Security teams commonly have questions about running LightStep [x]PM as part of their production environment. This document gives an overview of how to categorize and evaluate LightStep [𝑥]PM from a security perspective.
The LightStep [𝑥]PM Satellites are plain binaries that only process the data explicitly sent to it by the LightStep SDK client libraries. The Satellite does not automatically inspect, acquire, or otherwise gather data from the host environment. As such you have complete control over what data is accessible to the Satellite binary.
To enforce this restriction, the binary can always be further isolated in the host environment by the customer using dedicated VMs, firewalls, containers, or other standard mechanisms of your choosing which would apply to any binaries running in your production environment to ensure they receive and send only the intended traffic via the configured ports. In a standard LightStep [𝑥]PM configuration, you should limit all outbound connections to api-all.lightstep.com:443.
By extension, the LightStep [𝑥]PM SaaS platform only has access to the data sent to it via the LightStep [𝑥]PM Satellites. Our best practices, guidelines, assurances, and remediation strategies around the data sent to the SaaS platform are documented elsewhere in our contracts and legal documentation. Please review that documentation to ensure only the data you want is accessible to LightStep. In short, you control the specific data to be sent to LightStep and should avoid sending any sensitive data to the Satellite that should not be sent to the SaaS platform.
Both the LightStep [𝑥]PM Satellite and the LightStep [𝑥]PM SaaS platform are composed of proprietary code. Internally we follow best practices including, but not limited to, source code control, code review, and continuous testing to ensure reliability of these service components.
The LightStep SDK client libraries which sent data from the host application to the LightStep [𝑥]PM Satellites are all open source and hosted on GitHub. Security teams are encouraged to audit them for specific concerns.
The SDK is based on OpenTracing and transfers data via explicit API calls which gives you full control over what data is communicated to LightStep.
Please contact our Customer Success team if you have specific questions.