Overview
This document describes the security and compliance aspects of the Live Optics tool, based on customers' frequently asked questions and security best practices.
Dell's Secure Development Lifecycle integrates standards from a variety of data sources. A primary consideration is data from both internally discovered and externally reported issues. This awareness allows us to focus on the issues that are most prevalent in our technology space. A second major consideration is industry practices. Dell collaborates through many industry-standard venues such as SAFECode, BSIMM, and the IEEE Center for Secure Design to ensure that we follow industry practices. Lastly, Dell's Secure Development Lifecycle is aligned with the principles outlined in ISO/IEC 27034 (Information technology, Security techniques, Application security).
1. Encryption Requirements
How is data in transit encrypted?
Data communications are encrypted using industry approved protocols, protecting data in transit.
How is the data going to be encrypted at rest? What type of encryption is used?
All Live Optics data technologies automatically apply encryption for data at rest.
Are data backups encrypted? What technology is used to encrypt data backups and how are those keys managed?
Yes, data backups are encrypted and stored using a backup vault.
Are all server-to-server data transmissions also encrypted?
Data transmitted externally is encrypted using industry standard protocols.
How are the encryption keys managed?
Certificates used in Live Optics are stored within the Vault utilizing IAM controls. A certificate rotation policy is in place.
2. Access Privileges and Controls
Who can see or have access to Customer data?
Customer data can only be viewed by registered users from the Customer's organization or by any Live Optics users with whom the data is shared. Live Optics administrators also have access to this data.
What actions and internal controls do you have in place to prevent unauthorized viewing of customer information?
Access to Live Optics resources is managed by Dell's instance of Active Directory. Multi-factor authentication is used when logging into the portal. Users are assigned to pre-built roles to further restrict access and privileges to resources, with auditing in place.
How are you ensuring that another tenant would not have access to Customer data? How is each tenant secured?
Customers own their own data and do not have access to other projects unless the owners agree to share their data. Live Optics is not a multi-tenant platform; it is a single-tenant platform.
How is access management set up? How is the identity and access management (IAM) solution monitored? Do you support SAML based SSO for customer user access?
SSO is supported for Dell users of Live Optics and is managed through Dell's instance of Active Directory. For non-Dell users, access is managed through the ASP.NET Identity management solution.
What physical security measures are in place at the data processing facility where the data would be stored?
As per Dell policy.
How do you vet employees who will have physical access to the network and compute infrastructure that hosts Customer data?
As per Dell policy.
What audit logs are available to Customers, and what is their retention period? Can Customers enable logging within the application service and export the logs into a SIEM tool such as Splunk?
No audit logs are available for Customers to manage.
Do you support IAM solution integration for automated provisioning/de-provisioning customer user accounts?
No. It is possible for Customers to delete their accounts.
What policies are implemented for any third party hosted applications?
Live Optics complies with Dell's Public Cloud and Cybersecurity policies in relation to the use of third-party cloud platforms and services.
3. Data Backup & Recovery
How is the data backed up?
Backups of data are carried out as per internal Live Optics policy.
How many copies of the data are stored, and where are they stored?
Multiple copies of backups are stored for 90 days in a backup vault.
How often do you test backups?
As per internal policy.
What is the retention period for backups?
90 days.
4. Software Development
What is your development lifecycle process?
Live Optics follows a Secure Development Lifecycle aligned with ISO/IEC 27034 principles, including but not limited to code reviews, security scans, testing, logging, and automated pipelines.
5. Data Remanence
How is the data purged so that it is deleted completely, with no remnants of deleted data that could be subject to attack or e-discovery?
An automated deletion process is in place that deletes data after 7 years.
In case of termination of the contract, how will the data be provided back to the Customer?
Raw data is not provided back to the Customer; however, the Customer can download reports for all projects they own, in xls and ppt format.
6. Business Continuity
What is your disaster recovery process?
Databases run in multiple data centers with built-in redundancy. Our application servers are deployed through an automated one-click process and can be deployed in any data center within a few minutes.
What tests do you perform on your disaster recovery plan?
Because data is written to the database from active services, we do not perform tests from a parallel environment.
Where do the servers, processes, and data physically reside?
All services are hosted on Dell managed resources residing in the US.
What is your service RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
Live Optics does not have a formal RTO/RPO policy in place; however, outages are treated with high priority and availability is restored as early as possible.
7. Network & Application Security
Do you perform vulnerability scans on the application?
All Dell networked systems are scanned periodically. Additionally, in-scope vendor and industry sites are monitored on a periodic basis for vulnerability announcements, patch and non-patch remediations, and any emerging threats. The frequency of these scans depends on asset type and criticality. Live Optics undergoes routine application vulnerability scans.
Do you have an internal, external, or red team performing annual penetration tests of your IT environment?
Penetration tests on external and internal networked systems are performed periodically by Dell's internal Red/Penetration Testing team. Also, where required by compliance requirements, Dell makes use of third-party vendors (e.g. S3Security for PCI, WhiteHat for pentests). The Red Team is part of the Security and Resiliency Organization (SRO).
Dell has a Chief Security Officer (CSO), authorized by Dell executive management, who reports directly to the General Counsel and who directs and oversees a comprehensive security and resiliency program. This includes cybersecurity for all systems, data and networks, product security, physical security, supply chain security and enterprise resiliency.
The SRO has defined roles and responsibilities for security and resiliency management, which includes vulnerability management and penetration testing, among others.
What steps have been taken to ensure the applications are secured against application-level attacks such as XSS, SQL injection, etc.?
Dell's Secure Development Lifecycle integrates standards from a variety of data sources. A primary consideration is data from both internally discovered and externally reported issues. This awareness allows us to focus on the issues that are most prevalent in our technology space. A second major consideration is industry practices. Dell collaborates through many industry-standard venues such as SAFECode, BSIMM, and the IEEE Center for Secure Design to ensure that we follow industry practices. Lastly, Dell's Secure Development Lifecycle is aligned with the principles outlined in ISO/IEC 27034 (Information technology, Security techniques, Application security).
Do you regularly perform vulnerability threat assessments, penetration testing and code reviews? Are these performed by an independent third party?
Yes. Penetration testing is performed by a third party.
What measures are in place to mitigate Denial of Service attacks?
All public endpoints are behind a gateway that implements firewall rules protecting against attacks such as DoS.
Do you offer periodic reports confirming compliance with security requirements and SLAs?
Yes.
8. Incident Management & Response
How are incidents handled?
Dell has multiple teams handling incidents depending on the type of incident. Robust processes are in place.
Would the Customer receive a notification if a data breach is detected?
Yes.
What access do you provide to logs? Would the Customer be provided all logs and audit trails regarding an incident?
Live Optics logs are not provided to Customers.