Blog: LastPass SOC 2, SOC 3 and C5. April 15, 2020. By Lauren Christopherson, Global Lead, External Communications.
Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass servers, and are never accessible by LastPass. We are also SOC 2 Type II compliant.
- SOC 2 Type 2 compliance: This detailed review of our controls and processes is a “gold standard” for confirming the security and reliability of LastPass.
- Regular audits & pen tests: We engage trusted, world-class, third-party security firms to conduct routine audits and testing of the LastPass service and infrastructure.
- LastPass offers industry-standard cryptography that is strong enough to defend against brute-force attacks.
- SOC 2 report: The Service Organization Control 2 (SOC 2) Type II attestation report is widely recognized as an information security “gold standard.” Completing and maintaining the SOC 2 is just one way we demonstrate our.
At the conclusion of a SOC 2 audit, the auditor renders an opinion in a SOC 2 Type 2 report, which describes the cloud service provider’s (CSP’s) system and assesses the fairness of the CSP’s description of its controls.
What are Managed Companies in LastPass Enterprise?
The 'Managed Companies' feature of a Managed Service Provider (MSP) account for LastPass Enterprise lets LastPass admins of the primary account (i.e., MSP technicians) manage multiple independent tenants (company accounts) from one primary account.
Managed Companies have all the features and functionality available to a LastPass Enterprise account, including various multifactor authentication options, directory integrations, federated login, over 100 customizable policies, single sign-on capabilities, and much more. For more details about the various features and tools included in LastPass Enterprise, please see the LastPass Admin Toolkit.
This company management solution allows LastPass admins to have granular control over all aspects of the LastPass accounts they oversee, including full access to the Admin Console of each managed company. If desired, a hybrid model can be set up, which allows both the LastPass admin of the primary account (MSP technician) and the local LastPass admin of the managed company account to share management responsibilities.
What is the technical structure of Managed Companies?
LastPass Managed Service Provider accounts enforce strict data isolation between each managed company, at both the logical layer and the encryption layer. This is critical to support independence, privacy, and security for each company account that is managed in LastPass Enterprise. It also preserves compliance with the security and privacy standards covered by SOC 2.
Since LastPass uses a zero-knowledge security architecture, each managed company's data is completely separate and encrypted with a key derivation architecture that is specific to that managed company. Therefore, it is not possible to inadvertently share managed-company data (e.g., emails, admins, teams, roles, Vault data, etc.) with any other company that is also being managed.
LastPass admins of the primary account (MSP technicians) exist at the root level of the MSP's system, and have the ability to access each managed company instance for administrative purposes. Any 'local' LastPass admins set up in the managed company do not have this root level access to the MSP's Admin Console, or any of the MSP's data. Managed Companies are strictly isolated within their own organizational architecture; therefore they cannot view or access another managed company's Admin Console or Vault records.
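The two isolation properties described above (per-company key derivation, and root-level MSP admins versus tenant-scoped local admins) can be illustrated with a small model. The code below is an added example written for this page; it is not LastPass code and does not describe LastPass's actual key hierarchy. It assumes a single MSP root secret from which each tenant key is derived with HKDF (RFC 5869, implemented here on the standard library), a deliberately simple encrypt-then-MAC record format used only to show that a record sealed under one tenant's key cannot be opened under another's, and a two-level admin scope (`"msp-root"` or a tenant id). All names, secrets and record contents are constructed sample values.

```python
"""Per-tenant key derivation and admin scoping model (constructed example, not LastPass code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: OKM = T(1) | T(2) | ... where T(i) = HMAC(PRK, T(i-1) | info | i)
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_tenant_key(msp_root_secret: bytes, tenant_id: str) -> bytes:
    # The tenant id is bound into the HKDF "info" field, so each managed company
    # receives a key that is computationally unrelated to every other tenant's key.
    prk = hkdf_extract(salt=b"tenant-key-v1", ikm=msp_root_secret)
    return hkdf_expand(prk, info=b"tenant:" + tenant_id.encode(), length=HASH_LEN)


def seal(tenant_key: bytes, record: bytes) -> bytes:
    # Toy encrypt-then-MAC: HKDF-derived keystream under a fresh nonce, then an HMAC tag.
    # Illustrative only; a production system would use an AEAD such as AES-GCM.
    nonce = os.urandom(16)
    enc_key = hkdf_expand(tenant_key, b"enc", HASH_LEN)
    mac_key = hkdf_expand(tenant_key, b"mac", HASH_LEN)
    keystream = hkdf_expand(enc_key, b"ks" + nonce, len(record))
    ct = bytes(a ^ b for a, b in zip(record, keystream))
    tag = hmac.new(mac_key, nonce + ct, HASH).digest()
    return nonce + ct + tag


def open_sealed(tenant_key: bytes, blob: bytes) -> Optional[bytes]:
    # Returns the plaintext, or None when the tag does not verify under this tenant key
    # (wrong tenant, or tampered ciphertext). Verify before decrypting, never after.
    nonce, ct, tag = blob[:16], blob[16:-HASH_LEN], blob[-HASH_LEN:]
    enc_key = hkdf_expand(tenant_key, b"enc", HASH_LEN)
    mac_key = hkdf_expand(tenant_key, b"mac", HASH_LEN)
    expected = hmac.new(mac_key, nonce + ct, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    keystream = hkdf_expand(enc_key, b"ks" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))


@dataclass(frozen=True)
class Admin:
    name: str
    scope: str  # "msp-root" for a primary-account technician, or a tenant id for a local admin


def can_administer(admin: Admin, tenant_id: str) -> bool:
    # Root-level MSP technicians may reach every managed company; a local admin only its own.
    return admin.scope == "msp-root" or admin.scope == tenant_id


def tenant_key_for(admin: Admin, msp_root_secret: bytes, tenant_id: str) -> Optional[bytes]:
    # Key release is gated on the scope check, so a local admin of one company never
    # obtains key material for another company.
    if not can_administer(admin, tenant_id):
        return None
    return derive_tenant_key(msp_root_secret, tenant_id)


def demo() -> dict:
    root_secret = b"constructed-msp-root-secret-not-a-real-value"  # constructed sample
    key_acme = derive_tenant_key(root_secret, "acme")
    key_globex = derive_tenant_key(root_secret, "globex")
    blob = seal(key_acme, b"acme vault record")  # constructed sample record
    return {
        "tenant_keys_differ": key_acme != key_globex,
        "opens_with_own_key": open_sealed(key_acme, blob) == b"acme vault record",
        "cross_tenant_open_refused": open_sealed(key_globex, blob) is None,
        "local_admin_cannot_cross": not can_administer(Admin("bob", "globex"), "acme"),
        "msp_root_can_reach_tenant": can_administer(Admin("tech", "msp-root"), "acme"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point to take from the model is the ordering: the tenant id participates in key derivation, so isolation holds even if a storage bug mixed two companies' ciphertext, and the scope check sits in front of key release rather than only in the UI.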
What is displayed on the Managed Companies page?
On the Managed Companies page, you can see the following data:
- User Licenses – Displays both the total active licenses and total available licenses for the entire primary account.
- Average Security Score – Displays the aggregated security score for all Managed Companies combined.
- Managed Companies – This section provides a list of all companies managed within the primary account (with the ability to perform various actions), and displays the following details:
- Managed company name
- Active users for the managed company
- Managed company status (i.e., active or suspended)
- Security score for the managed company
- Available licenses for the managed company
What can I do from the Managed Companies page?
On the Managed Companies page, the LastPass admin of the primary account (MSP technician) can do the following:
How do I get started?
Please see our LastPass MSP Deployment & Adoption Guide to learn how to get started.
We know third-party validation of the security and reliability of our solutions is important to our current and potential customers. We are thrilled to share that LastPass has achieved several security compliance certifications including SOC 2 Type II, SOC 3 Type II, and C5 examinations.
SOC2 and SOC3 examinations are a review of the controls and processes that affect the security of LogMeIn products and infrastructure, the availability of the systems used to process data, and the confidentiality of the information processed by the systems.
Of note for our customers in Germany, LastPass has also completed the Cloud Computing Compliance Controls Catalogue (C5) from the German Federal Office for Information Security. This certification defines which controls cloud providers must comply with, or which minimum requirements cloud providers should be obliged to meet. It is an important cornerstone of cloud security for the German market, and only a few cloud providers are certified.
In addition to these security standards, we also are excited to share the new LogMeIn Trust & Privacy Center! This new site provides a centralized resource across LogMeIn products to find information including:
- Our Commitment to Privacy certified through the EU-US and Swiss Privacy Shield and TRUSTe Verified Privacy Frameworks
- LogMeIn’s Security Measures and globally trusted third-party security certifications such as SOC2, SOC3, and C5
- Specific Product Information including current system performance and the security and privacy features for each
Customers can download a copy of the SOC 3 report on the Trust & Privacy Center, here: https://www.logmeininc.com/trust/resource-center
The SOC 2 and C5 reports are available under a Non-Disclosure Agreement (NDA), upon request. Please contact your sales representative.
Investing in security and compliance is a constant focus for LogMeIn and LastPass, and we are excited to offer the latest on security, compliance and system performance information.