Security
We understand that our customers expect us to protect their data to the highest standards, and we are committed to being a trustworthy service provider. We demonstrate this through our SOC 2 (ISAE 3000) attestation report, which is dedicated to our cloud platform and evaluated by a third-party auditor. Although not covered by the report, the majority of the same processes and controls are also implemented for the on-premises software, including the Relay Service used by LsAgent.
Lansweeper has defined a security framework based on recognized industry standards that takes into account legal, regulatory, contractual, and business requirements.
Security policies & processes
Security at Lansweeper is organized around industry standards (e.g. NIST CSF, ISO 2700x) and implemented using a risk-based approach. The security framework is translated into security processes, including specific technical and organizational controls, and these processes are supported by a comprehensive security policy framework. Security policies are considered internal and are not shared externally.
Vulnerability management
Penetration testing of the cloud production systems is performed continuously through a bug bounty platform, allowing security researchers from around the world to ethically and responsibly research and disclose security vulnerabilities. In addition, Lansweeper performs vulnerability assessments and penetration tests on a regular basis.
Application security
All our software and systems are developed and set up following security-by-design and secure application development principles. Our CI/CD process includes static analysis, peer reviews, end-to-end testing and more.
The Lansweeper cloud platform uses a trustworthy identity provider (Auth0) that provides secure, state-of-the-art authentication for access to your asset data. Authentication is protected by strong password settings.
We have a shared responsibility with our customers regarding the security of our on-premises software, and we support our customers as much as possible with their side of those responsibilities. You can find more information on how to set up the on-premises software securely here.
Infrastructure security
Our platform is hosted in both AWS and Azure. Following the “Shared responsibility model”, these cloud providers are responsible for protecting the infrastructure that runs all of the services offered in the cloud. Our infrastructure is protected using multiple security mechanisms:
- Customer asset data is logically separated from other customers' asset data in a multi-tenant environment;
- Comprehensive logging and monitoring on a 24/7 basis for operational and security-related issues and incidents;
- Firewalls to filter network traffic and enforce network segmentation;
- A web application firewall (WAF) for content-based dynamic attack blocking.
All service providers that support our cloud platform are subject to a review of their available audit and certification reports to evaluate and confirm the security practices they have implemented.
Encryption
Lansweeper encrypts all data both in transit and at rest:
- Data in transit is encrypted using TLS;
- Data at rest is encrypted across our infrastructure using strong encryption (AES-256);
- Credentials are encrypted using strong encryption prior to being added to your Lansweeper database.
Backup & disaster recovery
Lansweeper uses both backups and high availability and resiliency services to ensure no data is lost. Backups store snapshots of the data at a specific point in time, while high availability and resiliency services ensure data is always available and consumable.
A disaster recovery plan is in place and is reviewed on an annual basis by relevant personnel. The disaster recovery plan is tested at least once a year.
Access management
Access to our cloud platform by Lansweeper personnel or contractors is granted on a least-privilege and need-to-know basis. We regularly conduct user access reviews to ensure appropriate permissions are in place. Access is granted and revoked following formal access management processes.
Security awareness and training
All personnel are required to follow recurring security awareness sessions, both during onboarding and throughout employment, delivered via an automated security awareness program. Security awareness focuses on understanding the Lansweeper security framework, as well as the current threats and risks all personnel should be aware of.