Lansweeper manages the data of over 20,000 companies worldwide, and with this responsibility, we are committed to providing our customers with the highest standards of security.
We understand our responsibility when you, our customers, entrust us with a significant amount of data. To maintain customer confidence in our security posture and the security features we provide, we work diligently to continuously improve security processes and controls and provide our customers with the highest transparency they need.
At the bottom of this page you can request access to:
- Our SOC 2 Type II report
- CSA STAR self-assessment
- Security whitepaper about our cloud platform
We obtain industry-accepted certifications and comply with current industry standards and regulations so you can feel confident that your data remains secure and compliant.
Lansweeper's Approach to Security
Lansweeper’s information security program is planned, built, run, and monitored by our Information Security Officer. He is supported by several representatives from the Operations, Development and IT teams.
We organize all our security processes and measures in an internal Lansweeper Security Framework, making it easy and transparent to define, implement, monitor, and improve our security processes and controls. The processes are supported by a comprehensive security policy framework. The framework is organized based on industry standards (e.g. NIST CSF, ISO 2700x) and implemented using a risk-based approach.
We introduced several organizational structures on different levels to make sure our security program is aligned with Lansweeper’s objectives:
- Security governance team with stakeholders from C-level
- Operational security team with representatives from the Operations, Development and IT teams
- Security champions team with representatives from the Development teams
Lansweeper constantly strives to reduce the severity and frequency of vulnerabilities in our software and infrastructure. To this end, we have a multi-faceted and continually evolving approach to vulnerability management that utilizes both automated and manual processes across both our software and infrastructure to detect vulnerabilities in production:
- Quarterly vulnerability scans on our software and infrastructure
- Bug bounty program
- Responsible disclosure policy
- Penetration testing in QA team
We centralize and track the vulnerabilities we identify in our internal ticketing system in Jira, giving us a ‘single pane of glass.’
We have a vulnerability response process with an internal SLA to mitigate vulnerabilities within a specific timeframe. This timeframe is based on the CVSS score.
A secure SDLC procedure is defined and implemented throughout Lansweeper to ensure that security is incorporated from the inception of a new project and continues throughout the system’s entire life. Responsible personnel review the procedure yearly and obtain appropriate management approval for revised versions created during the review process.
Our SDLC procedure contains but is not limited to security in the design phase, SAST, peer reviews, SCA, end-to-end testing, and more.
The Lansweeper cloud platform uses a trustworthy identity provider (Auth0) that ensures secure, state-of-the-art authentication for access to your asset data. Authentication requests are protected by strong password settings.
We have a shared responsibility with our customers regarding the security of our on-premise software. However, we support our customers as much as possible with their security responsibilities. You can find more information on setting up the on-premise software securely here.
Our platform is hosted in both AWS and Azure. Following the "Shared responsibility model", these cloud providers are responsible for protecting the infrastructure that runs all of the services offered in the cloud. Our infrastructure is protected using multiple security mechanisms:
- Customer asset data is logically separated from other customers’ asset data in a multi-tenant environment;
- Comprehensive logging and monitoring on a 24/7 basis for operational and security-related issues and incidents;
- Firewalls to filter network traffic and enforce network segmentation;
- A web application firewall (WAF) for content-based dynamic attack blocking;
- Backups, high availability and resiliency services are in place to ensure no data is lost;
- A disaster recovery plan is in place and is reviewed on an annual basis by relevant personnel. The disaster recovery plan is tested at least once a year.
All service providers supporting our cloud platform are subject to a review of available audit and certification reports to evaluate and confirm the security practices implemented.
Lansweeper encrypts all data both in transit and at rest:
- Data in transit is encrypted using TLS;
- Data at rest is encrypted across our infrastructure using strong encryption protocols (AES-256);
- Credentials are encrypted using strong encryption before being added to your Lansweeper database.
Access to our cloud platform by Lansweeper personnel or contractors is granted on a least-privilege and need-to-know basis. We regularly conduct user access reviews to ensure appropriate permissions are in place. Access is granted and revoked following formal access management processes.
Security awareness and training
All personnel are subject to and required to follow recurrent security awareness sessions during onboarding and employment via an automated security awareness program. Security awareness focuses on understanding the Lansweeper security framework and the current threats and risks all personnel should be aware of.