01
Security-oriented environments start with high coding standards that guard against attempted security breaches and are accompanied by rigorous code reviews and tests (such as code coverage testing). Logz.io employs the strictest development processes and coding standards to ensure that both adhere to the best security practices. In addition, the company’s testing platform performs a set of various black box and white box tests for quality assurance (including ongoing penetration tests). R&D processes are implemented and supported with security as a top priority across all system layers, from the physical layers up to the application layer.
02
Logz.io relies on the Amazon and Microsoft cloud’s exceptionally flexible and secure cloud infrastructure to store data logically across multiple AWS and Azure cloud regions and availability zones. AWS and Azure make abiding by industry and government requirements simple and ensures the utmost in data security and protection. For example, AWS infrastructure aligns with IT security best practices and follows a number of compliance standards such as:
(formerly SAS 70 Type II)
All data centers that run Logz.io’s platform are secured and monitored 24/7, and physical access to both AWS and Azure facilities are strictly limited to select internal cloud staff. (For more information about these providers' secure architecture and compliance certifications, visit: http://aws.amazon.com/security or https://azure.microsoft.com/en-us/overview/trusted-cloud/.)
03
Every microservice runs inside a well-defined Docker container that allows specific levels of access to select controllers. Logz.io uses Docker to avoid erroneous instance-configuration changes, upgrades, and corruption that are common sources of security breaches. Additionally, the company hardens operating systems within containers to enable various network access controls (such as iptables).
Logz.io takes all necessary precautions to ensure that every layer involved in data transfer is secured by best-of-breed technologies. The company’s network is segmented using security groups, VPCs, and ACLs in AWS and NSGs, VNets, and ACLs in Azure, in addition to custom measures. In addition, their threat-control center is kept up to date with security alerts that are analyzed and addressed in real-time. Through in-depth network monitoring, Logz.io is able to detect anomalies and take a proactive approach to eliminating potential breaches.
04
Logz.io secures each and every step of the data funnel by provisioning dedicated data stores for each individual customer, ensuring full data-segregation. Data is tagged, segregated, and tunneled through the company’s data-ingestion system. They mark each specific piece of given customer data according to its associated organization, which is associated with that data throughout its life cycle. When data is in transit in Logz.io’s ingestion pipeline, it is marked with specific information, including its associated customer, so that it can only be accessed by that customer. The company supports SSL encryption for data in transit, so customers can securely upload their data to the Logz.io cloud and securely browse through their own Logz.io console. Cold data is encrypted and hosted in separate Simple Storage Service (S3) buckets, which are secured via durable AES 256-bit encryption.
In addition, Logz.io continuously tracks and maintains the location and state of their customers’ data. That way, when the company retires an operating system, for example, and decommissions the related machine, Logz.io is sure to wipe clean any informational residue that may have been left behind before returning the machine to AWS. Disks are specially formatted to ensure that data recovery is not possible at a later point in time.
05
Logz.io supports role-based access through their interface, allowing end users to be defined as admins or users as well as suspended or deleted. Customers’ account administrators manage and control user access, including provisioning new end users with a defined access level.
06
To verify adherence with compliance policies, Logz.io uses 3rd-party auditing services. E&Y, one of the “Big Four” auditing firms, performs periodic and comprehensive auditing to audit and validate processes.
Please feel free to contact the security team at Logz.io with any questions, suggestions or concerns about any of the points outlined above at: security@logz.io.