Security at Ping Identity
Ping Identity’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.
Three Guiding Principles for Security
Ping Identity has founded its security approach on the three core principles of information security:
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity: The property of safeguarding the accuracy and completeness of information and such asset
Availability: The property of information is accessible and usable upon demand by only authorized entities
Together, these three principles deliver one thing to our customers — a product and service that allows people to simply and securely access the digital world and a company they can trust to help them do that.
Secure Personnel
Ping Identity takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to Ping Identity resources.
All Ping Identity contractors and employees undergo background checks prior to being engaged or employed by Ping Identity in accordance with local laws and industry best practices.
Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
Secure Development
All development projects at Ping Identity, including on-premises software products, support services, and Ping Identity’s own cloud offerings follow secure development lifecycle principles.
All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
Ping Identity deploys automated vulnerability scanning of all production and Internet facing systems on a regular basis.
All new systems and services are scanned prior to being deployed to production.
We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
Cloud Security
PingOne Advanced Identity Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.
PingOne Advanced Identity Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.
All customer cloud environments and data are isolated using Ping Identity’s patented isolation approach (patented under the ForgeRock, Inc. company name). Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained Ping Identity experts.
Ping Identity has implemented a mature information security management system (ISMS), owned by our CISO, which details the security policies that all Ping Identity employees must follow. All of these policies and practices are also regularly reviewed and assessed by internal as well as external auditors.
We separate each customer's data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
Ping Identity’s data protection complies with ISO 27001 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
We implement role-based access controls and the principles of least privileged access, and review revoke access as needed.
Responsible Disclosure
Ping Identity values the security researcher community greatly and appreciates those who help us improve the security of our corporate systems, products and services. If you’re a security researcher and have discovered a security vulnerability in any of our systems, products or services, we appreciate your help in disclosing it to us privately and giving us an opportunity to address it before publishing technical details. We will validate, respond to, and address vulnerabilities in support of our commitment to security and privacy.
To that end, we have created a couple of different ways to engage with Ping to report vulnerabilities. First is responsibly disclosing directly to our Security Team by filing a support case. Second, in order to get more eyes on our products and services, we have created a bug bounty program that pays for in-scope vulnerabilities in our products and services.
Responsibly disclose to Ping directly:
This is available for any vulnerabilities, whether in Ping’s products or services, our corporate website (pingidentity.com), or any other Ping infrastructure or systems. Please do not publicly disclose these details outside of this process without explicit permission. In order for us to triage and respond to the report, we ask you include the following information in your report:
System or product name and version (if applicable)
Vulnerable URL: the endpoint where the vulnerability occurs
Vulnerable Parameter: if applicable, the parameter where the vulnerability occurs
Vulnerability Type: the type of the vulnerability
Steps to Reproduce: step-by-step information on how to reproduce the issue
Screenshots or video: a demonstration of the attack
Attack scenario: an example attack scenario may help demonstrate the risk and get your issue resolved faster
Log files
Click here to file a support case.
Participating in Ping's Product Bug Bounty:
We are thrilled to announce Ping’s public bug bounty, focused solely on Ping’s product and services. The goal here is to leverage the capabilities of the entire research community and get as many good guys looking for issues as possible. All details of the program, including in-scope systems, bounty amounts, and other rules of engagement are available on the bug bounty program landing page.
Click here to access our bug bounty program.
Our Commitment
If you identify a verified security vulnerability in compliance with this responsible disclosure program, Ping Identity commits to:
Establishing a remediation timeline with a definite end date.
Disclosing the vulnerability through our support page to best protect our customers (if in our customers’ best interest).
Certifications, Associations, & Affiliations
Prior to Ping Identity combining with ForgeRock, both organizations successfully achieved many of the same certifications, while others were unique to one or the other. Going forward, Ping Identity will pursue these certifications as a single company.
ISO/IEC 27001:2013 Certification
Ping’s corporate office in Denver and our key products are ISO/IEC 27001:2013 certified. ISO 27001 is the international standard outlining best practices for information security management systems. Compliance with these standards demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was inspected by Coalfire ISO, Inc., a certification body for management systems accredited through the ANSI-ASQ National Accreditation Board (ANAB).
Established by the International Organization for Standardization (ISO), the standard requires the certification of an organization’s information security management controls for areas such as data security and business continuity. The certification extends to every level of an organization’s IT infrastructure stack, including asset management, access control, human resource security and application security.
The in-scope products for the ISO 27001 certification include PingOne, PingID, PingFederate, PingDirectory, PingAccess, PingDataSync, PingAuthorize, and ForgeRock’s information security management system (ISMS) which covers all major offices used in the development of ForgeRock products, all of our product offerings including our standalone on-premise products, Identity Cloud service, and Autonomous products, as well as all supporting infrastructure, systems, and internal processes.
