The purpose of this policy is to outline standards set by LightSpeed VT and its cloud hosting vendor—Amazon Web Services. Effective implementation of this policy will minimize unauthorized access to LightSpeed VT's proprietary SaaS application. This policy applies to Amazon Web Services (AWS) virtual cloud instances operated by LightSpeed VT. It is specifically aimed at instances on the LightSpeed VT SaaS application network.
Ownership and Responsibilities
LightSpeed VT utilizes Amazon Web Services technologies for client-facing portals, video content and the main SaaS application. Security is maintained through strict IAM security groups and Virtual Private Cloud access-control lists. The virtual devices created by LightSpeed VT to run the current software-as-a-service (SaaS) application are created on cloud-based hardware owned by Amazon Web Services. Maintenance and maintainability of these devices is the responsibility of LightSpeed VT, and periodic, appropriate steps are taken to ensure the viability of these devices.
General Configuration Guidelines
- Operating systems are installed in accordance with Center for Internet Security (www.cisecurity.org) guidelines.
- Services and applications that will not be used are disabled where practical.
- Access to virtual instances and applications is protected through access-control methods such as VPN connections, Identity & Access Management, and encrypted SSH or RDP connections.
- The most recent security patches are installed on each server/system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Security groups are used to control traffic between application subnets.
- The standard security principle of least required access (least privilege) is applied when performing server and application functions.
- Administrative accounts are not used when a non-privileged account will do.
- Privileged access is performed over secure channels (e.g., encrypted network connections using SSH or IPsec).
- Application communication between the client (browser) and the server (LSVT AWS application) occurs using SHA256 SSL encryption to protect the data in transit and at rest.
- Primary SaaS servers are hosted in a Virtual Private Cloud with Amazon Web Services.
- All security-related events on critical or sensitive systems are logged and audit trails saved as follows:
  - All security-related logs are kept online for a minimum of 1 week.
  - Daily incremental tape backups will be retained for at least 30 days.
- Security-related events will be reported to systems administration, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
  - Port-scan attacks
  - DDoS attacks
  - Evidence of unauthorized access to privileged accounts
  - Anomalous occurrences that are not related to specific applications on the host
- Systems and network monitoring agents are in place to alert systems administration of any application or network irregularities.
- Audits are performed on a regular basis by company personnel.
- Every effort will be made to prevent audits from causing operational failures or disruptions.