This document is an overview of Instana’s Security Policies and security features of the Instana SaaS service. It examines the specific security capabilities and controls within Instana’s offerings, and is intended to address questions and issues users may have about privacy and security.
Security Policies & Information
Instana Security Program Summary
Instana is committed to the security of our users’ application systems and performance data. To meet that commitment, we follow key industry-standard security procedures to protect data from unauthorized access, use, or disclosure.
Instana’s Information Security Officer oversees Instana’s security policies, including:
- Corporate Security
- Physical Security
- Infrastructure Security
- Network Security
- Application Security
- Application Data Security
Instana requires employees to stay abreast of Instana policies, potential threats, and their specific responsibilities by completing training programs on a regular basis.
Instana Solution Overview
Instana’s SaaS service processes configuration, performance and dependency data from our users’ infrastructure, services and applications. These data are sent to Instana’s SaaS service, which securely stores the data and requires users to access and authenticate on a secure website to gain access.
- Users install Instana agents on the servers that make up their applications, whether in the data center, a
private cloud or public cloud environment.
- The Instana Agent automatically discovers and in most cases automatically attaches sensors to the
- The Instana Agent collects through the sensors and transmits performance data points to the Instana
Service Quality Engine (the Instana “backend”).
- The Instana backend aggregates and stores the application performance information and data points
in a comprehensively compliant Amazon data center (https://aws.amazon.com/compliance/), fully
separated between Europe and the US.
- Visualizations of the customer’s application performance data are available via Instana’s
SSL-encrypted and password-protected per-tenant website or via the Instana API secured by
a customer-managed token.
Instana processes performance data for the technology stack running on hosts / servers where an Instana agent has been installed by the user. This includes traces of application requests (see https://docs.instana.io/core_concepts/tracing/ for more detail on our tracing model), server resource utilization and discovered technology component performance metrics.
Instana Agents collect and transmit the following application information:
- Application traces
- Database query activity, including create, update, and delete activity
- View activity
- Requests that result in an error
- Process memory and CPU usage
- Metrics from different software components
Instana also collects and transmits key server utilization data:
- Disk & Storage
- Network & I/O
Further, each Instana technology sensor instruments and queries components on a regular basis to measure and transmit their typical set of performance and health metrics.
Finally, application traces can potentially capture personal data. Instana provides the user with the ability to configure the Agent measuring mechanisms to prevent transfer of this data to the Instana SaaS service.
Location and Security of Data Centers
Instana SaaS service is fully cloned and separate, hosted in both the U.S. and in Europe in Amazon’s secure and comprehensively compliant (https://aws.amazon.com/compliance/) data centers with fully redundant power backup systems, fire suppression systems, security guards, and biometric authentication systems.
Instana Solution Security Features
Instana solutions include security configuration options so that customers can select the level of security that best suits their operations.
- Instana encrypts performance data in transit (data from the Instana Agents to the Instana backend) by default using TLS encryption.
- Instana encrypts performance data at rest by default using the Advanced Encryption Standard.
- Instana Agents do not require an open hole in user firewalls. Communication from the Instana Agents to the Instana SaaS service is outbound on port 443 (and can use a proxy server when desired). Instana Agents do not receive inbound connections.
- While Instana Agents perform periodic checks and will update the agents automatically by default, the updates can be configured to match the data security processes of the end user, (i.e., prohibited, staged, mirrored, proxied and manually installed).
- Limited data retention: Metrics Data Retention
- 1 second data granularity is stored for 24 hours
- 5 seconds for 24 hours
- 60 seconds for 1 month
- 300 seconds (5 minutes) for 3 months
- 3600 seconds (1 hour) for at least 13 months
Graph/Configuration Data Retention
- Each change of the Dynamic Graph is kept for the lifetime of the contract
Events Data Retention
- Each event is kept for the lifetime of the contract
- Limited data retention: Metrics Data Retention
Upon termination of Instana Service for any reason, all data will be removed out of Instana system (including backups) within a maximum of 90 days.
Registered Instana users are uniquely identified by an email address-based login ID. User passwords must meet “adequate strength” security levels. User passwords are stored in an industry standard encrypted hash format.
An individual account can have unlimited users. Each user can be assigned a level of control and scope(providing full Administrative or some kind of restricted access).
As is standard with other SaaS tools, administrative users are responsible for maintaining their user records and authorizations, including enabling and disabling users.
Application Security Training
Instana is committed to ongoing education in current security concerns and initiatives for all employees, including developers. This training, which includes standard concepts like the OWASP Top 10, helps Instana design more secure systems.
To that end, all code (production and QA) must be approved by the Instana security committee, and must include automatic analysis by third-party assessment tools.
Instana maintains a robust set of Security Policies that are updated at least annually. These cover the following areas:
- Policy Management
- Asset Management
- Access (Role & Scope)
- Personal Devices
- System Operations
- Threat / Anomaly monitoring
- Vulnerability monitoring
- Security Incident Alerting
- Backup procedures
- Business Continuity Management
Protecting the privacy of our users is of utmost importance. Any data we gather from applications are for analysis and display of application performance data. That data is intended to only be seen by owners of the applications through their secure and private Instana account.
Instana’s Data Protection Addendum (DPA) is available upon request and incorporates the European Standard Contractual Clauses.
Audits & Certifications
Independent security audits conducted regularly provide assurance that Instana is handling systems and data appropriately. In addition, data is stored in Amazon’s comprehensively compliant / certified data centers.
In accord with industry best practices, Instana has developed a Disaster Recovery plan for our SaaS service. This plan is updated as appropriate, and tested for assurance annually.
PCI / DSS
An evolving standard, the Payment Card Industry Data Security Standards (PCI/DSS) must be considered by Instana users, when the managed application includes PCI/DSS security restrictions. By default, Instana does not receive any cardholder data. To alleviate compliance concerns (of connecting applications to the “web,”, users can either run Instana as a full on-premise solution or run Instana Agents behind a proxy to satisfy PCI/DSS compliance requirements.
If your security concern / issue was not answered within this document, please refer to the Instana website for any additional guidance and materials. You can also ask your Instana support team or sales team.