ISO 27017 and ISO 27018
Ping Identity (formerly ForgeRock) has included ISO 27017 and ISO 27018 into its certified ISMS and additionally has achieved independent certifications validating the controls and implementation guidance relevant to those standards are in place and operational.
The scope of Ping Identity (formerly ForgeRock's) ISMS covers all major offices used in the development of products previously developed at ForgeRock, all of our product offerings including our standalone on-premise products that were previously offered by ForgeRock, the PingOne Advanced Identity Cloud service (formerly ForgeRock Identity Cloud), and Autonomous products, as well as all supporting infrastructure, systems, and internal processes still in place as ForgeRock combined into Ping Identity.
Service Organization Controls (SOC)
SOC Reports help customers build trust and confidence in Ping Identity’s control procedures via stringent verification and validation of Ping’s control activities and processes conducted by an independent Certified Public Accountant. The American Institute of Certified Public Accountants (“AICPA”) created the Service Organization Control Report framework replacing SAS 70 with SSAE 16.
The SOC 2 Report focuses on controls, called Trust Services Principles, related to security, availability, confidentiality, processing integrity and privacy - validating that the system is protected against unauthorized physical and logical access, for example. As with SAS 70 reports, an organization can receive either a Type I or a Type II report. Type I merely reports on the suitability of the controls, while Type II tests the effectiveness of the controls. Our SOC 2 Report focuses on the Security and Availability principles.
Ping Identity and ForgeRock combined into a single company in 2023, however currently still have two separate reports. Both SOC 2 Reports are available to customers and prospective customers upon request and execution of a Non-Disclosure Agreement (NDA). Please contact your Account Manager if you would like to have a copy of the reports.
Information Systems Security Association, Denver Chapter
The Information Systems Security Association (ISSA) is an international not-for-profit organization of information security professionals and practitioners. It provides education forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.
ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure. The Denver chapter has been recognized as the largest chapter in the world with over 500 members to date. The Denver chapter president is Ping Identity’s own Chief Information Security Officer, Robb Reck, and numerous Ping employees are active members. Visit www.denverissa.org to learn more.
Cloud Security Alliance STAR Registry
The CSA Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
CSA STAR is open to all cloud providers, and allows them to submit self-assessment reports that document compliance to CSA-published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
PingOne and PingOne Advanced Services are CSA Star Level 1. PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) is CSA Star Level 2.
HIPAA and HITECH
Health Insurance Portability and Accountability Act (HIPAA) is the U.S. national standard for health information security and privacy that governs the use and disclosure of sensitive protected health information (PHI).
While all products across the combined Ping Identity organization meet HIPAA requirements, we’ve gone one step further with PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) to perform an independent assessment to assert that it complies with HIPAA security standards and Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements.
Trusted Information Security Assessment Exchange (TISAX)
The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises, governed by ENX on behalf of the German VDA. The exchange allows recognition of assessment results among the participants. TISAX may be accessed by active participants via https://enx.com/tisax. TISAX and TISAX results are not intended for general public.
ForgeRock Inc. & ForgeRock Ltd. are active TISAX participants with assessment results available through the ENX portal at: https://portal.enx.com/en-US/TISAX/tisaxassessmentresults under scope ID: SZZMC3 and assessment ID: AZ5YYL-1. In scope of this assessment is PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud).
FBI InfraGard
InfraGard members have access to an FBI secure communications network featuring an encrypted website, web mail, listservs and message boards. The website plays an integral part in the FBI’s information-sharing efforts to disseminate threat alerts and advisories, as well as to send out intelligence products from the bureau and other agencies.
There are 85 InfraGard chapters with a total of more than 35,000 members who work with the FBI through field offices to ward off attacks against critical infrastructure that can come in the form of computer intrusions, physical security breaches or other methods. These members represent state, local and tribal law enforcement, academia, other government agencies, communities and private industry. Ping Identity employees are affiliated with the InfraGard Denver Members Alliance (IDMA).
OWASP Member
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Our programming includes:
- Community-led open source projects including code, documentation, and standards
- Over 250+ local chapters worldwide
- Tens of thousands of members
- Industry-leading educational and training conferences
We are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security. The OWASP Foundation launched on December 1st, 2001, becoming incorporated as a United States non-profit charity on April 21, 2004.
Visit www.owasp.org to learn more.
Shared Responsibility
When it comes to our cloud solutions, our commitment to security and compliance doesn't stop with us. We also work with our customers to ensure that our solutions remain secure. More information about our shared responsibility is available here.
Start Today
Contact Sales
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
