Information Security & Data Compliance
This document is an overview of Instana’s Security Policies and security features of the Instana SaaS service. It examines the specific security capabilities and controls within Instana’s offerings, and is intended to address questions and issues users may have about privacy and security.
Instana requires employees to stay abreast of Instana policies, potential threats, and their specific responsibilities by completing training programs on a regular basis. Instana’s dedicated Information Security & Data Compliance Department oversees the corporate security program and is responsible for the evaluation and development of controls.
Information Security Policies
Instana has implemented specific policies and procedures that help to determine whether management’s directives are carried out. These control activities, whether automated or manual, have a range of objectives, and are applied at various organizational and functional levels. Generally, controls at Instana may be categorized as policies including the following:
- Baseline Security Policy Set (e.g. Code of Conduct, Acceptable Use, Secure Password and Protection, Information Handling, Software Installation and others)
- Software Development Policy
- Change Management Policy
- Technical Incident Policy
- Information Security Incident Policy
- Personnel Security Policy
- Risk Management and Treatment Policy
- Internal Security Audit Policy
- Business Continuity Policy
- Vulnerability Threat Assessment Plan
- Vendor and Application Management Guideline
Security Awareness Program
Instana understands that the human factor is one of the most important frontiers in Information Security. Therefore, our employees are required to complete, on an annual basis, a security training program covering all the key factors of the current threat landscape.
Software Development Lifecycle & Secure Coding
Instana utilizes agile software development principles and secure coding practices based on concepts such as the OWASP Top 10. The Software Development Lifecycle, including the code development, review and acceptance phases, is documented and continuously improved.
Vulnerability Management Program
Instana performs vulnerability assessments and external penetration testing on a frequent basis. Findings are tracked and fixed whenever necessary. In addition, Instana runs automated dependency checks on the relevant software repositories.
Risk Management Program
Instana has designed an internal compliance review program to monitor ongoing compliance with operational and internal control policies and procedures as well as to identify other potential operational risks requiring attention. The risk management process includes business impact assessments, classification and risk treatment as well as dedicated vendor and fraud risk management programs.
Business Continuity and Disaster Recovery Program
In accordance with industry best practices, Instana has developed a Disaster Recovery plan for our SaaS service. This plan is updated as appropriate and tested for assurance annually.
Product Overview
Instana’s SaaS service processes configuration, performance and dependency data from our users’ infrastructure, services and applications. These data are sent to Instana’s SaaS service, which stores them securely and requires users to authenticate on a secure website to gain access.
- Users install Instana agents on the servers that make up their applications, whether in the data center, a private cloud or public cloud environment.
- The Instana Agent automatically discovers and in most cases automatically attaches sensors to the software components.
- The Instana Agent collects performance data points through the sensors and transmits them to the Instana Service Quality Engine (the Instana “backend”).
- The Instana backend aggregates and stores the application performance information and data points in a comprehensively compliant Amazon data center (https://aws.amazon.com/compliance/), fully separated between Europe and the US.
Instana Agent
Instana Agents do not require any inbound opening in user firewalls. Communication from the Instana Agents to the Instana SaaS service is outbound on port 443 (and can use a proxy server when desired). Instana Agents do not accept inbound connections.
While Instana Agents perform periodic checks and update themselves automatically by default, the update mechanism can be configured to match the data security processes of the end user (i.e., prohibited, staged, mirrored, proxied or manually installed).
Authentication & Access Management
Visualizations of the customer’s application performance data are available via Instana’s SSL-encrypted and password-protected per-tenant website or via the Instana API secured by a customer-managed token.
Registered Instana users are uniquely identified by an email address-based login ID. User passwords must meet “adequate strength” security levels. User passwords are stored in an industry standard encrypted hash format. An individual account can have unlimited users. Each user can be assigned a level of control: https://docs.instana.io/admin/manage-users/#create-roles
As is standard with other SaaS tools, administrative users are responsible for maintaining their user records and authorizations, including enabling and disabling users.
For user authentication, Instana supports:
- Multi-Factor Authentication
- Google Single Sign-On via OAuth
- SAML Integrations
- LDAP Integrations (On-Premises Only)
Data Collection and Retention
Instana is focused on performance metrics of IT systems and applications only. Upon termination of the Instana Service for any reason, all data will be removed from Instana’s systems (including backups) within a maximum of 90 days.
Instana has the ability to filter data at the agent level to prevent sensitive data from being sent to the backend.
For more information about the data processing in general, please visit: https://docs.instana.io/auto_discovery/#how-instana-collects-data
For information regarding the data processing of the End-User Website Monitoring component, please visit: https://docs.instana.io/website_monitoring/faq/
Data Encryption
Instana encrypts performance data in transit (data from the Instana Agents to the Instana backend) by default using TLS encryption.
Instana encrypts performance data at rest by default using the Advanced Encryption Standard.
Data Center Security
Instana SaaS service is fully cloned and separate, hosted in both the U.S. and in Europe in Amazon’s secure and comprehensively compliant data centers with fully redundant power backup systems, fire suppression systems, security guards, and biometric authentication systems.
For more information about the AWS compliance program, please visit: https://aws.amazon.com/compliance/programs/
Alternatively, Instana also provides a separate EU SaaS Service hosted in GCP. Like AWS, GCP runs a compliance program covering several industry standards.
For more information about the GCP compliance program, please visit: https://cloud.google.com/security/compliance
SOC 2
SOC 2 is a security framework comparable with the European ISO 27001 standard, touching several corporate and product-related security controls with regard to the confidentiality, integrity and availability of our service. Independent SOC 2 security audits are conducted annually to validate the design of security controls as they relate to product and corporate security.
GDPR
Protecting the privacy of our users is of utmost importance. Any data we gather from applications is used for the analysis and display of application performance data. That data is intended to be seen only by the owners of the applications through their secure and private Instana account.
CSA STAR
Instana maintains a CSA STAR CAIQ Self-Assessment at: https://cloudsecurityalliance.org/star/registry/instana-inc/
The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix.
HIPAA
Instana’s SaaS platform is not HIPAA compliant, but that does not mean you cannot use Instana if you require HIPAA compliance. You can either apply filtering to prevent any PHI data from being collected when using SaaS, or you can run Instana as a full on-premises solution.
PCI-DSS
An evolving standard, the Payment Card Industry Data Security Standard (PCI DSS) must be considered by Instana users when the managed application is subject to PCI DSS security restrictions. By default, Instana does not receive any cardholder data. To alleviate compliance concerns (of connecting applications to the “web”), users can either run Instana as a full on-premises solution or run Instana Agents behind a proxy to satisfy PCI DSS compliance requirements.