summarizes how you can categorize and evaluate Lightstep Observability from a security perspective.
The Lightstep Observability Microsatellites and the SaaS platform
The Microsatellites are plain binaries that only process the data explicitly sent to it by the tracers in your instrumentation. The Microsatellite does not automatically inspect, acquire, or otherwise gather data from the host environment. As such, you have complete control over what data is accessible to the Microsatellite binary.
To enforce this restriction, you can further isolate the binary in the host environment using dedicated VMs, firewalls, containers, or other standard mechanisms of your choosing which would apply to any binaries running in your production environment to ensure they receive and send only the intended traffic via the configured ports. In a standard Lightstep Observability configuration, limit all outbound connections to only the following IP addresses on TCP ports 443 and 8043.
126.96.36.199(for public API access)
By extension, the platform only has access to the data sent to it by the Microsatellites. Our best practices, guidelines, assurances, and remediation strategies around the data sent to the platform are documented elsewhere in our contracts and legal documentation. Please review that documentation to ensure only the data you want is accessible to Lightstep Observability. In short, you control the specific data sent to Lightstep Observability and should avoid sending any sensitive data to the Microsatellite that shouldn’t be sent to the platform.
Both the Microsatellites and the platform are composed of proprietary code. Internally, Lightstep Observability follows best practices including, but not limited to, source code control, code review, and continuous testing to ensure the reliability of these service components.
The Lightstep launchers and tracers
The Lightstep Observability OpenTelemetry launchers OpenTracing tracers send data from the host application to the Microsatellites. They are all open source and hosted on GitHub. Security teams are encouraged to audit them for specific concerns.
The launchers and tracers transfer data using explicit API calls which gives you full control over the data communicated to Lightstep Observability.
Lightstep Observability uses the American Institute of Certified Public Accountants (AICPA) SOC 2 standard for measuring the security, confidentiality, and availability of our services. Our SOC 2 Type 2 report describes how we protect our customers’ data using technical and organizational controls to manage risk and oversee day-to-day operations.
Lightstep Observability is compliant with the General Data Protection Regulation (GDPR). Our products, processes, and procedures meet obligations as a data processor. You can find our subprocessors here.