Compliance - AWS Compliance and Shared Responsibility
Living Security's Human Risk Management Platform is built with the tools and infrastructure of Amazon's AWS Cloud services.
📚 Overview
The Living Security Human Risk Management Platform is a Software-as-a-Service application built on AWS services hosted in the US-East-1 region, such as serverless Lambda functions, to power our functionality. In the interest of transparency, Living Security details below how our infrastructure and code meet industry and customer compliance requirements.
🗒️ As our documentation states, we use AWS to power our application, so this article references AWS's own documentation. Wherever we do so, we provide a link to the relevant Amazon documentation for your reference.
👬 AWS and Living Security Shared Responsibility Model
Security and compliance are a shared responsibility between AWS and Living Security.
AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. For AWS Lambda, AWS manages the underlying infrastructure and foundation services, the operating system, and the application platform. Living Security is responsible for the security of the code it deploys and for identity and access management (IAM), both for access to the Lambda service and for permissions within the application's own functionality.
👤 Living Security's Responsibility for Compliance
✅ Industry Standards
Living Security products have been built with security in mind. To ensure that our clients can have confidence in the security of our products, Living Security conducts annual pen-tests of each product.
In conjunction with our pen-testing, Living Security also undergoes annual audits to maintain the SOC 2 Type II certification of Living Security products against industry standards.
🔒 Living Security makes these reports available upon request, subject to signature of an NDA, so that current and prospective clients can confirm they are making the right choice for their Human Risk Management needs.
Living Security has been recognized by the Cloud Security Alliance through registration at STAR Level 1. This industry certification reflects Living Security's security posture by validating that we meet industry best practices within our cloud offerings.
🔒 Secure Code
Living Security Engineering follows coding best practices. Before code is committed, it is reviewed by peers who assess both the validity of the approach taken to solve the problem and the security of the solution. Living Security also leverages tooling such as GitHub Dependabot, Snyk and Bandit to provide automated security updates and to scan commits. Actions taken include automated security updates for packages with known vulnerabilities and scans of pending code for common security issues. All of this happens before an individual developer's code is merged into the larger code base.
For Living Security's code patches and updates, we operate on a SCRUM/Agile development cycle, with each sprint consisting of 2-3 week release cycles. During these cycles, all commits are subject to automated testing prior to release, and our normal release schedule is every 3 weeks to a month for standard external-facing releases. Checks are run to compare hashes of our source code across our development and production environments.
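The hash comparison between environments mentioned above can be implemented as a content manifest: hash every file in the tree, then diff the development manifest against the deployed one so that modified, missing and unexpected files are each reported. The following is an added example written for this article, not Living Security's own release tooling; the file names, the sample trees and the `SKIP_DIRS` list are constructed for illustration.

```python
"""Release-integrity check: build a {relative_path: sha256} manifest for a source
tree and compare the reference (dev) manifest with the deployed (prod) one.
Hypothetical example; not Living Security's tooling."""
import hashlib
from pathlib import Path

# Directories that never belong in a deployed artifact (assumed list).
SKIP_DIRS = {"__pycache__", ".git", "node_modules"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_files(files: dict) -> dict:
    """Manifest for an in-memory tree given as {relative_path: bytes}."""
    return {path: sha256_hex(content) for path, content in files.items()}


def manifest_from_dir(root) -> dict:
    """Same manifest for a real directory on disk, skipping SKIP_DIRS."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        manifest[rel.as_posix()] = sha256_hex(path.read_bytes())
    return manifest


def tree_hash(manifest: dict) -> str:
    """One fingerprint over the whole tree: hash of the sorted path/hash lines.
    Two trees with identical contents always produce the same value."""
    digest = hashlib.sha256()
    for path in sorted(manifest):
        digest.update(f"{path}\0{manifest[path]}\n".encode())
    return digest.hexdigest()


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Classify every difference between the reference and the deployed tree."""
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
        "modified": sorted(
            p for p in expected if p in actual and expected[p] != actual[p]
        ),
    }


def release_matches(expected: dict, actual: dict) -> bool:
    """True only when no file is missing, added or changed."""
    return not any(compare_manifests(expected, actual).values())


# Constructed sample trees (not real application code).
DEV_TREE = {
    "app/handler.py": b"def handler(event, context):\n    return {'statusCode': 200}\n",
    "app/utils.py": b"def normalize(s):\n    return s.strip().lower()\n",
    "requirements.txt": b"boto3\n",
}
PROD_TREE = {
    # handler drifted from what was reviewed and tested
    "app/handler.py": b"def handler(event, context):\n    return {'statusCode': 500}\n",
    "requirements.txt": b"boto3\n",
    # file present in production that was never in source control
    "debug_hook.py": b"print('left behind')\n",
}

if __name__ == "__main__":
    dev, prod = manifest_from_files(DEV_TREE), manifest_from_files(PROD_TREE)
    print("tree hash dev :", tree_hash(dev))
    print("tree hash prod:", tree_hash(prod))
    for kind, paths in compare_manifests(dev, prod).items():
        print(f"{kind:>10}: {paths or '-'}")
    raise SystemExit(0 if release_matches(dev, prod) else 1)
```

In a pipeline the development manifest would be produced at build time with `manifest_from_dir` on the reviewed checkout, stored alongside the release, and compared against a manifest taken from the deployed artifact; a non-zero exit from the comparison is what blocks or flags the release.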
🌐 AWS Responsibilities for Compliance
⚙️ AWS Lambda
❗ This segment draws heavily on the AWS Lambda Security Whitepaper. We recommend reviewing it for a more comprehensive breakdown of how Lambda functions work and which compliance standards AWS Lambda meets.
AWS Lambda is an event-driven, serverless compute service that extends other AWS services with custom logic, or creates other backend services that operate with scale, performance, and security.
Lambda runs code on a highly available compute infrastructure, and performs all of the administration of the underlying platform, including server and operating system maintenance, capacity provisioning and automatic scaling, patching, code monitoring, and logging.
When Lambda receives function or layer code, it protects access to that code by encrypting it at rest using AWS Key Management Service (AWS KMS) and in transit using TLS 1.2+.
🏢 Security and Availability Zones
⚠️ This segment draws on the AWS Global Infrastructure Whitepaper. We recommend reviewing it for a more comprehensive breakdown of how AWS handles security and compliance and of the role Availability Zones perform.
Cloud security at AWS is the highest priority. As organizations embrace the scalability and flexibility of the cloud, AWS is helping them evolve security, identity, and compliance into key business enablers.
AWS builds security into the core of its cloud infrastructure and offers foundational services to help organizations meet their unique security requirements in the cloud. Living Security benefits from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Security in the cloud is much like security in an on-premises data center, only without the costs of maintaining facilities and hardware.
As an AWS customer, Living Security inherits the best practices of the AWS policies, architecture, and operational processes built to satisfy the requirements of AWS's most security-sensitive customers, gaining the flexibility and agility needed in security controls.
AWS environments are continuously audited, with certifications from accreditation bodies across geographies and verticals.
Compliance conformity includes:
- SOC 1/ISAE 3402, SOC 2, SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018
The AWS Cloud infrastructure is built around AWS Regions and Availability Zones.
An AWS Region is a physical location in the world where AWS has multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. These Availability Zones make it possible to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. For the latest information on AWS Cloud Availability Zones and AWS Regions, refer to AWS Global Infrastructure.