Company name: Ping Identity Corp
Activities: Cloud identity security
Head office: Denver, CO
Number of employees: 200
LY revenue: NA
LY net income: NA
Key suppliers: Amazon Web Services, Boundary, Puppet Labs, Splunk, VMware, Zabbix
Ping Identity adds Boundary to its monitoring arsenal for cloud single sign-on
Analyst: Rachel Chalmers 22 Jun, 2012
In March 2012, Ping Identity launched PingOne as a multiplexed identity switch in the cloud and the first step toward an identity-as-a-service business. PingOne was an important technical and strategic offering for the company. It was also a proof of concept for a brand-new product from another vendor altogether: Boundary Inc. Ping Identity’s lead site reliability engineer, Beau Christensen, is one of the first customer references for the fresh-out-of-stealth monitoring specialist.
Early Adopter Snapshot
In 2011, Ping Identity turned to its existing investors, as well as Triangle Peak Partners and Silicon Valley Bank, to raise another $21m, which it used to create an on-demand services unit. PingOne is the first fruit of this newly established unit. PingOne provides businesses with Tier 1 single sign-on (SSO) access to all of their cloud applications, lets IT centralize control and automate identity management, and allows cloud application providers to offer Tier 1 SSO to all of their customers. For security-conscious businesses, Tier 1 requires exclusively standards-based federated SSO protocols, such as SAML, OAuth, and OpenID, with zero tolerance for storing passwords or managing duplicate end-user accounts in the cloud.
Strategic vision and business drivers
Ping’s Site Reliability Team is explicitly modeled on those at Web-facing pioneers Facebook and Google. It combines experts in development and operations, security and risk, hypervisors, databases, and hardware – but the team is only three strong. The ratio of team members to servers is currently 1:200, but Christensen hopes to push it to 1:600. The Site Reliability Team is part of the devops team, working to deploy code into production. As Christensen put it: “We’re the guys on call. We are constantly looking for new tools and technologies.”
Challenges and obstacles
New technologies are needed to help the team manage the ambitious and dynamic environment within Ping Identity. The company’s infrastructure, virtualized since 2008, now spreads across three colocated datacenters – one for test and two for production. The production datacenters are synchronized in real time and operate autonomously, so that if one goes down, the other can take over.
Ping uses a mix of VMware, OpenStack and AWS technologies – a complex and layered virtual environment. To get a handle on all this, Christensen’s team uses a three-pronged monitoring strategy. The first line of defense is active monitoring, looking at heartbeats and so on. Here Ping Identity has moved from SolarWinds to Nagios Enterprises to Zenoss to its current favorite, Zabbix. The second line of defense is operational intelligence, and the company is a big Splunk user.
It’s the third line of defense that interests us: network monitoring. Cisco’s NetFlow is widely used, but while Ping Identity is a Cisco shop, its Cisco deployment isn’t huge, and the kind of expenditure associated with NetFlow is out of Ping Identity’s reach. Furthermore, Ping doesn’t own the network in third-party clouds.
“As we build automation tools to enable us to deploy into VPCs in Amazon and other cloud platforms,” Christensen explained, “we don’t have access to any of that information whatsoever. No views into systems traffic.” Smart site reliability engineers don’t let the matter rest there.
Boundary’s agents and applications filled that void for Ping Identity. “If you set it up right, it’s the first tripwire,” said Christensen. “You can see immediately when something’s going on. One customer went live on [PingOne portal] CloudDesktop and sent email to thousands of employees around the world. I glanced at the screen and stuck my head up and said to the product manager, ‘What just happened?’”
As Christensen’s team tries to drill into the efficiency of CloudDesktop to make it as fast and as cost-effective to run as possible, they run massive performance tests against it. The team has its own scalability lab with giant bare-metal machines running big cannons firing traffic at datacenters using JMeter and BrowserMob. Thanks to Boundary, these tests can now identify inefficiencies between the application and data layers that had never shown up before.
Innovation and roadmap
While Ping Identity is only using Boundary in its test environment today, the team has realized big wins in the two to three months it’s been running.
Christensen has used it on the big Splunk indexers to see how they were performing. Now that Boundary has Puppet integration as well, Ping will use it on all its Puppet nodes.
Ultimately, of course, the plan is to push it out into the production environment. This will coincide with a new version of Ping Identity’s homegrown automation software, coming out in June, which will enable EU customers to deploy to AWS’s Irish datacenter in order to comply with EU privacy laws. “As we roll the new automation out, AWS is the first place Boundary is going to go,” Christensen said. “Then we’ll wrap it back into the VMware environment.”