Superceded September 27, 2018

Introduction

This statement summarizes the measures used by Ping Identity to maintain the security and reliability of our Identity as a Service (IDaaS) applications.

Ping Identity’s IDaaS applications consist of many different services and subsystems designed to work together in a service-oriented architecture. Each one of these services has been built as a highly resilient system capable of scaling independently of any other system to support specific usage trends. Clusters of services are hosted out of multiple data center locations providing virtual private cloud resources.

Ping Identity believes in utilizing multiple data center locations to achieve the greatest levels of service availability.  We’ve designed our services to operate across many data center locations at the same time. This provides our users better performance while maintaining the ability to recover from entire data center outages within a few minutes time.

IDaaS services at Ping Identity are also hybrid cloud applications hosted in data centers throughout the world, with instances in the United States, Germany and Australia. This gives Ping Identity’s services the ability to scale quickly to customer demand while giving us the privacy and security in our own data centers where needed.

All data centers are SOC II (http://www.ssae-16.com/ssae-16-type-ii/) compliant facilities that provide redundant street power, redundant backup generators, and redundant cooling systems. Network connectivity is provided through no fewer than three Tier 1 providers. Network Operations Centers (NOC) are located on site and manned 24x7x365. NOC personnel are trained to handle all aspects of security for the facility. Physical access to all datacenter floor space is secured with security cameras, proximity cards, biometric scanners, man traps, and complete access logging.

Site Reliability Engineering (SRE Team) is a key component in all aspects of Ping Identity’s IDaaS operations.

The SRE Team is tasked with helping to build durability, redundancy and security into on-demand applications from the start. SRE's are fully integrated into the software and system development process. In the event a performance incident occurs, the SRE Team provides valuable root cause analysis that allows us to evolve into an even better product. 

Ping Identity Site Reliability personnel monitor system health and security 24/7 with full engineering and development support. In the event of an incident, Ping Identity is ready to respond at any time.

Ping Identity’s Technology Operating Team utilizes a continuous-integration / continuous-deployment model that deploys entirely new clusters of services on a regular basis. All updates are performed as incremental updates with minimal downtime.  Features and updates applied to production servers go through rigorous testing in Test and Operational Readiness Testing (ORT) environments by the Technology Operating Team before being deployed to production. Updates requiring downtime are performed off hours and during pre-defined windows (typically Friday 22:00 MST - Sunday 14:00 MST). For unscheduled emergency changes that require service interruption, we will notify customers in advance via status.pingone.com and our twitter account.

Ping Identity invests heavily in fault analysis and detection systems for its applications. In the event of an application malfunction, our team will quickly begin to analyze system events for a given customer account in order to thoroughly analyze all potential events. Log information includes audit data that relates directly to error events, and enables us to correlate activity to the specific customer, action and timeframe.

Ping Identity provides 24/7/365 system monitoring of all production systems. Real-time reporting and notification is in place to notify the SRE Team of any issues.  We use both internal and external active service monitoring to continuously report and analyze overall system performance and availability. Our external public cloud services providing active monitoring are deployed globally to provide worldwide coverage. Each subsystem includes its own custom heartbeat that reports both application availability and software version, allowing the SRE Team to quickly determine location of any fault, and rollback application versions if needed.

Our customer’s data is of the highest importance to us as a company.  Ping Identity will never share your configuration or usage data with any other entity per our Corporate Privacy Statement.  We also take great care to safeguard your data wherever it is stored in our systems.

Our application encrypts configuration data as it’s written to our databases, so it is always stored encrypted at rest and can only be used by our applications.  Usage and logging information is stored in our secure indexing systems for reporting and troubleshooting and is only available to authorized Ping Identity employees.  All customer data is written to and stored in multiple data center locations to prevent data loss from system outages.

Ping Identity services follow strict internal security policies that govern our handling and storage of data. The list below highlights key processes and security measures that have been implemented for Ping Identity IDaaS applications.

• All configuration data is secured in its own network compartment.
• Access is limited to authorized Ping Identity personnel.
• Data encryption - Only non-proprietary, standard encryption is used. Acceptable algorithms are re-evaluated as encryption technology changes. Use of proprietary encryption is specifically forbidden since it has not been subjected to public inspection and its security cannot be assured.
• Data is backed up offsite nightly. Databases are backed up and shipped daily, and changes are replicated across datacenters in real time.
• All access to production data is logged and audited.
• Logs are maintained for 2 years and destroyed after 2 years per US Department of Defense standards. (http://www.dss.mil/documents/odaa/nispom2006-5220.pdf)
• Passwords stored in Ping Identity services are hashed based on best practices in alignment with OWASP recommendations. 

Transmitting Data Securely to Ping Identity:

• Ping Identity employs Transport Layer Security (TLS) to securely provide configuration information to our IDaaS applications. Production ciphers used by Ping Identity are capable of AES256-SHA2 with 2048 bit key strength.
• Password policy ensures a strong password to protect your data within Ping Identity applications. All passwords are stored via secure non-reversible crypto.
• Multiple authentication failures will result in the temporary lockout of your account.
• Authentication failure messages do not provide information to the administrator as to whether the username or password was incorrect.
• Inactivity timeout will log the user out and require re-authentication to access the Ping Identity services.

Each account is configured with its own unique key preventing assertions from other accounts to be processed. Audit logs track all users who log in and which IDaaS application they access. All SAML messages are received securely over a TLS connection and verified with a digital signature unique to each customer.

Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining Ping Identity’s network security. Internal security testing is performed by employees whose job functions are to assess security. Internal testing is integrated into the Technical Operations deployment process and scans are performed each time a new system version is released.

Internal testing is supplemental to external testing. External security testing, which is testing by a third party entity, is utilized to audit Ping Identity's security controls. External testing will not negatively affect network performance during peak hours or network security at any time. Ping Identity requires that external security testing be performed upon significant changes to the environment, and no less than annually.

Ping Identity’s network design follows security best practices by implementing network compartmentalization (separating the network into different segments) which reduces its network wide risk. Infrastructure security is achieved through the use of layered defensive controls. These controls include but are not limited to routing tables, security groups, intrusion detection, intrusion prevention, VLANs and access control lists.

SOC Reports help customers build trust and confidence in Ping Identity’s control procedures via stringent verification and validation of Ping’s control activities and processes conducted by an independent Certified Public Accountant. The American Institute of Certified Public Accountants (“AICPA”) created the Service Organization Control Report framework replacing SAS 70 with SSAE 16.

The SOC 2 Report focuses on controls, called Trust Services Principles, related to security, availability, confidentiality, processing integrity and privacy - validating that the system is protected against unauthorized physical and logical access, for example. As with SAS 70 reports, an organization can receive either a Type I or a Type II report. Type I merely reports on the suitability of the controls, while Type II tests the effectiveness of the controls. Our SOC 2 Report focuses on the Security and Availability principles. The SOC 2 Report is available to customers and prospective customers upon request and execution of a Non-Disclosure Agreement (NDA). Please contact your Account Manager if you would like to have a copy of the report.

Archived Security and Operational Practices (February 21, 2017)