Since inception, protecting the security and privacy of our data has been a top priority for ThousandEyes. Our customers trust us to collect and store information about performance of networks and applications they use. Depending on the deployment scenario and specific customer use cases, this could include information from the Internet that constitutes public domain knowledge and/or information from private enterprise networks. As such, we treat all data collected as highly sensitive and have implemented a security program to ensure its confidentiality, integrity, availability, and privacy.
We start with a solid management foundation through adoption of the widely recognized and respected ISO/IEC 27001 standard for our information security management system. Our privacy information management system is based on ISO 27701.
Jointly these frameworks form a ThousandEyes Unified Security and Privacy Management Framework (USPMF) that is supported by strict policies, standards, technologies and processes. We continually improve our USPMF by implementing additional technical and organizational controls to ensure customer data is always protected with best current practices.
As a cloud service provider, ThousandEyes shares the responsibility for security and privacy with its customers. Review the information below to understand your role in the implementation of security controls and operational activities.
Organization of Information Security
Information Security organization at ThousandEyes is headed by the Chief Information Security Officer. His team oversees all aspects of data protection: business, physical, and technical security and privacy. This also includes audit and compliance, as well as overall risk management.
Human Resources Security
We believe information security starts with people and it's not enough to merely secure physical systems. Hence, we invest in security awareness and training for all our employees so that they are equipped with the knowledge to support our security and privacy management systems from day one.
Asset and Risk Management
All information is classified in terms of its confidentiality within a three-level data classification scheme, and we require specific security controls to be implemented according to that classification. Risk assessments are required to be performed on each critical information asset to verify whether existing controls meet defined criteria. All customer information is classified as confidential by default and, as a result, always requires the highest level of protection.
Access to information is granted on a need-to-know basis and controlled through a managed process that addresses authorization for new access, timely access revocation when required and periodic review of access lists to critical information.
All cryptographic controls at ThousandEyes adhere to international legal regulations and restrictions and require strong key management procedures.
Physical and Environmental Security
Both data centers and office space are equipped with access control and video surveillance systems, with 24x7 security onsite. To be accepted by ThousandEyes, data centers must meet Tier III requirements.
All networks, systems and applications are securely configured, implemented and backed-up to ensure that they operate as intended. Anti-malware is deployed on all critical customer-facing systems.
All communication resources at ThousandEyes are used in a manner that is consistent with our ethical and business principles, and we have implemented relevant controls such as the use of cryptography for sensitive data transmission.
System Acquisition, Development and Maintenance
Examples of our controls include penetration testing and code review as vital steps in the approval process. Furthermore, our secure software development lifecycle design and deployment methodologies are continually being enhanced to keep up with current best practices and stay ahead of the latest threats.
Third Party Services
When contracted third-parties act on our behalf, we require them to meet the same rigorous standards of security and privacy as we meet internally. This due diligence is completed as part of our vendor risk management process, which entails a comprehensive security review of the third-party organization as well as their service offering or product.
Security Monitoring and Incident Management
We constantly monitor our network, systems and applications to detect various types of events. Not surprisingly, our own cloud monitoring solution monitors itself and the other components of our technology infrastructure. When a critical event is registered, our incident response plan is activated immediately.
Bug Bounty Program
ThousandEyes is running a bug bounty program on the Bugcrowd platform. This program complements our penetration testing to improve security for both ThousandEyes and our customers. If you’ve found a vulnerability, please read the rules of our bounty brief and submit here.