About Ping Identity
Identity is at the core of every great digital experience and the key to digital transformation. That’s why we champion your unique identity needs. We give you the tools to offer your users the right access at the right times no matter how they connect with you.
Our solutions were built to support the scale, flexibility and resiliency required by enterprise-level IT teams. With 99.99% uptime and over 8 billion identities under management, we’re the only identity vendor that’s proven to champion the scale, performance and security of large enterprises.
Security at Ping Identity
Ping Identity recognizes that security is essential to digital identity management. To that end, we invest heavily in security and embed it into every aspect of our business, as briefly illustrated in the following sections.[1]
Secure Development
- Ping Identity’s Secure Development Lifecycle provides a consistent framework for developing, releasing and operating secure software and services, aligned with industry standard frameworks, including the Microsoft Secure Development Lifecycle and NIST.
- All Ping Identity engineers take annual training in secure coding techniques. In addition, several internal forums are devoted to security knowledge-sharing and discussion.
- Automated security scanning tools are embedded throughout the development and deployment process, including static, dynamic, and open-source scanning.
- Threat models are developed during the design of security-critical components, independently reviewed, and maintained throughout the components’ lifecycle. Penetration testing is used extensively for additional independent validation, including both black- and white-box testing.[2]
Audit and Compliance
Ping Identity has a comprehensive internal auditing program that reviews, at least annually, all applicable security and privacy controls set out in our Information Security Management System (ISMS) and related policies. The audit program is based on our compliance obligations under ISO 27001, ISO 27017, ISO 27018, SOC 2, CSA STAR, TISAX and HIPAA/HITECH, for which Ping Identity has obtained certification; it is continuously improved as a result of internal and external audits and future certifications.
[1] For a more detailed description of Ping Identity’s company-wide security practices, see: https://www.pingidentity.com/en-us/docs/legal/security-exhibit
[2] In a black-box penetration test, an attacker positioned on the Internet, with no inside information about the service, attempts to compromise it. In a white-box test, the attacker is provided with full details about the design, implementation, and operation of the service. He or she is then “conceded a beachhead” within the service and asked to attempt to extend their control.
PingOne Advanced Identity Cloud
PingOne Advanced Identity Cloud is an online service that enables customers to meet their identity and access management needs without the burden of hosting and operating on-premises infrastructure.
The PingOne Advanced Identity Cloud provides a comprehensive, flexible identity and access management solution run and operated by Ping Identity. We secure, monitor, upgrade, and run the software while providing the flexibility and extensibility to satisfy some of the most complex identity and access management (IAM) use cases in the industry. PingOne Advanced Identity Cloud supports all major identity standards, including OAuth 2.0, OIDC, SAML and CIBA, and also provides identity synchronization, lifecycle management, governance, and storage. The PingOne Advanced Identity Cloud can be supplemented with PingGateway™ or agents to provide policy enforcement and API management.
More information on the PingOne Advanced Identity Cloud’s features and benefits is available at https://www.pingidentity.com/en/platform/pingone-advanced-identity-cloud.html.
Security Compliance
The PingOne Advanced Identity Cloud and supporting procedures and functions are certified compliant with the following industry security frameworks:
- ISO 27001 (including ISO 27017 and ISO 27018)
- SOC 2 Type 2
- CSA STAR Level 2 (CSA CCM v4)
- HIPAA/HITECH
- TISAX (VDA-ISA)
Certificates and reports (as applicable) for the above referenced certifications are available to customers under NDA on Ping Identity’s Support Portal.
The PingOne Advanced Identity Cloud is subject to internal audit, and to external audit by an independent third party, at least once annually.
Ping Identity maintains a dedicated Governance, Risk and Compliance function whose responsibility is to ensure that the organization maintains compliance with a robust framework of security policies and controls.
Ping Identity’s control framework is defined in our security policy set, available on our Support Portal, and reflected in our Security Exhibit.
Security Approach
PingOne Advanced Identity Cloud’s security model is based on a system of complementary, mutually reinforcing security controls that promote three qualities essential to security in an assume-breach world: isolation, hygiene, and observability.[3]
Isolation
Hygiene
Observability
[3] Assume breach posits that an attacker with sufficient funding, skill, and tenacity eventually will meet with some degree of success. Accordingly, one’s security architecture should bend but not break, and allow an agile response.
[4] Trust zones are analogous in many ways to microservices. A trust zone tends to be dedicated to a single business purpose; it fulfills its purpose using resources that it alone controls; and it establishes and enforces rules for interacting with it.
Security Architecture
A simplified view of the service’s security architecture is shown in the figure below.
The fundamental trust zone consists of a dedicated Google Cloud Platform (GCP) environment that hosts PingOne Advanced Identity Cloud in its entirety.[5] Crucially for security, it is sovereign: the environment is self-sufficient regarding its critical resources; it, and it alone, controls access to them; and it polices the activities that happen within it.[6]
The environment is further subdivided into a single service control plane that manages the overall health of the service, and multiple customer environments, each containing one customer’s dedicated infrastructure, code, and data.[7] Like the PingOne Advanced Identity Cloud environment as a whole, the service control plane and customer environments are sovereign: each is self-sufficient, self-governing, and self-policing.
These environments are further segmented to isolate workloads based on their value and the inherent risk they are exposed to.[8] In addition, every workload is encapsulated within a dedicated, hardened Docker container.
[5] The Advanced Identity Cloud environment is separate from Ping Identity’s own corporate IT environment.
[6] All Advanced Identity Cloud software runs under service accounts that are local to the environment. User access, by company policy, is limited to user accounts that are local to the environment and issued only to Ping Identity employees whose job functions require such access.
[7] Regional redundancy is used within each of these environments to provide resiliency. For instance, if a customer environment were located in GCP’s us-west1 region, its compute, network, and storage resources would be replicated in three or more availability zones within the region.
[8] For instance, within each customer’s environment, the workloads that interact with untrusted Internet clients are in different trust zones from those that access customer data.
Tenancy
The term tenancy is understood differently by different audiences, so it is important to be clear about the service’s tenancy model.
PingOne Advanced Identity Cloud provides full tenant isolation in a multi-tenant cloud service by using individual trust zones. Each tenant environment is a dedicated trust zone that shares no code, data, or identities with other customers’ environments. All customer environments are built from a standard template, hosted using a common technology base, maintained according to a consistent set of processes, and continually upgraded to the latest code base. The infrastructure is treated as cattle, not pets, and relies on consistency, standardization, and automation to deliver a highly available service.
PingOne Advanced Identity Cloud provides a distinct, dedicated environment to each customer. As described in the previous section, each customer environment is self-sufficient and sovereign. It comprises a distinct GCP and Kubernetes environment, runs a distinct copy of the service code under dedicated identities, and provides dedicated storage for customer secrets and data that only it can access.[9][10]
[9] Specifically, each customer’s environment consists of a distinct GCP project dedicated solely to that purpose. The project contains dedicated secrets-management, logging, storage, and other resources, as well as a dedicated Kubernetes environment in which the customer’s Advanced Identity Cloud software runs.
[10] This is in contrast to a shared-service model in which all customers’ resources would be pooled under the control of a supervisor process.
Data Protection
The service protects customer data at both the service and physical levels:
Network Security
Each customer environment includes dedicated networking resources such as internet-accessible endpoints for user interfaces and APIs. Network communications between customer environments are blocked; even within a customer environment, network communications between workloads are strictly controlled using role-based access control and enforced via network policies.
PingOne Advanced Identity Cloud makes use of GCP-native network security features to protect against denial-of-service attacks.[11] All Identity Cloud endpoints require TLS 1.2 or higher, offer GCP’s most secure ciphers, and are anchored by a digital certificate.
Identity and Access Management
One of the cornerstones of the PingOne Advanced Identity Cloud security model is comprehensive and rigorous IAM. Virtually all transactions require authentication, using identities defined within the trust zone that enforces the authentication. The principle of least privilege is applied throughout the service.
In keeping with the isolation tenet of the security design, cross-zone trusts are employed rarely, and only after careful consideration. The PingOne Advanced Identity Cloud environment as a whole extends no trusts to other environments. Likewise, individual customer environments extend no trusts to each other, or to the control plane.[11][12]
To understand this in practice, consider a representative customer environment. It comprises a GCP project with a single Kubernetes cluster; thus, it is a self-managed identity domain for both GCP and Kubernetes. It mints a GCP service account and a Kubernetes service account for each Kubernetes namespace, assigns them minimum privileges, and binds them to the appropriate workloads.
An attacker who gained a foothold in the environment would find it extremely difficult to extend the compromise, because the GCP and Kubernetes identities present in one namespace have no privileges in any others. Even in the worst case scenario where an attacker compromised an entire customer environment, none of the identities there would be valid in other customer environments or the service control plane.
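The per-namespace property described above can be checked mechanically. The following is an added example, not Ping Identity’s code: it audits a set of constructed Kubernetes RBAC bindings and reports any grant that lets a service account act outside the namespace it was minted for (the namespace names am, idm and ds are hypothetical).

```python
"""Audit Kubernetes RBAC bindings for grants that cross namespace boundaries.

Added example, not Ping Identity's code. It checks the property described in
the text: an identity minted for one namespace should hold no privileges in
any other. The manifests at the bottom are constructed for illustration.
"""

# Real Kubernetes groups that cover every service account / every caller.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated"}

def audit_bindings(manifests):
    """Return (binding name, subject, reason) for each grant that lets an
    identity act outside the namespace it belongs to."""
    findings = []
    for m in manifests:
        kind = m["kind"]
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        name = m["metadata"]["name"]
        ns = m["metadata"].get("namespace")  # None for ClusterRoleBinding
        for subj in m.get("subjects", []):
            if subj["kind"] == "Group" and subj["name"] in BROAD_GROUPS:
                findings.append((name, subj["name"], "grant to a cluster-wide group"))
            if subj["kind"] != "ServiceAccount":
                continue
            subject = f"{subj['namespace']}/{subj['name']}"
            if kind == "ClusterRoleBinding":
                findings.append((name, subject, "cluster-wide grant to a namespaced identity"))
            elif subj["namespace"] != ns:
                findings.append((name, subject, f"bound in {ns}, identity lives in {subj['namespace']}"))
    return findings

# Constructed manifests; namespace names (am, idm, ds) are hypothetical.
SAMPLE_MANIFESTS = [
    {"kind": "RoleBinding", "metadata": {"name": "am-reads-own-secrets", "namespace": "am"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "am", "namespace": "am"}]},
    {"kind": "RoleBinding", "metadata": {"name": "idm-reads-am-secrets", "namespace": "am"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "idm", "namespace": "idm"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ds-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ds", "namespace": "ds"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sa-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
]
```

Running `audit_bindings(SAMPLE_MANIFESTS)` reports three findings: the cross-namespace RoleBinding, the cluster-wide grant to a namespaced service account, and the grant to every service account; only the first, same-namespace binding passes.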
Likewise, user access to the PingOne Advanced Identity Cloud environment is tightly controlled. The service infrastructure can be accessed only by user accounts that are granted only to Ping Identity employees whose jobs involve building and operating PingOne Advanced Identity Cloud. Even these accounts don’t have unfettered access to the infrastructure — in particular, the production infrastructure can be accessed only by a small number of “special access” accounts whose actions are closely monitored.
[11] The Google network’s scale and multiple points of presence provide strong protection against flooding attacks; its filtering and blocking features protect against Layer 3 and 4 attacks.
[12] Although the control plane creates new environments, it does not maintain any privileges in them. Instead, after creating a bare-bones environment, it passes control to a workload within the environment that deploys all the needed security mechanisms and controls. As one of its first acts, that workload removes the control plane’s access.
Secrets Management
Every environment within PingOne Advanced Identity Cloud has a dedicated secrets vault that it uses to securely store passwords, private keys, API keys, and other secrets. The secrets are strongly protected at rest and in transit, and the cryptographic keys used to encrypt the secrets are regularly rotated.[13]
Except for customer-provided secrets, all secrets are created within the customer environment. They are unique from environment to environment, and cryptographically random.
[13] PingOne Advanced Identity Cloud uses Google Secret Manager, which protects secrets at rest with AES-256 encryption and in transit with TLS. It also provides automatic rotation of the encryption keys.
Auditing and Logging
The PingOne Advanced Identity Cloud generates extensive auditing and logging information.
Ping Identity Product Logs
PingOne Advanced Identity Cloud Infrastructure Logs
[14] The values of secrets, keys, and other sensitive data are not recorded in log data.
Security Monitoring
Ping Identity continually monitors the security of the PingOne Advanced Identity Cloud environment, using NIST 800-137 as a guide. The monitoring program is particularly attuned to two types of issues, discussed below.
Violations of the Service Model
Use of Privileged User Accounts
Configuration Management
PingOne Advanced Identity Cloud’s infrastructure is configured for security. Ping Identity deploys and manages it using declarative tools in order to avoid configuration “drift” over time. Additionally, we independently validate the configuration using several continuous security and compliance scanning tools and alerting mechanisms.
The security configuration is based on guidance from a variety of subject matter experts, including:
- Vendor recommendations. Ping Identity follows Google’s recommendations for securely using GCP; k8s.io’s recommendations for Kubernetes; and our own published recommendations for securely using PingAM, PingIDM, and PingDS.
- Security Subject Matter Experts. Ping Identity also follows guidance from third-party security experts, in the form of CIS Benchmarks, NIST, and other published recommendations.
Backup
All critical data is automatically backed up. This not only includes service infrastructure data such as DNS records, but also customer-specific information. For example, each customer environment backs up its data hourly; in keeping with the sovereignty model, this data is stored entirely within the customer environment but also replicated across availability zones for disaster recovery purposes.
Physical Security
The service is wholly hosted within Google Cloud Platform, and Ping Identity does not operate any physical hardware or facilities associated with the PingOne Advanced Identity Cloud. Google has published a whitepaper detailing how it secures the compute, storage, and networking assets in GCP.
At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That’s digital freedom. We let enterprises combine our best-in-class identity solutions with third-party services they already use to remove passwords, prevent fraud, support Zero Trust, or anything in between. This can be accomplished through a simple drag-and-drop canvas. That’s why more than half of the Fortune 100 choose Ping Identity to protect digital interactions from their users while making experiences frictionless. Learn more at www.pingidentity.com.
© Copyright 2025 Ping Identity. All rights reserved.