Security Practices at Ping Identity

Our mission at PIng Identity is to simplify how enterprises provide secure and seamless digital experiences. With security at the heart of all we do, it should be no surprise that our security program serves our mission for our operational practices.

Aligned directly to the company’s goals and functions, our security program embeds security engineers to each of our core functions. This enables us to inject security requirements early, and continually assess how well we’re supporting and protecting these functions throughout daily operations.

PING IDENTITY CORE FUNCTIONS 

Understanding, managing and monitoring risks to Ping and our customers is at the core of our security program. No less than annually, the Identity Security Team performs a risk assessment against all of our systems, ranking each system’s criticality to serving our customers, and data risk. We work one-on-one with each business unit to understand how the system supports our business processes and ensure we maintain the clearest picture possible of whom and what we’re protecting. We use the assessment to develop a risk treatment plan that addresses identified risks, not only based on our own risk appetite, but with a bias toward continual process improvement. The risk assessment and treatment plan is presented to the Ping Identity Risk Committee (see below), who is responsible for approving the risk treatment plan and ensuring that appropriate resources are allocated.

The value of Ping’s security program is only as good as its ability to deliver on our objectives. To ensure we’re achieving those objectives, we evaluate ourselves against a series of effectiveness measures, each of which maps to a key capability identified within our program. We regularly track these measures and provide progress reports directly to senior management.

There’s no such thing as perfect security. But we commit to continuously improving our security practices, and in doing so reduce risk by using the results of our program monitoring to identify those areas where more resources are needed. This results in regular improvements to our current controls and frequent creation of new ones. Implementing new controls requires more than just new technology. We develop procedures to support the new technology and conduct awareness and training programs for the stakeholders impacted. We also develop dedicated effectiveness measures for each new key control.

By implementing a risk-based information security program, Ping has created the structure needed to effectively manage the spectrum of risks impacting our business, ensure compliance with applicable laws, regulations and customer requirements, and achieve our strategic goals.

Our information security program enables us to:

• Deliver assured IAM solutions
• Safeguard confidential customer information
• Reduce the risk of fraud, errors and malicious attacks
• Protect brand and reputation
• Maximize revenue through highly available business systems
• Ensure timely and accurate financial reporting

The Ping Risk Committee is the executive leadership team responsible for ensuring that risk is addressed appropriately throughout the organization. This committee reviews risk assessment results, approves risk treatment plans and ensures appropriate resources are available for remediation efforts. The standing committee members are the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Chief Product Officer, Chief Legal Officer and Chief Accounting Officer, and the committee is led by the Chief Information Security Officer. Other business leaders are included and consulted as needed.

The Ping Security Steering Committee is made up of functional area leaders from our various business units. It serves as the main communication channel between the Identity Security Team (IST) and the rest of the business. The committee works to inform the IST on the operational priorities and constraints of the organization, and the potential implications of security changes. It also communicates the company’s security requirements throughout the business and ensures that security is integrated into organizational processes. This integration results in an infrastructure that not only supports Ping’s ongoing business, but embraces customer and compliance needs with respect to information security. 

Ping has multiple change advisory boards to ensure that changes to the production, corporate and development environments are properly reviewed, approved and scheduled. The IST is tightly integrated with these boards to provide guidance and to review all changes for potential security impacts.

It is the responsibility of all Ping Identity employees to protect our own and our customers’ data, comply with security protective practices, and report any real or suspected security incidents. All employees receive formal annual security training that is continuously reinforced throughout the year in the form of all-hands company syncs, email communications and targeted information sharing with specific functional teams. 

Mission: Ensure Ping’s products are architected, developed and maintained securely

As a leading provider of IAM solutions, we take very seriously the confidentiality, integrity and availability of our systems. We have embedded product security engineers in our product engineering teams. These product security experts ensure that security is considered and implemented throughout the software development lifecycle (SDLC), not just as a gate at the end.

Our product security team is comprises of former developers who understand the SDLC and can relate to the challenges of product engineering. Our Product Security team also leads Ping’s Security Advocates, an information-sharing group of technical staff dedicated to learning and understanding our threat landscape, as well as identifying how they can shore up our products to withstand current threats. Each product development team has at least one security advocate who keeps the team up to date on the current security landscape.

Mission: Maintain and improve security posture in the corporate and IDaaS infrastructure

The Infrastructure Security team provides a secured and assured computing platform both within the Ping corporate infrastructure and in the Ping identity-as-a-service (IDaaS) environment. Infrastructure Security performs security engineering and operations activities, including the creation and monitoring of security alerts, vulnerability scanning, penetration testing, investigation and analysis. Proactively, this team works closely with IT, Site Reliability Engineering (SRE) and Information Systems to ensure that all changes to the infrastructure are reviewed for security implications.

Mission: Ensure Ping has appropriate security guidance for current and new systems and projects

The Security Architecture team provides architectural guidance to stakeholders throughout the Ping environment to ensure that our systems are properly secured and assured. This includes early engagement on key technology projects, partnerships and investments to ensure security is considered from the beginning. Generally the architecture team will provide security requirements to the technical teams to ensure they implement as a part of their project plan.

Mission: Manage and communicate an effective and assured security program

The Governance, Risk and Compliance (GRC) team is responsible for the overall stewardship of the security program. Specifically, the GRC team facilitates the creation of security policies and standards, risk management activities, compliance with regulatory, legal and contractual requirements, security awareness and training, business continuity and disaster recovery, and incident response management. In addition, the GRC team helps customers understand our security posture and how our secure operational practices help support their own efforts at maintaining an information security program.

