Security teams commonly have questions about running Lightstep as part of their production environment. This document summarizes how you can categorize and evaluate Lightstep from a security perspective.
The Lightstep Satellite and Hypothesis Engine
The Lightstep Satellites are plain binaries that only process the data explicitly sent to it by the tracers in your instrumentation. The Satellite does not automatically inspect, acquire, or otherwise gather data from the host environment. As such, you have complete control over what data is accessible to the Satellite binary.
To enforce this restriction, you can further isolate the binary in the host environment using dedicated VMs, firewalls, containers, or other standard mechanisms of your choosing which would apply to any binaries running in your production environment to ensure they receive and send only the intended traffic via the configured ports. In a standard Lightstep configuration, limit all outbound connections to only the following IP addresses on TCP ports 443 and 8043.
By extension, the Hypothesis Engine only has access to the data sent to it by the Lightstep Satellites. Our best practices, guidelines, assurances, and remediation strategies around the data sent to the Hypothesis Engine are documented elsewhere in our contracts and legal documentation. Please review that documentation to ensure only the data you want is accessible to Lightstep. In short, you control the specific data sent to Lightstep and should avoid sending any sensitive data to the Satellite that shouldn’t be sent to the Hypothesis Engine.
Both the Lightstep Satellite and the Hypothesis Engine are composed of proprietary code. Internally, Lightstep follows best practices including, but not limited to, source code control, code review, and continuous testing to ensure the reliability of these service components.
The Lightstep Tracers
The Lightstep OpenTracing tracers send data from the host application to the Lightstep Satellites. They are all open source and hosted on GitHub. Security teams are encouraged to audit them for specific concerns.
The tracers are based on OpenTracing and transfer data using explicit API calls which gives you full control over the data communicated to Lightstep.
Please contact our Customer Success team if you have specific questions.
Lightstep is GDPR compliant.