Pia Information Security

Pia implements many security measures and controls across its business and products. This article covers some of the key security measures we have in place pertaining specifically to the product and its software. This article is not intended to be exhaustive nor cover every aspect of the standards for which Pia's business and product are certified.

Pia's information security program sets forth adherence to the following frameworks:

• SOC 2
• ISO27001
• GDPR
• HIPAA

More general information about our security commitments can be found on our website here: https://pia.ai/security-commitments/

Product Development Approach to Security

One of the founding principles of the Pia Platform is to create a way to operate automations and workflows in a secure environment.

At the early stages, we identified that the options for MSPs to create automations were limited. With limited capabilities for orchestration of scripting and management of scripting processes, there are many ways that a poorly configured script can cause harm.

• Use of PowerShell remoting, which can be easily misconfigured and not secured correctly
• Setup of scheduled tasks are at risk of scheduled task tampering
• Often scripts are not managed correctly resulting in the storing of hard coded secrets in plain text on the file system
• Lack of code signing and verification of the creator of the script (i.e. blindly running or executing a script in a "known location" which may have been altered maliciously), resulting in elevation of privileges for an attacker

Pia's platform allows an MSP's automation engineer to focus on a subset of the overall requirements often associated with the creation of scripted automations and workflows. This allows you to create portable, multi-environment automations in a safe environment with protections against many common security pitfalls.

Security Guidance

There are 4 key guidance objectives which drive security on the Pia product:

• Assess and conduct security design
• Isolate where possible
• Expect the worst
• Add security controls and features

Assess and Conduct Security Design

Here are some of the security questions we explore when designing new features for the Pia product:

• What information does the feature make available to a user which it did not before?
• What inputs are allowable and how can incoming data be safely verified and validated?
• Does the new feature suit the existing security access levels? Are new access levels required or existing access levels need to be modified?
• Is the new feature transporting information securely?
• Is the new feature safe from external tampering?
• Does the new feature expose any information externally to Pia?
• Does the feature require specific penetration testing or security specific testing due to nature? (falling under a topic such as security control, identity management, authentication/authorization, encryption, certificates, releasing processes, Pia Agent)

Isolate where possible

The Pia platform can execute and run scripts as provided by you, our customer. It is important that we isolate different execution contexts such that an attacker would be limited from the damage they may cause if they gained unauthorized access to the system.

To mitigate a breach of one Pia tenant from affecting another, we structure our hosting such that:

• All execution of PowerShell scripts you place into your Pia tenant only execute on an isolated virtual machine. When Pia utilizes a Virtual Machine for your tenant, at that point it is dedicated to your tenant until such time it is reset back to its base image (At which point the resources may be reclaimed or the VM may be placed back into a pool. We may do this for resource management reasons however this will be invisible to your usage of Pia).
• Security secrets and keys are isolated to each individual tenant and not shared between any tenant. All tenants have separate sets of keys which are stored in Secure Key Vaults in Azure.
• Individual components which handle sensitive data are isolated by responsibility. These components have minimal trust of other components as we ensure that within our own system we verify and validate data as it moves between components of the system.
• The scripts and automations that you develop are created within an isolated sandbox environment. This gives your automation engineers the ability to test the automations they are working on until they are ready to be promoted to live and used by other staff within your business.

Expect the worst

• During development, we critically assess new features in our product from the perspective of an attacker and mitigate.
• We implement multiple points of validation and verification of user identity and data moving between components of the system.
• We use Azure defender products to detect access attempts, protect against incoming attacks and alert us of anomalies.
• All actions taken in any of Pia's portals are auditable.
• We engage external third parties for penetration testing of our systems to verify the security of our product.
• We adhere to the principal of least privilege. we provide the security controls within your Pia tenant such that you can apply granular access to Pia for your staff.

Add Security Controls and Features

• We prioritize the creation of flexible security controls alongside feature development.
• We regularly review current practices and standards in the IT industry to guide development of new security controls.
• Listen to our partners to understand where additional controls would be helpful.
• Constantly focus a stream of development activities targeted at security measures.

The Pia Agent

For Pia to automate actions on your device endpoints, we require an agent to be installed on each machine. The Pia Agent has been designed to be a lightweight component which connects back to Pia to wait for automations which may need to be executed.

The security features of the Pia Installer are as follows:

• The installer file is a single installer with no external dependencies (dependencies are compressed and internally stored).
• The installer file and its contents are code signed to protect against tampering of the installer files.
• The installer must be run as an administrator, as the agent is installed as a system component to prevent tampering by any users of the machine.
• The installer is not responsible for communication with Pia. This privileged communication is reserved for the Pia Service once it starts after installation is complete (registration occurs on first time run of the Pia Service).

First Time Run - Pia Service Registration

• During startup of the Pia Agent, the service will register with the customers Pia Tenant - this registration step occurs initially securely using TLS encryption between the individual device and the Pia tenant.
• A certificate (RSA public/private keypair) is generated and stored on each machine where the Pia Agent is installed. Conversely, an RSA public/private keypair is generated on Pia's backend for the registering machine. During registration, the public key of the certificates are securely exchanged. From this point forward, all communications between the Agent and Pia are encrypted using the certificate pair. This encryption acts as both a way of identification by both server and client, as well as an added layer of encryption on all communications in addition to TLS. This means that all communications between the Pia Agent and Pia are protected by 2 layers of encryption.
• TLS encryption is handled automatically by the operating system implementation of the https protocol. Pia utilizes an automatically rotating / certificate (Lets Encrypt on the server side which is renewed on a quarterly basis).
• Once the registration process for the Agent is complete, the Agent will appear in the Agent screen of the Pia Partner Portal. At this point, you will need to activate the Agent. This is an added security measure to prevent rogue Agents from registering into your Pia Tenant.