Lithium Technologies
security overview

At Lithium, security is our strength and one of our core competencies. Many Lithium customers and end-users are extremely tech-savvy and demand the highest standard in security from our products and services. As such, Lithium reaffirms its commitment to security by adhering to security best practices in every aspect of our product development and deployment life cycle. Security is incorporated into the design of our products and services and tested rigorously before rollout to production. We also conduct regular security audits and security vulnerability testing of our products and our production hosting environment to ensure continued compliance with our strict security standards. Below is a brief overview of the security measures used at Lithium.
application security

The Lithium application itself has several layers of security, some of which include:

▪ An extensive input and output validation layer checks for proper and expected input and output. All user-provided content, such as the URI, query string parameters, form submissions, cookies, etc., is validated through this framework before the underlying application layers are allowed to handle the request. Input that fails validation is either escaped or rejected, as appropriate.

▪ The application has a robust permission system which allows granular control over user, role, and group level access. Permissions and roles can be applied at the global community level, on categories, on boards, and on individual users. The fine granularity of the permissions ensures that users can be granted the specific access they need, without having to grant them excessive rights. All unauthorized access attempts are logged in the audit logs.

▪ User-provided content is also checked and validated using an intelligent HTML parser. Administrators can specify which HTML tags are allowed, including tag attributes and sub-tags. This allowlist-based parsing protects against many forms of attack such as cross-site scripting, script insertion, style hijacking, cookie theft, etc. By providing such extensive HTML parsing, we can allow our users to safely use HTML tags for rich and lively content creation without forcing them to learn custom or proprietary markup languages.

▪ On the application layer, we also employ a fail-safe countermeasure called "ticketing", whereby secure, encrypted, and time-sensitive tickets are assigned to user requests. All form submissions which result in an administrative action require valid and matching tickets to proceed. The ticketing system is completely transparent to the user and helps protect against a class of attack called cross-site request forgery (CSRF), in which a request is triggered from external content outside of the application's control.
Sidebar: application security done right: extensive I/O validation layer checks, robust permission system, intelligent HTML parser, ticketing system, Lithium BlackBox.
▪ A Lithium proprietary safeguard called BlackBox is also used on Lithium communities. Similar to the black box recording systems used on airplanes, it records key information about the system and user requests, including request parameters, URLs, IP addresses, etc. In case of a security breach, Lithium can replay these recordings to identify exactly how the breach took place, as well as any actions taken and damage inflicted by the intruder. If necessary, BlackBox recordings can be used to roll back the community to a specific point in time and undo any damage caused by malicious activity.
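A worked illustration of the scoped permission model described in the permission-system bullet above (settings at the community, category, board and individual-user level, with unauthorized attempts written to an audit log). This is an added example, not Lithium's code, and Python is used because the page does not say what the platform is written in. The resolution rules (the most specific scope that says anything wins, a user-level setting beats role and group settings, an explicit deny beats an allow among roles and groups, and nothing configured means deny) and the scope, role and permission names are assumptions chosen for illustration.

```python
"""Scoped permission resolution with an audit log of denied attempts.

Added example, not Lithium's code. The scope names (community, category,
board), the role and permission names, and the resolution rules are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass
class Principal:
    user: str
    roles: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)

    def keys(self) -> List[str]:
        # Role and group keys; the user's own key is handled separately.
        return [f"role:{r}" for r in self.roles] + [f"group:{g}" for g in self.groups]


@dataclass
class PermissionStore:
    # (scope, principal key) -> {permission: ALLOW | DENY}
    grants: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def set(self, scope: str, who: str, perm: str, value: str) -> None:
        self.grants.setdefault((scope, who), {})[perm] = value

    def _decision_at(self, scope: str, p: Principal, perm: str) -> Optional[str]:
        """Decision for one scope, or None if nothing is configured there.
        A setting on the user itself beats role/group settings; among roles
        and groups an explicit deny beats an allow."""
        user_val = self.grants.get((scope, f"user:{p.user}"), {}).get(perm)
        if user_val is not None:
            return user_val
        vals = [self.grants.get((scope, k), {}).get(perm) for k in p.keys()]
        vals = [v for v in vals if v is not None]
        if not vals:
            return None
        return DENY if DENY in vals else ALLOW

    def check(self, p: Principal, scope_path: List[str], perm: str) -> bool:
        """Walk from the community root down to the target board; the most
        specific scope that says anything wins. Nothing configured means deny.
        Every denial is written to the audit log."""
        decision = DENY
        for scope in scope_path:
            here = self._decision_at(scope, p, perm)
            if here is not None:
                decision = here
        allowed = decision == ALLOW
        if not allowed:
            self.audit_log.append(f"DENY user={p.user} perm={perm} scope={scope_path[-1]}")
        return allowed


def demo() -> Dict[str, bool]:
    """Constructed policy: members may read and post community-wide, but the
    announcements board is read-only for members, with one user excepted."""
    store = PermissionStore()
    store.set("community", "role:member", "read", ALLOW)
    store.set("community", "role:member", "post", ALLOW)
    store.set("community", "role:moderator", "lock", ALLOW)
    store.set("board:announcements", "role:member", "post", DENY)
    store.set("board:announcements", "user:carol", "post", ALLOW)

    alice = Principal("alice", roles=["member"])
    bob = Principal("bob", roles=["member", "moderator"])
    carol = Principal("carol", roles=["member"])
    path = ["community", "category:news", "board:announcements"]
    return {
        "alice_post": store.check(alice, path, "post"),   # False: board-level deny
        "alice_read": store.check(alice, path, "read"),   # True: inherited from community
        "bob_lock": store.check(bob, path, "lock"),       # True: moderator role
        "bob_post": store.check(bob, path, "post"),       # False: deny on member role wins
        "carol_post": store.check(carol, path, "post"),   # True: user-level override
        "two_denials_logged": len(store.audit_log) == 2,
    }
```

The point of the walk from root to leaf is least privilege in practice: a broad grant at the community level can be narrowed on one board without touching every user, and a single user can be excepted without widening the role. The default-deny fallback means a permission nobody configured is refused and logged rather than silently allowed.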
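An allowlist HTML sanitizer of the kind the "intelligent HTML parser" bullet above describes, added here as an example rather than taken from Lithium: administrators supply the table of allowed tags and per-tag attributes; anything not listed is dropped while its text is kept; script and style content is removed entirely; and href/src values with an unsafe scheme (javascript:, data:, and so on) are stripped. The policy table, the use of Python's standard-library html.parser, and the list of safe schemes are assumptions.

```python
"""Allowlist HTML sanitizer. Added example, not Lithium's code; the policy
table, the use of html.parser and the scheme list are assumptions."""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumed administrator policy: tag -> attributes allowed on that tag.
# Everything not listed (script, style, iframe, on* handlers, style=...) is dropped.
DEFAULT_POLICY: Dict[str, Set[str]] = {
    "b": set(), "i": set(), "p": set(), "br": set(), "ul": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """Reject javascript:/data:/vbscript: links. Browsers ignore ASCII control
    characters inside a URL, so strip them before looking at the scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self, policy: Dict[str, Set[str]] = DEFAULT_POLICY) -> None:
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out: List[str] = []
        self.open: List[str] = []      # tags we emitted and still owe a close for
        self.skip_depth = 0            # >0 while inside script/style content

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in ("script", "style"):
            self.skip_depth += 1       # drop the tag and everything inside it
            return
        if self.skip_depth or tag not in self.policy:
            return                     # unknown tag: drop it, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in self.policy[tag] or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        if tag in VOID_TAGS:
            self.out.append("<" + " ".join(parts) + " />")
        else:
            self.out.append("<" + " ".join(parts) + ">")
            self.open.append(tag)

    def handle_endtag(self, tag: str) -> None:
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        while self.open:               # close back to the matching tag (fixes misnesting)
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data: str) -> None:
        # Character references were decoded by the parser; re-escape on output.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions hit HTMLParser's no-op
    # defaults and are therefore dropped.

    def result(self) -> str:
        self.close()
        while self.open:               # close anything the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str, policy: Dict[str, Set[str]] = DEFAULT_POLICY) -> str:
    parser = AllowlistSanitizer(policy)
    parser.feed(html)
    return parser.result()
```

Two details matter more than the tag table itself: the output is rebuilt from the parsed tree rather than patched with regular expressions, so malformed or misnested input cannot smuggle a tag through, and URL attributes are checked on the decoded, control-character-stripped value, which is what the browser will actually resolve.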
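The ticketing countermeasure described above, reconstructed as an added example (not Lithium's implementation): a ticket bound to the user's session and to the specific administrative action, carrying an expiry time and an integrity check, issued into the form by the server and verified on submission. The page says its tickets are encrypted; this version uses an HMAC instead, which is the standard way to make such a ticket unforgeable without needing to hide its contents. The secret, the hidden-field name and the 15-minute lifetime are assumptions.

```python
"""Time-limited, keyed anti-CSRF ticket bound to a session and an action.

Added example, not Lithium's code. Uses an HMAC where the page says
"encrypted"; secret, field name and lifetime are assumed values.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

TICKET_TTL_SECONDS = 15 * 60   # assumed lifetime
TICKET_FIELD = "ticket"        # assumed hidden form field name


def _mac(secret: bytes, session_id: str, action: str, expires: int, nonce: str) -> str:
    # JSON gives an unambiguous encoding of the fields, so a session id or
    # action containing a separator character cannot collide with another.
    msg = json.dumps([session_id, action, expires, nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_ticket(secret: bytes, session_id: str, action: str,
                 now: Optional[int] = None, ttl: int = TICKET_TTL_SECONDS) -> str:
    """Server embeds the returned string in the admin form as a hidden field."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    nonce = secrets.token_urlsafe(16)     # urlsafe alphabet never contains "."
    return f"{expires}.{nonce}.{_mac(secret, session_id, action, expires, nonce)}"


def verify_ticket(secret: bytes, session_id: str, action: str,
                  ticket: Optional[str], now: Optional[int] = None) -> bool:
    """True only for a well-formed, unexpired ticket whose MAC matches this
    session and this action. The MAC comparison is constant-time."""
    now = int(time.time()) if now is None else int(now)
    if not isinstance(ticket, str):
        return False
    try:
        exp_s, nonce, mac = ticket.split(".")
        expires = int(exp_s)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = _mac(secret, session_id, action, expires, nonce)
    return hmac.compare_digest(expected, mac)


def handle_admin_form(secret: bytes, session_id: str, form: Dict[str, str],
                      now: Optional[int] = None) -> str:
    """A cross-site page can make the victim's browser submit this form with the
    session cookie attached, but it cannot read the ticket, so the check fails."""
    action = form.get("action", "")
    if not verify_ticket(secret, session_id, action, form.get(TICKET_FIELD), now):
        return "rejected: missing or invalid ticket"
    return f"performed {action}"
```

Binding the ticket to the action as well as the session means a ticket harvested from one form cannot be replayed against a different administrative operation; the expiry bounds how long a leaked ticket stays useful. Making tickets strictly single-use would additionally require the server to remember consumed nonces, which this example does not do.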
network security

At the network level, Lithium's production environment is designed to provide maximum security based on security best practices.

▪ Our servers are protected by redundant firewalls.
▪ The front-end application and web servers are isolated from other services such as DNS and SMTP.
▪ The databases are further protected in a separate data island, firewalled from the front-end servers. No direct access from the Internet is allowed to the database servers.
▪ Intrusion Detection Systems are deployed to monitor for unauthorized access and detect malicious traffic.
▪ Only the required ports are exposed: port 80 (HTTP), port 443 (HTTPS), and a port in the 5xxx range for customers using the chat application.
Sidebar: security at its finest, on all levels: application security, network security, host security, physical security, access security.
host security

At the host level, Lithium servers are fine-tuned or "hardened" according to security best practices.

▪ Only necessary services and software are installed.
▪ Servers are regularly updated with the latest security patches.
▪ All management traffic to the servers is encrypted.
▪ Where applicable, malware detection tools are also used for good measure.
▪ Administrative access to servers is restricted to authorized staff and must occur over a secure encrypted session. All administrative access is logged and monitored.
▪ Security auditing is turned on and logs are sent to a secure log collection system.
physical security

The Lithium production environment is hosted in SSAE 16 and ISO 27001 certified secure datacenters. Datacenters are equipped with CCTV systems and digital recorders, and are manned by security guards on a 24x7 basis. Access to the datacenters is restricted to authorized staff only and reviewed on a regular basis. Multiple forms of authentication are required to access the facility, such as a valid picture ID, a secret PIN code, and biometric identification. Datacenters are also equipped with fire, water, and heat detection and protection systems.
access security

Physical access to the datacenters is restricted to Lithium Technical Operations staff and controlled by access lists held by the colocation facility's security department. Logical access to the production environment can only be established via a secure encrypted session, which is also restricted to Lithium Technical Operations staff. All administrative access is logged and monitored.
Sidebar: battle-tested datacenters ensure your data is secure: SSAE 16 Type II certified; ISO 27001 (IS 574923).
proactive monitoring

Lithium monitors all communities and critical infrastructure on a 24x7 basis. An alert system is tied to each community's health statistics, as well as to major parts of the Lithium hosting infrastructure. All major services such as DNS, firewalls, servers, and Internet connectivity are actively monitored. Alerts are also set up to monitor security-related events and detect security violations. Security auditing is enabled on systems, and logs are sent to a secure log collection system for retention and safekeeping.

redundancy and backup

The hosting infrastructure at Lithium is designed with multiple redundancies for maximum uptime.

▪ Secure datacenters have UPS and generator backup systems for power, and diverse entry points for key utilities and communication facilities.
▪ At the network edge, Lithium has deployed multiple high-speed Internet Service Providers for fast Internet connectivity, using BGP for redundancy and automatic failover.
▪ Beyond the network edge, each critical system in the Lithium architecture is set up in a redundant manner to eliminate single points of failure. This includes redundant load balancers, firewalls, switches, and routers.
▪ At the system layer, servers are deployed with redundant power supplies, redundant network cards, and redundant disk storage.
▪ At the database layer, data is replicated from master database servers to slave database servers in real time. Lastly, regular backups are made and stored offsite in a secure location.
compliance, audits, and certifications

▪ Lithium datacenters are SSAE 16 certified, ISO 27001 certified, and PCI DSS section 9 (physical access) certified.
▪ Lithium hosted application solutions are ISO 27001 and SSAE 16 certified.
▪ Lithium is U.S.-E.U. Safe Harbor and U.S.-Swiss Safe Harbor self-certified.
Sidebar: your community is certified safe with Lithium.
▪ Lithium has been awarded TRUSTe's Privacy Seal, signifying that our privacy policy and practices are compliant with TRUSTe's program requirements, including transparency, accountability, and choice regarding the collection and use of private information.
▪ Lithium conducts annual security vulnerability and penetration testing using independent third-party auditors.
about Lithium

Lithium helps companies unlock the passion of their customers. Lithium software powers amazing Social Customer Experiences for more than 400 iconic brands including AT&T, BT, Best Buy, Indosat, Sephora, Skype and Telstra. Lithium helps companies grow brand advocacy, drive sales, reduce costs and accelerate innovation to create social communities that redefine the customer experience. For more information, visit lithium.com, or connect with us on Twitter, Facebook and our own community, the Lithosphere. Lithium is privately held with corporate headquarters in San Francisco, Calif. and offices in Europe, Asia and Australia.
lithium.com | © Lithium Technologies, Inc. All Rights Reserved.
contact us

To learn more about our security practices, visit lithium.com/security, or email us at security@lithium.com.