Ping’s IDaaS environment hosts customers’ IAM solutions in our cloud environment. Ping Identity has taken great care to provide a secure service offering that meets the needs of customers seeking to move to the cloud while maintaining the rich feature set of our software products. Services provided include PingID, PingOne for Enterprise, PingOne for Customers and PingCloud Private Tenant

Common Cloud Services

• Environmental Segmentation: Ping segments access between cloud network segments of different sensitivity and function.
• Identity and Access Management: Ping implements appropriate controls around IAM, including short-lived access keys, multi-factor authentication and least privilege.
• Visibility: Ping security and operations teams utilize numerous technologies to ensure we’re aware of activities in the cloud environment at all times and are alerted to any high-risk changes.
• Host-based Protection, Detection and Response: Agents and operating system monitoring are configured for our product hosts to prevent inappropriate access, alert on suspicious activity and respond to incidents.
• Cloud Configuration Monitoring: Real-time monitoring of the cloud environment configuration is performed by a combination of a third-party monitoring solution and custom-made alerting.
• Real-time Security Alerting: Alerts are generated in real time and monitored by Ping security personnel.
• Third-party Monitoring: Ping enlists a third party to continuously review the IDaaS environment for security issues.

Multi-tenant Services (PingID, PingOne for Enterprise and PingOne for Customers)

• Production Environment Deceptive Technologies: Deceptive technologies are deployed throughout the production environment to alert analysts if an attacker gains access.
• Network / Environment Hunting: Identity security analysts and engineers are regularly assigned network hunting tasks to review the environment for signs of misuse and configuration issues.

Single-tenant Services (PingCloud Private Tenant)

• Dedicated Virtualized Infrastructure per Tenant: No shared server, database or application resources with other tenants.
• Environmental Segmentation by Tenant: Dedicated AWS accounts are utilized to provide isolation between tenant environments.
• Encryption of Data at Rest per Tenant: Production data is encrypted using a tenant-specific key.
• Controlled Connectivity to PingCloud Private Tenant Environment: In order to limit the attack surface, access to the singletenant environment can be restricted to only those networks or systems required.
• Customizable Security Controls: As a single-tenant environment, additional security controls can be implemented as needed, to be determined and configured based on customer requirements.

Ping embeds security controls in our SDLC to ensure security throughout the development process and provides resources for security assessment, testing and review. These capabilities are incorporated across the Ping Identity Platform, including PingFederate, PingAccess, PingDirectory, PingOne, PingID, PingDataGovernance and PingIntelligence for APIs.

• Security Embedded in Product Council: Security leadership is included on Ping’s Product Council to assure security alignment with our product roadmaps.
• Security Embedded with Product Development: Product security engineers are co-located with development teams to ensure security is considered throughout the SDLC.
• Risk Assessments against All Features: Security Risk Assessments (SRAs) are completed against all features to evaluate the security risk of the change and ensure appropriate steps are taken to review the change.
• Static Analysis: Static code analysis is continually performed during the development process to identify and remediate security vulnerabilities and weaknesses before they are released to production.
• Automated Security Functional Tests: Automated security tests are built into the deployment pipelines to test for regressions and verify the highest risk threats to Ping products.
• Dynamic Analysis: Dynamic application security analysis is performed against products to detect common application and configuration errors.
• Dependency Checking: Dependency checking is built into the development process to ensure vulnerabilities and licensing concerns from third-party components are identified and remediated.
• Manual Testing: Targeted manual security testing is performed by product security engineers based on the highest identified risks in security risk assessments.
• Security Awareness: Product security engineers meet regularly to share knowledge on emerging trends and threats, and to evangelize best practices and raise overall awareness of product security throughout the organization.
• Third-party Assessments: At least annually, Ping engages with a world-class application security testing organization to perform white box assessments of all products. This includes targeted code reviews, static analysis, dynamic analysis and manual penetration testing.
• Responsible Disclosure: Ping has created a responsible disclosure process to provide an effective way for external security researchers to report vulnerabilities in our products.
• Bug Bounty: Ping has engaged with an external managed bug bounty provider to recruit and manage researchers who assess Ping’s IDaaS offering for security vulnerabilities.
  

Our internal security practices are an essential part of providing our customers with a high-quality and assured solution. The following are key capabilities of Ping’s security program supporting day-to-day operations.

• ISO 27001 Certified Security Program: Ping achieved ISO 27001:2013 certification in 2018. The program, policies, standards and controls achieve compliance with the international standard and make them easily communicated to third parties.
• Program Effectiveness Monitoring: We periodically audit our key capabilities to ensure they are operating effectively and as designed.
• Incident Response: Ping has a documented and communicated incident response program that is managed by the IST. The incident response program is exercised no less than annually in a cross-functional event.
• Business Continuity: Business units identify critical business functions throughout the organization and work with IST to ensure appropriate controls and recovery plans are in place in the event of the loss of critical workforce, technology or facilities.
• Third-party Risk Management: Ping evaluates third parties, including vendors and partners, and performs due diligence based upon the relative risk of the third-party organization.
• Compliance Monitoring: The security team continually monitors compliance for legal, regulatory, contractual and voluntary standard requirements.
   

#3267 | 09.05.19 | v07