• January 8, 2020

Safety First: Limo Anywhere and Data Security

Data security is an ongoing concern for all of us, both in our personal lives and our businesses. It seems that every month another news story comes out about a major retailer or financial institution or online platform whose security has been breached.

At Limo Anywhere, data security is on the forefront of our operations and is a primary factor in all of our projects, both from an engineering and infrastructure standpoint. We take it extremely seriously and invest significant time and money to protect our customers and their data.

PCI DSS Certification

We know this term gets thrown around a lot, but it holds a lot of weight. Companies that are capable of achieving this level of security certification have gone to great lengths to do so. A third-party security assessor runs regular penetration tests from outside our network to see if they can gain access to any of our data or any of our servers, testing for vulnerabilities such as SQL injection, cross site scripting, and many others.

This certification also requires that we encrypt all data pertaining to passwords or account information. Additionally, we must conform to their requirements of web communication protocols. Although everyone considers SSL (secure socket layer) very secure, it has not been secure for several years. And even the early versions of TLS (transport layer security) are no longer considered secure. We update our communication protocols regularly to ensure we are always transmitting data securely.

After the external security scan is complete, we give our “white hat” hackers access to our network and let them try to attack us from the inside. This attack assumes that the bad guys have infiltrated our network and are now trying to attack us from within. Although real hackers would not have this information, we provide IP addresses of all of our servers so they can try to penetrate each one directly. This test is intense and serious, and any issues found must be resolved before our certification is renewed.

Network devices

We have an intrusion detection device on the forefront of our network. This device inspects each request entering our network from the public internet and determines whether it is malicious or not. If the request is found to be some sort of attack or hack, the IP address that issued the request is shunned for 24 hours, and no more requests will be allowed into our network for that period of time while we investigate. This very effective device is updated regularly with known attack patterns and any other identification information.

Segmentation

By default, servers and devices in our network are segmented into different groups that cannot see each other. This access is not only by IP, but also by network port, so even if a server is compromised, it can only talk to other servers (and ports) that were explicitly allowed. We undergo network segmentation tests every quarter as part of our PCI compliance certification.

Allowed external access

The only way our customers and partners are given functional access to our system is through APIs. Providing API access allows us to expose only the functionalities and data that we desire. Nobody has access to our data; even our tightly-integrated parent company is required to access Limo Anywhere through our APIs.

Physical Security

Access to our office and data centers is strictly controlled on an as-needed basis. All access points require a digital proxy card or biometrics (or both) to access. All visitors are logged and escorted at all times.

Backups

In addition to the security involved in protecting our customers’ data, we also employ thorough backup procedures to ensure that data is not only secured, but also kept safe in the event of hardware failures and data corruption.

Backup begins at the storage level. For our storage solution, we have a SAN (storage area network) in each datacenter. SANs, by nature, use RAID technology to shield our operations from hard drive failures. We can experience multiple hard drive failures simultaneously and everything will continue to work normally while those failed drives are replaced and rebuilt in the background.

In addition, we perform both file system and database backups of all servers and databases. These backups are encrypted and are stored in multiple locations – locally on the host, on a different host in the same datacenter, on a different host in the DR datacenter, and also on tape backup media.

Furthermore, all database backups use a log shipping approach to keep the DR database server in sync with the production database in case it needs to take over live traffic. Our backup solution has 4 levels of redundancy, including offsite tape storage, and also provides a point in time restore so we can protect the system from data corruption.

 

As you can see, Limo Anywhere’s commitment to your data security is paramount. We will continue to keep it at the forefront of our mission. If you have any questions, please contact [email protected].