Security Overview

This article discusses how Kentik ensures the security of its systems and of the data entrusted to us by customers. These topics are covered in the following topics:

• Security Summary
• Security FAQ
• Security Details

Kentik takes extremely seriously the security of the data collected for, sent to, and ingested by our data platform. At the highest level, our approach can be summed up as follows:

• All data sent to us can be encrypted in transit.
• All customer data stored by us (public SaaS, private SaaS, and on premises) is encrypted at rest.
• All access to our system is protected.
• No customer has access to the data of another customer.

The following table shows in somewhat greater detail how the system and the data are protected:

Most Kentik customers use the Kentik service — which has been architected to provide multi-factored scalability, reliability, and security — via our multi-tenant SaaS platform. The answers provided in the following FAQ topics — many of which apply as well to on-premises deployment — address how Kentik Technologies handles security concerns that commonly arise in relation to SaaS deployment:

• General Security Questions
• Compliance and Certification
• Data Protection and Segregation
• Access and Identity Management
• Application Security Questions
• Privacy Questions

• Does Kentik hold a SOC 2 Type 2, ISO27001, or similar third-party audit report?
  Kentik maintains an active SOC 2 Type 2 report that is available upon request to active customers with an executed NDA. All data center locations where Kentik operates production systems and/or stores customer data are required to maintain a SOC 2 Type 2 report and/or to be ISO 27000 certified.
• Has Kentik undergone a vulnerability assessment or penetration test of its production environment within the past six months?
  Yes. Kentik performs vulnerability assessments against the public facing systems as well as private internal systems on a quarterly basis. Kentik also engages with an independent third party firm to perform penetration tests on a semi-annual basis, or when significant changes to the infrastructure have occurred.
• What is Kentik’s process for security event monitoring and notification?
  Processes and logs are used to watch for possible security breaches, with internal monitoring via dashboards, pager alerting, and log viewing. Notifications are optionally sent by email to the address associated with user login account. All security related questions can be directed to the Kentik Security Team through email at security@kentik.com.
• What notification and escalation processes exist in case of a security event?
  Were a security breach to occur, all affected customers are notified using email and a message banner in the Kentik portal within 72 hours.
• Is Kentik insured by a 3rd party for security/operational losses?
  Yes.
• How is security supported within Kentik’s company culture?
  Discussion of the importance of security, and the procedures we use to support it, is part of the applicant screening process for all positions, and security considerations are built into the design and review process across our platform.

• Are the hosting facilities SOC 1/2 or ISO 27000 certified?
  Yes, all of our hosting centers are SOC 1/2 and or ISO 27000 certified.
• Is Kentik’s service PCI and HIPAA compliant?
  Neither PCI certification nor HIPAA compliance are currently relevant to Kentik’s services because Kentik does not receive or store any PCI-restricted data, or ePHI, from customer networks.
• Is Kentik GDPR Compliant?
  - Kentik has implemented a full suite of information security and privacy policies that fully meet the requirements of the GDPR.
  - Kentik has obtained its Privacy Shield certification.
  - Kentik does not store or process information commonly classified as personally identifiable information (PII), such as Social Security number, drivers license number, home address, medical information, or credit card information.
• Are customers allowed to conduct vulnerability assessments or penetration testing?
  Kentik is open to coordinating any such activity, providing that it is scheduled in advance, poses no potential to disrupt normal operations, is conducted on a running up-to-date copy of Kentik’s SaaS platform, and is conducted at the customer’s expense.
• What risk management framework does Kentik use?
  - Kentik has adopted the NIST 800-53 framework as the basis for its information security and privacy program.
  - The Kentik information security program includes elements from the following control areas: Access Control, Security Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, Identification & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environmental Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisitions, System & Communication Protection, System & Information Integrity, and Program Management.
  - The Kentik information privacy program includes elements from the following areas: Authority to Collect, Privacy Impact Assessments, Privacy Requirements for Contractors and Service Providers, Privacy Monitoring and Auditing, Privacy Awareness and Training, Accounting of Disclosures, Validation of PII, Minimization/Removal of PII, Data Retention and Disposal, Consent, Redress, Complaint Management, Incident Response, Internal Use, and Sharing with Third Parties.

