Where is OneLogin hosted?
OneLogin is hosted in two independent operating regions: the United States and the European Union. The U.S. operating region consists of OneLogin instances running in the AWS regions in Oregon and Ohio. The E.U. operating region consists of OneLogin instances running in the AWS regions in Frankfurt, Germany and Dublin, Ireland.
How do you monitor AWS facilities?
AWS facilities are ISO 27001 certified and issue SOC 2 Type 2 reports, which are evaluated periodically by OneLogin. OneLogin actively monitors AWS status alerts and maintenance notices in order to mitigate any impact these might have on OneLogin customers.
Do your personnel sign confidentiality agreements and do you perform background checks on those with access to customer data?
All personnel sign confidentiality agreements and a background check is performed prior to them joining OneLogin.
Do personnel receive security awareness training?
As part of onboarding and annually thereafter, personnel receive security and privacy awareness training. Additional security training modules are delivered throughout the year. Personnel also acknowledge our Acceptable Use Policy as part of onboarding.
How do you encrypt customer data?
OneLogin uses an encryption service that works with AWS KMS to encrypt and decrypt data that is stored encrypted within databases. The encryption service calls AWS KMS to decrypt intermediate account keys, which it holds in memory only for a short time while decrypting the actual data. By design, the service has no access to the encryption key managed by AWS KMS, so an AWS KMS outage would prevent it from decrypting data; redundant and emergency processes are in place to mitigate the risk of such an outage in the primary AWS region used by each operating region. Previously, each customer had an account-specific key that was used to encrypt/decrypt customer data, and this key was in turn encrypted with a master key that was stored separately.
How is customer data classified and where does it reside?
Customer data is classified at the highest confidentiality level and only resides in the Production Environment.
Which groups of staff (individual contractors and full-time) have access to personal and sensitive data handed to you?
We use a role-based access control system and the least-privilege principle to assign personnel access rights. Generally this includes TechOps (infrastructure management), Customer Success (support), and Finance (as needed).
What are your general management rules for role provisioning, deprovisioning, and recertification?
OneLogin follows role-based access control and least-privilege access principles, implemented using our own platform. Roles, role assignments, and the access privileges based on these roles are reviewed quarterly.
Do you have a formal Information Security Program?
Yes. OneLogin's Security and Privacy Programs are based on the ISO/IEC 27001:2013 (“ISO 27001:2013”) standard and have been augmented over the years to incorporate the National Institute of Standards and Technology’s (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity, the Payment Card Industry Data Security Standard (“PCI DSS”), ISO/IEC 27017:2015 (“ISO 27017:2015”), ISO/IEC 27018:2014 (“ISO 27018:2014”), the E.U.-U.S. and Swiss-U.S. Privacy Shield Framework, the General Data Protection Regulation (“GDPR”), and other security and privacy standards and frameworks.
How do you log and alert on relevant security events?
Several monitoring tools are in place at various layers that trigger alerts to internal messaging channels. We use a combination of custom alerts and heuristics-based alerts.
How do you monitor for network vulnerabilities?
Daily scans are run against installed packages to alert us to any newly reported vulnerabilities. Monthly network, CIS benchmark, and DISA checklist scans are performed against hosts and databases. PCI network scans using an Approved Scanning Vendor (ASV) are also performed quarterly.
How do you monitor for application vulnerabilities?
An ongoing bug bounty program, static code analysis on each pull request, weekly dynamic code scans, and quarterly white-box penetration tests. We also use next-generation Web Application Firewalls to analyze and actively block malicious traffic and to determine whether additional mitigations are needed.
Are all endpoint laptops that connect directly to production networks centrally managed?
Yes: Meraki MDM (OS management), Cisco Umbrella (network), and Cybereason (anomalous activity detection).
What are the standard employee issued device security configuration/features? (Login Password, antimalware, Full Disk Encryption, Administrative Privileges, Firewall, Auto-lock, etc.)
Login and password requirements, AV, endpoint detection and response, full disk encryption, firewall, remote wipe and lock capabilities, idle timeout, and MFA for systems that access the production environment.
Does sensitive or private data ever reside on endpoint devices? How is this policy enforced?
No. Customer data only resides in Production.
Are the hosts where the service is running uniformly configured?
Yes, groups of hosts are uniformly configured based on their function and this is centrally managed via Puppet. This includes running the required security agents and available patches.
How do you regularly evaluate patches and updates for your infrastructure?
Most patches are installed automatically, with a minority needing targeted testing and phased rollouts, e.g., kernel updates.
Do you have a formalized Security Incident Response Program? How do you notify customers of any incidents?
Yes. We have a Security Incident Response Program. Customers are notified of incidents via email, the help desk portal, and in-app notifications.
Has OneLogin experienced any security-related incidents in the past?
Past incident information can be found here.
How do you ensure code is being developed securely?
Developing secure code is a process that requires control points across the entire SDLC, including: personnel receive both internal and external training; automated tools are built into the commit process; peer reviews are performed for each code change; automated scans are performed post-deploy; and manual vulnerability assessments are performed post-deploy.
Is your service audited by independent third parties?
Periodic third-party audits are performed as part of SOC 1 and SOC 2 reporting, ISO 27001:2013 certification audits, ISO 27017:2015 and ISO 27018:2014 attestation audits, and TRUSTe Certification audits, which are closely tied to E.U.-U.S. and Swiss-U.S. Privacy Shield requirements. OneLogin internal audits are also performed in support of the same. As part of these initiatives, audit results are evaluated and remediation activities performed, which are then validated during future audit periods. For additional information, please visit our compliance page.
Which IT operational, security, and privacy related standards, certifications and/or regulations do you comply with?
Refer to our Compliance page located here.
Where can I find the most recent certifications?
Refer to our Compliance page located here.
Do you use any sub-processors for data processing purposes?
OneLogin leverages several sub-processors as part of delivering the service. These entities are monitored on an ongoing basis via real-time alerts and periodic review of their third-party audit reports. Access to customer data is limited to what is needed for the delivery of the service in question, e.g., an end-user's email address is used by SendGrid to send a password reset notification.