• What type of data security/segregation controls does Kentik provide?
  Customer data in our public SaaS is stored on common sets of nodes, but with multiple internal system safeguards to ensure that data cannot cross customer boundaries:
  - The Kentik Data Engine (KDE) stores each customer’s network data (flow records, BGP, GeoIP, SNMP) in separate logical databases and tables, such that the data from any given customer’s devices is never included in a table with data from any other customer.
  - Customers do not have permission/access to change the mapping of data to any KDE table.
  - Customers can see only their own logical databases and tables, and thus only their own data.
  - Data access audit logs are maintained for all activity within the environment.
  - Access to client data is limited to senior, vetted SaaS administrators via logged 2FA authentication.
• Is data encrypted at rest?
  All customer data across all production systems is encrypted at rest to FIPS 140-2 standards.
• Is data encrypted in transit?
  - Kentik collects NetFlow data, BGP routing data, and SNMP polling data from customer routers/ switches. Transmitted data can be optionally encrypted over HTTPS via the Kentik agent running on a host inside the customer infrastructure. Inbound data privacy can also be implemented by use of a direct PNI to the Kentik backend, via cross-connect, if the customer has a PoP in an Equinix data center.
  - Queries in transit are encrypted via TLS.
• Can data be removed at customer’s request and per customer’s policies?
  Yes. Data is automatically removed from the system when past the negotiated retention period. Data can also be optionally removed at any time per customer request.
• Will data be shared with third party vendors?
  No. Kentik does not share any customer information with any third parties. Kentik may seek express written consent from our customers to use agreed portions or aggregates of their data for Kentik’s own marketing or research purposes as covered in Kentik’s customer contracts, and would only do so with such written consent.
  Third-party vendors used by Kentik undergo a thorough security risk assessment and are analyzed by our security team. Once the vendor meets Kentik’s security requirements, Kentik will periodically reassess their security controls and agreements in place. Kentik ensures that all data is returned and/or deleted at the end of a vendor relationship.
• Are there any interfaces or connections with third party systems?
  A number of alliance partners have built connectors to the Kentik Data Engine (backend datastore). However any data retrieval via those interfaces must be instantiated and authorized by the Kentik customer, and must use validated customer access credentials controlled by the user.

• What forms of user management features and controls exist for Kentik?
  - Our operations environment is accessible only through a combination of SSH RSA/DSS key authentication in combination with two-factor authentication.
  - Internally, only Kentik personnel in the operations group have access to the Kentik infrastructure.
  - Service users (customers) use the portal login.
  - User accounts exist only within a customer’s account, and can be created only by the designated customer administrator. Users can be assigned Admin or Read-only access.
  - API access tokens are generated for each user account.
  - Data retrieval filters can be placed on individual users.
• Does Kentik offer single sign-on (SSO)?
  Yes, we offer SAML2-based SSO.
• Is multi-factor authentication deployed for "high-risk" environments?
  Multi-factor authentication is implemented in Kentik. It is used internally by Kentik employees, and is available for each customer to enable for its own users.
• Pursuant to local laws, regulations, ethics, and contractual constraints, are all Kentik employment candidates, contractors, and third parties subject to background verification?
  Kentik performs standard reviews of background, references, and criminal records (federal, state, and local) as part of employment.
• Are employees required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
  Yes.
• What are Kentik’s user termination procedures and timelines?
  - Customer users are deleted from the system as soon as they are removed via the User administration section of the portal.
  - Kentik staff accounts are disabled immediately upon change in role or termination and audited monthly.
• What is Kentik’s password policy for systems and infrastructure that is used to host customer data?
  Kentik employs secure-key, 2-factor authentication, and all access is logged to multiple endpoints.

• Does Kentik employ a formal secure application methodology?
  Kentik currently follows OWASP guidelines for secure web development, including use of the OWASP dependency checker.
• What are your processes for security code review and secure development lifecycle?
  Kentik uses several automated source code analysis tools for assessing both performance and security, and we are continuously evolving our development platform and processes to embrace best practices for secure code development. We also conduct regular code reviews, which include security reviews, as part of our implementation process.
• Do you utilize industry standards (Build Security in Maturity Model [BSIMM] Benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build-in security for your Systems/ Software Development Lifecycle (SDLC)?
  Kentik is in the process of deploying the NIST Systems Security Engineering framework for system development and management. Kentik currently uses the OWASP SDLC as the framework for it software development and management.

• Does Kentik have a Data Protection Officer (DPO)?
  Kentik has a designated individual filling the role of DPO. The DPO may be contacted through email at privacy@kentik.com.
• Does Kentik have a breach notification policy?
  Breach notification is integrated into the formalized Kentik Incident Response plan.
• How long does Kentik store data?
  We store customer data for as long as you are an active customer. Once you cancel service, we purge your data from our system. You also can purge your data at any time. Our standard retention period for flow data is 45 days for “full” resolution and 120 days for “trending” resolution.

The tables in the following topics contain information typically requested by prospective customers to assess security concerns related to their vendors:

• Data Types
• Data Handling
• Compliance
• Security Monitoring
• Security Methodology
• Infrastructure Security
• Disaster Recovery

The categories of data that Kentik does and does not collect and store:

What Kentik does with collected data, and where:

Current compliance-related information:

Information on security-related monitoring:

Information about the processes used to ensure the security of the application:

Information related to security on production servers (application and database):

Basic disaster recovery information: